NTP for ASBRs?
Vincent Bernat
bernat at luffy.cx
Wed May 8 14:22:25 UTC 2019
❦ 8 May 2019 09:56 +02, Lars Prehn <lprehn at mpi-inf.mpg.de>:
> do you NTP sync your AS boundary routers? If so, what are incentives
> for doing so? Are there incentives, e.g. security considerations, not
> to do it?
Ensure you have a firewall rule in place to prevent people from using
your router for NTP amplification. NTP clients are also servers. On
Juniper devices:
policy-options {
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
firewall {
    /* ... */
    term accept-ntp {
        from {
            source-prefix-list {
                ntp-servers;
            }
            protocol udp;
            port ntp;
        }
        then {
            policer management-1m;
            accept;
        }
    }
}
(see
<https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf>
for more details).
--
Keep it simple to make it faster.
- The Elements of Programming Style (Kernighan & Plauger)
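
An added example, not part of the original message and not Juniper's code: a small Python model of how the accept-ntp term above evaluates packets. It assumes apply-path expands each "system ntp server" entry into a host prefix and that packets not accepted here fall through to later terms the message elides. The configuration lines, packets and function names are constructed for illustration, and the policer is not modelled.

```python
import ipaddress
import re

# Constructed sample in Junos "set" format; addresses are documentation ranges.
SAMPLE_CONFIG = """\
set system ntp server 192.0.2.10
set system ntp server 198.51.100.20 prefer
set system ntp server 2001:db8::123
set system name-server 192.0.2.53
"""

# Constructed packets as seen by the filter protecting the routing engine.
PACKETS = [
    {"src": "192.0.2.10", "proto": "udp", "sport": 123, "dport": 123},      # configured server
    {"src": "203.0.113.66", "proto": "udp", "sport": 40000, "dport": 123},  # unlisted source
    {"src": "192.0.2.53", "proto": "udp", "sport": 123, "dport": 123},      # name-server only
    {"src": "2001:db8::123", "proto": "udp", "sport": 123, "dport": 50000}, # configured, IPv6
    {"src": "192.0.2.10", "proto": "tcp", "sport": 123, "dport": 123},      # wrong protocol
]


def expand_ntp_servers(config_text):
    """Model apply-path "system ntp server <*>": one host prefix per server."""
    prefixes = []
    for line in config_text.splitlines():
        m = re.match(r"set system ntp server (\S+)", line.strip())
        if m:
            # A bare address becomes a /32 (IPv4) or /128 (IPv6) host prefix.
            prefixes.append(ipaddress.ip_network(m.group(1)))
    return prefixes


def accept_ntp_term(pkt, prefixes):
    """Return "accept" only if every 'from' condition of the term matches."""
    src = ipaddress.ip_address(pkt["src"])
    from_server = any(src.version == p.version and src in p for p in prefixes)
    # 'port ntp' matches when the source or the destination port is 123.
    is_ntp = 123 in (pkt["sport"], pkt["dport"])
    return "accept" if from_server and pkt["proto"] == "udp" and is_ntp else "next-term"


def classify(packets, config_text=SAMPLE_CONFIG):
    prefixes = expand_ntp_servers(config_text)
    return [accept_ntp_term(p, prefixes) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, classify(PACKETS)):
        print(f'{pkt["src"]:>15} {pkt["proto"]} {pkt["sport"]}->{pkt["dport"]}: {verdict}')
```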