NTP for ASBRs?

Vincent Bernat bernat at luffy.cx
Wed May 8 14:22:25 UTC 2019


 ❦  8 May 2019 09:56 +02, Lars Prehn <lprehn at mpi-inf.mpg.de>:

> do you NTP sync your AS boundary routers? If so, what are incentives
> for doing so? Are there incentives, e.g. security considerations, not
> to do it?

Ensure you have a firewall rule in place to prevent people from using
your router for NTP amplification. NTP clients are also servers. On
Juniper devices:

policy-options {
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
firewall {
    /* ... */
            term accept-ntp {
                from {
                    source-prefix-list {
                        ntp-servers;
                    }
                    protocol udp;
                    port ntp;
                }
                then {
                    policer management-1m;
                    accept;
                }
            }
}

(see
<https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf>
for more details).
-- 
Keep it simple to make it faster.
            - The Elements of Programming Style (Kernighan & Plauger)
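
An added illustration, not part of the message above and not Juniper code: a small Python model of what the posted configuration does, first expanding `apply-path "system ntp server <*>"` into host prefixes and then evaluating packets against the `accept-ntp` term. The sample configuration, its documentation addresses and the function names are constructed for this example; what happens to a packet that does not match depends on the terms elided from the posted filter.

```python
import ipaddress
import re

# Constructed sample configuration (documentation addresses), not from the post.
SAMPLE_CONFIG = """
system {
    ntp {
        server 192.0.2.10;
        server 198.51.100.20 prefer;
    }
}
"""

NTP_PORT = 123
UDP = 17  # IP protocol number for UDP


def expand_ntp_servers(config):
    """Mimic apply-path "system ntp server <*>": one host prefix per server."""
    block = re.search(r"\bntp\s*\{(.*?)\}", config, re.S)
    if block is None:
        return []
    addrs = re.findall(r"^\s*server\s+([0-9A-Fa-f.:]+)", block.group(1), re.M)
    return [ipaddress.ip_network(a) for a in addrs]


def accept_ntp_term(prefixes, src, protocol, sport, dport):
    """Return 'accept' if the packet matches term accept-ntp, else 'next-term'."""
    in_list = any(ipaddress.ip_address(src) in p for p in prefixes)
    # 'port ntp' matches when either the source or the destination port is 123.
    port_ok = NTP_PORT in (sport, dport)
    if in_list and protocol == UDP and port_ok:
        return "accept"  # the posted term also applies policer management-1m
    return "next-term"  # left to the later terms of the filter


if __name__ == "__main__":
    servers = expand_ntp_servers(SAMPLE_CONFIG)
    print("ntp-servers:", [str(p) for p in servers])
    # Constructed packets: a reply from a configured server, then a query
    # from an address that is not a configured server.
    print(accept_ntp_term(servers, "192.0.2.10", UDP, 123, 123))
    print(accept_ntp_term(servers, "203.0.113.5", UDP, 50000, 123))
```

Because the prefix list is derived from the `system ntp server` statements, adding or removing a server changes the filter's allowed sources without editing the term itself.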


