NTP for ASBRs?

adamv0025 at netconsultings.com
Wed May 8 16:25:06 UTC 2019


> Vincent Bernat
> Sent: Wednesday, May 8, 2019 3:22 PM
> 
>  ❦  8 May 2019 09:56 +02, Lars Prehn <lprehn at mpi-inf.mpg.de>:
> 
> > do you NTP sync your AS boundary routers? If so, what are incentives
> > for doing so? Are there incentives, e.g. security considerations, not
> > to do it?
> 
> Ensure you have a firewall rule in place to prevent people from using your
> router for NTP amplification. NTP clients are also servers. On Juniper
> devices:
> 
> policy-options {
>     prefix-list ntp-servers {
>         apply-path "system ntp server <*>";
>     }
> }
> firewall {
>     /* ... */
>             term accept-ntp {
>                 from {
>                     source-prefix-list {
>                         ntp-servers;
>                     }
>                     protocol udp;
>                     port ntp;
>                 }
>                 then {
>                     policer management-1m;
>                     accept;
>                 }
>             }
> }
> 
> (see
> <https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf>
> for more details).
> --

You mean in addition to iACLs allowing only BGP and ICMP to your "infrastructure" IP address block(s) right? ;)

adam
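One way to check from the outside that a filter like the one quoted above really stops your router being used as an NTP reflector: the Python probe below is an added example for this thread (not code from either poster, nor from Juniper). It sends the two query types most abused for NTP amplification, a mode 6 READVAR control query and a mode 7 MON_GETLIST_1 ("monlist") request, and reports how many bytes come back per byte sent. Run it from an address that is not one of the router's configured NTP servers; a correctly filtered router should answer neither. The field layouts follow RFC 1305 appendix B (mode 6) and the classic ntpd private mode 7 format; the target IP is a command-line argument, and the reply bytes used to exercise the parsing helpers are constructed.

```python
"""
NTP reflection probe (added example, not part of the original thread).
Sends a mode 6 READVAR query and a mode 7 monlist request to a host and
reports bytes received per byte sent. Silence is the desired result.
"""
import socket
import struct
import sys

NTP_PORT = 123


def build_mode6_readvar(sequence: int = 1) -> bytes:
    """12-byte NTP control message: LI=0, VN=2, mode=6 (first byte 0x16);
    R/E/M bits clear with opcode 2 (READVAR); association ID 0 so the
    server returns its system variables (what `ntpq -c rv` asks for)."""
    first = (0 << 6) | (2 << 3) | 6
    second = 2
    status = assoc_id = offset = count = 0
    return struct.pack("!BBHHHHH", first, second, sequence,
                       status, assoc_id, offset, count)


def build_mode7_monlist() -> bytes:
    """8-byte private-mode request: R=0, M=0, VN=2, mode=7 (0x17); auth bit
    and sequence 0; implementation 3 (XNTPD); request code 42
    (MON_GETLIST_1); err/nitems and mbz/size fields zero."""
    return bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])


def is_reply_to(request: bytes, reply: bytes) -> bool:
    """True if 'reply' is an NTP response of the same mode as 'request'.
    Mode 6 carries its response bit in the second byte, mode 7 in the first."""
    if len(reply) < 2:
        return False
    mode = reply[0] & 0x07
    if mode != request[0] & 0x07:
        return False
    if mode == 6:
        return bool(reply[1] & 0x80)
    if mode == 7:
        return bool(reply[0] & 0x80)
    return True


def amplification_factor(request: bytes, replies: list) -> float:
    """Bytes received divided by bytes sent; 0.0 means the host stayed silent."""
    return sum(len(r) for r in replies) / len(request)


def probe(host: str, request: bytes, timeout: float = 2.0,
          max_datagrams: int = 64) -> list:
    """Send one request and collect every datagram that arrives before the
    socket times out (monlist and large readvar answers span several)."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, NTP_PORT))
        try:
            while len(replies) < max_datagrams:
                data, _ = sock.recvfrom(4096)
                if is_reply_to(request, data):
                    replies.append(data)
        except socket.timeout:
            pass
    return replies


def main(argv: list) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <router-ip>", file=sys.stderr)
        return 2
    host = argv[1]  # hypothetical target supplied by the operator
    for name, req in (("mode 6 readvar", build_mode6_readvar()),
                      ("mode 7 monlist", build_mode7_monlist())):
        replies = probe(host, req)
        if not replies:
            verdict = "no answer (filtered or disabled)"
        else:
            factor = amplification_factor(req, replies)
            verdict = f"{len(replies)} datagram(s), amplification x{factor:.1f}"
        print(f"{host} {name}: {verdict}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note that a plain mode 3 client query is not tested: a router acting as NTP server will answer those with a same-sized 48-byte packet, which reflects but does not amplify; the mode 6 and mode 7 paths are the ones where one small datagram can produce hundreds of bytes or several fragments in return.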





More information about the NANOG mailing list