[c-nsp] IOS XR 4.3.4, control-plane policing, and NTP

Gert Doering gert at greenie.muc.de
Sat Aug 2 11:27:26 EDT 2014


Hiya,

I'm confused.  I have this new and shiny ASR9001 with IOS XR on it, with
supposedly totally superior local services access control, and stuff.

So, I configure:

control-plane
 management-plane
  inband
   interface all
    allow all peer
     address ipv4 1.1.1.0/24
     address ipv6 2001:1:1::/48
    !
   !
  !
 !

(nothing else under control-plane/management-plane, addresses 
obviously faked)

I can see that this works perfectly to restrict access to telnet and ssh
to sources in 1.1.1.0/24 or 2001:1:1::/48 -- but at the same time, the
box happily answers NTP packets, both "time query" as well as "status 
query", from all over the world.

If I configure an explicit NTP ACL ("ntp access-group ipv* serve $ACL"),
it stops answering the packet, but "debug ntp packet" tells me the
packet is still arriving at the CPU level:

RP/0/RSP0/CPU0:Aug  2 17:18:51.686 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)
RP/0/RSP0/CPU0:Aug  2 17:18:52.687 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)

... so, what am I missing here?  How do I stop NTP packets not coming from
configured NTP servers (those are all inside "1.1.1.0/24") from arriving
at the CPU level?  (Yes, interface ACLs would work, of course, and when
the box is in its final location, incoming ACLs on all transit links will
prevent packets to the box, but I still think its control plane policing
should catch NTP packets just as well as SSH or SNMP)

IOS XR 4.3.4, ASR 9001

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de