[c-nsp] IOS XR 4.3.4, control-plane policing, and NTP
Daniel Suchy
danny at danysek.cz
Sat Aug 2 12:03:51 EDT 2014
Hello,
this should help:
lpts pifib hardware police
flow ntp default rate 0
Configured NTP servers use "flow ntp known". There are many other HW
rate limiters.
With regards,
Daniel
On 2.8.2014 17:27, Gert Doering wrote:
> Hiya,
>
> I'm confused. I have this new and shiny ASR9001 with IOS XR on it,
> with supposedly totally superior local services access control, and
> stuff.
>
> So, I configure:
>
> control-plane
>  management-plane
>   inband
>    interface all
>     allow all peer
>      address ipv4 1.1.1.0/24
>      address ipv6 2001:1:1::/48
>     !
>    !
>   !
>  !
>
> (nothing else under control-plane/management-plane, addresses
> obviously faked)
>
> I can see that this works perfectly to restrict access to telnet
> and ssh to sources in 1.1.1.0/24 or 2001:1:1::/48 -- but at the
> same time, the box happily answers NTP packets, both "time query"
> as well as "status query", from all over the world.
>
> If I configure an explicit NTP ACL ("ntp access-group ipv* serve
> $ACL"), it stops answering the packet, but "debug ntp packet" tells
> me the packet is still arriving at the CPU level:
>
> RP/0/RSP0/CPU0:Aug 2 17:18:51.686 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)
> RP/0/RSP0/CPU0:Aug 2 17:18:52.687 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)
>
> ... so, what am I missing here? How do I stop NTP packets not
> coming from configured NTP servers (those are all inside
> "1.1.1.0/24") from arriving at the CPU level? (Yes, interface ACLs
> would work, of course, and when the box is in its final location,
> incoming ACLs on all transit links will prevent packets to the box,
> but I still think its control plane policing should catch NTP
> packets just as well as SSH or SNMP)
>
> IOS XR 4.3.4, ASR 9001
>
> gert
>
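An added example, not part of either post in this thread: a small Python check over "debug ntp packet" Rx lines in the format Gert quoted, counting NTP packets that reached the CPU from sources outside the prefixes his configured servers live in. The sample lines are constructed from the two log lines in the thread plus assumed in-range, IPv6 and Tx variants in the same format; it is a way to confirm whether an LPTS policer change has actually taken effect, not a replacement for the policer.

```python
import ipaddress
import re
from collections import Counter

# "debug ntp packet" Rx line format as shown in the thread (src->dst, interface id, byte count).
RX_LINE = re.compile(
    r"ntpd\[\d+\]: Rx (?P<src>\S+)->(?P<dst>\S+) on if (?P<ifid>0x[0-9a-fA-F]+)"
    r".*?\((?P<size>\d+) bytes\)"
)

# Prefixes the configured NTP servers live in (the faked ranges from the thread).
ALLOWED_PEERS = [ipaddress.ip_network("1.1.1.0/24"), ipaddress.ip_network("2001:1:1::/48")]

def parse_rx_line(line):
    """Return (src, dst, size) for an ntpd Rx debug line, or None if it is not one."""
    m = RX_LINE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("src")), ipaddress.ip_address(m.group("dst")), int(m.group("size"))
    except ValueError:  # malformed address in the log line
        return None

def is_allowed_peer(addr, allowed=ALLOWED_PEERS):
    """True if addr lies inside one of the expected NTP peer prefixes."""
    return any(addr in net for net in allowed)

def unexpected_ntp_sources(lines, allowed=ALLOWED_PEERS):
    """Count NTP packets that reached the router CPU from sources outside the allowed prefixes."""
    counts = Counter()
    for line in lines:
        parsed = parse_rx_line(line)
        if parsed is None:  # Tx lines and unrelated debug output are skipped
            continue
        src, _dst, _size = parsed
        if not is_allowed_peer(src, allowed):
            counts[str(src)] += 1
    return counts

# Constructed sample: the two Rx lines from the thread, one from inside the allowed range,
# one IPv6 line and one Tx line (the last two assumed to use the same format).
SAMPLE_LOG = [
    "RP/0/RSP0/CPU0:Aug 2 17:18:51.686 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)",
    "RP/0/RSP0/CPU0:Aug 2 17:18:52.687 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)",
    "RP/0/RSP0/CPU0:Aug 2 17:18:53.100 : ntpd[258]: Rx 1.1.1.5->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)",
    "RP/0/RSP0/CPU0:Aug 2 17:18:54.200 : ntpd[258]: Rx 2001:db8::9->2001:1:1::3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)",
    "RP/0/RSP0/CPU0:Aug 2 17:18:55.300 : ntpd[258]: Tx 193.149.45.3->1.1.1.5 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)",
]
```

Run it over a captured debug session before and after applying the "flow ntp default rate 0" policer: the counter for out-of-range sources should drop to zero once the policer is in place.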