[c-nsp] Use NTP server for syncing but do not respond to NTP requests
Gert Doering
gert at greenie.muc.de
Sat Mar 22 10:58:59 EDT 2014
Hi,
On Sat, Mar 22, 2014 at 02:35:55PM +0000, Drew Weaver wrote:
> I just applied an ACL to the ntp command and that fixed it,
Yeah, that's what you need to do.
> but you have to wonder why configuring an IOS device to synchronize with an external source would explicitly mean that you also want that IOS device to be a clock source itself.
>
> That seems like a mistake given the current climate we are in (amp attacks)...
Well, the underlying train of thought in the NTP community seems to be
"there are no servers or clients, just machines running NTP" (which
reflects in "packets have source+destination = UDP/123" and in other
aspects, leading to stuff like the ping-pong attacks where you bounce
one NTP error packet endlessly between two servers...).
Back in the day, that wasn't harmful, and I found it convenient at
times ("just sync the switch to the nearest router"), but nowadays,
it's backfiring. So it would be good to have a switch to differentiate
between "(s)ntp client" and "full ntp functionality".
Until then, spread the word of Cymru's Secure NTP template...
http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
... has all you need for IOS, JunOS, Unix, ..
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
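The before/after IOS configuration behind the fix discussed in this thread (an ACL applied to NTP so the box still syncs but no longer answers the Internet), added here as an illustration; it is not from the thread or from the Cymru template, and the 192.0.2.x addresses and ACL numbers are placeholders:

```cisco
! --- Before: the configuration Drew started from ---
! A bare "ntp server" line makes the router sync to the upstream AND
! answer time and control queries from any source, which is what gets
! it abused as an amplifier.
ntp server 192.0.2.10
!
! --- After: stay an NTP client, stop being an NTP server ---
! ACL 10: the upstream time sources we actually peer with (assumed addresses).
access-list 10 remark NTP upstreams we are allowed to talk to
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
access-list 10 deny   any
! ACL 20: matches nobody; used to close the service classes entirely.
access-list 20 remark deny everything
access-list 20 deny   any
!
ntp server 192.0.2.10
ntp server 192.0.2.11
!
! IOS checks these groups in order peer, serve, serve-only, query-only
! (least to most restrictive) and stops at the first match, so the
! upstreams hit "peer" and everyone else falls through to the denies.
ntp access-group peer       10
ntp access-group serve      20
ntp access-group serve-only 20
ntp access-group query-only 20
```

Verify from the device that synchronization still works (`show ntp status`, `show ntp associations` should show the two upstreams), and from a host outside ACL 10 that a request now gets no answer (for example `ntpdate -q <router>` or `ntpq -c rv <router>` should time out). The `query-only` class is the one that covers NTP control queries (mode 6/7), so closing it also shuts the monlist-style amplification even if the platform still supports that command.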