[j-nsp] NTP Reflection

Saku Ytti saku at ytti.fi
Tue Jan 14 10:33:00 EST 2014


On (2014-01-14 14:36 +0000), Per Granath wrote:

> # show firewall
> firewall {
>     family inet {
>         filter protect_RE {
>             term NTP {
>                 from {
>                     source-prefix-list {
>                         ntp-servers;
>                         lo0.0-inet-address;
>                     }
>                     protocol udp;
>                     port ntp;
>                 }
>                 then accept;
>             }
>         }
>     }
> }

There are two potential problems here:

a) if the NTP servers are not fully trusted (why grant them more trust than you
must?) then an NTP server can access any UDP service on the box by setting its
source port to the NTP port

b) the destination address should always be included; you know that you talk to
NTP from the loopback, so don't allow packets to other addresses. Why? Because you
control what addresses are in your router, but you cannot always control the
source address (in an L3MPLS VPN it is typically trusted, so the customer can add/remove
addresses). This is not usually a problem, the customer can only reach the PE
logical interface facing the customer, but if they can change the source, they can
pretend to be your NTP source and can hit your control-plane. If you verify the
destination address, they can't (I presume you never configure core loopbacks
in customer link networks)

> bla
> bla
> bla
> 
> 
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Chris Adams
> Sent: Tuesday, January 14, 2014 4:19 PM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] NTP Reflection
> 
> Once upon a time, Olivier Benghozi <olivier.benghozi at wifirst.fr> said:
> > Because if you don't do it, you'll obtain some nice "Server Timeout" if you want to issue a "show ntp status" or "show ntp associations".
> > So:
> > - Junos doesn't use 127.0.0.1 to locally communicate with ntpd
> > - In you filters you're obliged to manually authorize internal private 
> > IP traffic used by the CLI and that doesn't even leave the RE
> > 
> > Another fine design...
> 
> Seems like a good case for a commit script to auto-build the filter rule from configured NTP servers and configured loopback addresses.
> --
> Chris Adams <cma at cmadams.net>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp

-- 
  ++ytti
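As an added example (not code from this thread, from Junos, or from any commit script the list discusses): a Python sketch of the "auto-build the filter from configured NTP servers and loopbacks" idea, emitting a term that carries the destination-address and destination-port matches argued for above, plus a small lint for the two weaknesses in the quoted term. Function names, the prefix-list name lo0-addresses and the sample addresses are my own choices.

```python
import re

def build_ntp_term(ntp_servers, loopbacks):
    """Return Junos set-style lines for a hardened protect_RE NTP term.

    Accept UDP only from the configured NTP servers, only to the loopback
    addresses this router actually sources NTP from, and only to destination
    port 123, so a server forging its source port cannot reach other services.
    """
    lines = [f"set policy-options prefix-list ntp-servers {s}" for s in ntp_servers]
    lines += [f"set policy-options prefix-list lo0-addresses {a}" for a in loopbacks]
    term = "set firewall family inet filter protect_RE term NTP"
    lines += [
        f"{term} from source-prefix-list ntp-servers",
        f"{term} from destination-prefix-list lo0-addresses",
        f"{term} from protocol udp",
        f"{term} from destination-port ntp",
        f"{term} then accept",
    ]
    return lines

def lint_ntp_term(term_text):
    """Return findings for an NTP accept term written in brace or set style."""
    findings = []
    # Junos 'port' matches source OR destination port, so a peer that sets its
    # source port to 123 gets past this term on the way to any UDP service.
    if re.search(r"(?<![\w-])port\s+ntp\b", term_text):
        findings.append("uses 'port ntp'; use 'destination-port ntp' instead")
    # Without a destination match, a packet with a spoofed NTP-server source
    # can reach any address on the router, not just the NTP loopback.
    if not re.search(r"destination-(address|prefix-list)", term_text):
        findings.append("no destination-address/destination-prefix-list match")
    return findings

# Constructed sample: the term quoted at the top of this thread, in brace style.
WEAK_TERM = """term NTP {
    from {
        source-prefix-list { ntp-servers; lo0.0-inet-address; }
        protocol udp;
        port ntp;
    }
    then accept;
}"""

if __name__ == "__main__":
    for finding in lint_ntp_term(WEAK_TERM):
        print("finding:", finding)
    print("\n".join(build_ntp_term(["192.0.2.10/32"], ["198.51.100.1/32"])))
```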

