NTP for ASBRs?

Hi everyone,

do you NTP sync your AS boundary routers? If so, what are incentives for doing so? Are there incentives, e.g. security considerations, not to do it?

Best regards,

Lars

Dear Lars,

> do you NTP sync your AS boundary routers?

yes

> If so, what are incentives for doing so? Are there incentives, e.g.
> security considerations, not to do it?

The major advantage of NTP syncing your routers is that it allows you to
more effectively correlate any log messages that these devices emit to
log messages other devices generated.

Did two events happen at separate times, or was it perhaps the same
event at the same time? The incentive is ease of troubleshooting.

On this topic, I strongly recommend operating all devices in the
Etc/UTC timezone; this makes coordination with external entities much
easier.

Kind regards,

Job
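To make the correlation point concrete, here is an added example (not code from any poster in this thread) that normalises log timestamps from several routers onto one UTC axis and groups events that fall within a few seconds of each other. The device names, timezone offsets and log lines are constructed; one device deliberately logs local time without a zone marker, and one has an unsynced clock running about 90 seconds fast, so its copy of the event is left in a group of its own.

```python
"""Normalise router log timestamps to UTC and group near-simultaneous events.

Added example for this thread, not code from any of the posters. Device
names, offsets and log lines below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: three border routers logging what is really one event.
#   asbr1: NTP synced, logs in UTC with a trailing "Z".
#   asbr2: NTP synced, but logs local time (UTC+2) with no zone marker.
#   asbr3: not NTP synced; its clock runs about 90 seconds fast.
SAMPLE_LOGS = [
    ("asbr1", "2019-05-08T13:22:05Z BGP neighbor 192.0.2.1 Down"),
    ("asbr2", "2019-05-08T15:22:06 BGP neighbor 192.0.2.2 Down"),
    ("asbr3", "2019-05-08T13:23:35Z BGP neighbor 192.0.2.3 Down"),
]

# Assumed local timezone for devices whose timestamps carry no zone marker.
# Running every device in Etc/UTC makes this lookup table unnecessary.
DEVICE_TZ = {"asbr2": timezone(timedelta(hours=2))}


def parse_line(device, line):
    """Return (utc_timestamp, message) for one 'ISO-timestamp message' line."""
    ts_text, _, message = line.partition(" ")
    if ts_text.endswith("Z"):
        ts = datetime.fromisoformat(ts_text[:-1]).replace(tzinfo=timezone.utc)
    else:
        tz = DEVICE_TZ.get(device, timezone.utc)
        ts = datetime.fromisoformat(ts_text).replace(tzinfo=tz)
    return ts.astimezone(timezone.utc), message


def correlate(logs, window_seconds=5):
    """Sort all events on the UTC axis and group those within window_seconds.

    Returns a list of groups; each group is a list of (utc_ts, device, message).
    """
    events = sorted(
        (ts, device, message)
        for device, line in logs
        for ts, message in [parse_line(device, line)]
    )
    groups = []
    for event in events:
        if groups and (event[0] - groups[-1][-1][0]).total_seconds() <= window_seconds:
            groups[-1].append(event)
        else:
            groups.append([event])
    return groups


def devices_per_group(logs, window_seconds=5):
    """Convenience view: which devices saw each correlated event."""
    return [[dev for _, dev, _ in group] for group in correlate(logs, window_seconds)]


if __name__ == "__main__":
    for group in correlate(SAMPLE_LOGS):
        print("--- event group ---")
        for ts, dev, msg in group:
            print(f"{ts.isoformat()}  {dev:6}  {msg}")
```

With the sample input, asbr1 and asbr2 land in one group once asbr2's local time is converted, while asbr3's unsynced clock makes its copy of the same flap look like a separate incident 90 seconds later; widening the window hides the skew rather than fixing it, which is the argument for syncing the clocks in the first place.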

Ensure you have a firewall rule in place to prevent people from using your
router for NTP amplification. NTP clients are also servers. On Juniper
devices:

policy-options {
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
firewall {
    /* ... */
    term accept-ntp {
        from {
            source-prefix-list {
                ntp-servers;
            }
            protocol udp;
            port ntp;
        }
        then {
            policer management-1m;
            accept;
        }
    }
}

(see
<https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf>
for more details).
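As an added example (not from the post or the Day One book it links), the following Python audits Junos filter text for NTP terms that accept traffic without any source restriction. It parses the curly-brace configuration syntax shown above; the `family inet { filter protect-re` hierarchy and the second, deliberately unrestricted sample are constructed for illustration.

```python
"""Audit Junos firewall-filter text for NTP terms that accept from any source.

Added example for this thread; not from the Day One book or any poster.
Filter hierarchy names and the unrestricted sample are constructed.
"""
import re

# Constructed sample 1: the term shape from the post, restriction in place.
RESTRICTED = """
firewall {
    family inet {
        filter protect-re {
            term accept-ntp {
                from {
                    source-prefix-list {
                        ntp-servers;
                    }
                    protocol udp;
                    port ntp;
                }
                then {
                    policer management-1m;
                    accept;
                }
            }
        }
    }
}
"""

# Constructed sample 2: same term with no source match, so the router would
# answer NTP from anyone (the amplification exposure described in the post).
UNRESTRICTED = """
firewall {
    family inet {
        filter protect-re {
            term accept-ntp {
                from {
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
        }
    }
}
"""


def tokenize(text):
    """Split Junos text into words, quoted strings, braces and semicolons."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /* comments */
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)


def parse_block(tokens, pos=0):
    """Parse tokens into (words, children) nodes; children is None for a plain
    statement and a list for a { ... } block. Returns (nodes, next_pos)."""
    nodes, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            children, pos = parse_block(tokens, pos)
            nodes.append((tuple(words), children))
            words = []
        elif tok == "}":
            return nodes, pos
        elif tok == ";":
            nodes.append((tuple(words), None))
            words = []
        else:
            words.append(tok)
    return nodes, pos


def iter_terms(nodes):
    """Yield (term_name, term_children) for every 'term <name> { ... }' block."""
    for words, children in nodes:
        if children is None:
            continue
        if len(words) >= 2 and words[0] == "term":
            yield words[1], children
        yield from iter_terms(children)


def term_accepts(children):
    """Junos accepts by default; only an explicit discard/reject changes that."""
    for words, sub in children:
        if words and words[0] == "then":
            actions = set(words[1:]) | {w[0] for w, _ in (sub or []) if w}
            if actions & {"discard", "reject"}:
                return False
    return True


def unrestricted_ntp_terms(config_text):
    """Return names of terms that accept NTP (udp/123) without a source match."""
    nodes, _ = parse_block(tokenize(config_text))
    findings = []
    for name, children in iter_terms(nodes):
        from_stmts = next((sub for w, sub in children if w == ("from",) and sub), [])
        is_ntp = any(
            w and w[0] in ("port", "destination-port") and ({"ntp", "123"} & set(w[1:]))
            for w, _ in from_stmts
        )
        restricted = any(
            w and w[0] in ("source-prefix-list", "source-address") for w, _ in from_stmts
        )
        if is_ntp and not restricted and term_accepts(children):
            findings.append(name)
    return findings


if __name__ == "__main__":
    print("restricted sample  :", unrestricted_ntp_terms(RESTRICTED))    # []
    print("unrestricted sample:", unrestricted_ntp_terms(UNRESTRICTED))  # ['accept-ntp']
```

The check is intentionally narrow: it flags only terms that match NTP by port, carry no `source-prefix-list` or `source-address`, and end in an accept (explicit or Junos' implicit default). A term that discards NTP from everyone is left alone, and a prefix-list that happens to be empty or too broad is outside what a text-level audit can see.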

You will also need to add your localhost as a source if you want to show the NTP association status on the router:

apply-flags omit;
term allow-ntp {
    from {
        source-prefix-list {
            ntp-server;
            localhost;
        }
        protocol udp;
        port ntp;
    }
    then {
        policer gen-use-1m;
        accept;
    }
}

show policy-options prefix-list localhost
apply-flags omit;
apply-path "interfaces lo0 unit 0 family inet address <*>";

Note that if you step into the wonderful world of streaming telemetry
you MAY need to worry about certificate validation and time becomes
important for that.
Similarly any other usages of certificates on the devices will bring
with it a stricter time regime.

Yes.

There are probably a lot of technical reasons you will receive from
folk, but ultimately, if you can get all your devices in sync re: time,
simply, why not?

Mark.

Yep, that's a nasty little situation in Junos that took me a week to
figure out back in the day :-).

Mark.

Vincent Bernat
Sent: Wednesday, May 8, 2019 3:22 PM

> do you NTP sync your AS boundary routers? If so, what are incentives
> for doing so? Are there incentives, e.g. security considerations, not
> to do it?

Ensure you have a firewall rule in place to prevent people from using your router
for NTP amplification. NTP clients are also servers. On Juniper
devices:

policy-options {
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
firewall {
    /* ... */
    term accept-ntp {
        from {
            source-prefix-list {
                ntp-servers;
            }
            protocol udp;
            port ntp;
        }
        then {
            policer management-1m;
            accept;
        }
    }
}

(see
<https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf>
for more details).
--

You mean in addition to iACLs allowing only BGP and ICMP to your "infrastructure" IP address block(s) right? ;-)

adam

Hi,

We (and I suppose a lot of others) do sync the border routers like any other network device: to our internal NTP servers, which are in turn synchronized to another time source. I don't see a reason to treat them differently.