[169171] in North American Network Operators' Group
JunOS NTP - Re: OpenNTPProject.org
daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Feb 18 09:15:47 2014
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CAJygYd3f3rJYSKBzxVS=LrQHUFy7+pud1Kcv7ym2cNgbQurXzQ@mail.gmail.com>
Date: Tue, 18 Feb 2014 09:14:59 -0500
To: Yucong Sun <sunyucong@gmail.com>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
So, be careful as the Juniper solution varies depending on the platform =
involved.
Make sure you check your devices. It took a few iterations for us to =
get the right filters on everything.
- Jared
On Feb 17, 2014, at 12:26 AM, Yucong Sun <sunyucong@gmail.com> wrote:
> Just for the reference, here is a more complete solution for Junos =
(took me
> a while searching the web to figure it out), hope it helps someone.
>=20
> policy-options {
> prefix-list lo0.0-inet-address {
> apply-path "interfaces lo0 unit 0 family inet address <*>";
> }
> prefix-list ntp-servers {
> apply-path "system ntp server <*>";
> }
> }
>=20
> firewall {
> family inet {
> filter lo-filter {
> term ntp-allow {
> from {
> source-prefix-list {
> ntp-servers;
> lo0.0-inet-address;
> }
> protocol udp;
> destination-port ntp;
> }
> then accept;
> }
> term ntp-other-discard {
> from {
> protocol udp;
> destination-port ntp;
> }
> then {
> discard;
> }
> }
> term zz-accept {
> then accept;
> }
> }
> }
> }
>=20
>=20
>=20
> On Sun, Feb 16, 2014 at 8:42 PM, Mark Tinka <mark.tinka@seacom.mu> =
wrote:
>=20
>> On Monday, February 17, 2014 06:35:46 AM Lyndon Nerenberg
>> wrote:
>>=20
>>> I was suggesting it as an alternative to just chopping
>>> off NTP at your border. Presumably it would be a
>>> one-off thing until Juniper issues a patch.
>>=20
>> In Junos, applying the right filters to your router's
>> control plane will fix the issue. You don't need to block
>> NTP in the data plane.
>>=20
>> Mark.
>>=20
