On (2014-01-14 14:36 +0000), Per Granath wrote:

> # show firewall
> firewall {
>     family inet {
>         filter protect_RE {
>             term NTP {
>                 from {
>                     source-prefix-list {
>                         ntp-servers;
>                         lo0.0-inet-address;
>                     }
>                     protocol udp;
>                     port ntp;
>                 }
>                 then accept;
>             }
>         }
>     }
> }

There are two potential problems here:

a) If the NTP servers are not fully trusted (why grant them more trust than you
must?), then an NTP server can access any UDP service on the box by setting its
source port to the NTP port.

b) The destination address should always be included: you know that you talk to
NTP from the loopback, so don't allow packets to other addresses. Why? Because you
control what addresses are in your router, but you cannot always control the
source address (in an L3 MPLS VPN it is typically trusted, so the customer can
add/remove addresses). This is not usually a problem, since the customer can only
reach the PE logical interface facing the customer, but if they can change the
source, they can pretend to be your NTP source and hit your control plane. If you
verify the destination address, they can't (I presume you never configure core
loopbacks in customer link networks).

> bla
> bla
> bla
> 
> 
> -----Original Message-----
> From: juniper-nsp [mailto:[email protected]] On Behalf Of Chris Adams
> Sent: Tuesday, January 14, 2014 4:19 PM
> To: [email protected]
> Subject: Re: [j-nsp] NTP Reflection
> 
> Once upon a time, Olivier Benghozi <[email protected]> said:
> > Because if you don't do it, you'll obtain some nice "Server Timeout" if you 
> > want to issue a "show ntp status" or "show ntp associations".
> > So:
> > - Junos doesn't use 127.0.0.1 to locally communicate with ntpd
> > - In your filters you're obliged to manually authorize internal private
> > IP traffic used by the CLI that doesn't even leave the RE
> > 
> > Another fine design...
> 
> Seems like a good case for a commit script to auto-build the filter rule from 
> configured NTP servers and configured loopback addresses.
> --
> Chris Adams <[email protected]>
> _______________________________________________
> juniper-nsp mailing list [email protected] 
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 

-- 
  ++ytti
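For reference, here is the NTP term rewritten with both points (a) and (b) applied. This is an added example, not the config posted in the thread: the prefix-list bodies are assumptions (placeholder server addresses, and an apply-path to pull the RE's own lo0 addresses), and the original filter's other terms are not shown.

```junos
/* Added example, not the posted config. Prefix-list contents are assumptions. */
policy-options {
    prefix-list ntp-servers {
        /* Assumption: placeholder addresses standing in for your real NTP servers. */
        192.0.2.10/32;
        192.0.2.11/32;
    }
    prefix-list lo0.0-inet-address {
        /* Assumption: derive the RE's own loopback addresses from the interface config. */
        apply-path "interfaces lo0 unit 0 family inet address <*>";
    }
}
firewall {
    family inet {
        filter protect_RE {
            term NTP {
                from {
                    /* (b): only accept packets addressed to our own loopback(s),
                       so a spoofed NTP-server source hitting another RE address fails. */
                    destination-prefix-list {
                        lo0.0-inet-address;
                    }
                    source-prefix-list {
                        ntp-servers;
                        lo0.0-inet-address;
                    }
                    protocol udp;
                    /* (a): "port ntp" matched source OR destination port, which let a
                       host in ntp-servers reach any UDP service by sending from port 123.
                       Match the destination port explicitly instead. */
                    destination-port ntp;
                }
                then accept;
            }
            /* The remaining protect_RE terms and the closing discard term go here. */
        }
    }
}
```

The `lo0.0-inet-address` entry stays in the source list as well as the destination list because, as noted earlier in the thread, the CLI's own queries to ntpd are sourced from the RE's address and must also pass the filter. The filter must still be applied as an input filter on lo0 for any of this to take effect.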