> Vincent Bernat
> Sent: Wednesday, May 8, 2019 3:22 PM
>
> ❦ 8 mai 2019 09:56 +02, Lars Prehn <[email protected]>:
>
> > do you NTP sync your AS boundary routers? If so, what are incentives
> > for doing so? Are there incentives, e.g. security considerations, not
> > to do it?
>
> Ensure you have a firewall rule in place to prevent people from using your
> router for NTP amplification. NTP clients are also servers. On Juniper
> devices:
>
>     policy-options {
>         prefix-list ntp-servers {
>             apply-path "system ntp server <*>";
>         }
>     }
>     firewall {
>         /* ... */
>         term accept-ntp {
>             from {
>                 source-prefix-list {
>                     ntp-servers;
>                 }
>                 protocol udp;
>                 port ntp;
>             }
>             then {
>                 policer management-1m;
>                 accept;
>             }
>         }
>     }
>
> (see
> <https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf>
> for more details).
> --
You mean in addition to iACLs allowing only BGP and ICMP to your "infrastructure" IP address block(s) right? ;)

adam
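A simplified model of the accept-ntp term quoted above, added here as an illustration and not part of the thread or of any Juniper tooling. The sample configuration, the addresses (documentation ranges), the packet dictionaries and the function names are all constructed, and the model assumes later filter terms discard whatever this term does not match.

```python
import ipaddress
import re

# Constructed sample configuration in "set" format; the addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_CONFIG = """\
set system ntp server 192.0.2.10
set system ntp server 192.0.2.11 prefer
set system ntp server 2001:db8::123
set system name-server 192.0.2.53
"""

# Constructed packets: traffic from a configured server, a query from an
# unrelated source, a non-NTP infrastructure host, and a TCP packet.
PACKETS = [
    {"src": "192.0.2.10", "proto": "udp", "sport": 123, "dport": 123},
    {"src": "198.51.100.7", "proto": "udp", "sport": 40000, "dport": 123},
    {"src": "192.0.2.53", "proto": "udp", "sport": 53, "dport": 123},
    {"src": "192.0.2.11", "proto": "tcp", "sport": 123, "dport": 123},
]


def expand_ntp_servers(config_text):
    """Emulate apply-path "system ntp server <*>": one host prefix per server."""
    servers = []
    for line in config_text.splitlines():
        m = re.match(r"\s*set system ntp server (\S+)", line)
        if m:
            servers.append(ipaddress.ip_network(m.group(1)))  # /32 or /128
    return servers


def accept_ntp(packet, prefix_list):
    """Return True when the packet matches term accept-ntp (policer + accept).

    False means it falls through to later terms (assumed to discard it).
    """
    src = ipaddress.ip_address(packet["src"])
    from_server = any(src.version == n.version and src in n for n in prefix_list)
    is_udp = packet["proto"] == "udp"
    # Junos "port" matches either the source or the destination port (123 = ntp).
    is_ntp = 123 in (packet["sport"], packet["dport"])
    return from_server and is_udp and is_ntp


if __name__ == "__main__":
    plist = expand_ntp_servers(SAMPLE_CONFIG)
    for p in PACKETS:
        print(p["src"], "accept" if accept_ntp(p, plist) else "next term")
```

Only the first packet matches: the prefix list is derived from the configured NTP servers alone, so the router's NTP service is unreachable from any other source, including other hosts configured elsewhere under `system`.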

