Re: NTP for ASBRs?

2019-05-08 Thread Radu-Adrian Feurdean
On Wed, May 8, 2019, at 14:21, Lars Prehn wrote:
> Hi everyone,
> 
> do you NTP sync your AS boundary routers? If so, what are incentives for 
> doing so? Are there incentives, e.g. security considerations, not to do it?

Hi,

We (and I suppose a lot of others) do sync the border routers like any other 
network device: to our internal NTP servers, which are in their turn 
synchronized to other time sources. I don't see a reason to treat them 
differently.


Re: NTP for ASBRs?

2019-05-08 Thread Chris Adams
Once upon a time, Royce Williams  said:
> The La Crosse 404-1235UA-SS UltrAtomic (not affiliated, just a fan) tracks
> DST - and even leap seconds. They have much better reach than previous
> similar clocks.

Looks like somebody finally brought a clock to market that uses the
new-format phase-modulated signal.  Hopefully there'll be more, but with
the WWVB funding threats, I wouldn't be surprised if companies don't
want to invest in any new products that use it.

-- 
Chris Adams 


Re: NTP for ASBRs?

2019-05-08 Thread Royce Williams
On Wed, May 8, 2019 at 7:16 PM Bryan Holloway  wrote:

> On 5/8/19 7:55 PM, Brian Kantor wrote:
> > On Wed, May 08, 2019 at 07:47:56PM -0500, Bryan Holloway wrote:
> >> 100% true. But there is also a practical side to this ...
> >>
> >> When a NOC-ling, in their own local timezone, says, "hey, what happened
> >> two hours ago?", they have to make a calculation. And that calculation
> >> annoyingly depends on the time of year in many if not most locales
> >> worldwide. And to make matters worse, some folks change at different
> >> times of the year, so, if you're a global network 
> >>
> >> Hawai'i and Arizona can add/subtract without looking at the damn
> >> calendar. I'm just sayin' I'd like to see more of that.
> >
> > Clocks are cheap. I have two on the wall; one is local time and
> > the other is marked GMT.
> >   - Brian
>
> Cheap != free. Many clocks have to be set after a DST change. Clocks
> that do this automatically are > cheap.
>
> I stand by my point.
>
> Disclaimer: I have two clocks.
>

Assuming that WWVB will persist (a medium-sized assumption) ...

The La Crosse 404-1235UA-SS UltrAtomic (not affiliated, just a fan) tracks
DST - and even leap seconds. They have much better reach than previous
similar clocks. Mine work during daytime deep inside buildings in Alaska,
far outside the traditional WWVB reach. They're also simple and
legible, which could make them a good NOC choice. Local timezone is
adjustable, so you could easily run one on local time and one on UTC. They
also change their hand positions to indicate low-battery status. Not cheap,
but not too bad - price hovers around US$48-$52. Big fan.

Royce


Re: NTP for ASBRs?

2019-05-08 Thread Bryan Holloway

On 5/8/19 10:15 PM, Bryan Holloway wrote:
> On 5/8/19 7:55 PM, Brian Kantor wrote:
>> On Wed, May 08, 2019 at 07:47:56PM -0500, Bryan Holloway wrote:
>>> 100% true. But there is also a practical side to this ...
>>>
>>> When a NOC-ling, in their own local timezone, says, "hey, what happened
>>> two hours ago?", they have to make a calculation. And that calculation
>>> annoyingly depends on the time of year in many if not most locales
>>> worldwide. And to make matters worse, some folks change at different
>>> times of the year, so, if you're a global network 
>>>
>>> Hawai'i and Arizona can add/subtract without looking at the damn
>>> calendar. I'm just sayin' I'd like to see more of that.
>>
>> Clocks are cheap. I have two on the wall; one is local time and
>> the other is marked GMT.
>>   - Brian
>
> Cheap != free. Many clocks have to be set after a DST change. Clocks
> that do this automatically are > cheap.
>
> I stand by my point.
>
> Disclaimer: I have two clocks.

And furthermore, GMT != UTC.


Re: NTP for ASBRs?

2019-05-08 Thread Bryan Holloway




On 5/8/19 7:55 PM, Brian Kantor wrote:
> On Wed, May 08, 2019 at 07:47:56PM -0500, Bryan Holloway wrote:
>> 100% true. But there is also a practical side to this ...
>>
>> When a NOC-ling, in their own local timezone, says, "hey, what happened
>> two hours ago?", they have to make a calculation. And that calculation
>> annoyingly depends on the time of year in many if not most locales
>> worldwide. And to make matters worse, some folks change at different
>> times of the year, so, if you're a global network 
>>
>> Hawai'i and Arizona can add/subtract without looking at the damn
>> calendar. I'm just sayin' I'd like to see more of that.
>
> Clocks are cheap. I have two on the wall; one is local time and
> the other is marked GMT.
>   - Brian

Cheap != free. Many clocks have to be set after a DST change. Clocks 
that do this automatically are > cheap.

I stand by my point.

Disclaimer: I have two clocks.


Re: NTP for ASBRs?

2019-05-08 Thread Randy Bush
> isn't the point: "Pick one for all of your things, stick to that one
> thing" it's fine if you pick central indiana time, if you are setting
> the same everywhere and keeping it updated properly

i find the time zone they choose says a lot about an operation.  can be
a flag of parochialism.

randy


Re: NTP for ASBRs?

2019-05-08 Thread Christopher Morrow
On Wed, May 8, 2019 at 9:42 PM Valdis Klētnieks  wrote:
>
>
> Newfoundland time, anybody? :)
>

isn't the point: "Pick one for all of your things, stick to that one thing"
it's fine if you pick central indiana time, if you are setting the
same everywhere and keeping it updated properly...AND you agree that
when I send you central Fiji time you'll silently convert =57 hrs and
understand that we're talking about the same slice of time.

UTC is nice
EST is nice
PDT is nice..

pick one, deal with the eccentricities of that decision without
foisting your religion on the rest of me. :)
Also, PLEASE use a constant / automatic time source that's available
world-wide (like NTP).

-chris


Re: EXERCISE: 2019 IAA Planetary Defence Conference - Day 5 Scenario

2019-05-08 Thread Rich Kulawiec
On Wed, May 08, 2019 at 10:11:10AM -0400, Sean Donelan wrote:
> Many exercise designers could use help coming up with useful Internet
> disaster sub-plots.  Bad enough to inject stress into the exercise, but not
> extinction.
> 
> All ISP tech support agents are infected, and become brain eating zombies.

We call that "Tuesday".

---rsk

p.s. On a more serious note, disaster exercises that include partial
failures of emergency response infrastructure are often quite challenging.
As I write this, the IT infrastructure of Baltimore is down due to
a ransomware attack.  As a consequence, while 911 is functional,
fire department computers are down.  If a significant event requiring
BCFD happened tonight, it would be challenging for them to coordinate
a large-scale response.


Re: NTP for ASBRs?

2019-05-08 Thread Scott Weeks


--- valdis.kletni...@vt.edu wrote:
From: "Valdis Klētnieks" 
On Wed, 08 May 2019 14:00:11 -0700, "Scott Weeks" said:
> From: Job Snijders 
>
> on this topic, i strongly recommend to operate all
> devices in the Etc/UTC timezone, this makes
> coordination with external entities much easier.
> 
>
>
> Yes, this!  Holy crap I come upon a lot of networks
> that don't do this and it's always painful.

Newfoundland time, anybody? :)


I had to go and look that up:

"The Newfoundland Time Zone (NT) is a geographic 
region that keeps time by subtracting 3 1/2 hours 
from Coordinated Universal Time (UTC) during 
standard time, resulting in UTC−03:30; or subtracting 
2 1/2 hours during daylight saving time."

WTF???  This is exactly what I mean on a geographically 
dispersed network.  Do everything UTC and put clocks 
on your computer/wall/phone/whatever.  Then, like Job 
said, it's easier to coordinate with others not in 
your timezone.

scott




Re: NTP for ASBRs?

2019-05-08 Thread Valdis Klētnieks
On Wed, 08 May 2019 14:00:11 -0700, "Scott Weeks" said:

> From: Job Snijders 
>
> on this topic, i strongly recommend to operate all
> devices in the Etc/UTC timezone, this makes
> coordination with external entities much easier.
> 
>
>
> Yes, this!  Holy crap I come upon a lot of networks
> that don't do this and it's always painful.

Newfoundland time, anybody? :)





Re: NTP for ASBRs?

2019-05-08 Thread Brian Kantor
On Wed, May 08, 2019 at 07:47:56PM -0500, Bryan Holloway wrote:
> 100% true. But there is also a practical side to this ...
> 
> When a NOC-ling, in their own local timezone, says, "hey, what happened 
> two hours ago?", they have to make a calculation. And that calculation 
> annoyingly depends on the time of year in many if not most locales 
> worldwide. And to make matters worse, some folks change at different 
> times of the year, so, if you're a global network 
> 
> Hawai'i and Arizona can add/subtract without looking at the damn 
> calendar. I'm just sayin' I'd like to see more of that.

Clocks are cheap. I have two on the wall; one is local time and
the other is marked GMT.
- Brian



Re: NTP for ASBRs?

2019-05-08 Thread Bryan Holloway

On 5/8/19 6:54 PM, Scott Weeks wrote:
> --- br...@shout.net wrote:
> From: Bryan Holloway 
> On 5/8/19 4:00 PM, Scott Weeks wrote:
>> --- j...@ntt.net wrote:
>> From: Job Snijders 
>>
>> on this topic, i strongly recommend to operate all
>> devices in the Etc/UTC timezone, this makes
>> coordination with external entities much easier.
>>
>> Yes, this!  Holy crap I come upon a lot of networks
>> that don't do this and it's always painful.
>
> Now if only we could get rid of Daylight Saving Time ...
> --
>
> Luckily, Hawaii doesn't have that problem...
>
> https://en.wikipedia.org/wiki/Daylight_saving_time_in_the_United_States#Hawaii
>
> But, that's the thing.  One time.  No trying to figure
> out who does DST and who doesn't.

100% true. But there is also a practical side to this ...

When a NOC-ling, in their own local timezone, says, "hey, what happened 
two hours ago?", they have to make a calculation. And that calculation 
annoyingly depends on the time of year in many if not most locales 
worldwide. And to make matters worse, some folks change at different 
times of the year, so, if you're a global network 


Hawai'i and Arizona can add/subtract without looking at the damn 
calendar. I'm just sayin' I'd like to see more of that.


Re: EXERCISE: 2019 IAA Planetary Defence Conference - Day 5 Scenario

2019-05-08 Thread J. Hellenthal via NANOG
To sum it all up... if and when ... I doubt we will worry about the internet.

Food, water, shelter and ammunition || that’s all else if anyone could 
possibly make it through.

#ProblemSolved



-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On May 8, 2019, at 18:03, Mark Rousell  wrote:
> 
>> On 08/05/2019 02:44, Sean Donelan wrote:
>> Of course, any fictional scenario is more likely to hit an ocean or miss the 
>> planet. But that makes for a dull exercise. 
> 
> An ocean impact needn't be boring. It would potentially create megatsunamis 
> over a possibly wide area on multiple coasts. Even cities away from coasts 
> but on rivers could be affected.
> 
> A large ocean impactor could even damage undersea cables.
> 
> -- 
> Mark Rousell




Re: NTP for ASBRs?

2019-05-08 Thread Scott Weeks



--- br...@shout.net wrote:
From: Bryan Holloway 
On 5/8/19 4:00 PM, Scott Weeks wrote:
> --- j...@ntt.net wrote:
> From: Job Snijders 
> 
> on this topic, i strongly recommend to operate all
> devices in the Etc/UTC timezone, this makes
> coordination with external entities much easier.
> 
> 
> 
> Yes, this!  Holy crap I come upon a lot of networks
> that don't do this and it's always painful.

Now if only we could get rid of Daylight Saving Time ...
--

Luckily, Hawaii doesn't have that problem...

https://en.wikipedia.org/wiki/Daylight_saving_time_in_the_United_States#Hawaii

But, that's the thing.  One time.  No trying to figure 
out who does DST and who doesn't.

From the above:

===
Arizona has not observed DST since 1967

Calif - in 2018, voters ratified a legislative plan for 
year-round daylight saving time, subject to congressional 
approval.

On March 6, 2018, the Florida Senate approved the "Sunshine 
Protection Act" which would put Florida on permanent Daylight 
Saving Time year round...Congress would need to amend the 
existing 1966 federal law to allow the change.

Hawaii has never observed daylight saving time



etc...

scott


Re: NTP for ASBRs?

2019-05-08 Thread Bryan Holloway

On 5/8/19 4:00 PM, Scott Weeks wrote:
> --- j...@ntt.net wrote:
> From: Job Snijders 
>
> on this topic, i strongly recommend to operate all
> devices in the Etc/UTC timezone, this makes
> coordination with external entities much easier.
>
> Yes, this!  Holy crap I come upon a lot of networks
> that don't do this and it's always painful.
>
> scott

Now if only we could get rid of Daylight Saving Time ...


Re: EXERCISE: 2019 IAA Planetary Defence Conference - Day 5 Scenario

2019-05-08 Thread Mark Rousell
On 08/05/2019 02:44, Sean Donelan wrote:
> Of course, any fictional scenario is more likely to hit an ocean or
> miss the planet. But that makes for a dull exercise.

An ocean impact needn't be boring. It would potentially create
megatsunamis over a possibly wide area on multiple coasts. Even cities
away from coasts but on rivers could be affected.

A large ocean impactor could even damage undersea cables.

-- 
Mark Rousell



Re: NTP for ASBRs?

2019-05-08 Thread Scott Weeks



--- j...@ntt.net wrote:
From: Job Snijders 

on this topic, i strongly recommend to operate all 
devices in the Etc/UTC timezone, this makes 
coordination with external entities much easier.



Yes, this!  Holy crap I come upon a lot of networks 
that don't do this and it's always painful.

scott


Re: Routing issues to AWS environment.

2019-05-08 Thread John Von Essen
I was just about to email the group for a related issue.

We are also seeing some funky routing/peering within the AWS network.

We primarily communicate with Verizon Media/Oath - AS10310. Verizon Media has a 
presence in Singapore, and it's peered locally with AWS AS38895 - we normally 
see 8ms latency. Verizon Media also peers with AWS AS16509 in Japan, but for 
Singapore traffic, Verizon Media sends a lower MED so AWS Singapore should 
prefer that route/peer. That's not working properly on the AWS side: all of 
our traffic is going to Japan, and this started early AM today.

I had Verizon Media investigate, and we gave them our AWS Singapore IP 
addresses; they confirmed that they are not receiving those 
prefixes/announcements from AWS Singapore (AS38895).

So something is broken…. hopefully if someone from AWS is reading they can 
escalate.

In my case, the AWS Singapore IP ranges in question are: 46.51.216.0/21 and 
52.74.0.0/16

-John




> On May 8, 2019, at 10:55 AM, Curt Rice  wrote:
> 
> Hi, are there any AWS engineers out there? We are seeing routing problems 
> between NTT and AWS in Ashburn, Va and would like to find out which side is 
> having the problem.
>  
> Thanks,
> Curt



Routing issues to AWS environment.

2019-05-08 Thread Curt Rice
Hi, are there any AWS engineers out there? We are seeing routing problems 
between NTT and AWS in Ashburn, Va and would like to find out which side is 
having the problem.

Thanks,
Curt


Spoofer Report for NANOG for Apr 2019

2019-05-08 Thread CAIDA Spoofer Project
In response to feedback from operational security communities,
CAIDA's source address validation measurement project
(https://spoofer.caida.org) is automatically generating monthly
reports of ASes originating prefixes in BGP for systems from which
we received packets with a spoofed source address.
We are publishing these reports to network and security operations
lists in order to ensure this information reaches operational
contacts in these ASes.

This report summarises tests conducted within usa, can.

Inferred improvements during Apr 2019:
   ASN Name                           Fixed-By
 53597 HOYOS-CONSULTING-LLC           2019-04-09
  2828 XO-AS15                        2019-04-10
 33523 ROWANUNIVERSITY                2019-04-24

Further information for the inferred remediation is available at:
https://spoofer.caida.org/remedy.php

Source Address Validation issues inferred during Apr 2019:
   ASN Name                           First-Spoofed Last-Spoofed
  6939 HURRICANE                      2016-02-22    2019-04-04
  5650 FRONTIER-FRTR                  2016-02-22    2019-04-15
  7029 WINDSTREAM                     2016-06-21    2019-04-06
   209 CENTURYLINK-US-LEGACY-QWEST    2016-08-16    2019-04-30
  6128 CABLE-NET-1                    2016-09-03    2019-04-11
 20412 CLARITY-TELECOM                2016-09-30    2019-04-27
  6181 FUSE-NET                       2016-10-10    2019-04-30
 25787 ROWE-NETWORKS                  2016-10-21    2019-04-27
   174 COGENT-174                     2016-10-21    2019-04-02
 30341 SCTA-ASN                       2016-10-31    2019-04-16
 32440 LONI                           2016-11-03    2019-04-24
 12083 WOW-INTERNET                   2016-11-09    2019-04-25
 13427 SOFTCOM-INTERNET-COMMUNICATION 2016-11-14    2019-04-30
 21832 KELLINCOM-1                    2017-02-03    2019-04-29
 18451 LESNET                         2017-02-22    2019-04-05
 36007 KAMATERA                       2017-04-21    2019-04-26
 19624 SERVERROOM                     2017-06-02    2019-04-30
  6461 ZAYO-6461                      2017-06-21    2019-04-15
 63296 AMARILLO-WIRELESS              2017-09-01    2019-04-25
 33523 ROWANUNIVERSITY                2017-10-29    2019-04-17
     1 AKAMAI                         2018-02-14    2019-04-26
  4201 ORST                           2018-04-19    2019-04-30
393564 SPOKANE                        2018-06-05    2019-04-17
   225 VIRGINIA                       2018-06-18    2019-04-26
 40911 L2NC                           2018-08-31    2019-04-24
 33452 RW                             2018-09-19    2019-04-11
 20448 VPNTRANET-LLC                  2018-09-20    2019-04-10
 11215 LOGIXCOMM                      2018-09-20    2019-04-02
 11996 LOBOIS                         2018-09-24    2019-04-02
 13825 TROYCABLE-NET                  2018-11-21    2019-04-11
393437 KLAYER                         2018-12-21    2019-04-27
 62957 HOSPITALITY-NETWORK            2018-12-30    2019-04-06
 63275 RADIOWIRE                      2019-02-07    2019-04-29
 19531 NODESDIRECT                    2019-03-14    2019-04-25
 11297 LIPSCOMB                       2019-03-29    2019-04-12
 14813 BB-COLUMBUS                    2019-04-08    2019-04-11
 15290 ALLST-15290                    2019-04-09    2019-04-10
  8047 GCI                            2019-04-11    2019-04-30
 10745 ARIN-ASH-CHA                   2019-04-29    2019-04-29

Further information for these tests where we received spoofed
packets is available at:
https://spoofer.caida.org/recent_tests.php?country_include=usa,can&no_block=1

Please send any feedback or suggestions to spoofer-i...@caida.org


RE: NTP for ASBRs?

2019-05-08 Thread adamv0025
> Vincent Bernat
> Sent: Wednesday, May 8, 2019 3:22 PM
> 
>  ❦  8 mai 2019 09:56 +02, Lars Prehn :
> 
> > do you NTP sync your AS boundary routers? If so, what are incentives
> > for doing so? Are there incentives, e.g. security considerations, not
> > to do it?
> 
> Ensure you have a firewall rule in place to prevent people from using your router
> for NTP amplification. NTP clients are also servers. On Juniper
> devices:
> 
> policy-options {
>     prefix-list ntp-servers {
>         apply-path "system ntp server <*>";
>     }
> }
> firewall {
>     /* ... */
>     term accept-ntp {
>         from {
>             source-prefix-list {
>                 ntp-servers;
>             }
>             protocol udp;
>             port ntp;
>         }
>         then {
>             policer management-1m;
>             accept;
>         }
>     }
> }
> 
> (see
>  ecuring_RouteEngine_v2.pdf>
> for more details).
> --

You mean in addition to iACLs allowing only BGP and ICMP to your 
"infrastructure" IP address block(s) right? ;)

adam




Re: NTP for ASBRs?

2019-05-08 Thread John Kristoff
On Wed, 8 May 2019 07:56:33 +
Lars Prehn  wrote:

> do you NTP sync your AS boundary routers? If so, what are incentives for 
> doing so? Are there incentives, e.g. security considerations, not to do it?

In addition to what others have mentioned, if these systems are to
perform route origin validation (ROV), an accurate notion of time would
be desirable.  From section 6 in IETF RFC 7115 / BCP 185 - Origin
Validation Operation Based on the Resource Public Key Infrastructure
(RPKI):

   As a router must evaluate certificates and ROAs that are time
   dependent, routers' clocks MUST be correct to a tolerance of
   approximately an hour.

John


Re: NTP for ASBRs?

2019-05-08 Thread Mark Tinka



On 8/May/19 16:22, Vincent Bernat wrote:

> Ensure you have a firewall rule in place to prevent people from using your
> router for NTP amplification. NTP clients are also servers. On Juniper
> devices:

Yep, that's a nasty little situation in Junos that took me a week to
figure out back in the day :-).

Mark.


Re: NTP for ASBRs?

2019-05-08 Thread Mark Tinka



On 8/May/19 09:56, Lars Prehn wrote:

> Hi everyone,
>
> do you NTP sync your AS boundary routers? If so, what are incentives
> for doing so? Are there incentives, e.g. security considerations, not
> to do it?

Yes.

There are probably a lot of technical reasons you will receive from
folk, but ultimately, if you can get all your devices in sync re: time,
simply, why not?

Mark.


Re: EXERCISE: 2019 IAA Planetary Defence Conference - Day 5 Scenario

2019-05-08 Thread james jones
Did anyone trying calling Bruce Willis?

On Wed, May 8, 2019 at 10:41 AM William Herrin  wrote:

> On Tue, May 7, 2019 at 11:20 AM Sean Donelan  wrote:
>
>> The scenario was chosen to stress the participants, not an actual asteroid
>> impact. It was a fictional scenario. This was only an exercise.
>>
>> 60 meter asteroid impact in New York City, NY (roughly Central Park, NYC)
>>
>
> So what happened? Where's the post-game? You guys had 8 years to stop the
> thing. Why is there a big hole in Manhattan? And with 10 days warning at
> the very end, why did any critical Internet operations remain active in NYC?
>
> Regards,
> Bill
>
>
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Dirtside Systems . Web: 
>


Re: EXERCISE: 2019 IAA Planetary Defence Conference - Day 5 Scenario

2019-05-08 Thread William Herrin
On Tue, May 7, 2019 at 11:20 AM Sean Donelan  wrote:

> The scenario was chosen to stress the participants, not an actual asteroid
> impact. It was a fictional scenario. This was only an exercise.
>
> 60 meter asteroid impact in New York City, NY (roughly Central Park, NYC)
>

So what happened? Where's the post-game? You guys had 8 years to stop the
thing. Why is there a big hole in Manhattan? And with 10 days warning at
the very end, why did any critical Internet operations remain active in NYC?

Regards,
Bill


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: NTP for ASBRs?

2019-05-08 Thread Christopher Morrow
On Wed, May 8, 2019 at 8:38 AM Job Snijders  wrote:
>
> Dear Lars,
>
> On Wed, May 08, 2019 at 09:56:33AM +0200, Lars Prehn wrote:
> > do you NTP sync your AS boundary routers?
>
> yes
>
> > If so, what are incentives for doing so? Are there incentives, e.g.
> > security considerations, not to do it?
>
> The major advantage of NTP syncing your routers is that it allows you to
> more effectively correlate any log messages that these devices emit to
> log messages other devices generated.

Note that if you step into the wonderful world of streaming telemetry
you MAY need to worry about certificate validation and time becomes
important for that.
Similarly any other usages of certificates on the devices will bring
with it a stricter time regime.


Re: NTP for ASBRs?

2019-05-08 Thread Kenneth McRae via NANOG


You will also need to add your localhost as a source if you want to show the 
ntp association status on the router

apply-flags omit;
term allow-ntp {
    from {
        source-prefix-list {
            ntp-server;
            localhost;
        }
        protocol udp;
        port ntp;
    }
    then {
        policer gen-use-1m;
        accept;
    }
}

show policy-options prefix-list localhost
apply-flags omit;
apply-path "interfaces lo0 unit 0 family inet address <*>";



> On May 8, 2019, at 7:22 AM, Vincent Bernat  wrote:
> 
> ❦  8 mai 2019 09:56 +02, Lars Prehn :
> 
>> do you NTP sync your AS boundary routers? If so, what are incentives
>> for doing so? Are there incentives, e.g. security considerations, not
>> to do it?
> 
> Ensure you have a firewall rule in place to prevent people from using your
> router for NTP amplification. NTP clients are also servers. On Juniper
> devices:
> 
> policy-options {
>     prefix-list ntp-servers {
>         apply-path "system ntp server <*>";
>     }
> }
> firewall {
>     /* ... */
>     term accept-ntp {
>         from {
>             source-prefix-list {
>                 ntp-servers;
>             }
>             protocol udp;
>             port ntp;
>         }
>         then {
>             policer management-1m;
>             accept;
>         }
>     }
> }
> 
> (see
> 
> for more details).
> -- 
> Keep it simple to make it faster.
>- The Elements of Programming Style (Kernighan & Plauger)



Re: NTP for ASBRs?

2019-05-08 Thread Vincent Bernat
 ❦  8 mai 2019 09:56 +02, Lars Prehn :

> do you NTP sync your AS boundary routers? If so, what are incentives
> for doing so? Are there incentives, e.g. security considerations, not
> to do it?

Ensure you have a firewall rule in place to prevent people from using your
router for NTP amplification. NTP clients are also servers. On Juniper
devices:

policy-options {
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
firewall {
    /* ... */
    term accept-ntp {
        from {
            source-prefix-list {
                ntp-servers;
            }
            protocol udp;
            port ntp;
        }
        then {
            policer management-1m;
            accept;
        }
    }
}

(see

for more details).
-- 
Keep it simple to make it faster.
- The Elements of Programming Style (Kernighan & Plauger)
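Added example (not from Vincent's or Kenneth's posts): the same accept-ntp decision expressed in Python so it can be run over captured UDP/123 traffic and show which packets the term admits and which it drops. The server addresses, loopback address, sample packets and function names are constructed for this example.

```python
import ipaddress

# Assumed, constructed values: what the two Junos prefix-lists from the thread
# ("ntp-servers" via apply-path "system ntp server <*>", and "localhost" via
# apply-path on lo0) would expand to on one router. Not from the original post.
NTP_SERVERS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}
LOCALHOST = {ipaddress.ip_address("198.51.100.1")}
NTP_PORT = 123

# NTP association modes (RFC 5905; first header byte is LI:2 VN:3 Mode:3).
MODE_NAMES = {0: "reserved", 1: "symmetric-active", 2: "symmetric-passive",
              3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}


def ntp_mode(payload: bytes) -> int:
    """Return the 3-bit mode field of an NTP header."""
    if len(payload) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    return payload[0] & 0x07


def build_ntp_packet(mode: int, version: int = 4) -> bytes:
    """Constructed 48-byte NTP header with only VN and Mode set (sample input)."""
    return bytes([(version << 3) | mode]) + b"\x00" * 47


def accept_ntp(src_ip: str, src_port: int, dst_port: int, payload: bytes):
    """Decide as the thread's 'accept-ntp' term would.

    Junos 'port ntp' matches source OR destination port 123, so both a reply
    from a server (src 123) and a request aimed at us (dst 123) hit the term.
    What actually gates access is the source-prefix-list: the router's own
    NTP process would otherwise answer any mode-3 request it receives, which
    is the "NTP clients are also servers" point made above.
    Returns (action, reason); 'next-term' means this term did not match.
    """
    kind = MODE_NAMES.get(ntp_mode(payload), "unknown")
    if NTP_PORT not in (src_port, dst_port):
        return "next-term", f"{kind}: not udp/123"
    src = ipaddress.ip_address(src_ip)
    if src in NTP_SERVERS or src in LOCALHOST:
        return "accept", f"{kind} from configured server/loopback (subject to policer)"
    return "discard", f"{kind} from {src_ip}: not in ntp-servers or localhost"


# Constructed sample traffic arriving at the routing engine: (src, sport, dport, pkt).
SAMPLE_TRAFFIC = [
    ("192.0.2.10", 123, 50123, build_ntp_packet(4)),    # reply from our own server
    ("198.51.100.1", 123, 123, build_ntp_packet(3)),    # router polling itself via lo0
    ("203.0.113.5", 40000, 123, build_ntp_packet(3)),   # stranger asking us for time
    ("203.0.113.7", 40001, 123, build_ntp_packet(7)),   # stranger sending a mode-7 query
    ("203.0.113.9", 40002, 53, b"\x00" * 48),           # not NTP at all
]


def audit(traffic):
    """Apply accept_ntp to each sample and return (src, action, reason) rows."""
    return [(src, *accept_ntp(src, sp, dp, pkt)) for src, sp, dp, pkt in traffic]


if __name__ == "__main__":
    for src, action, reason in audit(SAMPLE_TRAFFIC):
        print(f"{src:>14} {action:<9} {reason}")
```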


Re: EXERCISE: 2019 IAA Planetary Defence Conference - Day 5 Scenario

2019-05-08 Thread Bryan Fields
On 5/7/19 3:39 PM, Mark Seiden wrote:
> excellent!  (but i was hoping this would be a swamp-draining-by-vaporization
> exercise.)

the matador...the matador... the matador!

-- 
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net


Re: EXERCISE: 2019 IAA Planetary Defence Conference - Day 5 Scenario

2019-05-08 Thread Sean Donelan

On Tue, 7 May 2019, Haudy Kazemi wrote:
> For any hit, a lot depends on impactor size. With an impactor of the size
> that took out the non-avian dinosaurs...the site of impact probably won't
> matter to us if humanity is unable to deflect it.


I understand the intent.  Earth is still a single point of failure.

For disaster exercise planning purposes, extinction level events don't 
make for very interesting game-play. The disaster game-play is over by 
Monday afternoon, and the rest of the exercise week is a bust. The white 
team is forced to roll-back time and raise civilization from the ashes 
to continue with the rest of the week.  That's why extinction level events are 
generally used only in disaster planning study papers, not exercises.



Many exercise designers could use help coming up with useful Internet 
disaster sub-plots.  Bad enough to inject stress into the exercise, but 
not extinction.


All ISP tech support agents are infected, and become brain eating 
zombies.


Re: NTP for ASBRs?

2019-05-08 Thread Job Snijders
Dear Lars,

On Wed, May 08, 2019 at 09:56:33AM +0200, Lars Prehn wrote:
> do you NTP sync your AS boundary routers?

yes

> If so, what are incentives for doing so? Are there incentives, e.g.
> security considerations, not to do it?

The major advantage of NTP syncing your routers is that it allows you to
more effectively correlate any log messages that these devices emit to
log messages other devices generated.

Did two events happen at separate times, or was it perhaps the same
event at the same time? The incentive is ease of troubleshooting.

on this topic, i strongly recommend to operate all devices in the
Etc/UTC timezone, this makes coordination with external entities much
easier.

Kind regards,

Job
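Added example (not from Job's post) of the log-correlation point, and of why the Etc/UTC advice matters: two constructed routers report the same BGP session drop, one with a UTC clock and one left in Newfoundland Daylight Time (UTC-02:30, as raised in the thread). Host names, log lines, the five-second window and the function names are all constructed; fixed offsets are used so no tz database is needed.

```python
from datetime import datetime, timedelta, timezone

# Assumed, constructed: the time zone each device is configured in.
DEVICE_TZ = {
    "rtr-utc": timezone.utc,                                 # Etc/UTC, as recommended
    "rtr-nl": timezone(timedelta(hours=-2, minutes=-30)),   # Newfoundland Daylight Time
}

# Constructed syslog lines: "<host> <timestamp in the device's own zone> <message>".
SAMPLE_LOGS = [
    "rtr-utc 2019-05-08T18:00:03 bgp: peer 192.0.2.1 (AS64496) went down",
    "rtr-nl 2019-05-08T15:30:05 bgp: peer 192.0.2.1 (AS64496) went down",
    "rtr-nl 2019-05-08T18:00:04 ntp: clock stepped by -0.012s",
]


def parse_line(line: str, honour_device_tz: bool = True):
    """Split a sample line and return (host, UTC timestamp, message).

    With honour_device_tz=False the collector treats every stamp as UTC,
    which is what happens when nobody records which zone a device runs in.
    """
    host, stamp, msg = line.split(" ", 2)
    local = datetime.fromisoformat(stamp)
    tz = DEVICE_TZ[host] if honour_device_tz else timezone.utc
    return host, local.replace(tzinfo=tz).astimezone(timezone.utc), msg


def correlate(lines, window=timedelta(seconds=5), honour_device_tz=True):
    """Group events whose normalised timestamps lie within `window` of the
    previous event in the group. Returns a list of groups of (host, ts, msg)."""
    events = sorted((parse_line(l, honour_device_tz) for l in lines), key=lambda e: e[1])
    groups = []
    for ev in events:
        if groups and ev[1] - groups[-1][-1][1] <= window:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups


def describe(groups):
    """Flatten groups to lists of 'host: message' strings for display and tests."""
    return [[f"{h}: {m}" for h, _, m in g] for g in groups]


if __name__ == "__main__":
    # Zone-aware: both "peer went down" lines land in one group, two seconds apart.
    print("zone-aware:", describe(correlate(SAMPLE_LOGS)))
    # Zone-naive: the UTC router's BGP drop is paired with an unrelated NTP
    # step that really happened two and a half hours later.
    print("zone-naive:", describe(correlate(SAMPLE_LOGS, honour_device_tz=False)))
```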


NTP for ASBRs?

2019-05-08 Thread Lars Prehn

Hi everyone,

do you NTP sync your AS boundary routers? If so, what are incentives for 
doing so? Are there incentives, e.g. security considerations, not to do it?


Best regards,

Lars