Hi Randy,

On Apr 6, 2011, at 6:45 AM, Randy Bush wrote:

>> [WEG] +1. I don't know why we're so stressed about something so
>> simple.
> 
> not stressed out, though some coffee would help.
> 
> brian is a crypto/security guy.  he is validly worried that we could hit
> a problem.  i suspect he is not too familiar with how we all config our
> networks, and that ntp, warts and all, is kind of assumed in all base
> configs.

I'm actually not surprised ntp is assumed in all the base configs, but I did 
want to see some discussion as to whether not being able to reach an ntp server 
for an indeterminate period of time was a problem.

By way of example, you mentioned those old 2511's in your first reply ... I'm 
pretty sure they don't retain the time over a reboot, which means not reaching 
an ntp server could be serious if you were depending on it.

If all your BGP routers keep reasonably accurate time all of the time including 
over reboots, then ntp might not be a problem. I still think the requirement is 
a good general requirement to keep in mind for BGPSEC. 

> i suspect one key here is that, if the router has a time tick and loses
> it, it will be a looooong time before it loses sufficient accuracy that
> x.509 gloop will notice.  and then all sorts of red flags will go up and
> our noc's bgp/snmp monitors will go bright red.
> 
> another thought is that i am not sure we monitor time drift and ntp
> death in our routers.  this would be a good thing if we're betting our
> buns on it.

That's in the spirit of my concern ....

Brian
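As an added illustration of the two points in this exchange (a router without a battery-backed clock coming up at its reset time and failing X.509 validity checks, versus a router that keeps time and merely drifts while NTP is unreachable), here is a small stand-alone Python model. It is not code from the thread or from any BGPSEC implementation. The certificate validity dates, the 50 ppm drift rate, the alarm thresholds and the 1 March 1993 reset value (what IOS displays when it has no calendar chip) are all assumptions made for the example.

```python
"""Clock loss vs. X.509 validity: a toy model (added example, standard library only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def utc(*args: int) -> datetime:
    """Build an aware UTC datetime from (year, month, day[, hour, minute])."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertValidity:
    """The notBefore/notAfter window of an X.509 certificate (RFC 5280, 4.1.2.5)."""
    name: str
    not_before: datetime
    not_after: datetime


def check_validity(cert: CertValidity, now: datetime) -> str:
    """What a path-validation routine concludes about `cert` given the local clock `now`."""
    if now < cert.not_before:
        return "not_yet_valid"
    if now > cert.not_after:
        return "expired"
    return "valid"


@dataclass
class RouterClock:
    """Toy router clock.  Without a battery-backed calendar a reboot resets it to `reset_value`.

    Assumptions (not from the thread): a 50 ppm crystal while NTP is unreachable, and a
    reset value of 1 March 1993, which is what IOS shows when it has no calendar chip.
    """
    now: datetime
    battery_backed: bool
    drift_ppm: float = 50.0
    reset_value: datetime = utc(1993, 3, 1)

    def reboot(self) -> None:
        if not self.battery_backed:
            self.now = self.reset_value

    def free_run(self, wall_seconds: float) -> None:
        """Advance the clock with no NTP corrections; drift accumulates at `drift_ppm`."""
        self.now += timedelta(seconds=wall_seconds * (1 + self.drift_ppm / 1e6))


def ntp_alarm(sync_age: timedelta, offset_ms: float,
              max_age: timedelta = timedelta(hours=24),
              max_offset_ms: float = 500.0) -> list:
    """The two checks the thread says may not be monitored: NTP death and clock drift.

    Thresholds are assumptions for illustration, not operational recommendations.
    """
    alarms = []
    if sync_age > max_age:
        alarms.append(f"ntp-dead: last successful sync {sync_age} ago")
    if abs(offset_ms) > max_offset_ms:
        alarms.append(f"clock-drift: offset {offset_ms:.0f} ms from reference")
    return alarms


def run_scenarios() -> dict:
    """Constructed scenarios; returns what each router concludes about the same certificate."""
    cert = CertValidity("bgpsec-router-cert", utc(2011, 1, 1), utc(2012, 1, 1))
    true_now = utc(2011, 4, 6, 6, 45)          # wall-clock time when the reboot happens
    results = {}

    # A: no calendar chip (the 2511 case).  Reboot -> clock at 1993 -> cert "not yet valid".
    a = RouterClock(now=true_now, battery_backed=False)
    a.reboot()
    results["no_rtc_after_reboot"] = check_validity(cert, a.now)

    # B: battery-backed clock, then 30 days unable to reach NTP.  Drift is about 130 s,
    # nowhere near a one-year validity window: the "long time before x.509 notices" case.
    b = RouterClock(now=true_now, battery_backed=True)
    b.reboot()
    b.free_run(30 * 86400)
    offset_s = (b.now - (true_now + timedelta(days=30))).total_seconds()
    results["rtc_30d_no_ntp"] = check_validity(cert, b.now)
    results["rtc_30d_offset_s"] = round(offset_s, 1)

    # The monitoring side: B's clock is still fine for X.509, but the NOC should already be
    # alarming on the dead NTP association rather than waiting for validation failures.
    results["alarms"] = ntp_alarm(sync_age=timedelta(days=30), offset_ms=offset_s * 1000)
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Running it shows router A rejecting a perfectly good certificate as not yet valid purely because of its clock, while router B validates correctly for weeks but is already tripping both the NTP-age and the drift alarm, which is the monitoring gap the thread points at.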

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr