Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NTP ACL on IOS-XE (4500-X) bugged?

Hi,

for obvious reasons the protection of NTP servers exposed to the Internet is currently getting some reinvestigation. On a fresh 4500-X running IOS-XE 03.04.03.SG (aka 151-2.SG3) I encountered that

access-list 12 permit x.y.z.123

access-list 12 permit a.b.c.123 access-list 12 deny   any

[...]


ntp access-group peer 12

ntp server x.y.z.123

ntp server a.b.c.123

will not prevent certain control queries from getting answered by the switch. For instance, ntpq peer list queries (ntpq -p device-ip) from any source still get a reply, even though the deny any ACE counter (and only that) will increment. Legitimate control queries (from the configured sources) will work as well, but increment the appropriate permittive ACE counters. On other switches (non-XE, like 4900M), the exact same configuration works as expected and denies ntpq control queries. Now those queries (there are more than just peer list queries that bypass the ACL on XE, I haven't checked all of them) aren't as dangerous an amplification tool as monlist is, but there still is amplification - and even without amplification, there's at least an information leak, if not a capability for remote control.

Has anyone else encountered this issue? Is it present in XE generally, or specific to this platform? I don't have much hardware to test against currently

BTW, the ACL successfully blocks pure time queries, but in the context of NTP amp attacks, they are of least concern.

BTW^2, adding a pure deny-all ACL to the three other NTP ACL classes makes no difference - they increment counters, but answers still come back.

TIA,

Andre.

Everyone's tags (3)
7 REPLIES
tim
New Member

NTP ACL on IOS-XE (4500-X) bugged?

I'm seeing this same issue on ASR1K1 on IOS-XE 3.10.01.S and also 7200 NPE-G2 on 152-4.S so doesn't seem limit to the 4500X or IOS-XE either

New Member

NTP ACL on IOS-XE (4500-X) bugged?

I have 6 devices where the ntp access-group is not working:

5 x ASR1002 - IOS-XE 03.07.03.S 15.2(4)S3

1 x 4500X-32 - IOS-XE 03.04.02.SG  15.1(2)SG2

I have a few older ASR1000's running 03.04.05.S IOS-XE 15.1(3)S5, that do not have the problem.

Open TAC case. No resolution yet.

New Member

Recently, I tried to

More about ntp access-groups at:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html#wp5471302810

New Member

Re: NTP ACL on IOS-XE (4500-X) bugged?

Spoke with TAC after 3 days of very little communiction.

They told me to use bug id: CSCUJ66318

That bug id is for vanilla IOS and marked as fixed.

I have escalated the issue to my account manager.

New Member

Re: NTP ACL on IOS-XE (4500-X) bugged?

Another limited update...

TAC is moving forward with bug id CSCUJ66318

They added "It will affect IOS-XE too" to the bug id. That is all.  No additional info.

Recieved email today saying a bug fix for the ASR will be available with 15.3(3)S3 on 05/30/2014.

No update on the 4500x. They asked for my "show version", so I hope to get additional info soon.

New Member

Re: NTP ACL on IOS-XE (4500-X) bugged?

Update from Cisco:

"For 4500 IOS-XE  the next release dates  are not planned yet .

Will cascade the info once I get a date from Release team."

New Member

Latest update from Cisco for

Latest update from Cisco for the 4500X running IOS-XE:

I have been working with the Business Unit and the defect CSCuj66318 has been fixed in the interim releases for 4500X running IOS XE. The next release containing the fix should be 15.1(2)SG5 which is currently expected to post in Oct. on CCO.
2095
Views
7
Helpful
7
Replies