NTP sanity checking?

treimers1
Level 1

Hi all -

Some of you probably know that the US Navy time servers recently experienced an issue in which USNO.NAVY.MIL suddenly dropped back to the year 2000 on November 19th between the hours of 21:07 UTC and 21:59 UTC (16:07-16:59 EST).

If you didn't hear about it, read this:

http://blogs.technet.com/b/askpfeplat/archive/2012/11/23/fixing-when-your-domain-traveled-back-in-time-the-great-system-time-rollback-to-the-year-2000.aspx

http://tycho.usno.navy.mil/ntp.html

USNO NTP FAILURE -- 19 NOV 2012

On Monday, November 19, USNO made what was expected to be a routine upgrade. Unfortunately, for 51 minutes, between 21:07:32 - 21:58:56 UTC, the server gave out the year as 2000 instead of 2012. We have resolved the issue that caused this error.

Microsoft offers a fix in Windows 2003 and 2008 (though not default in 2003, you have to manually adjust) in the form of two registry values: MaxPosPhaseCorrection and MaxNegPhaseCorrection.

Those registry entries ensure that no Microsoft DC using an NTP server will ever 'believe' any NTP server that provides an NTP time update of greater than 48 hours difference between the current time and the suggested update.

My question is this (I'm being asked this by several customers who were affected, or are now worried about being affected):

Does Cisco IOS from 12.2 and ASA code from 8.0 onwards support the same sort of thing?

Or are all Cisco routers/ASAs talking to an external NTP server simply going to believe any NTP update they happen to get, so long as all security checks correctly validate?

Several of my customers who used tock.navy.mil or tick.navy.mil as a primary NTP server reported that:

- their routers simply took the Navy at its word that it was the year 2000

- because the primary (or preferred) NTP server responded with incorrect time, the routers DID NOT query a secondary time server and thus did not ignore the wildly incorrect time coming from the Navy.

One customer specifically informs me that he had NIST timeservers configured, which (according to firewall logs) were never accessed at all to double check the time that the Navy had passed out!

What does the community know about how Cisco protects IOS and ASA code from this sort of failure?

I don't find any reference in Cisco's guidelines on NTP that discusses IOS ignoring wildly out of bounds timestamps, unless I'm just not looking for the right keywords?

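As an added illustration (not code from the original post, nor from Cisco or Microsoft), the check below models the behaviour the poster describes: read the transmit timestamp out of an NTP reply, reject the sample if it is more than 48 hours off the local clock (the bound the post attributes to MaxPosPhaseCorrection / MaxNegPhaseCorrection), and only then fall through to the next configured server. The server names and the 48-byte replies are constructed sample data, with the local clock fixed at 2012-11-19 21:30 UTC.

```python
import struct
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2208988800          # NTP epoch (1900) to Unix epoch (1970), seconds
MAX_PHASE_CORRECTION = 48 * 3600     # 48 h bound described in the post, in seconds


def transmit_time_from_packet(packet: bytes) -> int:
    """Return the Transmit Timestamp (seconds) of a 48-byte NTP reply as Unix time."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    tx_secs, _tx_frac = struct.unpack("!II", packet[40:48])   # bytes 40..47
    return tx_secs - NTP_UNIX_DELTA


def within_phase_bounds(server_unix: int, local_unix: int,
                        max_pos: int = MAX_PHASE_CORRECTION,
                        max_neg: int = MAX_PHASE_CORRECTION) -> bool:
    """Accept the sample only if the suggested correction lies in [-max_neg, +max_pos]."""
    offset = server_unix - local_unix
    return -max_neg <= offset <= max_pos


def choose_time(local_unix: int, replies):
    """Walk servers in preference order and return (server, unix_time) for the first
    reply that passes the sanity check; None if every configured server fails it."""
    for name, packet in replies:
        candidate = transmit_time_from_packet(packet)
        if within_phase_bounds(candidate, local_unix):
            return name, candidate
    return None


def make_reply(unix_seconds: int) -> bytes:
    """Constructed 48-byte NTPv4 server reply carrying the given transmit time."""
    ntp_secs = unix_seconds + NTP_UNIX_DELTA
    return (bytes([0x24, 1, 6, 0xEC])                        # LI=0 VN=4 mode=4, stratum 1
            + struct.pack("!IIIQQQ", 0, 0, 0x55534E4F, 0, 0, 0)  # delay, disp, ref id, 3 stamps
            + struct.pack("!II", ntp_secs, 0))                # transmit timestamp


def _utc(*ymdhm) -> int:
    return int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp())


LOCAL_NOW = _utc(2012, 11, 19, 21, 30)                        # constructed local clock
SAMPLE_REPLIES = [                                           # constructed, preference order
    ("primary (constructed)", make_reply(_utc(2000, 11, 19, 21, 30))),  # year rolled back
    ("secondary (constructed)", make_reply(LOCAL_NOW + 1)),             # plausible time
]

if __name__ == "__main__":
    print(choose_time(LOCAL_NOW, SAMPLE_REPLIES))
```

With the preferred server twelve years off, the first reply is discarded and the secondary is consulted, which is the behaviour the poster found missing.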