Hi all -
Some of you probably know that the US Navy time servers recently experienced an issue
in which USNO.NAVY.MIL suddenly dropped back to the year 2000 on November 19th between the hours of 21:07 UTC and 21:59 UTC (16:07-16:59 EST).
If you didn't hear about it, read this:
http://blogs.technet.com/b/askpfeplat/archive/2012/11/23/fixing-when-your-domain-traveled-back-in-time-the-great-system-time-rollback-to-the-year-2000.aspx
http://tycho.usno.navy.mil/ntp.html
USNO NTP FAILURE -- 19 NOV 2012
On Monday, November 19, USNO made what was expected to be a routine upgrade. Unfortunately, for 51 minutes, between 21:07:32 - 21:58:56 UTC, the server gave out the year as 2000 instead of 2012. We have resolved the issue that caused this error.
Microsoft offers a fix in Windows 2003 and 2008 (though it is not the default in 2003; you have to adjust it manually)
in the form of two registry values: MaxPosPhaseCorrection and MaxNegPhaseCorrection
Those registry entries ensure that no Microsoft DC using an NTP server will ever 'believe' any NTP server that
provides an NTP time update of greater than 48 hours difference between the current time and the suggested update.
My question is this (I'm being asked this by several customers who were affected, or are now worried about being affected)
Does Cisco IOS from 12.2 and ASA code from 8.0 onwards support the same sort of thing?
Or are all Cisco routers/ASAs talking to an external NTP server simply going to believe any NTP
update they happen to get, so long as all security checks validate correctly?
Several of my customers who used tock.navy.mil or tick.navy.mil as a primary NTP server reported that:
- their routers simply took the Navy at its word that it was the year 2000
- Because the primary (or preferred) NTP server responded with incorrect time, the routers DID NOT query a secondary time server
and so did not ignore the wildly incorrect time coming from the Navy.
One customer specifically informs me that he had NIST timeservers configured, which (according to firewall logs) were
never accessed at all to double check the time that the Navy had passed out!
What does the community know about how Cisco protects IOS and ASA code from
this sort of failure?
I don't find any reference in Cisco's guidelines on NTP that discusses IOS ignoring wildly out of bounds timestamps,
unless I'm just not looking for the right keywords?
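To make the sanity check being asked about concrete, here is an added example (mine, not code from the post, from Microsoft, or from Cisco) of the behaviour a client needs: it parses a 48-byte NTP server reply, computes the offset the reply implies against the local clock, and refuses any correction larger than a bound, using the 48-hour figure quoted above for MaxPosPhaseCorrection / MaxNegPhaseCorrection. The packets are constructed inline (a preferred server answering with the year 2000, a secondary answering within a quarter second), the server names are only labels for the two replies, and `naive_choose_time` / `bounded_choose_time` are hypothetical helpers contrasting "believe the preferred server" with "fall through to the next server when the preferred one is out of bounds".

```python
import struct
from datetime import datetime, timezone

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800

# Largest step a client will accept, in seconds. 48 hours is the value the post
# quotes for Microsoft's MaxPosPhaseCorrection / MaxNegPhaseCorrection (assumption:
# the same bound is applied in both directions here).
MAX_POS_PHASE_CORRECTION = 48 * 3600
MAX_NEG_PHASE_CORRECTION = 48 * 3600


def utc(year, month, day, hour=0, minute=0, second=0):
    """Unix timestamp for a UTC wall-clock time (helper for the constructed data)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc).timestamp()


def build_ntp_response(xmit_unix, stratum=1):
    """Construct a minimal 48-byte NTPv4 server reply (mode 4) whose transmit
    timestamp is xmit_unix. Constructed test data, not a real capture."""
    secs = int(xmit_unix) + NTP_UNIX_DELTA
    frac = int(round((xmit_unix - int(xmit_unix)) * (1 << 32)))
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, version 4, mode 4 (server)
    # stratum, poll=6, precision=-20, root delay, root dispersion, reference ID
    header = struct.pack("!BBBbIII", li_vn_mode, stratum, 6, -20, 0, 0, 0x55534E4F)
    # Reference, originate, receive and transmit timestamps all set to xmit_unix
    # for simplicity; only the transmit timestamp (bytes 40..47) is read below.
    return header + struct.pack("!II", secs, frac) * 4


def parse_transmit_timestamp(packet):
    """Return the server's transmit timestamp as Unix seconds, or raise ValueError."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_UNIX_DELTA + frac / (1 << 32)


def evaluate_ntp_response(packet, local_now,
                          max_pos=MAX_POS_PHASE_CORRECTION,
                          max_neg=MAX_NEG_PHASE_CORRECTION):
    """Return (accepted, offset). offset = server time minus local time; the
    reply is accepted only if the implied correction lies within the bounds."""
    offset = parse_transmit_timestamp(packet) - local_now
    accepted = -max_neg <= offset <= max_pos
    return accepted, offset


def naive_choose_time(responses, local_now):
    """The behaviour the post describes: take the preferred server's word for it.
    responses is a list of (name, packet) in preference order."""
    name, packet = responses[0]
    return name, parse_transmit_timestamp(packet) - local_now


def bounded_choose_time(responses, local_now):
    """Walk the servers in preference order and use the first reply whose
    implied correction is within bounds; return None if no reply passes."""
    for name, packet in responses:
        accepted, offset = evaluate_ntp_response(packet, local_now)
        if accepted:
            return name, offset
    return None


# Constructed sample: a client whose clock reads 21:30 UTC on 19 Nov 2012, a
# preferred server answering with the year 2000 (as USNO did for 51 minutes),
# and a secondary server answering within a quarter second of the client.
LOCAL_NOW = utc(2012, 11, 19, 21, 30, 0)
NAVY_REPLY = build_ntp_response(utc(2000, 11, 19, 21, 30, 0))
NIST_REPLY = build_ntp_response(LOCAL_NOW + 0.25)
RESPONSES = [("tick.navy.mil", NAVY_REPLY), ("time.nist.gov", NIST_REPLY)]

if __name__ == "__main__":
    print("naive:  ", naive_choose_time(RESPONSES, LOCAL_NOW))    # ~ -12 years
    print("bounded:", bounded_choose_time(RESPONSES, LOCAL_NOW))  # secondary, +0.25 s
```

The naive path returns an offset of about minus twelve years and would step the clock back, which is exactly what the customers' routers did; the bounded path rejects that reply and only then consults the secondary server, which is the query the firewall logs in the post never showed. Whether a given IOS or ASA release applies any such bound is the open question of the post, and nothing here answers it.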