Securing IOS-XR Devices

A quick reminder of the NTP access-group types:

peer — Allows time requests and NTP control queries and allows the system to synchronize itself to a system whose address passes the access list criteria.
serve — Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria.
serve-only — Allows only time requests from a system whose address passes the access list criteria.
query-only — Allows only NTP control queries from a system whose address passes the access list criteria.

Filter NTP packets from everywhere except our central NTP servers:

ipv4 access-list ntp-deny
 1 remark Deny NTP queries from everywhere
 10 deny ipv4 any any
!
ipv4 access-list allow-our-ntp-servers
 1 remark Allow NTP packets from our NTP servers only
 10 permit ipv4 host 10.0.0.1 any
 20 permit ipv4 host 10.0.0.2 any
!

ntp
 access-group ipv4 serve ntp-deny
 access-group ipv4 serve-only ntp-deny
 access-group ipv4 query-only ntp-deny
 access-group ipv4 peer allow-our-ntp-servers
 server vrf MGMT 192.168.56.102
 source vrf MGMT Lo123
 update-calendar

A packet from any other source is then dropped by ntpd:

RP/0/0/CPU0:Oct 22 11:40:21.808 : ntpd[238]: Rx 192.168.56.2->192.168.56.35 on if 0x100[unnamed, flags:0x0/0x11] (48 bytes)
RP/0/0/CPU0:Oct 22 11:40:21.808 : ntpd[238]: restrictions found: 3
RP/0/0/CPU0:Oct 22 11:40:21.808 : ntpd[238]: (5)ntp_receive: dropping message: RES_DONTSERVE restriction.

This doesn't work for all global IPs, though. The ACLs still allow the NTP control packets through (naughty IOS-XR!). Instead, LPTS must be used to rate limit "all other" connections as low as possible (this may be fixed in a future IOS-XR release). The lowest configurable value is 0, but at least 1 packet has to come through to trigger the policer, so in practice the lowest PPS rate is 1. The "known" rate limiter uses the NTP servers defined in the config above to build a list of trusted IPs. See also https://tools.cisco.com/bugsearch/bug/CSCus64993.

lpts pifib hardware police
 flow ntp default rate 1
 flow ntp known rate 64
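
The following is an added example, not part of the original notes: a small offline check that the ACLs referenced by the ntp access-groups are actually defined and that the LPTS default NTP policer is present and low. The function name audit_ntp, the max_default_pps threshold and the sample config are assumptions constructed for illustration.

```python
import re

# Constructed sample config (not from a real device), in the style of this page.
SAMPLE = """\
ipv4 access-list ntp-deny
 10 deny ipv4 any any
!
ipv4 access-list allow-our-ntp-servers
 10 permit ipv4 host 10.0.0.1 any
!
ntp
 access-group ipv4 serve ntp-deny
 access-group ipv4 peer core-ipv4-ntp-in-allow
!
lpts pifib hardware police
 flow ntp known rate 64
!
"""

def audit_ntp(config, max_default_pps=1):
    """Return findings: undefined NTP ACLs and a missing/loose LPTS default policer."""
    defined = set(re.findall(r"^ipv4 access-list (\S+)", config, re.M))
    findings, rates, block = [], {}, None
    for line in config.splitlines():
        if line and not line.startswith(" "):
            block = line.strip()          # new top-level block (or "!")
            continue
        w = line.split()
        if block == "ntp" and len(w) == 4 and w[:2] == ["access-group", "ipv4"]:
            if w[3] not in defined:       # access-group points at a missing ACL
                findings.append(f"ntp access-group {w[2]}: ACL {w[3]} is not defined")
        elif (block == "lpts pifib hardware police" and len(w) == 5
              and w[:2] == ["flow", "ntp"] and w[3] == "rate"):
            rates[w[2]] = int(w[4])       # e.g. {"known": 64}
    if "default" not in rates:
        findings.append("lpts: no 'flow ntp default' policer")
    elif rates["default"] > max_default_pps:
        findings.append(f"lpts: flow ntp default rate {rates['default']} pps is too high")
    return findings

if __name__ == "__main__":
    for finding in audit_ntp(SAMPLE):
        print(finding)
```

Run it against a saved copy of the running config; an empty result means every access-group resolves to a defined ACL and the default NTP policer is at or below the threshold.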