Mikrotik+certs+1970

Hi all,
I'm playing with mikrotiks for VPNs, and one of the "features" is that the RB750's we have don't hold time when they reboot. I'm planning to build them with NTP access (so if they can get internet then they can get time), but I'm also tempted to generate certs backdated to 1970 instead.
Is anyone else doing this? How do you get mikrotiks to validate certs if the clock keeps resetting on power off - is relying on NTP the answer?
Cheers
Sam

I use NTP on all of ours.
Regards, Matthew Harrison
The Top Dog
p. 06 7566620 | e. matthew(a)primowireless.co.nz
Please excuse the shortness of my email as it was sent from my iPhone.
On 3/06/2014, at 10:02, Sam Russell <sam.h.russell(a)gmail.com> wrote:
Hi all,
I'm playing with mikrotiks for VPNs, and one of the "features" is that the RB750's we have don't hold time when they reboot. I'm planning to build them with NTP access (so if they can get internet then they can get time), but I'm also tempted to generate certs backdated to 1970 instead.
Is anyone else doing this? How do you get mikrotiks to validate certs if the clock keeps resetting on power off - is relying on NTP the answer?
Cheers Sam _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

We have a private network to all our routers, in which we run an internal NTP server from the office. The NTP server has public internet access to get the updated time, and then the routers hit our internal NTP server to grab the latest time. This makes it a bit more secure than having each router open to the internet.
Daniel

NTP is certainly the best way to go. I don't rely on anything to keep its own time unless it's specifically a time-keeping device or connected to one (e.g. GPS).
- Damian

Hi Sam,
I am not sure if this is something you might want/can do, but with OpenWrt you can set an initial "builddate" (see: https://forum.openwrt.org/viewtopic.php?id=39835). Setting this to something more recent (i.e. June 2014) solves some of the cert crazy you might be experiencing. I've 'fixed' several non-Mikrotiks with the same issue doing this. Obviously you want to run tiered NTP as well, but this may be of use.
-Joel

Hi Sam,
In general I'd tend to agree that setting the certs to 1970 was a bad idea; for one thing none of your logs will match up, so troubleshooting will become difficult. You may want to consider CRL implications - currently I don't think Mikrotik implements any CRL checking except for SSL VPN, but at the rate Mikrotik's developers work that may change in the near future.
Time-wise, it's basically NTP, unless you want to consider adding a GPS to all of your nodes. If your devices are in one place then it might make sense to have one or two mikrotiks act as an NTP time source for the rest. If you have a hub and spoke model then perhaps the hub could provide the time source for the spokes?
Russ
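Added example, not part of the thread: a shell script (assumes a POSIX shell and an OpenSSL 1.1 or newer `openssl` binary; the CA name, spoke name, dates and clock values are all made up for the demo) that issues a device certificate twice from a test CA, once dated normally and once backdated to 1970 as Sam proposes, then runs `openssl verify -attime` standing in for a router whose clock has reset to 1970, for a router with correct time, and for a date past expiry. It shows the two things the backdating idea has to get right that the thread only touches on: every certificate in the chain is checked against the clock, so the CA certificate has to be backdated too, not just the spoke's; and notAfter still applies, so the backdated cert fails at its expiry exactly like the normal one.

```shell
#!/bin/sh
# Added example (not from the NZNOG thread): what a backdated certificate does
# and does not buy you when the verifying router's clock has reset to 1970.
# Assumes: POSIX sh, openssl 1.1+ ('verify -attime' and 'ca -selfsign').
# All names, dates and clock values below are constructed for the demo.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal 'openssl ca' configuration. unique_subject=no lets us issue the
# same CN twice (once normally dated, once backdated).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo

[ demo ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.pem
private_key     = $dir/ca.key
default_md      = sha256
policy          = any
unique_subject  = no
x509_extensions = v3_leaf

[ any ]
commonName = supplied

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign

[ v3_leaf ]
basicConstraints = CA:FALSE

[ req ]
distinguished_name = dn

[ dn ]
EOF
mkdir newcerts
: > index.txt
echo 01 > serial

# CA: self-signed through 'openssl ca -selfsign' so that it can be backdated.
# If only the spoke cert were backdated, verification at a 1970 clock would
# still fail on the CA's own notBefore, because every cert in the chain is
# checked against the clock.
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
    -subj /CN=demo-ca -config ca.cnf 2>/dev/null
openssl ca -batch -selfsign -config ca.cnf -keyfile ca.key -in ca.csr \
    -out ca.pem -extensions v3_ca -notext \
    -startdate 700101000000Z -enddate 491231235959Z 2>/dev/null

# One key and CSR for the spoke router, signed two ways.
openssl req -new -newkey rsa:2048 -nodes -keyout spoke.key -out spoke.csr \
    -subj /CN=spoke1 -config ca.cnf 2>/dev/null
# (a) normally dated: valid from now for a year
openssl ca -batch -config ca.cnf -in spoke.csr -out spoke-now.pem \
    -days 365 -notext 2>/dev/null
# (b) backdated: valid from 1970-01-01 until the end of 2039
openssl ca -batch -config ca.cnf -in spoke.csr -out spoke-1970.pem \
    -startdate 700101000000Z -enddate 391231235959Z -notext 2>/dev/null

# verify_at CERT EPOCH_SECONDS: chain-validate CERT the way a router whose
# clock reads EPOCH_SECONDS would. Prints "valid" or "not-valid".
verify_at() {
    if openssl verify -CAfile ca.pem -attime "$2" "$1" 2>&1 | grep -q ': OK$'; then
        echo valid
    else
        echo not-valid
    fi
}

# not_before CERT: the notBefore field, e.g. "notBefore=Jan  1 00:00:00 1970 GMT"
not_before() {
    openssl x509 -noout -startdate -in "$1"
}

RESET_CLOCK=3600          # router booted with its clock back near the epoch
NOW_CLOCK=$(date +%s)     # router with NTP-corrected time
LATER_CLOCK=2300000000    # 2042: past both spoke certificates' notAfter

for cert in spoke-now.pem spoke-1970.pem; do
    echo "$cert: $(not_before "$cert")"
    echo "  clock=1970 -> $(verify_at "$cert" "$RESET_CLOCK")"
    echo "  clock=now  -> $(verify_at "$cert" "$NOW_CLOCK")"
    echo "  clock=2042 -> $(verify_at "$cert" "$LATER_CLOCK")"
done
```

Run it with `sh backdate-demo.sh`; it leaves the temporary directory behind so the generated certificates can be inspected with `openssl x509 -text -noout -in ...`. The normally dated spoke certificate fails only at the 1970 clock, the backdated one passes there, and both fail at the 2042 clock. Backdating the whole chain to 1970 removes only the notBefore problem; it does nothing for expiry, for the CRL checking Russ mentions (a reset clock cannot tell a fresh CRL from a stale one), or for log timestamps, which is why the thread's answer remains NTP.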

Thanks all for the on- and off-list replies.
For more detail, these are being installed at customer sites so they can phone home and build an SSTP tunnel so I can remote-admin the other kit at site. Given I'm going to need internet access for these to be able to phone home, it's probably reasonable to assume NTP will work if I can access the internet - it'd be a real corner case for these nodes to be able to phone home but not reach an NTP server.
tl;dr NTP is the way to go
participants (6)
- Damian Kissick
- Daniel Watson
- Joel Wirāmu Pauling
- Matthew Harrison - PrimoWireless Ltd
- Russell Tester
- Sam Russell