AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
OSPF


Security Policy

GTSM (Generalized TTL Security Mechanism) checks the TTL value of received packets to defend against attacks. GTSM checks only the TTL values of packets that match the GTSM policy; packets that do not match the policy are either allowed or dropped, depending on the configured default action. If the default action is drop, every router connection must be configured in the GTSM policy: packets sent from a router that is not specified in the policy are dropped, so no neighbor relationship can be established with that router. GTSM therefore improves security at the cost of ease of use.

OSPF supports packet authentication: only OSPF packets that pass authentication are accepted, and if packets fail authentication the neighbor relationship cannot be established. When area authentication is used, all routers in an area must use the same authentication mode and password; for example, all routers in Area 0 use simple authentication with the password abc. Interface authentication sets the authentication mode and password between neighboring routers and takes precedence over area authentication.

Attack Modes

Forged packets are commonly used to attack OSPF on the network. Measures such as MD5 authentication can be taken to identify and discard these packets.

The possible attack methods are as follows:

  • Changing the aging time of a packet to the maximum aging time so that all routers flush this packet.

  • Advertising an LSA with the maximum ID or with an ID close to the maximum.

  • Changing the sequence number when a peer router restarts and resets the state of the cryptographic sequence number.

  • Changing the neighbor list in a Hello packet.

Configuration and Maintenance Methods

OSPF is used as an example.

  • GTSM:

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      ospf [ process-id ]

      The OSPF process view is displayed.

    3. Run:

      area area-id

      The OSPF area view is displayed.

    4. Run:

      ospf valid-ttl-hops hops [ vpn-instance vpn-instance-name ]

      The OSPF GTSM function is configured.

    5. Run:

      gtsm default-action { drop | pass }

      The default action to be taken for packets that do not match the GTSM policy is set.

  • Area authentication:

    1. Run:

      authentication-mode simple [ plain plain-text | [ cipher ] cipher-text ]

      The authentication mode is set to simple authentication for the OSPF area.

    2. Run:

      authentication-mode { md5 | hmac-md5 } [ key-id { plain plain-text | [ cipher ] cipher-text } ]

      The authentication mode is set to MD5 authentication for the OSPF area.

    3. Run:

      authentication-mode keychain keychain-name

      The authentication mode is set to keychain authentication for the OSPF area.

  • Interface authentication:

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. Run:

      area area-id

      The OSPF area view is displayed.

    4. Run:

      ospf authentication-mode simple [ plain plain-text | [ cipher ] cipher-text ]

      The authentication mode is set to simple authentication on the interface.

    5. Run:

      ospf authentication-mode { md5 | hmac-md5 } [ key-id { plain plain-text | [ cipher ] cipher-text } ]

      The authentication mode is set to MD5 authentication on the interface.

    6. Run:

      ospf authentication-mode keychain keychain-name

      The authentication mode is set to keychain authentication on the interface.

Configuration and Maintenance Suggestions

Run the authentication-mode hmac-md5 command in the OSPF area view to configure MD5 authentication for packets.
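The following is an added example, not part of this guide or of Huawei's software: a small Python audit that parses a constructed, VRP-style OSPF configuration block for the two hardening points discussed above (the GTSM policy and default action from the Security Policy section, and the per-area authentication mode set by the procedures above) and reports deviations. The TTL window derived from valid-ttl-hops is an assumption stated in the code; the sample configuration and its cipher strings are constructed placeholders.

```python
import re

# Constructed VRP-style OSPF block (not from a real device); cipher strings are placeholders.
SAMPLE_CONFIG = """\
ospf 1
 ospf valid-ttl-hops 2
 gtsm default-action pass
 area 0.0.0.0
  authentication-mode simple cipher %^%#PLACEHOLDER#%^%
 area 0.0.0.1
  authentication-mode hmac-md5 1 cipher %^%#PLACEHOLDER#%^%
 area 0.0.0.2
  authentication-mode keychain ospf-kc
 area 0.0.0.3
"""
RECOMMENDED_MODES = {"hmac-md5", "keychain"}  # simple auth puts the password on the wire

def gtsm_ttl_window(hops):
    # Assumed semantics: valid-ttl-hops N accepts TTL in [256 - N, 255]; a directly connected peer sends 255.
    return 256 - hops, 255

def parse_ospf_config(text):
    # Extract GTSM settings and each area's authentication mode (None = not set).
    cfg = {"valid_ttl_hops": None, "default_action": None, "areas": {}}
    area = None
    for line in text.splitlines():
        if m := re.match(r"\s*ospf valid-ttl-hops (\d+)", line):
            cfg["valid_ttl_hops"] = int(m.group(1))
        elif m := re.match(r"\s*gtsm default-action (drop|pass)", line):
            cfg["default_action"] = m.group(1)
        elif m := re.match(r"\s*area (\S+)", line):
            area = m.group(1)
            cfg["areas"][area] = None
        elif (m := re.match(r"\s*authentication-mode (\S+)", line)) and area:
            cfg["areas"][area] = m.group(1)
    return cfg

def audit(cfg):
    # One finding per deviation from the hardening guidance above.
    findings = []
    if cfg["valid_ttl_hops"] is None:
        findings.append("GTSM not configured: OSPF packet TTL is never checked")
    elif cfg["default_action"] != "drop":
        findings.append("gtsm default-action is not drop: packets outside the policy pass")
    for area, mode in sorted(cfg["areas"].items()):
        if mode is None:
            findings.append(f"area {area}: no authentication, forged packets are accepted")
        elif mode not in RECOMMENDED_MODES:
            findings.append(f"area {area}: {mode} auth configured, use hmac-md5 or keychain")
    return findings
```

Running audit(parse_ospf_config(SAMPLE_CONFIG)) on the sample flags the pass default action, the cleartext simple authentication in area 0.0.0.0, and the unauthenticated area 0.0.0.3.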

Updated: 2019-05-06

Document ID: EDOC1000097300
