AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
IPv4 Protocol Stack

GTSM

Security Policy

The Generalized TTL Security Mechanism (GTSM) checks whether the time to live (TTL) value of a received packet is valid, protecting the TCP/IP-based control plane protocols from CPU overload attacks.

Currently, BGP, BGP4+, OSPF, and LDP support GTSM.

  • BGP and BGP4+ support deployment of GTSM policies based on the number of neighbors. The number of GTSM policies can be equal to the number of established BGP peers.

  • OSPF supports deployment of GTSM policies based on the protocol. On a public network, only one GTSM policy can be deployed for OSPF. On a private network, GTSM policies are deployed based on the LDP VPN instances, and one GTSM policy can be configured for each OSPF VPN instance.

  • LDP supports deployment of GTSM policies based on peers. The number of GTSM policies can be equal to the number of established LDP peers.

A GTSM policy is generated after a GTSM configuration command is executed on a service module. The policy matching conditions vary with protocols.

  • The GTSM policy matching conditions of BGP or BGP4+ include the source IP address, VRF index, source port ID, and destination port ID.

  • The GTSM policy matching condition of OSPF includes the VRF index.

  • The GTSM policy matching conditions of LDP include the source IP address, source port ID, and destination port ID.

A GTSM policy is deployed as follows:

  • If the GTSM function of the related protocol is disabled on a device, packets are directly sent to the control plane.

  • If the GTSM function of the related protocol is enabled on a device, the device performs GTSM policy matching. If a matching GTSM policy is found, the device checks whether the TTL of the packet is within the range accepted by the policy. If not, the device determines that the packet is an attack packet and drops it. If no matching GTSM policy is found, the device processes the packet according to the GTSM default action.

Attack Modes

An attacker simulates a real routing protocol and continuously sends packets to a device. The device is extremely busy when processing these attack packets, causing a high CPU usage. To avoid CPU overload, GTSM can be deployed to protect IP-forwarded services by checking whether the TTL value in the IP header of an IP packet is within a pre-defined range.

Figure 2-4  Security attack

Configuration and Maintenance Methods

Run gtsm default-action { drop | pass } to configure default actions for packets when a matched GTSM policy is not found. The default action is pass, indicating that a packet for which a matched GTSM policy is not found is directly passed.

Take BGP as an example. With valid-ttl-hops set to 1, the valid TTL range of received packets is [255,255].

[HUAWEI] bgp 10
[HUAWEI-bgp] peer 10.1.1.2 valid-ttl-hops 1
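The following Python model, added here and not Huawei code, ties together the policy deployment steps above: per-protocol match conditions, the TTL range derived from valid-ttl-hops (N hops accepts [256-N, 255], so hops 1 gives [255,255]), the gtsm default-action, and the packet counters. Protocol names, dictionary keys and the counter layout are assumptions chosen to mirror this page.

```python
from dataclasses import dataclass

# Match keys per protocol, as listed on this page: BGP/BGP4+ use source IP, VRF
# index, source port and destination port; OSPF uses the VRF index; LDP uses
# source IP, source port and destination port. (Assumed model, not Huawei code.)
MATCH_KEYS = {
    "BGP": ("src_ip", "vrf_index", "src_port", "dst_port"),
    "BGPv6": ("src_ip", "vrf_index", "src_port", "dst_port"),
    "OSPF": ("vrf_index",),
    "LDP": ("src_ip", "src_port", "dst_port"),
}

@dataclass
class GtsmPolicy:
    protocol: str
    match: dict            # values for (a subset of) the protocol's match keys
    valid_ttl_hops: int    # 'peer X valid-ttl-hops N' => accepted TTL range [256-N, 255]

    def ttl_range(self):
        return 256 - self.valid_ttl_hops, 255

    def matches(self, pkt):
        return pkt["protocol"] == self.protocol and all(
            pkt.get(k) == self.match[k] for k in MATCH_KEYS[self.protocol] if k in self.match)

class Gtsm:
    def __init__(self, default_action="pass"):   # 'gtsm default-action { drop | pass }'
        self.default_action = default_action
        self.enabled = set()                      # protocols with GTSM switched on
        self.policies = []
        # Constructed counters mirroring 'display gtsm statistics all'.
        self.stats = {p: {"Total": 0, "Drop": 0, "Pass": 0} for p in MATCH_KEYS}

    def add_policy(self, policy):
        self.enabled.add(policy.protocol)         # configuring a policy enables GTSM for it
        self.policies.append(policy)

    def check(self, pkt):
        """Return 'pass' or 'drop' for one received control-plane packet."""
        proto = pkt["protocol"]
        if proto not in self.enabled:
            return "pass"                         # GTSM off: sent straight to the control plane
        self.stats[proto]["Total"] += 1
        policy = next((p for p in self.policies if p.matches(pkt)), None)
        if policy is None:
            action = self.default_action          # no matching policy: apply the default action
        else:
            lo, hi = policy.ttl_range()
            action = "pass" if lo <= pkt["ttl"] <= hi else "drop"   # out-of-range TTL = attack
        self.stats[proto]["Pass" if action == "pass" else "Drop"] += 1
        return action
```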

You can run display gtsm statistics all to view GTSM statistics, including the total number of packets, the number of passed packets, and the number of dropped packets. For example:

<HUAWEI> display gtsm statistics all
GTSM Statistics Table
----------------------------------------------------------------
SlotId  Protocol  Total Counters  Drop Counters  Pass Counters
----------------------------------------------------------------
 0      BGP       2               0              2
 0      BGPv6     0               0              0
 0      OSPF      0               0              0
 0      LDP       0               0              0
 1      BGP       0               0              0
 1      BGPv6     0               0              0
 1      OSPF      0               0              0
 1      LDP       0               0              0
----------------------------------------------------------------
Configuration and Maintenance Suggestions

GTSM is suitable for small-size networks. The anti-attack effect can be achieved only when the GTSM policy is deployed on the entire network.

Updated: 2019-05-06

Document ID: EDOC1000097300