AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
BGP/BGP4+

Security Policy

  • BGP MD5 authentication

    BGP runs over TCP, and a TCP segment is accepted as long as its source and destination addresses, source and destination ports, and sequence number are correct. Most of these parameters can easily be obtained or guessed by an attacker, who can then inject spoofed segments into a session or reset it. To protect BGP sessions, enable TCP MD5 authentication (the TCP MD5 signature option, RFC 2385) between BGP peers: every segment then carries a digest computed over the segment and a shared key, and a segment whose digest does not verify is discarded before it reaches BGP.

    MD5 is a weak hash, and an attacker who captures signed segments can attempt to recover the shared key offline. Change the MD5 password periodically to limit the exposure of any one key.

  • Keychain authentication

    A keychain consists of multiple authentication keys, each with an ID, a key string (password) and a lifetime. Based on the lifetimes, the device automatically selects the key currently in effect, so keys can be rotated on a schedule without manually reconfiguring each peer or tearing down sessions. When keychains with the same rules are configured on both ends of a BGP connection, each end dynamically selects the matching key, which strengthens BGP's resistance to attack compared with a single static MD5 password.

  • BGP GTSM

    GTSM (Generalized TTL Security Mechanism) defends against attacks by checking TTL values. Without it, if an attacker forges BGP packets and sends them continuously to a router, the interface board receives them, sees that they are addressed to the router, and delivers them straight to the BGP process on the control plane without checking their validity. The control plane must then process every forged packet, so the router becomes extremely busy and CPU usage rises.

    GTSM protects the router by checking whether the TTL in the IP header of a received BGP packet is within a pre-defined range. A legitimate peer sends its packets with a TTL of 255 and every forwarding hop decrements the TTL, so a packet that arrives with a TTL lower than the configured range cannot have come from the expected peer and can be dropped on the interface board before it consumes control-plane resources.

  • CPCAR

    CPCAR (Control Plane Committed Access Rate) rate-limits the packets of each enabled service or protocol that are sent to the CPU. Packets exceeding the configured rate are dropped, which protects the CPU against floods and keeps the network running normally.

  • Route over-threshold control

    A BGP routing table generally contains a large number of routes. To prevent routes received from a peer from consuming too many system resources, configure the maximum number of routes that the router can accept from each BGP peer.

    The BGP PAF (Product Adaptation File) limits the total number of routes learned from all BGP peers. This prevents a device from restarting because it has accepted too many routes and its CPU usage has become too high.

  • Limitation on the number of AS-paths

    When a BGP router receives a route, it checks whether the number of AS numbers in the AS_Path attribute exceeds the configured threshold; if so, it discards the route. During route advertisement, the router performs the same check and does not advertise a route whose AS_Path exceeds the threshold. This defends the router against maliciously constructed packets carrying extra-long AS_Path attributes.
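The first two policies above (TCP MD5 authentication and keychain-based key rotation) are shown together in the following added example, which is not Huawei code and does not reflect VRP internals. It computes and verifies the RFC 2385 TCP MD5 signature (MD5 over the TCP pseudo-header, the fixed TCP header, the data and the shared key), selects the key from a keychain by send and accept lifetimes, and shows why an attacker who knows the full 5-tuple and sequence numbers still cannot forge a segment. The keychain model (separate send and accept lifetimes with an overlapping accept window for rollover), the 20-byte option layout and all addresses, ports and key strings are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Added example (not Huawei code): RFC 2385 TCP MD5 signature option keyed
# from a keychain. Lifetime model and option layout are assumptions.

TCP_PROTO = 6
MD5_OPTION_SPACE = 20   # 18-byte MD5 option + 2 bytes of padding (assumed layout)


def tcp_fixed_header(sport, dport, seq, ack, flags, window=65535):
    """20-byte fixed TCP header with the checksum zeroed, as RFC 2385 requires
    for the digest input. Data offset covers the fixed header plus option space."""
    data_offset = (20 + MD5_OPTION_SPACE) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, key):
    """RFC 2385 section 2: MD5 over the TCP pseudo-header, the fixed TCP header
    (options excluded), the segment data, and finally the shared key."""
    seg_len = (fixed_header[12] >> 4) * 4 + len(payload)
    pseudo = (ip_address(src_ip).packed + ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    return hashlib.md5(pseudo + fixed_header + payload + key).digest()


@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    send_start: datetime
    send_end: datetime
    accept_start: datetime
    accept_end: datetime


def send_key(keychain, now):
    """Outgoing segments are signed with the key whose send lifetime covers now."""
    for k in keychain:
        if k.send_start <= now < k.send_end:
            return k
    return None


def sign_segment(src_ip, dst_ip, fixed_header, payload, keychain, now):
    k = send_key(keychain, now)
    if k is None:
        raise RuntimeError("keychain has no active send key")
    return k.key_id, tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, k.secret)


def verify_segment(src_ip, dst_ip, fixed_header, payload, digest, keychain, now):
    """Try every key whose accept lifetime covers now, so segments signed with
    the previous key survive a rollover. Returns the key ID, or None to reject."""
    for k in keychain:
        if k.accept_start <= now < k.accept_end:
            expected = tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, k.secret)
            if hmac.compare_digest(expected, digest):
                return k.key_id
    return None


def demo():
    """Constructed scenario: two peers, a two-key keychain whose accept windows
    overlap by one hour, and an attacker who knows the 5-tuple and seq/ack."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    h = timedelta(hours=1)
    keychain = [
        Key(1, b"Key1-Secret!", t0, t0 + 12 * h, t0, t0 + 13 * h),
        Key(2, b"Key2-Secret!", t0 + 12 * h, t0 + 24 * h, t0 + 11 * h, t0 + 24 * h),
    ]
    src, dst = "10.0.0.1", "10.0.0.2"
    hdr = tcp_fixed_header(sport=40000, dport=179, seq=1000, ack=2000, flags=0x18)
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"          # 19-byte BGP KEEPALIVE
    r = {}
    kid, sig = sign_segment(src, dst, hdr, keepalive, keychain, t0 + 10 * h)
    r["signed_with"] = kid
    r["legit"] = verify_segment(src, dst, hdr, keepalive, sig, keychain, t0 + 10 * h)
    # The attacker reproduces every header field but has to guess the key.
    forged = tcp_md5_digest(src, dst, hdr, keepalive, b"guess")
    r["forged"] = verify_segment(src, dst, hdr, keepalive, forged, keychain, t0 + 10 * h)
    # Replaying the genuine digest on an altered payload (type 3 = NOTIFICATION) also fails.
    notify = keepalive[:-1] + b"\x03"
    r["tampered"] = verify_segment(src, dst, hdr, notify, sig, keychain, t0 + 10 * h)
    # After 12:00 the sender rolls to key 2; a late key-1 segment is still
    # accepted until 13:00 and rejected afterwards.
    later = t0 + 12 * h + h / 2
    r["after_rollover_signed_with"] = sign_segment(src, dst, hdr, keepalive, keychain, later)[0]
    r["old_key_in_overlap"] = verify_segment(src, dst, hdr, keepalive, sig, keychain, later)
    r["old_key_expired"] = verify_segment(src, dst, hdr, keepalive, sig, keychain, t0 + 14 * h)
    return r


if __name__ == "__main__":
    print(demo())
```

The overlap between key 1's accept window and key 2's send window is what lets two routers with slightly different clocks roll keys without dropping the session; a keychain whose lifetimes abut exactly will flap the peering at every rollover.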

Attack Modes

  • DoS attacks

    Attackers can flood a device with various types of packets. If the packets are multicast protocol packets, or their destination IP address is the address of an interface on the device (including a loopback interface), the device sends them directly to the CPU, where they consume CPU and system resources and cause a DoS. After a BGP session is established, the system delivers a whitelist entry for that session to the application layer association module. This module checks received protocol packets: packets that match the whitelist (that is, belong to an established session) are sent to the CPU with a larger bandwidth and at a higher rate, while packets that do not match are sent with the default, lower bandwidth and rate, so unsolicited BGP packets cannot starve legitimate sessions. In addition, CPCAR is applied on interfaces to limit the rate of BGP packets sent to the CPU, protecting the CPU against attacks and keeping the network running normally.

  • Injection of a large number of BGP routes

    BGP runs on many kinds of devices, and the number of BGP routes a device can hold depends on its CPU and memory. If the number of received BGP routes exceeds this capacity, the device's memory is exhausted, the device cannot run normally and services are interrupted. Two controls address this: the PAF-based global route limit and the per-peer maximum number of routes. If an attacker injects a large number of routes and the count exceeds the PAF limit or the per-peer maximum, the excess routes are discarded, so system resources cannot be exhausted.

  • Construction of malformed BGP packets

    Attackers may construct various malformed packets, such as packets with extra-long AS_Path attributes, incorrect headers, incorrect lengths or invalid next hops, and send them to the device. BGP follows the policy of being tolerant on input and strict on output: the router discards malformed packets without tearing down the peer session, so services are not interrupted (if a single bad UPDATE could reset a session, an attacker would have a trivial DoS against every peering). For packets with extra-long AS_Path attributes, configure the AS_Path limit; if a received or to-be-advertised route exceeds the limit, the router refuses to accept or advertise it.

  • Network packet attacks

    Most of the parameters in a packet's 5-tuple are easy for an attacker to obtain. To protect BGP against such attacks, take the following measures:

    • Use TCP MD5 authentication between BGP peers so that an attacker who does not know the shared key cannot inject segments into or reset a session.

    • Configure keychain authentication for BGP sessions so that keys are rotated automatically, strengthening BGP's resistance to attack.

    • Deploy GTSM and check TTLs so that forged packets sent from beyond the expected hop count are dropped before they reach the CPU.
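The route-injection and malformed-packet attack modes above, and the route-limit and AS_Path-limit policies that counter them, are modelled in the following added example. It is not Huawei code and does not reproduce VRP behaviour in detail: it is a small BGP receive/advertise model that enforces a per-peer route limit, a global (PAF-style) route limit and an AS_Path length limit, drops invalid next hops, and applies "tolerant on input, strict on output" by discarding bad routes while leaving the session up. The limit values, addresses, prefixes, AS numbers and log wording are all assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Added example (not Huawei code): a model of per-peer and global route limits
# plus an AS_Path length limit, tolerant on input and strict on output.
# Limit values, route fields and log wording are assumptions.


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple      # AS numbers, nearest AS first
    next_hop: str


@dataclass
class Peer:
    address: str
    route_limit: int                      # maximum routes accepted from this peer
    adj_rib_in: dict = field(default_factory=dict)
    session_up: bool = True


class BgpRouter:
    def __init__(self, local_as, as_path_limit, total_route_limit):
        self.local_as = local_as
        self.as_path_limit = as_path_limit          # AS_Path limit (receive and advertise)
        self.total_route_limit = total_route_limit  # PAF-style limit across all peers
        self.peers = {}
        self.log = []

    def add_peer(self, address, route_limit):
        self.peers[address] = Peer(address, route_limit)

    def total_routes(self):
        return sum(len(p.adj_rib_in) for p in self.peers.values())

    def receive(self, peer_addr, route):
        """Tolerant on input: a bad or excess route is discarded and logged, but
        the session stays up. Returns 'accepted' or the drop reason."""
        peer = self.peers[peer_addr]
        reason = None
        try:
            if ip_address(route.next_hop).is_unspecified:
                reason = "invalid-next-hop"
        except ValueError:
            reason = "invalid-next-hop"
        if reason is None and len(route.as_path) > self.as_path_limit:
            reason = "as-path-limit"
        if reason is None and route.prefix not in peer.adj_rib_in:
            if len(peer.adj_rib_in) >= peer.route_limit:
                reason = "peer-route-limit"
            elif self.total_routes() >= self.total_route_limit:
                reason = "total-route-limit"
        if reason is not None:
            self.log.append(f"drop {route.prefix} from {peer_addr}: {reason}")
            return reason
        peer.adj_rib_in[route.prefix] = route
        return "accepted"

    def advertise(self, route):
        """Strict on output: prepend the local AS and refuse to advertise a
        route whose AS_Path would then exceed the limit."""
        out_path = (self.local_as,) + route.as_path
        if len(out_path) > self.as_path_limit:
            self.log.append(f"suppress {route.prefix}: as-path-limit")
            return None
        return Route(route.prefix, out_path, route.next_hop)


def demo():
    """Constructed input: two peers sending more routes than the limits allow."""
    r = BgpRouter(local_as=65001, as_path_limit=5, total_route_limit=5)
    p1, p2 = "192.0.2.1", "192.0.2.2"
    r.add_peer(p1, route_limit=3)
    r.add_peer(p2, route_limit=3)
    out = {}
    out["ok"] = r.receive(p1, Route("10.1.0.0/16", (65002,), p1))
    out["long_path"] = r.receive(p1, Route("10.2.0.0/16", tuple(range(65010, 65020)), p1))
    out["bad_next_hop"] = r.receive(p1, Route("10.3.0.0/16", (65002,), "not-an-ip"))
    for i in range(4):        # 10.10 and 10.11 fit; 10.12 and 10.13 exceed route_limit=3
        last = r.receive(p1, Route(f"10.{10 + i}.0.0/16", (65002,), p1))
    out["peer_limit"] = last
    for i in range(3):        # p2 has room, but the 6th route overall hits the global limit
        last = r.receive(p2, Route(f"10.{20 + i}.0.0/16", (65003,), p2))
    out["total_limit"] = last
    out["sessions_up"] = all(p.session_up for p in r.peers.values())
    out["advertised"] = r.advertise(Route("10.1.0.0/16", (65002, 65003, 65004, 65005), p1)) is not None
    out["suppressed"] = r.advertise(Route("10.1.0.0/16", (65002, 65003, 65004, 65005, 65006), p1)) is None
    out["log_entries"] = len(r.log)
    return out


if __name__ == "__main__":
    for item in demo().items():
        print(*item)
```

Note that every rejection is logged but none flips `session_up`: the model never tears down a peering because of one bad route, which is the "tolerant on input" behaviour the guide describes. On a real device, check what the per-peer route limit is configured to do when exceeded (some platforms alert, some drop, some reset the peer); a reset-on-exceed policy turns a route flood into a session-flap attack.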

Configuration and Maintenance Methods

  • Configuring MD5 authentication

    The MD5 authentication password is configured for the TCP connection, and TCP performs the MD5 authentication on behalf of BGP. If authentication fails, the TCP connection cannot be established, so no BGP session is formed.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      bgp { as-number-plain | as-number-dot }

      The BGP view is displayed.

    3. Run:

      peer { ipv4-address | ipv6-address | group-name } password { cipher cipher-password | simple simple-password }

      An MD5 authentication password is configured.

      The password is stored in the configuration file in either plain text or cipher text, depending on the keyword used.

      If the command contains cipher cipher-password, the password is stored in cipher text, that is, as a string encrypted with a device-specific algorithm.

      If the command contains simple simple-password, the password is stored in plain text, that is, exactly as entered. Anyone who can read the configuration file (for example, from a configuration backup) can then recover the BGP key, so use cipher on production devices.

    NOTE:

    If MD5 authentication is configured in the BGP view, it also applies to MP-BGP VPNv4, because BGP and MP-BGP use the same TCP connection.

    An MD5 key cannot start with symbols $@$@ because these symbols are used to identify key types during an upgrade.

  • Configuring the keychain authentication

    Configure the keychain authentication on both ends of the BGP connection. The keychains configured on the two ends must use the same authentication algorithm and key strings, and their key lifetimes must overlap, so that the TCP connection can be set up and BGP messages can be exchanged normally.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      bgp { as-number-plain | as-number-dot }

      The BGP view is displayed.

    3. Run:

      peer { ipv4-address | ipv6-address | group-name } keychain keychain-name

      The keychain authentication is configured.

      Before configuring the keychain authentication, ensure that the keychain specified by keychain-name already exists. If it does not exist, the TCP connection cannot be established.

    NOTE:

    If keychain authentication is configured in the BGP view, it also applies to MP-BGP VPNv4, because BGP and MP-BGP use the same TCP connection.

    The BGP MD5 authentication is mutually exclusive with the BGP keychain authentication: configure one or the other for a given peer.

  • Configuring the BGP GTSM function

    Configure the GTSM function. This function protects routers against attacks by checking whether the TTL in the IP header of a received BGP packet is in the pre-defined range.

    Perform the following steps on both ends:

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      bgp { as-number-plain | as-number-dot }

      The BGP view is displayed.

    3. Run:

      peer { group-name | ipv4-address  | ipv6-address } valid-ttl-hops [ hops ]

      The BGP GTSM function is configured.

      The valid TTL range of checked packets is [255 - hops + 1, 255]. For example, for a directly connected EBGP peer, hops is 1, so the only valid TTL value is 255. By default, hops is 255, so the valid TTL range is [1, 255], which accepts every packet and provides no protection; set hops to the actual number of hops to the peer.

    NOTE:

    If GTSM is configured in the BGP view, it is also applicable to MP-BGP VPNv4, because both BGP and MP-BGP use the same TCP connection.

    Both GTSM and EBGP-MAX-HOP affect the TTL values of sent BGP packets, so the two functions are mutually exclusive.

    After GTSM is enabled for BGP, the interface board checks the TTL value of every BGP packet. Packets whose TTL values are outside the configured range are either passed or discarded, depending on the configured default action. To have GTSM discard such packets, set an appropriate TTL range (that is, the real hop count to each peer) according to the network topology and set the default action to drop. Packets whose TTL values fall outside the range are then discarded, and attacks with forged BGP packets are blocked.

  • Set the default GTSM action.

    Configure data on a GTSM-enabled router as follows:

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      gtsm default-action { drop | pass }

      The default action to be taken for packets that do not match the GTSM policy is set.

      By default, the packets that do not match the GTSM policy can pass the filtering.

    NOTE:

    If the default action is configured but the GTSM policy is not configured, the GTSM does not take effect.

  • Configure the log function for dropped packets.

    Configure data on a GTSM-enabled router as follows:

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      gtsm log drop-packet all

      Logging of packets dropped by GTSM is enabled on all boards.

      The log that records information about packets dropped by GTSM facilitates fault location and provides evidence of spoofing attempts. Review it if a BGP peer fails to come up after GTSM is enabled with the drop default action: a hops value smaller than the real hop count drops the legitimate peer's packets too.
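The GTSM procedure above (valid-ttl-hops per peer, gtsm default-action, gtsm log drop-packet) is modelled end to end in the following added example. It is not Huawei code and does not reproduce the interface-board implementation: it derives the valid TTL range [255 - hops + 1, 255] from hops, applies the default action to packets that do not match the range, records dropped packets when logging is on, and shows that a default action without any policy has no effect. How packets from a source with no GTSM policy are handled (here: not checked) and all addresses and hop counts are assumptions.

```python
from dataclasses import dataclass, field

# Added example (not Huawei code): a model of the BGP GTSM behaviour this
# section describes: valid-TTL range from 'hops', default action for
# non-matching packets, and the drop log. Handling of sources without a
# policy (not checked) is an assumption.

MAX_TTL = 255


def valid_ttl_range(hops=255):
    """peer ... valid-ttl-hops hops  ->  accepted IP TTL range [255 - hops + 1, 255]."""
    if not 1 <= hops <= MAX_TTL:
        raise ValueError("hops must be between 1 and 255")
    return (MAX_TTL - hops + 1, MAX_TTL)


@dataclass
class Gtsm:
    default_action: str = "pass"      # gtsm default-action { drop | pass }; pass is the default
    log_drops: bool = False           # gtsm log drop-packet all
    policies: dict = field(default_factory=dict)   # peer address -> (lowest TTL, 255)
    drop_log: list = field(default_factory=list)
    passed: int = 0
    dropped: int = 0

    def add_peer(self, peer, hops):
        self.policies[peer] = valid_ttl_range(hops)

    def check(self, src, ttl):
        """Decide on the interface board whether a BGP packet from src with IP
        TTL ttl is delivered to the control plane. Returns 'pass' or 'drop'."""
        if not self.policies:
            action = "pass"       # a default action without any policy does not enable GTSM
        elif src not in self.policies:
            action = "pass"       # assumption: sources without a policy are not checked
        else:
            lo, hi = self.policies[src]
            action = "pass" if lo <= ttl <= hi else self.default_action
        if action == "drop":
            self.dropped += 1
            if self.log_drops:
                self.drop_log.append(f"GTSM dropped packet: src={src} ttl={ttl} valid={self.policies[src]}")
        else:
            self.passed += 1
        return action


def demo():
    """Constructed traffic: a directly connected peer, a 3-hop peer, and forged packets."""
    out = {"ranges": {h: valid_ttl_range(h) for h in (1, 3, 255)}}

    # Default settings: out-of-range packets still pass, so the check protects nothing.
    lenient = Gtsm()
    lenient.add_peer("192.0.2.1", hops=1)
    out["default_pass"] = lenient.check("192.0.2.1", ttl=250)

    # Hardened: hops set to the real topology, drop by default, log the drops.
    hard = Gtsm(default_action="drop", log_drops=True)
    hard.add_peer("192.0.2.1", hops=1)        # directly connected EBGP peer: TTL must be 255
    hard.add_peer("198.51.100.7", hops=3)     # multihop peer: TTL 253..255
    out["legit_direct"] = hard.check("192.0.2.1", ttl=255)
    out["legit_multihop"] = hard.check("198.51.100.7", ttl=254)
    out["spoofed_direct"] = hard.check("192.0.2.1", ttl=240)      # source forged from 15 hops away
    out["spoofed_multihop"] = hard.check("198.51.100.7", ttl=200)
    out["dropped"] = hard.dropped
    out["drop_log"] = hard.drop_log

    # Default action configured but no GTSM policy: GTSM does not take effect.
    noop = Gtsm(default_action="drop")
    out["no_policy"] = noop.check("192.0.2.1", ttl=1)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `lenient` instance is the configuration most people end up with after running only `peer ... valid-ttl-hops`: without `gtsm default-action drop`, out-of-range packets still reach the CPU and the only observable difference is nothing at all.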

Updated: 2019-05-06

Document ID: EDOC1000097300