Improving the Security of an OSPF Network

Applicable Environment

In a network demanding high security, you can configure OSPF authentication and adopt the GTSM mechanism to improve the security of the OSPF network.

The GTSM mechanism defends against attacks by checking the TTL value. If an attacker keeps sending packets to a router by simulating real OSPF unicast packets, the router finds that itself is the destination of the packets after the interface board receives these packets. The router directly sends the packets to the control plane for OSPF processing without checking the validity of the packets. The router busies itself with processing these "valid" packets. As a result, the system is busy, and the CPU is highly occupied.

The GTSM mechanism protects a router by checking whether the TTL value in the IP packet header is in a pre-defined range to enhance the system security.

GTSM supports only unicast addresses; therefore, in OSPF, GTSM takes effect on the virtual link and the sham link.

Pre-configuration Tasks

Before improving the security of an OSPF network, complete the following tasks:

• Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at the network layer

• Configuring Basic OSPF Functions

Configuration Procedure

Perform one or more configuration tasks (excluding the task of Verifying the OSPF Network Security Optimization Configuration) as required.