
CLI-based Configuration Guide - IP Unicast Routing

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes the concepts and configuration procedures of IP Service features on the device, and provides the configuration examples.
OSPF GTSM

Definition

GTSM is short for Generalized TTL Security Mechanism. It protects services running above the IP layer by checking whether the TTL value in the IP packet header falls within a pre-defined range.

Purpose

On the network, an attacker may forge packets that look like valid OSPF packets and keep sending them to a device. After receiving these packets, the device identifies their destination, and its forwarding plane hands them directly to the control plane for processing without checking their validity. As a result, the device is kept busy processing these "valid" packets, and CPU usage rises.

In practice, GTSM is mainly used to protect the TCP/IP-based control plane from CPU-utilization-based attacks, for example, attacks that cause CPU overload.

Principle

Devices enabled with GTSM check the TTL value of every received packet against the configured policies. Packets that fail the policy check are discarded or sent to the control plane, depending on the configuration. This protects devices against CPU-utilization-based attacks. A GTSM policy involves the following items:

  • Source address of the IP packet sent to the device

  • VPN instance to which the packet belongs

  • Protocol number of the IP packet (89 for OSPF, and 6 for BGP)

  • Source port number and destination port number of protocols above TCP/UDP

  • Valid TTL range

The method of implementing GTSM is as follows:

  • For the directly connected OSPF neighbors, the TTL value of the unicast protocol packets to be sent is set to 255.

  • For multi-hop neighbors, a reasonable TTL range is defined.

The applicability of GTSM is as follows:

  • GTSM takes effect only for unicast packets. The TTL value of multicast packets cannot exceed 255; therefore, GTSM is not required for multicast packets.

  • GTSM does not support tunnel-based neighbors.
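The following Python model, added here as an illustration and not taken from the Huawei document or device software, works through the policy items, the TTL-setting method and the applicability rules described above. It is a simplified reference model: the policy fields, the `policy_for_neighbor` helper, the `default_action` for packets that match no policy, and the sample addresses are all assumptions, not device behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers named in the text.
OSPF_PROTO = 89
BGP_PROTO = 6
MAX_TTL = 255


@dataclass
class GtsmPolicy:
    """One GTSM policy entry, covering the items listed in the text."""
    source: str                        # source prefix of the IP packet, e.g. "10.0.0.0/30"
    protocol: int                      # 89 for OSPF, 6 for BGP
    ttl_min: int                       # valid TTL range (inclusive)
    ttl_max: int = MAX_TTL
    vpn_instance: str = ""             # "" stands for the public instance (assumption)
    src_port: Optional[int] = None     # only meaningful for protocols above TCP/UDP
    dst_port: Optional[int] = None


@dataclass
class Packet:
    """Constructed summary of a received packet: just the fields GTSM inspects."""
    src: str
    dst: str
    protocol: int
    ttl: int
    vpn_instance: str = ""
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def policy_for_neighbor(source: str, protocol: int, hops: int,
                        vpn_instance: str = "") -> GtsmPolicy:
    """Build a policy for a neighbour `hops` routers away, following the method in
    the text: the sender puts TTL 255 on unicast protocol packets and every hop
    decrements it by one, so a genuine packet arrives with TTL in
    [255 - hops + 1, 255]. A directly connected neighbour (hops=1) must show 255."""
    if hops < 1:
        raise ValueError("hops must be >= 1")
    return GtsmPolicy(source=source, protocol=protocol,
                      ttl_min=MAX_TTL - hops + 1, ttl_max=MAX_TTL,
                      vpn_instance=vpn_instance)


def _matches(policy: GtsmPolicy, pkt: Packet) -> bool:
    """Does the packet belong to the flow the policy describes (TTL not considered)?"""
    if pkt.protocol != policy.protocol or pkt.vpn_instance != policy.vpn_instance:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(policy.source):
        return False
    if policy.src_port is not None and pkt.src_port != policy.src_port:
        return False
    if policy.dst_port is not None and pkt.dst_port != policy.dst_port:
        return False
    return True


def gtsm_check(pkt: Packet, policies: List[GtsmPolicy],
               default_action: str = "pass") -> str:
    """Return "pass" (hand the packet to the control plane) or "drop".

    Multicast packets are exempt because GTSM applies to unicast only.
    A packet that matches no policy takes `default_action`; the text does not
    fix that behaviour, so it is modelled as a parameter (assumption)."""
    if ipaddress.ip_address(pkt.dst).is_multicast:
        return "pass"
    for policy in policies:
        if _matches(policy, pkt):
            return "pass" if policy.ttl_min <= pkt.ttl <= policy.ttl_max else "drop"
    return default_action


def demo() -> dict:
    """Run a few constructed packets through a one-hop OSPF policy."""
    policies = [policy_for_neighbor("10.0.0.0/30", OSPF_PROTO, hops=1)]
    return {
        # genuine packet from the directly connected neighbour: TTL untouched at 255
        "neighbor_ok": gtsm_check(Packet("10.0.0.2", "10.0.0.1", OSPF_PROTO, 255), policies),
        # same source address but TTL 250: it crossed routers, so it cannot be the neighbour
        "spoofed_far_away": gtsm_check(Packet("10.0.0.2", "10.0.0.1", OSPF_PROTO, 250), policies),
        # multicast OSPF hello (224.0.0.5) is outside GTSM's scope
        "multicast_hello": gtsm_check(Packet("10.0.0.2", "224.0.0.5", OSPF_PROTO, 1), policies),
        # BGP packet with no matching policy falls through to the default action
        "no_policy_drop": gtsm_check(Packet("192.0.2.9", "10.0.0.1", BGP_PROTO, 64),
                                     policies, default_action="drop"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict}")
```

The check is cheap enough to run in the forwarding plane before any protocol parsing, which is the whole point: a packet whose TTL has already been decremented by intermediate routers is discarded before it can consume control-plane CPU, while multicast hellos and tunnelled neighbours (not modelled here) are outside the mechanism's scope as the text notes.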

Updated: 2019-08-12

Document ID: EDOC1100034072