No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

This is NE20E-S2 V800R010C10SPC500 Configuration Guide - Security

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring OSPF GTSM

Configuring OSPF GTSM

To apply OSPF GTSM functions, enable GTSM on the two ends of the OSPF connection.

Usage Scenario

The GTSM prevents attacks through TTL detection. If an attacker simulates real OSPF unicast packets and keeps sending them to the router, an interface board on the router receives the packets and directly sends them to the control plane for OSPF processing, without checking the validity of the packets. The control plane of the router needs to process the "legal" packets. As a result, the system becomes abnormally busy and the CPU usage is high.

The GTSM protects the router by checking whether the TTL value in an IP header is within a pre-defined range to enhance the system security.

Pre-configuration Tasks

Before configuring the OSPF GTSM, complete the following task:

  • Configuring basic OSPF functions

Procedure

  1. Configure basic OSPF GTSM functions.

    To apply the GTSM, you need to enable GTSM on both ends of the OSPF connection.

    The valid TTL range of detected packets is [255 - hops + 1, 255].

    Perform the following steps on the GTSM routers at the two ends of the virtual link or sham link:

    1. Run system-view

      The system view is displayed.

    2. Run ospf valid-ttl-hops [ hops ] [ nonstandard-multicast ] [ vpn-instance vpn-instance-name ]

      The OSPF GTSM is configured.

      NOTE:
      • The ospf valid-ttl-hops command has two functions: enabling the OSPF GTSM and configuring the TTL value to be detected. The vpn-instance parameter is valid only for the latter function.

      • The valid TTL range of detected packets is [255 - hops + 1, 255].

    3. Run commit

      The configuration is committed.

  2. Set the default action for packets that do not match the GTSM policy.

    GTSM only checks the TTL values of packets that match the GTSM policy. Packets that do not match the GTSM policy can be allowed or dropped.

    You can enable the log function to record packet drop for troubleshooting.

    Perform the following configurations on the GTSM-enabled router:

    1. Run system-view

      The system view is displayed.

    2. Run gtsm default-action { drop | pass }

      The default action for packets that do not match the GTSM policy is configured.

      NOTE:

      If the default action is configured but no GTSM policy is configured, GTSM does not take effect.

      This command is supported only on the Admin-VS and cannot be configured in other VSs. This command takes effect on all VSs.

    3. Run commit

      The configuration is committed.

Checking the Configurations

Run the following commands to check the previous configurations.

  • Run the display gtsm statistics { slot-id | all } command to view the statistics about the GTSM.

    NOTE:

    This command is supported only on the Admin-VS.

Run the display gtsm statistics command. Then, you can view the statistics about the GTSM, including the total number of protocol packets, the number of packets that are allowed to pass through, and the number of dropped packets. For example:

<HUAWEI> display gtsm statistics all
GTSM Statistics Table
---------------------------------------------------------------
SlotId  Protocol   Total Counters  Drop Counters  Pass Counters
---------------------------------------------------------------
2       BGP                    18              0             18
2       BGPv6                   0              0              0
2       OSPF                    0              0              0
2       LDP                     0              0              0
2       OSPFv3                  0              0              0
2       RIP                     0              0              0
---------------------------------------------------------------
Translation
Download
Updated: 2019-01-02

Document ID: EDOC1100055397

Views: 25151

Downloads: 52

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next