NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01
Configuring BGP4+ GTSM

BGP4+ GTSM must be configured on both peers.

Usage Scenario

GTSM prevents attacks by checking the TTL. An attacker forges BGP4+ packets and sends them to the router in large quantities. When an interface board of the router finds that the received packets are addressed to the local router, it sends them directly to the BGP4+ module on the control plane without checking their validity. The control plane then has to process these apparently legal packets, so the system becomes abnormally busy and CPU usage rises.

GTSM protects the router by checking whether the TTL value in the IP header of each received packet falls within a pre-defined range, which enhances system security.

NOTE:
  • The GTSM supports only unicast addresses; therefore, the GTSM must be configured on all the routers configured with routing protocols.

Pre-configuration Tasks

Before configuring the BGP4+ GTSM, complete the following task:

  • Configuring Basic BGP4+ Functions

Perform the following steps on both BGP4+ peers:

Procedure

  1. Configure the basic BGP4+ GTSM functions.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run peer { group-name | ipv6-address } valid-ttl-hops [ hops ]

      The BGP4+ GTSM is configured.

The valid TTL range of checked packets is [255 - hops + 1, 255]. For example, a directly connected EBGP peer is one hop away, so hops is 1 and the only valid TTL value is 255.

      NOTE:
      • When being configured in the BGP view, the GTSM is also applicable to MP-BGP VPNv4 extensions because they use the same TCP connection.
      • GTSM and EBGP-MAX-HOP both affect the TTL values of sent BGP4+ messages and conflict with each other. For a given peer or peer group, configure only one of them.

      A BGP4+ router enabled with GTSM checks the TTL value of every BGP4+ packet it receives and discards packets whose TTL value is outside the configured range. On a router without GTSM, a received BGP4+ packet is sent to the control plane if it matches a configured BGP4+ peer and is discarded otherwise. GTSM therefore prevents bogus BGP4+ packets from consuming CPU resources.

    4. Run commit

      The configuration is committed.

  2. Set the default action for packets that do not match the GTSM policy.

    GTSM checks the TTL value only of packets that match a GTSM policy. Packets that match no GTSM policy can either be allowed to pass or dropped. If drop is set as the default action, the GTSM policy must cover every valid peer, that is, valid-ttl-hops must be configured for each peer that sends packets to the device. If it is not configured for a peer, the device discards that peer's packets and cannot establish a connection with it. The drop action therefore enhances security at the cost of ease of use.

    You can enable the log function to record packet drop for troubleshooting.

    Perform the following configurations on the GTSM-enabled router:

    1. Run system-view

      The system view is displayed.

    2. Run gtsm default-action { drop | pass }

      The default action for packets that do not match the GTSM policy is configured.

      NOTE:

      If the default action is configured but no GTSM policy is configured, GTSM does not take effect.

      This command is supported only on the Admin-VS and cannot be configured in other VSs. This command takes effect on all VSs.

    3. Run commit

      The configuration is committed.
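The two-step procedure above carried out end to end on both peers, as an added example that is not taken from the original guide. The device names, AS numbers, IPv6 addresses and peer group name are constructed for illustration, and basic BGP4+ peering (the pre-configuration task) is assumed to be in place already. Router A and Router B are directly connected EBGP peers, so each accepts only TTL 255 from the other; Router A additionally protects an assumed peer group of IBGP peers that are two hops away, for which TTL 254 and 255 are valid. The drop default action is set on both devices so that BGP4+ packets from any address not covered by a valid-ttl-hops policy are discarded instead of passed to the control plane.

```text
# Router A - constructed example, not from the guide
<RouterA> system-view
[~RouterA] bgp 65001
# Directly connected EBGP peer: hops 1, so only TTL 255 is accepted.
# Do not configure ebgp-max-hop on this peer; it conflicts with GTSM.
[~RouterA-bgp] peer 2001:db8:1::2 valid-ttl-hops 1
# IBGP peer group two hops away: TTL 254 and 255 are accepted ([255-2+1, 255])
[~RouterA-bgp] peer ibgp-core valid-ttl-hops 2
[~RouterA-bgp] commit
[~RouterA-bgp] quit
# Default action for packets matching no GTSM policy (Admin-VS only).
# With drop, every valid peer must have a valid-ttl-hops entry above.
[~RouterA] gtsm default-action drop
[~RouterA] commit

# Router B - mirror configuration toward Router A
<RouterB> system-view
[~RouterB] bgp 65002
[~RouterB-bgp] peer 2001:db8:1::1 valid-ttl-hops 1
[~RouterB-bgp] commit
[~RouterB-bgp] quit
[~RouterB] gtsm default-action drop
[~RouterB] commit

# Verification on either device: forged BGP4+ packets that arrive
# with TTL below the valid range show up in the BGPv6 Drop Counters.
<RouterA> display gtsm statistics all
```

If the IBGP peers are later moved one hop further away, the peer group entry must be raised to valid-ttl-hops 3; otherwise their packets arrive with TTL 253, fall outside [254, 255] and are dropped, and the sessions fail to establish.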

Checking the Configurations

Run the following command to verify the configuration.

  • Run the display gtsm statistics { slot-id | all } command to check the statistics about the GTSM.

    NOTE:

    This command is supported only on the Admin-VS.

Run the display gtsm statistics command to view the GTSM statistics, which include, per protocol, the total number of protocol packets received, the number of packets allowed to pass, and the number of packets dropped. For example:

<HUAWEI> display gtsm statistics all
GTSM Statistics Table
---------------------------------------------------------------
SlotId  Protocol   Total Counters  Drop Counters  Pass Counters
---------------------------------------------------------------
2       BGP                    18              0             18
2       BGPv6                   0              0              0
2       OSPF                    0              0              0
2       LDP                     0              0              0
2       OSPFv3                  0              0              0
2       RIP                     0              0              0
---------------------------------------------------------------
Updated: 2019-01-02

Document ID: EDOC1100055397