NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Overview of GTSMs

The Generalized TTL Security Mechanism (GTSM) is designed to protect devices against CPU utilization-based attacks by checking whether the time to live (TTL) value in the IP header is within a specified range.

Attacks that use "valid packets" overload the device and consume its resources, such as the CPU. For example, an attacker keeps sending packets that simulate BGP packets to the device. After receiving these packets, the device finds that it is their destination, and the forwarding plane sends them directly to the control plane for BGP processing without checking their validity. The device is kept busy processing these "valid" packets, and its CPU usage becomes high.

The GTSM protects the services above the IP layer against attacks by checking whether the TTL value in the IP header is within a pre-defined range. In practice, the GTSM is mainly used to protect the TCP/IP-based control plane, including the routing protocols, against CPU-utilization attacks such as CPU overload.

When configuring GTSM, note the following precautions:

  • The GTSM supports only unicast addresses; therefore, the GTSM must be configured on all the routers configured with routing protocols.

  • When being configured in the BGP view, the GTSM is also applicable to MP-BGP VPNv4 extensions because they use the same TCP connection.

  • The GTSM and EBGP-MAX-HOP functions both affect the TTL values of sent BGP packets, so they conflict with each other. For a peer or a peer group, you can use only one of them.

  • GTSM does not support tunnel-based neighbors. For example, when an IP packet that carries a BGP packet is transmitted through a tunnel and reaches the peer end of the tunnel, the tunnel protocol parses the IP packet. The TTL value in the IP packet cannot reflect the number of forwarding hops; therefore, the GTSM cannot be applied.

A GTSM-enabled device checks the TTL values in all protocol packets. As required by the actual networking, packets whose TTL values are not within the specified range are discarded. If GTSM is not configured, received protocol packets are forwarded if they match the neighbor configuration; otherwise, they are discarded. This prevents bogus protocol packets from consuming CPU resources.
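The TTL check described above, sketched in Python as an added example (it is not Huawei code or device configuration). It assumes that a GTSM sender transmits with TTL 255 and that the accepted range for a peer `hops` hops away is [255 - hops + 1, 255]; the function names, the policy table, the `default_action` parameter and the addresses are constructed for illustration.

```python
import socket
import struct

MAX_TTL = 255  # assumption: a GTSM sender transmits with the maximum TTL


def ttl_window(hops):
    """Assumed accepted range for a peer `hops` hops away: [255 - hops + 1, 255]."""
    if not 1 <= hops <= MAX_TTL:
        raise ValueError("hops must be between 1 and 255")
    return MAX_TTL - hops + 1, MAX_TTL


def parse_ipv4(header):
    """Return (source address, protocol, TTL) from raw IPv4 header bytes."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return socket.inet_ntoa(header[12:16]), header[9], header[8]


def gtsm_check(header, policy, default_action="pass"):
    """policy maps a peer address to its hop count. Returns 'pass' or 'drop'."""
    src, _proto, ttl = parse_ipv4(header)
    if src not in policy:
        return default_action  # no GTSM policy configured for this source
    low, high = ttl_window(policy[src])
    return "pass" if low <= ttl <= high else "drop"


def build_header(src, dst, ttl, proto=6):
    """Constructed 20-byte IPv4 header (checksum left at 0, not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


# Constructed sample: 192.0.2.1 is a directly connected peer (1 hop).
POLICY = {"192.0.2.1": 1}
SAMPLES = [
    ("genuine adjacent peer", build_header("192.0.2.1", "192.0.2.2", 255)),
    ("forged source, crossed 5 routers", build_header("192.0.2.1", "192.0.2.2", 250)),
    ("source without a policy", build_header("198.51.100.7", "192.0.2.2", 64)),
]

if __name__ == "__main__":
    for label, hdr in SAMPLES:
        print(f"{label}: ttl={hdr[8]} -> {gtsm_check(hdr, POLICY)}")
```

The second sample shows why the check works: a packet that claims the peer's address but was sent from farther away arrives with a TTL that routers on the path have already decremented below the accepted range.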

Updated: 2019-01-02

Document ID: EDOC1100055397
