NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring LDP GTSM

LDP GTSM must be configured on both LDP peers.

Usage Scenario

The Generalized TTL Security Mechanism (GTSM) defends against attacks by checking TTL values. An attacker can forge LDP unicast packets that look genuine and send them to the router continuously. When an interface board finds that such packets are destined for the local router, it sends them directly to LDP on the control plane without checking their validity. The control plane must then process these seemingly "legal" packets, so the system becomes abnormally busy and CPU usage is high.

GTSM protects the router by checking whether the TTL value carried in an LDP packet is within a predefined range, which improves system security.

Pre-configuration Tasks

Before configuring the LDP GTSM, complete the following task:

  • Enable MPLS and MPLS LDP.

Context

Perform the following steps on the two LDP peers that need to be configured with the GTSM:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mpls ldp

    The MPLS LDP view is displayed.

  3. Run gtsm peer ip-address valid-ttl-hops hops

    The LDP GTSM is configured.

    Set hops to the maximum number of valid hops permitted by the GTSM. Packets sent by the LDP peer are accepted when the TTL value they carry is within the range [255 - hops + 1, 255]; otherwise, the packets are discarded.

    NOTE:

    The valid TTL range is from 1 to 255 or from 1 to 64, depending on the specific vendor. If a Huawei device is connected to a non-Huawei device, set hops to a value in a valid range that both devices support; otherwise, the Huawei device will discard packets sent by the non-Huawei device, resulting in LDP session interruption.

  4. Run commit

    The configuration is committed.

Checking the Configurations

Run the following command to check the previous configurations.

  • Run the display gtsm statistics { slot-id | all } command to view the statistics about the GTSM.

    NOTE:

    This command is supported only on the Admin-VS.

Run the display gtsm statistics command. Then, you can view the statistics about the GTSM, including the total number of protocol packets, the number of packets that are allowed to pass through, and the number of dropped packets. For example:

<HUAWEI> display gtsm statistics all
GTSM Statistics Table
---------------------------------------------------------------
SlotId  Protocol   Total Counters  Drop Counters  Pass Counters
---------------------------------------------------------------
2       BGP                    18              0             18
2       BGPv6                   0              0              0
2       OSPF                    0              0              0
2       LDP                     0              0              0
2       OSPFv3                  0              0              0
2       RIP                     0              0              0
---------------------------------------------------------------
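
The following Python sketch is an added example, not part of the Huawei guide: it parses output in the format shown above, flags LDP rows that report dropped packets, and applies the acceptance window [255 - hops + 1, 255] from step 3. The sample counters, function names and the drop-ratio threshold are constructed for illustration.

```python
import re

# Constructed sample in the format of "display gtsm statistics all";
# the counter values are made up for illustration.
SAMPLE = """\
GTSM Statistics Table
---------------------------------------------------------------
SlotId  Protocol   Total Counters  Drop Counters  Pass Counters
---------------------------------------------------------------
2       BGP                    18              0             18
2       LDP                   120             35             85
3       LDP                    40              0             40
---------------------------------------------------------------
"""

# A data row is: slot id, protocol name, then three integer counters.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_gtsm_stats(text):
    """Return one dict per data row; prompt, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            slot, proto, total, drop, passed = m.groups()
            rows.append({"slot": int(slot), "protocol": proto,
                         "total": int(total), "drop": int(drop), "pass": int(passed)})
    return rows


def gtsm_findings(rows, protocol="LDP", max_drop_ratio=0.0):
    """Return (slot, summary) for rows of `protocol` whose drop ratio
    exceeds max_drop_ratio (hypothetical threshold, default: any drop)."""
    findings = []
    for r in rows:
        if r["protocol"] == protocol and r["total"] and r["drop"] / r["total"] > max_drop_ratio:
            findings.append((r["slot"], f"{r['drop']}/{r['total']} dropped"))
    return findings


def ttl_accepted(ttl, hops):
    """GTSM acceptance window from step 3: [255 - hops + 1, 255]."""
    return 255 - hops + 1 <= ttl <= 255


if __name__ == "__main__":
    for slot, summary in gtsm_findings(parse_gtsm_stats(SAMPLE)):
        print(f"slot {slot}: LDP GTSM {summary}")
```

A non-zero LDP drop counter means packets arrived with a TTL outside the configured window: either forged packets are being rejected, or hops does not cover the path to a legitimate peer.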
Updated: 2019-01-02

Document ID: EDOC1100055397
