No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

This is NE20E-S2 V800R010C10SPC500 Configuration Guide - Security
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring BGP GTSM

Configuring BGP GTSM

BGP GTSM must be configured on both peers.

Usage Scenario

GTSM prevents attacks through TTL detection. An attacker simulates real BGP packets and sends the packets in a large quantity to the router. After receiving the packets, an interface board of the router directly sends the packets to the BGP module of the control plane if the interface board finds that the packets are sent by the local router, without checking the validity of the packets. The control plane of the router needs to process the "legal" packets. As a result, the system becomes abnormally busy and the CPU usage is high.

GTSM protects the router by checking whether the TTL value in an IP packet header is within a pre-defined range to enhance the system security.

NOTE:
  • GTSM supports only unicast addresses; therefore, GTSM must be configured on all the routers configured with routing protocols.

Pre-configuration Tasks

Before configuring the BGP GTSM, complete the following task:

  • Configuring Basic BGP Functions

Perform the following steps on both BGP peers:

Procedure

  1. Configure the basic BGP GTSM functions.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run peer { group-name | ipv4-address } valid-ttl-hops [ hops ]

      The BGP GTSM is configured.

      The valid TTL range of detected packets is [255 - hops + 1, 255]. For example, for an EBGP direct route, the number of hops is 1, that is, the valid TTL value is 255. By default, the valid TTL range is [1, 255], that is, the value of hops is 255.

      NOTE:
      • When being configured in the BGP view, GTSM is also applicable to MP-BGP VPNv4 extensions because they use the same TCP connection.
      • The GTSM and EBGP-MAX-HOP functions both affect the TTL values of sent BGP messages and they conflict with each other. Thus, for a peer or a peer group, you can use only either of them.

      A BGP router that is enabled with GTSM checks the TTL values in all BGP packets. As required by the actual networking, packets whose TTL values are not within the specified range are discarded. If GTSM is not configured on a BGP router, the received BGP packets are forwarded if the BGP peer configuration is matched. Otherwise, the received BGP packets are discarded. This prevents bogus BGP packets from consuming CPU resources.

    4. Run commit

      The configuration is committed.

  2. Set the default action for packets that do not match the GTSM policy.

    GTSM only checks the TTL values of packets that match the GTSM policy. Packets that do not match the GTSM policy can be allowed or dropped. If "drop" is set as the default GTSM action for packets, you need to configure TTL values for all the packets sent from valid peers in the GTSM policy. If TTL values are not configured for the packets sent from a peer, the device will discard the packets sent from the peer and cannot establish a connection to the peer. Therefore, GTSM enhances security but reduces the ease of use.

    You can enable the log function to record packet drop for troubleshooting.

    Perform the following configurations on the GTSM-enabled router:

    1. Run system-view

      The system view is displayed.

    2. Run gtsm default-action { drop | pass }

      The default action for packets that do not match the GTSM policy is configured.

      NOTE:

      If the default action is configured but no GTSM policy is configured, GTSM does not take effect.

      This command is supported only on the Admin-VS and cannot be configured in other VSs. This command takes effect on all VSs.

    3. Run commit

      The configuration is committed.

Checking the Configurations

Run the following command to check the previous configurations.

  • Run the display gtsm statistics { slot-id | all } command to check the statistics about GTSM.

    NOTE:

    This command is supported only on the Admin-VS.

Run the display gtsm statistics command. Then, you can view the statistics about GTSM, including the numbers of protocol packets, the number of packets that are allowed to pass through, and the number of dropped packets. For example:

<HUAWEI> display gtsm statistics all
GTSM Statistics Table
---------------------------------------------------------------
SlotId  Protocol   Total Counters  Drop Counters  Pass Counters
---------------------------------------------------------------
2       BGP                    18              0             18
2       BGPv6                   0              0              0
2       OSPF                    0              0              0
2       LDP                     0              0              0
2       OSPFv3                  0              0              0
2       RIP                     0              0              0
---------------------------------------------------------------
Translation
Download
Updated: 2019-01-02

Document ID: EDOC1100055397

Views: 21957

Downloads: 39

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next