Feature Description - MPLS 01

NE05E and NE08E V300R003C10SPC500

LDP GTSM

For an overview of GTSM, see the NE device Feature Description - Security.

Principles

LDP GTSM applies the Generalized TTL Security Mechanism (GTSM) to LDP.

To protect the NE against attacks, GTSM verifies each packet by checking its TTL. GTSM for LDP verifies the LDP packets exchanged between neighboring or adjacent (within a fixed number of hops) NEs. A valid TTL range is configured on each NE for packets from each of its peers, and GTSM is enabled. If the TTL of an LDP packet received by an NE configured with LDP GTSM is outside the configured range, the packet is considered invalid and discarded, which protects the upper-layer protocols.

Usage Scenario

GTSM is used to protect the TCP/IP-based control plane against CPU usage attacks, for example, CPU overload attacks. GTSM for LDP verifies all LDP packets so that LDP is not subjected to CPU-exhaustion attacks in which it receives and processes a large number of forged packets.

Figure 3-17 Networking diagram for LDP GTSM

In Figure 3-17, LSR1 through LSR5 are core NEs on the backbone network. When LSRA is connected to the NE through another device, LSRA may initiate an attack by forging LDP packets that appear to be transmitted among LSR1 through LSR5.

Even if LSRA accesses the backbone network through another device and forges an LDP packet, it cannot forge the TTL with which that packet arrives, because each device the packet traverses decrements the TTL by one.

A GTSM policy is configured on each of LSR1 through LSR5 to verify packets from its possible neighbors. For example, on LSR5 the valid hop count for packets from LSR2 is set to 1 or 2, so the valid TTL is 254 or 255. A forged packet sent by LSRA to LSR5 through multiple intermediate devices arrives with a TTL outside this preset range, so LSR5 discards it and the attack is prevented.
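The following Python model illustrates the TTL check described in the Principles and Usage Scenario sections. It is an added example, not code from Huawei or from the NE software: the per-peer policy is modelled as a plain dictionary, hop count 1 denotes a directly connected neighbor, a packet from a peer with no configured policy is treated as untrusted, and the packets in the demo are constructed to reproduce the LSR5/LSR2/LSRA scenario from Figure 3-17.

```python
# Illustrative model of the LDP GTSM TTL check (added example; not Huawei code).
# Assumptions: the peer-to-hop-count policy is a plain dict, and a packet from a
# peer with no configured policy is dropped.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_TTL = 255  # GTSM-capable senders emit LDP packets with the maximum TTL


@dataclass
class GtsmPolicy:
    """Per-peer GTSM policy: a valid hop count maps to the TTL range
    [MAX_TTL - hops + 1, MAX_TTL], where hop count 1 is a directly
    connected neighbor (no intermediate device decrements the TTL)."""
    valid_hops: Dict[str, int] = field(default_factory=dict)

    def set_peer(self, peer: str, hops: int) -> None:
        if not 1 <= hops <= MAX_TTL:
            raise ValueError("valid hop count must be between 1 and 255")
        self.valid_hops[peer] = hops

    def ttl_range(self, peer: str) -> Tuple[int, int]:
        hops = self.valid_hops[peer]
        return MAX_TTL - hops + 1, MAX_TTL

    def accept(self, peer: str, ttl: int) -> bool:
        """True if an LDP packet attributed to `peer` carries a TTL in range."""
        if peer not in self.valid_hops:
            return False  # assumption: unknown peers are not trusted
        lo, hi = self.ttl_range(peer)
        return lo <= ttl <= hi


def ttl_on_arrival(initial_ttl: int, hops: int) -> int:
    """TTL seen by the receiver when a packet sent with `initial_ttl` travels
    `hops` hops (1 = directly connected). Every intermediate device decrements
    the TTL by one, which is why a remote attacker cannot make a packet arrive
    with the TTL of a close neighbor."""
    if hops < 1:
        raise ValueError("hop count must be at least 1")
    return initial_ttl - (hops - 1)


def filter_packets(policy: GtsmPolicy,
                   packets: List[Tuple[str, int]]
                   ) -> Tuple[List[Tuple[str, int]], List[Tuple[str, int]]]:
    """Apply the GTSM check to (claimed_source, ttl) pairs; return (accepted, dropped)."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if policy.accept(*pkt) else dropped).append(pkt)
    return accepted, dropped


def demo() -> Tuple[List[Tuple[str, int]], List[Tuple[str, int]]]:
    """Reproduce the scenario: LSR5 trusts LSR2 at 1 or 2 hops (TTL 254 or 255)."""
    lsr5 = GtsmPolicy()
    lsr5.set_peer("LSR2", 2)
    # Constructed packets as seen by LSR5. The last one is forged by LSRA, which
    # claims LSR2 as its source but sits five hops away, so four intermediate
    # devices have already decremented its TTL.
    packets = [
        ("LSR2", ttl_on_arrival(MAX_TTL, 1)),  # genuine, directly connected -> 255
        ("LSR2", ttl_on_arrival(MAX_TTL, 2)),  # genuine, one device in between -> 254
        ("LSR2", ttl_on_arrival(MAX_TTL, 5)),  # forged by LSRA -> 251, dropped
    ]
    return filter_packets(lsr5, packets)


if __name__ == "__main__":
    accepted, dropped = demo()
    print("accepted:", accepted)
    print("dropped:", dropped)
```

The model shows why the check is cheap and robust: the receiver never needs to authenticate the packet, only to compare one header field against a range derived from the configured hop count, and the range is defensible because TTL decrement is performed by every forwarding device regardless of what the sender put in the packet.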

Updated: 2019-01-14

Document ID: EDOC1100058933

Views: 11269

Downloads: 12

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next