ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01



  • BGP MD5 authentication

    BGP runs over TCP, and a BGP packet is accepted as valid as long as its source IP address, destination IP address, source port, destination port, and TCP sequence number are correct. Most of these parameters are easy for an attacker to obtain. Therefore, to protect BGP sessions from attacks, use MD5 authentication over TCP between BGP peers to reduce the risk of such attacks.

    To reduce the risk of an MD5 password configured on the BGP peers being cracked, change the MD5 password periodically.

  • Keychain authentication

    A keychain consists of multiple authentication keys, each of which contains an ID and a password. Each key has a lifecycle. According to the lifecycle of a key, a device dynamically selects different authentication keys in a keychain. After a keychain with the same rules is configured on the two ends of a BGP connection, the keychain can dynamically select an authentication key to enhance BGP attack defense.

  • GTSM

    GTSM checks TTL values to defend against attacks. If an attacker simulates real BGP packets and sends them continuously to a router, an interface board of the router receives these packets, determines that they are destined for the router, and sends them to the BGP protocol on the control plane without verifying them. The router becomes extremely busy, and CPU usage is high, because the control plane of the router has to process all of these unchecked packets.

    GTSM protects the router by checking whether the TTL value within the IP packet header is in a pre-defined range to improve system security.

  • BGP whitelist

    The application layer association module checks protocol packets sent to the CPU and forwards protocol packets that match the whitelist at a high rate.

  • CP-CAR

    For enabled services or protocols, the device sends the related packets to the CPU at the specified rate, which protects the CPU from attacks and ensures proper network operation.

  • Route over-threshold control

    The number of route records in a BGP routing table is generally large. To prevent consuming too many system resources when a large number of routes are received from peers, you can configure the maximum number of routes that a BGP device can receive from a BGP peer.

  • Limitation on the number of AS-paths

    When a BGP router receives a route, the router checks whether the number of AS numbers in the AS-path attribute exceeds a specified threshold. If it does, the router discards the route. During route advertisement, the router also checks whether the number of AS numbers in the AS-path attribute exceeds the threshold. If it does, the router does not advertise the route. This prevents maliciously constructed error packets with extra-long AS-path attributes from attacking the router.
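    The check described above, as an added illustration that is not part of this guide or the router's own code: the AS_PATH attribute value is parsed segment by segment (RFC 4271 wire format, 4-byte AS numbers per RFC 6793), the AS numbers are counted across all segments, and the route is rejected when the count exceeds the configured threshold or the attribute is malformed. Counting every AS number in every segment is an assumption about how the threshold is measured; the sample attributes are constructed.

```python
import struct

# AS_PATH segment types (RFC 4271)
AS_SET = 1
AS_SEQUENCE = 2


def parse_as_path(attr_value: bytes, as4: bool = True):
    """Parse an AS_PATH attribute value into [(segment_type, [asn, ...]), ...].
    as4=True means 4-byte AS numbers (RFC 6793); False means 2-byte."""
    width, fmt = (4, "!I") if as4 else (2, "!H")
    segments = []
    pos = 0
    while pos < len(attr_value):
        if pos + 2 > len(attr_value):
            raise ValueError("truncated AS_PATH segment header")
        seg_type, count = attr_value[pos], attr_value[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown AS_PATH segment type {seg_type}")
        needed = count * width
        if pos + needed > len(attr_value):
            # segment claims more AS numbers than the attribute carries
            raise ValueError("AS_PATH segment length exceeds attribute")
        asns = [struct.unpack(fmt, attr_value[pos + i * width:pos + (i + 1) * width])[0]
                for i in range(count)]
        pos += needed
        segments.append((seg_type, asns))
    return segments


def as_path_as_count(attr_value: bytes, as4: bool = True) -> int:
    """Total number of AS numbers carried in the attribute, across all segments."""
    return sum(len(asns) for _, asns in parse_as_path(attr_value, as4))


def accept_as_path(attr_value: bytes, limit: int, as4: bool = True) -> bool:
    """True if the route passes the AS-path length limit; malformed attributes fail."""
    try:
        return as_path_as_count(attr_value, as4) <= limit
    except ValueError:
        return False


def build_as_sequence(asns, as4: bool = True) -> bytes:
    """Build one AS_SEQUENCE segment (used only to construct the samples below)."""
    if len(asns) > 255:
        raise ValueError("a segment holds at most 255 AS numbers")
    fmt = "!I" if as4 else "!H"
    return bytes([AS_SEQUENCE, len(asns)]) + b"".join(struct.pack(fmt, a) for a in asns)


# Constructed samples: a normal 3-hop path and a 200-hop path from private ASNs.
NORMAL_PATH = build_as_sequence([64496, 64497, 64498])
LONG_PATH = build_as_sequence([64512 + i for i in range(200)])
```

Running `accept_as_path(LONG_PATH, 100)` returns False while the 3-hop path is accepted, and a truncated attribute is rejected rather than parsed partially.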

  • RPKI

    Resource Public Key Infrastructure (RPKI) improves BGP security by validating the origin ASs of BGP/BGP4+ routes.

    When an RPKI server is available on the network and you want to validate the origin ASs of BGP routes, configure RPKI on a client to accept only the routes that originate from the specified ASs. In addition, you can apply the validation result to BGP route selection to ensure that hosts in the local AS can securely communicate with hosts in other ASs.

  • BMP

    The BGP Monitoring Protocol (BMP) monitors BGP/BGP4+ running status, such as BGP peer relationship establishment and termination and route updates.

    Without BMP, manual query is required if you want to know about BGP/BGP4+ running status. To improve the network monitoring efficiency, you can configure BMP on a router to use a monitoring server on the network to monitor BGP/BGP4+ running status.

Updated: 2019-01-04

Document ID: EDOC1100059445
