ME60 V800R010C10SPC500 Feature Description - MPLS 01

LDP GTSM

For an overview of GTSM, see the HUAWEI ME60 Feature Description - Security.

Principles

LDP GTSM is the implementation of GTSM for the LDP protocol.

To protect the ME device against attacks, GTSM checks the TTL field of each received packet. GTSM for LDP verifies the LDP packets exchanged between neighboring or adjacent (a fixed number of hops apart) ME devices. On each ME device, a valid TTL range is configured for packets from each of its peer ME devices, and GTSM is enabled. If an LDP packet received by an ME device configured with LDP carries a TTL outside the configured range, the packet is considered invalid and discarded. In this way, the upper-layer protocols are protected.

Usage Scenario

GTSM is used to protect the TCP/IP-based control plane against CPU usage attacks, for example, CPU overload attacks. GTSM for LDP verifies all LDP packets so that LDP is not exhausted by receiving and processing a large number of forged packets.

Figure 3-19 Networking diagram for LDP GTSM

In Figure 3-19, LSR1 through LSR5 are core ME devices on the backbone network. When LSRA is connected to the backbone ME devices through another device, LSRA may launch an attack by forging the LDP packets that are exchanged among LSR1 through LSR5.

Even after LSRA accesses the backbone network through another device and forges an LDP packet, the TTL carried in the forged packet cannot be forged: every device on the path decrements the TTL, so the value that arrives at the target reflects the real number of hops the packet traversed.

A GTSM policy is configured separately on each of LSR1 through LSR5 and is used to verify packets received from possible neighbors. For example, on LSR5, the valid number of hops for packets sent from LSR2 is set to 1 or 2, so the valid TTL is 254 or 255. The forged packet that LSRA sends to LSR5 through multiple intermediate devices arrives with a TTL value outside the preset range. LSR5 discards the forged packet and the attack is prevented.
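The following is an added example, not Huawei's implementation, that models the LDP GTSM check in the Figure 3-19 scenario: it maps a configured valid hop count to the accepted TTL window and applies it to a constructed mix of genuine and forged packets arriving at LSR5. Peer addresses, hop counts and the handling of peers with no policy entry are assumptions.

```python
MAX_TTL = 255  # highest TTL an IP packet can carry; a sender cannot exceed it

def ttl_range(valid_hops):
    """Accepted (low, high) TTL window for a peer at most `valid_hops` away.
    A peer that sends with TTL 255 arrives with 255 - (hops - 1)."""
    return (MAX_TTL - valid_hops + 1, MAX_TTL)

def forward(initial_ttl, hops):
    """TTL a packet carries on arrival after crossing `hops` links.
    Each transit device decrements the TTL; a directly connected peer
    (1 hop) delivers the packet with the initial value untouched."""
    if initial_ttl > MAX_TTL:
        raise ValueError("TTL cannot exceed 255, even in a forged packet")
    return initial_ttl - (hops - 1)

# Constructed GTSM policy on LSR5: valid hop count per LDP peer address.
GTSM_POLICY = {
    "10.0.0.2": 2,  # LSR2, two hops away -> TTL 254 or 255 accepted
    "10.0.0.4": 1,  # LSR4, directly connected -> TTL 255 only
}

def gtsm_check(packet, policy, drop_unknown=True):
    """Return True if the packet passes the GTSM check, False if discarded.
    `drop_unknown` (assumption) decides the fate of peers with no policy."""
    hops = policy.get(packet["src"])
    if hops is None:
        return not drop_unknown
    low, high = ttl_range(hops)
    return low <= packet["ttl"] <= high

def simulate(policy):
    """Replay the scenario: genuine LSR2/LSR4 traffic and LSRA's forgery."""
    packets = [
        {"src": "10.0.0.2", "ttl": forward(MAX_TTL, 2)},  # genuine LSR2 -> 254
        {"src": "10.0.0.4", "ttl": forward(MAX_TTL, 1)},  # genuine LSR4 -> 255
        # LSRA spoofs LSR2's address; even with the maximum initial TTL,
        # crossing the access device and the backbone path leaves TTL 250.
        {"src": "10.0.0.2", "ttl": forward(MAX_TTL, 6)},
    ]
    return [gtsm_check(p, policy) for p in packets]

if __name__ == "__main__":
    for verdict in simulate(GTSM_POLICY):
        print("accepted" if verdict else "discarded")
```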

Updated: 2019-01-04

Document ID: EDOC1100059460
