
ME60 V800R010C10SPC500 Feature Description - WAN Access 01

OSPF GTSM

Definition

Generalized TTL security mechanism (GTSM) protects services running above the IP layer by checking whether the TTL value in the IP packet header falls within a pre-defined range.

Purpose

On a network, an attacker may forge OSPF packets and send them to a device continuously. If these packets are destined for the device, it passes them directly to the control plane for processing without checking their validity. The control plane is then kept busy processing the forged packets, which drives CPU usage up.

GTSM protects the TCP/IP-based control plane against CPU-utilization attacks, such as CPU-overload attacks.

Principles

A GTSM-enabled device checks the TTL value of each received packet against a configured policy. Packets that fail the check are either discarded or sent to the control plane, depending on the configured action, which protects the device from CPU-utilization attacks. A GTSM policy consists of the following items:

  • Source address of the IP packet sent to the device

  • VPN instance to which the packet belongs

  • Protocol number of the IP packet (89 for OSPF, 6 for BGP)

  • Source port number and destination port number of protocols above TCP/UDP

  • Valid TTL range

GTSM is implemented as follows:

  • For directly connected OSPF neighbors, the TTL value of the unicast protocol packets sent is set to 255, so a packet from such a neighbor is expected to arrive with a TTL of 255.

  • For multi-hop neighbors, a reasonable TTL range is defined that accounts for the hops between the neighbors.

The applicability of GTSM is as follows:

  • GTSM applies to unicast packets, not to multicast packets. This is because the TTL value of multicast packets can only be 255, so GTSM protection is not needed for them.

  • GTSM does not support tunnel-based neighbors.
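As an added example (not part of the Huawei document), the following Python models the GTSM check described above over constructed IPv4 headers: the policy fields follow the list in the Principles section, multicast packets bypass the check, and a direct neighbor is held to TTL 255 while a multi-hop neighbor gets a TTL range. The class and function names, and the assumption that a packet matching no policy receives a configurable default action, are the example's own.

```python
import ipaddress
import struct
from dataclasses import dataclass


@dataclass
class GtsmPolicy:
    """One GTSM policy entry (hypothetical model of the fields the text lists)."""
    source: ipaddress.IPv4Network   # source address/prefix of the peer
    vpn_instance: str               # VPN instance the packet belongs to
    protocol: int                   # IP protocol number: 89 = OSPF, 6 = BGP
    ttl_min: int                    # valid TTL range, inclusive
    ttl_max: int = 255


def parse_ipv4(raw: bytes):
    """Extract (src, dst, ttl, protocol) from a minimal IPv4 header."""
    ttl, proto = struct.unpack("!BB", raw[8:10])
    src = ipaddress.IPv4Address(raw[12:16])
    dst = ipaddress.IPv4Address(raw[16:20])
    return src, dst, ttl, proto


def gtsm_check(raw: bytes, vpn: str, policies, default_action: str = "drop") -> str:
    """Return 'pass' or 'drop' for a received packet under the given policies."""
    src, dst, ttl, proto = parse_ipv4(raw)
    if dst.is_multicast:
        # GTSM is applied to unicast packets only; multicast hellos are exempt.
        return "pass"
    for p in policies:
        if p.vpn_instance == vpn and p.protocol == proto and src in p.source:
            # A forged packet injected from farther away arrives with a lower TTL.
            return "pass" if p.ttl_min <= ttl <= p.ttl_max else "drop"
    # Assumption: packets matching no policy get the configured default action.
    return default_action


def build_ipv4(src: str, dst: str, ttl: int, proto: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero) for test input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


# Constructed policies: a directly connected neighbor and a multi-hop neighbor.
POLICIES = [
    GtsmPolicy(ipaddress.IPv4Network("10.0.0.2/32"), "default", 89, 255, 255),
    GtsmPolicy(ipaddress.IPv4Network("192.0.2.0/24"), "default", 89, 252, 255),
]
```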

Updated: 2019-01-04

Document ID: EDOC1100059473
