
ME60 V800R010C10SPC500 Feature Description - WAN Access 01

BGP Security

BGP Authentication

BGP can work properly only after BGP peer relationships are established. Authenticating BGP peers can improve BGP security. BGP supports the following authentication modes:

  • MD5 authentication

    BGP uses TCP as the transport layer protocol. Message Digest 5 (MD5) authentication can be used when establishing TCP connections to improve BGP security. MD5 authentication sets the MD5 authentication password for the TCP connection, and TCP performs the authentication. If the authentication fails, the TCP connection cannot be established.

  • Keychain authentication

    Keychain authentication is performed on the application layer. It ensures smooth service transmission and improves security by periodically changing the password and encryption algorithms. When keychain authentication is configured for BGP peer relationships over TCP connections, BGP packets as well as the establishment process of a TCP connection can be authenticated. For details about keychain, see "Keychain" in HUAWEI ME60 Feature Description - Security.

GTSM

During a network attack, an attacker may forge BGP packets and send them to the ME device continuously. Packets destined for the ME device are sent directly to the control plane for processing without being validated, so the added processing load on the control plane drives CPU usage up.

The Generalized TTL Security Mechanism (GTSM) defends against such attacks by checking whether the time to live (TTL) value in each IP packet header is within a pre-defined range. The TTL is the maximum number of devices (hops) that a packet can pass through.

In actual networking, packets whose TTL values are outside the specified range are either allowed to pass or discarded by GTSM, depending on the configured action. To have GTSM discard them, set an appropriate TTL range according to the network topology; packets whose TTL values fall outside that range are then discarded, protecting the local device from such attacks.

You can also enable the log function to record discarded packets for further fault location.

RPKI

Resource Public Key Infrastructure (RPKI) improves BGP security by validating the origin ASs of BGP routes.

Attackers can steal user data by advertising routes that are more specific than those advertised by carriers. For example, if a carrier has advertised a route destined for 10.10.0.0/16, an attacker can advertise a route destined for 10.10.153.0/16, which is more specific than 10.10.0.0/16. According to the longest match rule, 10.10.153.0/16 is preferentially selected for traffic forwarding. As a result, the attacker succeeds in intercepting user data.

To address this issue, establish an RPKI session between a router and an RPKI server. The router will then query Route Origin Authorizations (ROAs) from the RPKI server through the RPKI session and match the origin AS of each received BGP route against the ROAs. This mechanism ensures that only the routes that originate from the trusted ASs are accepted. The validation result can also be applied to BGP route selection to ensure that hosts in the local AS can communicate with hosts in other ASs.
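The ROA matching step described above, as an added example that is not part of the Huawei document: a small RFC 6811 route origin validator in Python, applied to the hijack scenario from the previous paragraph. The ROA set, the carrier AS 64500, the attacker AS 64510 and the more-specific prefix (taken here as 10.10.153.0/24) are all constructed for the example.

```python
import ipaddress
from collections import namedtuple

# A Route Origin Authorization: the holder of `prefix` authorises `origin_as`
# to originate it and any more-specific prefix up to `max_length` bits.
ROA = namedtuple("ROA", "prefix max_length origin_as")

# Constructed ROA set, standing in for what the router fetches from the RPKI
# server: the carrier (hypothetical AS 64500) holds 10.10.0.0/16 and has
# authorised only the /16 itself (max length 16).
CARRIER_ROAS = [ROA(ipaddress.ip_network("10.10.0.0/16"), 16, 64500)]


def validate_origin(roas, prefix_str, origin_as):
    """Route origin validation as defined in RFC 6811.

    'not-found': no ROA covers the prefix.
    'valid'    : a covering ROA lists this origin AS and the prefix length
                 does not exceed that ROA's max length.
    'invalid'  : covered, but no ROA matches both origin AS and length.
    """
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    covering = [r for r in roas
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_as == origin_as and prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def filter_routes(roas, routes):
    """Apply the validation result to route selection: drop 'invalid' routes,
    keep 'valid' and 'not-found' ones, tagging each with its state."""
    accepted = []
    for prefix_str, origin_as in routes:
        state = validate_origin(roas, prefix_str, origin_as)
        if state != "invalid":
            accepted.append((prefix_str, origin_as, state))
    return accepted


if __name__ == "__main__":
    # Constructed announcements: the carrier's /16, a more-specific /24 from a
    # hypothetical attacker AS 64510 (the hijack above), and an uncovered prefix.
    received = [("10.10.0.0/16", 64500), ("10.10.153.0/24", 64510),
                ("192.0.2.0/24", 64510)]
    for entry in filter_routes(CARRIER_ROAS, received):
        print(entry)
```

Note that the /24 is rejected even if the carrier's own AS originated it, because the ROA's max length is 16; a ROA with a larger max length would be needed to permit more-specifics.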

Updated: 2019-01-04

Document ID: EDOC1100059473
