Configuring the Device to Process IP Packets with Options
Context
IP packets can carry route options, including the route alert, route record, source route, and timestamp options. These options are used to diagnose network paths and to temporarily transmit special services. Attackers, however, can use them to probe the network structure in preparation for attacks, which degrades network security and device performance. To prevent this, configure the device to discard IP packets that contain route options, as described in the following procedure.
Procedure
- Run system-view
The system view is displayed.
- Run interface interface-type interface-number
The interface view is displayed.
- Run the following commands according to the route options carried in the IP packets to be discarded:
  - Run discard ra
    The interface is configured to discard IP packets with route-alert options.
  - Run discard rr
    The interface is configured to discard IP packets with record-route options.
  - Run discard srr
    The interface is configured to discard IP packets with source-route options.
  - Run discard ts
    The interface is configured to discard IP packets with time-stamp options.
By default, the device processes IP packets that carry route options.