NE40E V800R010C00 Configuration Guide - Security Hardening 01

Path-Distance-Based Access Control

Routers are deployed in carrier networks mainly to forward packets. Only a very limited set of hosts needs to access a router, and the access paths and hop distances of those hosts are relatively fixed.

A router can therefore reject packets that arrive from beyond the expected path hop distance, which fends off attacks from untrusted networks and protects the router.

For directly connected protocol neighbors: the protocol packets a device sends out carry a TTL of 255. When a neighbor with GTSM enabled receives them, its forwarding plane directly discards any protocol packet whose TTL is not 255, which protects the control plane from attack.

For multi-hop neighbors: a reasonable TTL range, for example 251 to 255, can be defined. The neighbor's forwarding plane filters out protocol packets whose TTL falls outside this range, which again protects the control plane from attack.

Example for Configuring BGP GTSM

Using BGP GTSM in a BGP network protects routers against CPU-utilization attacks.

Networking Requirements

Attacks using "valid packets" on the network overload and exhaust limited device resources such as the CPU. For example, an attacker imitates genuine BGP protocol packets and sends them continuously to a router. On receiving these packets, the router finds that they are addressed to itself, and the forwarding plane passes them straight up to the control plane for BGP processing without checking their "legitimacy". Processing these "legitimate" packets keeps the system abnormally busy and the CPU usage high.

GTSM checks whether the TTL value in the IP header falls within a predefined range and thereby effectively protects the device against CPU-utilization attacks.

As shown in Figure 7-8, DeviceA belongs to AS10, and DeviceB, DeviceC, and DeviceD belong to AS20. BGP runs in the network below, and BGP GTSM is used to protect DeviceB against CPU-utilization attacks.

Figure 7-8 Networking diagram for configuring BGP GTSM
Note:

In this example, interface1 and interface2 represent GE1/0/0 and GE2/0/0 respectively.


Precautions
Note the following during configuration:
  • GTSM must be enabled on both ends of the BGP connection.

  • The peers at both ends of the BGP connection must be configured with the same valid-ttl-hops value.

Configuration Roadmap

Configure BGP GTSM as follows:

  1. Configure OSPF on DeviceB, DeviceC, and DeviceD in AS20 so that they can communicate with each other.

  2. Establish an EBGP connection between DeviceA and DeviceB, and establish full-mesh IBGP connections among DeviceB, DeviceC, and DeviceD using loopback interfaces.

  3. Configure GTSM on DeviceA, DeviceB, DeviceC, and DeviceD.

Data Preparation

To complete the configuration, you need the following data:

  • Router IDs of DeviceA, DeviceB, DeviceC, and DeviceD, and the AS numbers they belong to.

  • Valid TTL hop counts between DeviceA and DeviceB, between DeviceB and DeviceC, between DeviceC and DeviceD, and between DeviceB and DeviceD.

Procedure

  1. Configure IP addresses for the interfaces (omitted)
  2. Configure OSPF (omitted)
  3. Configure full-mesh IBGP connections

    # Configure DeviceB.

    [~DeviceB] bgp 20
    [*DeviceB-bgp] router-id 2.2.2.9
    [*DeviceB-bgp] peer 3.3.3.9 as-number 20
    [*DeviceB-bgp] peer 3.3.3.9 connect-interface LoopBack0
    [*DeviceB-bgp] peer 3.3.3.9 next-hop-local
    [*DeviceB-bgp] peer 4.4.4.9 as-number 20
    [*DeviceB-bgp] peer 4.4.4.9 connect-interface LoopBack0
    [*DeviceB-bgp] peer 4.4.4.9 next-hop-local
    [*DeviceB-bgp] commit

    # Configure DeviceC.

    [~DeviceC] bgp 20
    [*DeviceC-bgp] router-id 3.3.3.9
    [*DeviceC-bgp] peer 2.2.2.9 as-number 20
    [*DeviceC-bgp] peer 2.2.2.9 connect-interface LoopBack0
    [*DeviceC-bgp] peer 4.4.4.9 as-number 20
    [*DeviceC-bgp] peer 4.4.4.9 connect-interface LoopBack0
    [*DeviceC-bgp] commit

    # Configure DeviceD.

    [~DeviceD] bgp 20
    [*DeviceD-bgp] router-id 4.4.4.9
    [*DeviceD-bgp] peer 2.2.2.9 as-number 20
    [*DeviceD-bgp] peer 2.2.2.9 connect-interface LoopBack0
    [*DeviceD-bgp] peer 3.3.3.9 as-number 20
    [*DeviceD-bgp] peer 3.3.3.9 connect-interface LoopBack0
    [*DeviceD-bgp] commit

  4. Configure the EBGP connection

    # Configure DeviceA.

    [~DeviceA] bgp 10
    [*DeviceA-bgp] router-id 1.1.1.9
    [*DeviceA-bgp] peer 10.1.1.2 as-number 20
    [*DeviceA-bgp] commit

    # Configure DeviceB.

    [*DeviceB-bgp] peer 10.1.1.1 as-number 10
    [*DeviceB-bgp] commit

    # Check the peer connection status.

    <DeviceB> display bgp peer
     BGP local router ID : 2.2.2.9
     Local AS number : 20
     Total number of peers : 3                 Peers in established state : 3
    
      Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
    
      3.3.3.9         4    20        8        7     0 00:05:06 Established       0
      4.4.4.9         4    20        8       10     0 00:05:33 Established       0
      10.1.1.1        4    10        7        7     0 00:04:09 Established       0

    The output shows that the BGP connections between DeviceB and the other routers have all been established.

  5. Configure GTSM between DeviceA and DeviceB. Because the two routers are directly connected, the valid TTL range for packets reaching the other end is [255, 255], so valid-ttl-hops is set to 1 here.

    # Configure GTSM on DeviceA.

    [~DeviceA] bgp 10
    [*DeviceA-bgp] peer 10.1.1.2 valid-ttl-hops 1
    [*DeviceA-bgp] commit

    # Configure GTSM for the EBGP connection on DeviceB.

    [~DeviceB] bgp 20
    [*DeviceB-bgp] peer 10.1.1.1 valid-ttl-hops 1
    [*DeviceB-bgp] commit

    # Check the GTSM configuration.

    <DeviceB> display bgp peer 10.1.1.1 verbose
    BGP Peer is 10.1.1.1,  remote AS 10
             Type: EBGP link
             BGP version 4, Remote router ID 1.1.1.9
    
      Group ID : 2
             BGP current state: Established, Up for 00h49m35s
             BGP current event: RecvKeepalive
             BGP last state: OpenConfirm
             BGP Peer Up count: 1
             Received total routes: 0
             Received active routes total: 0
             Advertised total routes: 0
             Port:  Local - 179      Remote - 52876
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 59 messages
                      Update messages                0
                      Open messages                  2
                      KeepAlive messages             57
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 79 messages
                      Update messages                5
                      Open messages                  2
                      KeepAlive messages             71
                      Notification messages          1
                      Refresh messages               0
     Last keepalive received: 2009-02-20 13:54:58
     Minimum route advertisement interval is 30 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled with a valid hop count of 1, and the BGP connection is in the Established state.

  6. Configure GTSM between DeviceB and DeviceC. Because the two routers are directly connected, the valid TTL range for packets reaching the other end is [255, 255], so valid-ttl-hops is set to 1 here.

    # Configure GTSM on DeviceB.

    [~DeviceB] bgp 20
    [*DeviceB-bgp] peer 3.3.3.9 valid-ttl-hops 1
    [*DeviceB-bgp] commit

    # Configure GTSM for the IBGP connection on DeviceC.

    [*DeviceC-bgp] peer 2.2.2.9 valid-ttl-hops 1
    [*DeviceC-bgp] commit

    # Check the GTSM configuration.

    <DeviceB> display bgp peer 3.3.3.9 verbose
    BGP Peer is 3.3.3.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 3.3.3.9
    
      Group ID : 0
             BGP current state: Established, Up for 00h54m36s
             BGP current event: KATimerExpired
             BGP last state: OpenConfirm
             BGP Peer Up count: 1
             Received total routes: 0
             Received active routes total: 0
             Advertised total routes: 0
             Port:  Local - 54998    Remote - 179
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 63 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             62
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 69 messages
                      Update messages                10
                      Open messages                  1
                      KeepAlive messages             58
                      Notification messages          0
                      Refresh messages               0
     Last keepalive received: 2009-02-20 13:57:43
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Nexthop self has been configured
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled with a valid hop count of 1, and the BGP connection is in the Established state.

  7. Configure GTSM between DeviceC and DeviceD. Because the two routers are directly connected, the valid TTL range for packets reaching the other end is [255, 255], so valid-ttl-hops is set to 1 here.

    # Configure GTSM for the IBGP connection on DeviceC.

    [~DeviceC] bgp 20
    [*DeviceC-bgp] peer 4.4.4.9 valid-ttl-hops 1
    [*DeviceC-bgp] commit

    # Configure GTSM for the IBGP connection on DeviceD.

    [~DeviceD] bgp 20
    [*DeviceD-bgp] peer 3.3.3.9 valid-ttl-hops 1
    [*DeviceD-bgp] commit

    # Check the GTSM configuration.

    <DeviceC> display bgp peer 4.4.4.9 verbose
    BGP Peer is 4.4.4.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 4.4.4.9
    
      Group ID : 1
             BGP current state: Established, Up for 00h56m06s
             BGP current event: KATimerExpired
             BGP last state: OpenConfirm
             BGP Peer Up count: 1
             Received total routes: 0
             Received active routes total: 0
             Advertised total routes: 0
             Port:  Local - 179      Remote - 53758
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 63 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             62
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 63 messages
                      Update messages                0
                      Open messages                  2
                      KeepAlive messages             61
                      Notification messages          0
                      Refresh messages               0
     Last keepalive received: 2009-02-20 14:00:06
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled with a valid hop count of 1, and the BGP connection is in the Established state.

  8. Configure GTSM between DeviceB and DeviceD. Because the two routers are connected through DeviceC, packets traverse one hop, and the valid TTL range for packets reaching the other end is [254, 255], so valid-ttl-hops is set to 2 here.

    # Configure GTSM for the IBGP connection on DeviceB.

    [~DeviceB-bgp] peer 4.4.4.9 valid-ttl-hops 2
    [*DeviceB-bgp] commit

    # Configure GTSM on DeviceD.

    [~DeviceD-bgp] peer 2.2.2.9 valid-ttl-hops 2
    [*DeviceD-bgp] commit

    # Check the GTSM configuration.

    <DeviceB> display bgp peer 4.4.4.9 verbose
    BGP Peer is 4.4.4.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 4.4.4.9
    
      Group ID : 0
             BGP current state: Established, Up for 00h57m48s
             BGP current event: RecvKeepalive
             BGP last state: OpenConfirm
             BGP Peer Up count: 1
             Received total routes: 0
             Received active routes total: 0
             Advertised total routes: 0
             Port:  Local - 53714    Remote - 179
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 72 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             71
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 82 messages
                      Update messages                10
                      Open messages                  1
                      KeepAlive messages             71
                      Notification messages          0
                      Refresh messages               0
     Last keepalive received: 2009-02-20 14:01:27
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Nexthop self has been configured
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 2
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled with a valid TTL hop count of 2, and the BGP connection is in the Established state.

    Note:
    • In this example, if the valid-ttl-hops value on either DeviceB or DeviceD is less than 2, the IBGP connection cannot be established.

    • GTSM must be enabled on both ends of the BGP connection.

  9. Verify the configuration

    # Run display gtsm statistics all on DeviceB to view its GTSM statistics. When the default action is pass and no invalid packets have arrived, the number of dropped packets is 0.

    <DeviceB> display gtsm statistics all
    GTSM Statistics Table
    ----------------------------------------------------------------
    SlotId  Protocol  Total Counters  Drop Counters  Pass Counters
    ----------------------------------------------------------------
     0      BGP       17              0              17
     0      BGPv6     0               0              0
     0      OSPF      0               0              0
     0      LDP       0               0              0
     0      OSPFv3    0               0              0 
     0      RIP       0               0              0 
     1      BGP       0               0              0
     1      BGPv6     0               0              0
     1      OSPF      0               0              0
     1      LDP       0               0              0
     1      OSPFv3    0               0              0 
     1      RIP       0               0              0 
     2      BGP       0               0              0
     2      BGPv6     0               0              0
     2      OSPF      0               0              0
     2      LDP       0               0              0
     2      OSPFv3    0               0              0 
     2      RIP       0               0              0 
     3      BGP       0               0              0
     3      BGPv6     0               0              0
     3      OSPF      0               0              0
     3      LDP       0               0              0
     3      OSPFv3    0               0              0 
     3      RIP       0               0              0 
     4      BGP       32              0              32
     4      BGPv6     0               0              0
     4      OSPF      0               0              0
     4      LDP       0               0              0
     4      OSPFv3    0               0              0 
     4      RIP       0               0              0 
     5      BGP       0               0              0
     5      BGPv6     0               0              0
     5      OSPF      0               0              0
     5      LDP       0               0              0
     5      OSPFv3    0               0              0 
     5      RIP       0               0              0 
     7      BGP       0               0              0
     7      BGPv6     0               0              0
     7      OSPF      0               0              0
     7      LDP       0               0              0
     7      OSPFv3    0               0              0 
     7      RIP       0               0              0 
    ----------------------------------------------------------------

    If a host PC now attacks DeviceB by imitating DeviceA's BGP packets, those packets are discarded because their TTL is no longer 255 when they reach DeviceB, and the drop counter in DeviceB's GTSM statistics increases accordingly.

Configuration Files
  • DeviceA configuration file
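The TTL window check behind valid-ttl-hops (overview and steps 5 to 8), the pass/drop counters of step 9, and the note that a mismatched hop count on either DeviceB or DeviceD keeps the session down, as an added Python model that is not Huawei code; the peer table mirrors DeviceB's configuration in this example, while the packet samples are constructed.

```python
from dataclasses import dataclass


def ttl_window(valid_ttl_hops: int) -> tuple[int, int]:
    """Accepted TTL range for "peer X valid-ttl-hops N": [256 - N, 255]."""
    if not 1 <= valid_ttl_hops <= 255:
        raise ValueError("valid-ttl-hops must be in 1..255")
    return 256 - valid_ttl_hops, 255


@dataclass
class GtsmStats:
    """One protocol row of 'display gtsm statistics all'."""
    total: int = 0
    drop: int = 0
    passed: int = 0


def gtsm_filter(peers, src_ip, ttl, stats, default_pass=True):
    """Forwarding-plane check on one BGP packet addressed to this router.

    peers maps a peer address to its configured valid-ttl-hops; a source
    with no GTSM entry gets the default action (pass, as in the guide).
    """
    stats.total += 1
    if src_ip in peers:
        low, high = ttl_window(peers[src_ip])
        ok = low <= ttl <= high
    else:
        ok = default_pass
    if ok:
        stats.passed += 1
    else:
        stats.drop += 1
    return ok


def session_establishes(transit_routers, hops_a, hops_b):
    """Both peers send with TTL 255; each end must accept the other's packets.

    transit_routers: routers between the peers (0 if directly connected,
    1 for DeviceB to DeviceD via DeviceC); each one decrements the TTL by 1.
    """
    arriving_ttl = 255 - transit_routers
    return all(ttl_window(n)[0] <= arriving_ttl for n in (hops_a, hops_b))


def simulate_device_b():
    """Replays constructed sample packets against DeviceB's GTSM peer table."""
    peers = {"10.1.1.1": 1, "3.3.3.9": 1, "4.4.4.9": 2}  # DeviceB in the guide
    packets = [  # (source, TTL on arrival); constructed sample traffic
        ("10.1.1.1", 255),  # DeviceA, directly connected
        ("3.3.3.9", 255),   # DeviceC, directly connected
        ("4.4.4.9", 254),   # DeviceD, one transit router (DeviceC)
        ("10.1.1.1", 250),  # PC imitating DeviceA from several hops away: dropped
        ("4.4.4.9", 253),   # DeviceD over an unexpected longer path: dropped
    ]
    stats = GtsmStats()
    for src, ttl in packets:
        gtsm_filter(peers, src, ttl, stats)
    return stats
```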

    #
     sysname DeviceA
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    bgp 10
     router-id 1.1.1.9
     peer 10.1.1.2 as-number 20
     peer 10.1.1.2 valid-ttl-hops 1
     #
     ipv4-family unicast
      undo synchronization
      peer 10.1.1.2 enable
    #
    return
  • DeviceB configuration file

    #
     sysname DeviceB
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 10.2.1.1 255.255.255.0
    #
    interface LoopBack0
     ip address 2.2.2.9 255.255.255.255
    #
    bgp 20
     router-id 2.2.2.9
     peer 3.3.3.9 as-number 20
     peer 3.3.3.9 valid-ttl-hops 1
     peer 3.3.3.9 connect-interface LoopBack0
     peer 4.4.4.9 as-number 20
     peer 4.4.4.9 valid-ttl-hops 2
     peer 4.4.4.9 connect-interface LoopBack0
     peer 10.1.1.1 as-number 10
     peer 10.1.1.1 valid-ttl-hops 1
    #
     ipv4-family unicast
      undo synchronization
      import-route ospf 1
      peer 3.3.3.9 enable
      peer 3.3.3.9 next-hop-local
      peer 4.4.4.9 enable
      peer 4.4.4.9 next-hop-local
      peer 10.1.1.1 enable
    #
    ospf 1
     area 0.0.0.0
      network 10.2.1.0 0.0.0.255
      network 2.2.2.9 0.0.0.0
    #
    return
  • DeviceC configuration file

    #
     sysname DeviceC
    #
    interface GigabitEthernet1/0/0
     ip address 10.2.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 10.2.2.1 255.255.255.0
    #
    interface LoopBack0
     ip address 3.3.3.9 255.255.255.255
    #
    bgp 20
     router-id 3.3.3.9
     peer 2.2.2.9 as-number 20
     peer 2.2.2.9 valid-ttl-hops 1
     peer 2.2.2.9 connect-interface LoopBack0
     peer 4.4.4.9 as-number 20
     peer 4.4.4.9 valid-ttl-hops 1
     peer 4.4.4.9 connect-interface LoopBack0
    #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
      peer 4.4.4.9 enable
    #
    ospf 1
     area 0.0.0.0
      network 10.2.1.0 0.0.0.255
      network 10.2.2.0 0.0.0.255
      network 3.3.3.9 0.0.0.0
    #
    return
  • DeviceD configuration file

    #
     sysname DeviceD
    #
    interface GigabitEthernet1/0/0
     ip address 10.2.2.2 255.255.255.0
    #
    interface LoopBack0
     ip address 4.4.4.9 255.255.255.255
    #
    bgp 20
     router-id 4.4.4.9
     peer 2.2.2.9 as-number 20
     peer 2.2.2.9 valid-ttl-hops 2
     peer 2.2.2.9 connect-interface LoopBack0
     peer 3.3.3.9 as-number 20
     peer 3.3.3.9 valid-ttl-hops 1
     peer 3.3.3.9 connect-interface LoopBack0
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
      peer 3.3.3.9 enable
    #
    ospf 1
     area 0.0.0.0
      network 10.2.2.0 0.0.0.255
      network 4.4.4.9 0.0.0.0
    #
    return
Updated: 2018-07-12

Document ID: EDOC1100028554