If an OSPFv3 network requires high security, you can configure OSPFv3 generalized TTL security mechanism (GTSM) and an authentication mode to improve network security.
During network attacks, attackers may forge OSPFv3 unicast packets and continuously send them to the switch. If the packets are destined for the switch, the switch forwards them directly to the control plane for processing without validating them. As a result, the increased processing workload on the control plane leads to high CPU usage. GTSM protects the switch against such attacks and improves system security by checking whether the time to live (TTL) value in each IP packet header is within a pre-defined range.
OSPFv3 GTSM takes effect only on unicast packets and therefore applies to virtual links and sham links.
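The check described above can be modelled in a few lines; this is an added illustration, not vendor code, and it reads the IPv6 Hop Limit field, which is the TTL of an OSPFv3 packet. It assumes the usual GTSM convention (RFC 5082) that peers send with a value of 255, so a peer at most `max_hops` away arrives within [255 - max_hops + 1, 255]; the function names, verdict strings and 2001:db8:: addresses are constructed for the example.

```python
import ipaddress
import struct

OSPF_NEXT_HEADER = 89  # IPv6 Next Header value assigned to OSPF

def valid_hop_limit_range(max_hops):
    """Assumed convention: sender uses 255 and each router hop subtracts 1."""
    if not 1 <= max_hops <= 255:
        raise ValueError("max_hops must be in 1..255")
    return 255 - max_hops + 1, 255

def build_ipv6_header(src, dst, hop_limit, next_header=OSPF_NEXT_HEADER):
    """Build a 40-byte IPv6 fixed header as constructed sample input."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", first_word, 0, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def gtsm_verdict(header, max_hops):
    """Classify one IPv6 header: accept, drop, not-checked or malformed."""
    if len(header) < 40 or header[0] >> 4 != 6:
        return "malformed"
    next_header, hop_limit = header[6], header[7]
    dst = ipaddress.IPv6Address(header[24:40])
    # GTSM applies only to unicast OSPFv3 (virtual links and sham links);
    # multicast hellos to ff02::5 are outside its scope.
    if next_header != OSPF_NEXT_HEADER or dst.is_multicast:
        return "not-checked"
    low, high = valid_hop_limit_range(max_hops)
    return "accept" if low <= hop_limit <= high else "drop"

def demo(max_hops=3):
    """Run the check over three constructed headers."""
    samples = {
        "virtual-link peer": build_ipv6_header("2001:db8::1", "2001:db8::2", 253),
        "distant forged packet": build_ipv6_header("2001:db8:ffff::9", "2001:db8::2", 64),
        "multicast hello": build_ipv6_header("fe80::1", "ff02::5", 1),
    }
    return {name: gtsm_verdict(hdr, max_hops) for name, hdr in samples.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A packet forged from farther away than `max_hops` cannot arrive with a value inside the range, because every intermediate router decrements the field and 255 is the maximum.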
In OSPFv3 authentication, an authentication field is added to each OSPFv3 packet for encryption. When a local device receives an OSPFv3 packet from a remote device, the local device discards the packet if the authentication password carried in the packet is different from the local one, which protects the local device against potential attacks. Therefore, OSPFv3 authentication improves network security.