
OSPF Security

OSPF GTSM

The Generalized TTL Security Mechanism (GTSM) protects services running over the IP layer against attacks by checking whether the time to live (TTL) value in an IP packet header falls within a predefined range. An attacker may forge unicast OSPF packets and send them continuously to a router. When the router finds that these packets are destined for itself, it sends them directly to the control plane for processing without first checking their validity. As a result, the router stays busy processing these packets, leading to high CPU usage.

GTSM protects a device's TCP/IP-based control plane from certain attacks that consume CPU resources, for example, the CPU overload attack.

Devices with GTSM enabled check the TTL values of all received packets against the configured policies. An action (for example, discarding the packets) is then performed on packets that do not meet the criteria specified in the policies.

A GTSM policy includes:

  • Source address of an IP packet sent to the device

  • VPN instance to which a packet belongs

  • Protocol number of an IP packet (89 for OSPF and 6 for BGP)

  • Source port number and destination port number of a protocol above TCP/UDP

  • Valid TTL range

GTSM can be implemented for different connections:

  • For directly connected neighbors, the TTL of unicast protocol packets is set to 255.

  • For multi-hop neighbors, an appropriate TTL range is defined.

The applicability of GTSM is as follows:

  • GTSM applies to unicast packets, not to multicast packets. The TTL of multicast packets cannot exceed 255, so GTSM is not required for them.

  • GTSM does not apply to devices that use a tunnel to communicate with each other.
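The TTL check that a GTSM policy performs, as an added example written for this page and not Huawei's code. The policy and packet fields follow the list above; the helper names, the sample addresses and the choice to pass packets that match no policy are assumptions.

```python
"""GTSM policy evaluation for unicast control-plane packets (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OSPF_PROTO = 89  # IP protocol number of OSPF
BGP_PROTO = 6    # IP protocol number of BGP (TCP)


@dataclass(frozen=True)
class GtsmPolicy:
    source: str        # source prefix of the peer, e.g. "192.0.2.0/24"
    vpn_instance: str  # VPN instance the packet belongs to
    protocol: int      # 89 for OSPF, 6 for BGP
    ttl_min: int       # valid TTL range, inclusive
    ttl_max: int = 255


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    vpn_instance: str
    protocol: int
    ttl: int


def directly_connected_policy(source, vpn_instance, protocol):
    # A directly connected neighbor sends unicast packets with TTL 255.
    return GtsmPolicy(source, vpn_instance, protocol, 255, 255)


def multi_hop_policy(source, vpn_instance, protocol, max_hops):
    # A peer at most max_hops away arrives with TTL >= 256 - max_hops.
    return GtsmPolicy(source, vpn_instance, protocol, 256 - max_hops, 255)


def gtsm_action(packet, policies):
    """Return 'pass' or 'drop' for a received packet."""
    # GTSM applies to unicast only; multicast packets are not checked.
    if ip_address(packet.dst).is_multicast:
        return "pass"
    for p in policies:
        if (ip_address(packet.src) in ip_network(p.source)
                and packet.vpn_instance == p.vpn_instance
                and packet.protocol == p.protocol):
            # Matched policy: enforce the valid TTL range (assumed action: drop).
            return "pass" if p.ttl_min <= packet.ttl <= p.ttl_max else "drop"
    return "pass"  # assumption: packets matching no policy are not checked
```

A forged unicast OSPF packet that crosses even one router arrives with TTL 254 or lower and is dropped by the directly connected policy, which is the whole point of the check.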

OSPF Packet Authentication

On networks requiring high security, OSPF packet authentication can be configured on routers to improve OSPF network security. During OSPF packet authentication, routers must use the same authentication mode and can establish a neighbor relationship to exchange routing information only after they pass the authentication.

OSPF supports two authentication methods:

  • Simple password authentication: uses a password in either plaintext or ciphertext for authentication.

  • Message digest authentication: uses Message Digest 5 (MD5), Hash-based Message Authentication Code (HMAC) MD5, or HMAC-Secure Hash Algorithm (SHA) 256 for authentication.

Packet authentication can be configured for all networks in an area or for individual interfaces in the area. Interface authentication configuration overrides area authentication configuration.

Copyright © Huawei Technologies Co., Ltd.