GTSM attack
An attacker forges OSPF/OSPF version 3 (OSPFv3) packets that look genuine and keeps sending them to a switch. The switch spends its processing capacity on these attack packets, and CPU usage rises sharply.
Attack by forged packets
Possible forged-packet attacks include:
Setting the age of a packet to its maximum so that all switches flush it
Advertising a Link State Advertisement (LSA) with the maximum sequence number, or one close to it
Manipulating the cryptographic sequence number when a peer switch restarts and resets its sequence-number state
Changing the neighbor list carried in a Hello packet
Injection of bad routing information
OSPFv3 accepts all packets from valid sources. A switch can therefore be attacked with OSPFv3 packets that carry invalid or incorrect routing information. Such routing information causes errors in route calculation from the link-state database and can lead to network failures.
To defend against the preceding attacks, configure the following security policies on a switch:
OSPF/OSPFv3 GTSM
GTSM checks TTL values to defend against these attacks. GTSM checks the TTL only of packets that match the GTSM policy; packets that do not match the policy are either permitted or dropped according to the default action. If the default action is drop, every connection to the switch must be included in the GTSM policy: packets from a switch not listed in the policy are dropped, and the neighbor relationship with that switch cannot be established.
OSPF/OSPFv3 packet authentication
OSPF/OSPFv3 packet authentication prevents forged-packet attacks. Only authenticated OSPF/OSPFv3 packets are accepted; if packets fail authentication, neighbor relationships cannot be established. When area authentication is used, all switches in an area must use the same authentication method and password. For example, all switches in area 0 use simple authentication and the password abc. Interface authentication sets the authentication method and password used between neighboring switches and takes precedence over area authentication.
OSPFv3 IPsec
The OSPFv3 Internet Protocol Security (IPsec) authentication mechanism prevents the import of bad routing information. When IPsec runs over OSPFv3 on both communicating peers, OSPFv3 processes only authenticated packets. In this way, OSPFv3 will not accept bad routing information from unauthenticated peers.
To configure OSPF GTSM, OSPF area authentication, and OSPF interface authentication, perform the following operations:
Configure OSPF GTSM.
Enable OSPF GTSM and set the maximum number of TTL hops to 5 for OSPF packets that can be received from the public network.
<HUAWEI> system-view
[HUAWEI] ospf valid-ttl-hops 5
To permit packets that do not match the policy, set pass in the gtsm default-action { drop | pass } command or run the undo gtsm default-action drop command; to drop them, set drop in the gtsm default-action { drop | pass } command. To record information about dropped packets, enable logging with the gtsm log drop-packet all command.
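A runnable model of the TTL check and default action described above, added here as an example rather than Huawei code: with valid-ttl-hops 5, a packet from a peer covered by the policy is accepted only if its TTL is still between 251 and 255, while packets from sources outside the policy follow the default action and drops are logged. The set of matched peers, the sample packets and the log format are assumptions.

```python
from dataclasses import dataclass

MAX_TTL = 255


@dataclass(frozen=True)
class GtsmPolicy:
    valid_ttl_hops: int            # ospf valid-ttl-hops <hops>
    matched_peers: frozenset       # sources covered by the GTSM policy (assumed model)
    default_action: str = "pass"   # gtsm default-action { drop | pass }
    log_drops: bool = True         # gtsm log drop-packet all

    @property
    def min_ttl(self) -> int:
        # A genuine peer at most N hops away still delivers TTL >= 256 - N;
        # a remote sender cannot raise the TTL of its packets back above that floor.
        return MAX_TTL + 1 - self.valid_ttl_hops


def gtsm_check(policy: GtsmPolicy, src: str, ttl: int, log: list) -> str:
    """Decide whether one received OSPF packet passes the GTSM check."""
    if src in policy.matched_peers:
        if policy.min_ttl <= ttl <= MAX_TTL:
            return "accept"
        reason = f"ttl {ttl} below floor {policy.min_ttl}"
    elif policy.default_action == "pass":
        return "accept"            # unmatched source, default action lets it through
    else:
        reason = "source not in GTSM policy, default-action drop"
    if policy.log_drops:
        log.append(f"GTSM drop src={src} ttl={ttl}: {reason}")
    return "drop"


def filter_packets(policy: GtsmPolicy, packets) -> tuple:
    """Return (accepted sources, log lines) for a batch of (src, ttl) packets."""
    log: list = []
    accepted = [src for src, ttl in packets if gtsm_check(policy, src, ttl, log) == "accept"]
    return accepted, log


# Constructed sample traffic: (source address, TTL on arrival).
SAMPLE_PACKETS = [
    ("10.0.0.2", 255),   # directly connected neighbor
    ("10.0.0.3", 253),   # neighbor two hops away, within valid-ttl-hops 5
    ("10.0.0.2", 240),   # packet claiming a neighbor address but 15 hops old
    ("192.0.2.9", 255),  # source not covered by the GTSM policy
]
PEERS = frozenset({"10.0.0.2", "10.0.0.3"})
POLICY_PASS = GtsmPolicy(5, PEERS, "pass")
POLICY_DROP = GtsmPolicy(5, PEERS, "drop")
```

Running filter_packets with POLICY_DROP shows the effect of the drop default action: the unlisted source is dropped and logged along with the stale-TTL packet.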
Configure OSPF area authentication.
Configure Hash-based Message Authentication Code-SHA256 (HMAC-SHA256) authentication for OSPF area 0.
<HUAWEI> system-view
[HUAWEI] ospf 100
[HUAWEI-ospf-100] area 0
[HUAWEI-ospf-100-area-0.0.0.0] authentication-mode hmac-sha256
Configure OSPF interface authentication.
Configure OSPF HMAC-SHA256 authentication on the VLANIF100 interface.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ospf authentication-mode hmac-sha256
To configure OSPFv3 GTSM, OSPFv3 area authentication, OSPFv3 process authentication, OSPFv3 interface authentication, and OSPFv3 IPsec authentication, perform the following steps:
Configure OSPFv3 GTSM.
Enable OSPFv3 GTSM and set the maximum number of TTL hops to 5 for OSPFv3 packets that can be received from the public network.
<HUAWEI> system-view
[HUAWEI] ospfv3 valid-ttl-hops 5
To permit packets that do not match the policy, set pass in the gtsm default-action { drop | pass } command or run the undo gtsm default-action drop command; to drop them, set drop in the gtsm default-action { drop | pass } command. To record information about dropped packets, enable logging with the gtsm log drop-packet all command.
Configure OSPFv3 area authentication.
Configure HMAC-SHA256 authentication for OSPFv3 area 0.
<HUAWEI> system-view
[HUAWEI] ospfv3 100
[HUAWEI-ospfv3-100] area 0
[HUAWEI-ospfv3-100-area-0.0.0.0] authentication-mode hmac-sha256 key-id 10 cipher huawei
Configure OSPFv3 process authentication.
Configure HMAC-SHA256 authentication for OSPFv3 process 100.
<HUAWEI> system-view
[HUAWEI] ospfv3 100
[HUAWEI-ospfv3-100] authentication-mode hmac-sha256 key-id 10 cipher huawei
Configure OSPFv3 interface authentication.
Configure OSPFv3 HMAC-SHA256 authentication on VLANIF100.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ipv6 enable
[HUAWEI-Vlanif100] ospfv3 1 area 0
[HUAWEI-Vlanif100] ospfv3 authentication-mode hmac-sha256 key-id 10 cipher huawei
Use a Security Association (SA) to authenticate packets in a specified OSPFv3 process.
Configure an SA named sa1 in the OSPFv3 process. (This SA must have been created.)
<HUAWEI> system-view
[HUAWEI] ospfv3 1
[HUAWEI-ospfv3-1] ipsec sa sa1
Use an SA to authenticate packets in a specified OSPFv3 area.
Configure an SA named sa2 in the OSPFv3 area. (This SA must have been created.)
<HUAWEI> system-view
[HUAWEI] ospfv3 1
[HUAWEI-ospfv3-1] area 10.0.0.0
[HUAWEI-ospfv3-1-area-10.0.0.0] ipsec sa sa2
Use an SA to authenticate packets sent and received by a specified OSPFv3 interface.
Configure an SA named sa3 for VLANIF10. (This SA must have been created.)
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ipv6 enable
[HUAWEI-Vlanif10] ospfv3 1 area 0
[HUAWEI-Vlanif10] ospfv3 ipsec sa sa3
Use an SA to authenticate packets sent and received on an OSPFv3 virtual link.
Create an OSPFv3 virtual link to 10.110.0.3.
<HUAWEI> system-view
[HUAWEI] ospfv3 1
[HUAWEI-ospfv3-1] area 10.0.0.0
[HUAWEI-ospfv3-1-area-10.0.0.0] vlink-peer 10.110.0.3
Use an SA to authenticate packets sent and received on an OSPFv3 sham link.
Create an OSPFv3 sham link with source address FC00:0:0:1001::1 and destination address FC00:0:0:2001::1.
<HUAWEI> system-view
[HUAWEI] ospfv3 1 vpn-instance vrf1
[HUAWEI-ospfv3-1] area 1
[HUAWEI-ospfv3-1-area-0.0.0.1] sham-link fc00:0:0:1001::1 fc00:0:0:2001::1