
ospf valid-ttl-hops

Function

The ospf valid-ttl-hops command enables OSPF GTSM and sets a TTL value to be checked.

The undo ospf valid-ttl-hops command disables OSPF GTSM.

By default, OSPF GTSM is disabled.

Format

ospf valid-ttl-hops hops [ nonstandard-multicast ] [ vpn-instance vpn-instance-name ]

undo ospf valid-ttl-hops [ hops [ nonstandard-multicast ] ] [ vpn-instance vpn-instance-name ]

Parameters

Parameter: hops
Description: Specifies a TTL value to be checked.
Value: The value is an integer that ranges from 1 to 255. The default value is 255.

Parameter: nonstandard-multicast
Description: Specifies that the GTSM configuration is also valid for multicast packets.
When the nonstandard-multicast parameter is configured:
  • The TTL value of the multicast packets to be sent is set to 255.
  • The received multicast packets are checked for a TTL value of 1 or a TTL value in the range [ 255-hops+1, 255 ].
Value: -

Parameter: vpn-instance vpn-instance-name
Description: Specifies the name of a VPN instance. If this parameter is specified, only the TTL value of the packets in the specified VPN instance is checked.
Value: The value must be an existing VPN instance name.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a network demanding higher security, you can enable GTSM to improve the security of the OSPF network. GTSM defends against attacks by checking the TTL value. If an attacker forges OSPF unicast packets and keeps sending them to a switch, the switch receives the packets and sends them directly to the main control board for OSPF processing, without checking their validity. The switch is then busy processing these packets, causing high CPU usage. GTSM protects the switch and enhances system security by checking whether the TTL value in the IP packet header is within a pre-defined range.

The ospf valid-ttl-hops command is used to enable OSPF GTSM. To check the TTL value of packets that match the GTSM policy, the vpn-instance parameter must be specified in the command.

For example, running the ospf valid-ttl-hops command enables OSPF GTSM on both the public network and the private network. If you run the ospf valid-ttl-hops 5 vpn-instance vpn1 command:

  • OSPF GTSM is enabled on both the public network and the private network.
  • The TTL value of OSPF packets in the VPN instance named vpn1 is checked.
  • The default action is performed for packets that are from the public network and other VPN instances and do not match the GTSM policy.

Precautions

  • If a VPN instance is specified in the ospf valid-ttl-hops command and the interface is bound to that VPN instance, all the unicast packets sent to this interface are dropped when the configured number of TTL hops is smaller than the actual number of hops on the network.
  • If a virtual link or sham link is configured, the actual TTL value and the configured TTL value must be the same. That is, the hops traversed by the virtual links or sham links that pass through the switch must be counted. Otherwise, packets sent from neighbors of a virtual link or a sham link are dropped.
  • GTSM only checks the TTL values of the packets that match the GTSM policy. For packets that do not match the GTSM policy, set the pass or drop parameter in the gtsm default-action command to pass or drop them.
  • If only a private-network or only a public-network policy is configured, run the gtsm default-action command to set the default behavior for packets that do not match the GTSM policy to pass, so that the OSPF packets of other instances are not discarded.

Example

# Enable OSPF GTSM. Set the maximum number of TTL hops to 5 for the packets that can be received from the public network.

<HUAWEI> system-view
[HUAWEI] ospf valid-ttl-hops 5
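The following Python model is an added example (not Huawei code) of the check this command configures, combining the rules under Parameters and Precautions: a packet is checked only if it belongs to the VPN instance (or the public network) the policy was configured for, otherwise the gtsm default-action applies; multicast packets are checked only when nonstandard-multicast is set, and then TTL 1 is also accepted. The class and field names, and the reading that unchecked multicast packets pass, are this example's assumptions.

```python
# Constructed model of the OSPF GTSM TTL check described on this page.
# Not Huawei's implementation; names and structure are assumptions.
from dataclasses import dataclass
from typing import Optional

MAX_TTL = 255


@dataclass
class GtsmPolicy:
    hops: int                            # ospf valid-ttl-hops <hops>, 1..255
    default_action: str                  # gtsm default-action: "pass" or "drop"
    nonstandard_multicast: bool = False  # [ nonstandard-multicast ]
    vpn_instance: Optional[str] = None   # [ vpn-instance <name> ]; None = public network


@dataclass
class OspfPacket:
    ttl: int                             # IP header TTL on arrival
    vpn_instance: Optional[str] = None   # instance the receiving interface is bound to
    multicast: bool = False              # e.g. a Hello to AllSPFRouters, versus unicast


def gtsm_action(pkt: OspfPacket, policy: GtsmPolicy) -> str:
    """Return "pass" or "drop" for one packet under one GTSM policy."""
    if not 1 <= policy.hops <= MAX_TTL:
        raise ValueError("hops must be an integer from 1 to 255")
    # Packets outside the policy's instance do not match it: default action applies.
    if pkt.vpn_instance != policy.vpn_instance:
        return policy.default_action
    # Multicast is only subject to the check when nonstandard-multicast is configured
    # (assumption: unchecked multicast packets are accepted).
    if pkt.multicast and not policy.nonstandard_multicast:
        return "pass"
    if pkt.multicast and pkt.ttl == 1:
        return "pass"
    low = MAX_TTL - policy.hops + 1      # accepted window is [255-hops+1, 255]
    return "pass" if low <= pkt.ttl <= MAX_TTL else "drop"


def arrival_ttl(actual_hops: int) -> int:
    """TTL seen by the receiver for a packet sent with TTL 255 over actual_hops hops.
    A directly connected neighbor counts as one hop (no decrement has occurred yet),
    so a packet survives the check exactly when actual_hops <= policy.hops."""
    if actual_hops < 1:
        raise ValueError("actual_hops must be at least 1")
    return MAX_TTL - (actual_hops - 1)


if __name__ == "__main__":
    pol = GtsmPolicy(hops=5, default_action="drop", vpn_instance="vpn1")
    for n in range(1, 8):   # show why hops must not be below the real hop count
        print(n, arrival_ttl(n), gtsm_action(OspfPacket(arrival_ttl(n), "vpn1"), pol))
```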
Copyright © Huawei Technologies Co., Ltd.