The rip valid-ttl-hops command enables RIP Generalized TTL Security Mechanism (GTSM) and sets the time to live (TTL) value to be detected.
The undo rip valid-ttl-hops command cancels the function.
By default, RIP GTSM is disabled.
Parameter | Description | Value |
---|---|---|
valid-ttl-hops-value | Specifies the TTL value to be detected. The valid TTL range of the detected packets is [255 - valid-ttl-hops-value + 1, 255]. | The value is an integer ranging from 1 to 255. |
vpn-instance vpn-instance-name | Specifies the name of a VPN instance. If this parameter is used, only the TTL value to be detected by the VPN instance needs to be specified. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. In addition, the VPN instance name must not be _public_. When double quotation marks are used around the string, spaces are allowed in the string. |
Usage Scenario
If an attacker forges RIP unicast packets and keeps sending them to a device, an interface board on the device receives the packets and passes them directly to the main control board for RIP processing, without validating them. The device is then kept busy processing these packets, causing high CPU usage. GTSM protects devices and enhances system security by checking whether the TTL value in the IP packet header falls within a pre-defined range.
To enable RIP GTSM, run the rip valid-ttl-hops command.
Precautions
GTSM must be enabled on devices at both ends.
If GTSM is enabled on a device, after the device receives a RIP packet, it checks whether the TTL value in the packet is in a pre-defined range. If the TTL value is beyond the pre-defined range, the device considers the packet as an attack packet and discards it.
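The range check described above, as an added example that is not the vendor's code: it models the RIP GTSM decision for a configured valid-ttl-hops-value and runs it over a constructed set of received packets, covering the edge cases valid-ttl-hops-value = 1 (only TTL 255 accepted) and 255 (every TTL accepted).

```python
# Added example (not Huawei's implementation): models the RIP GTSM check
# configured with `rip valid-ttl-hops valid-ttl-hops-value`.

def gtsm_valid_range(valid_ttl_hops):
    """Inclusive TTL range a GTSM-enabled device accepts: [255 - value + 1, 255]."""
    if not isinstance(valid_ttl_hops, int) or not 1 <= valid_ttl_hops <= 255:
        raise ValueError("valid-ttl-hops-value must be an integer from 1 to 255")
    return (255 - valid_ttl_hops + 1, 255)


def gtsm_accepts(ttl, valid_ttl_hops):
    """True if a RIP packet with this IP TTL is inside the pre-defined range."""
    low, high = gtsm_valid_range(valid_ttl_hops)
    return low <= ttl <= high


# Constructed sample of received RIP unicast packets: (source, IP header TTL).
# A directly connected neighbour sends TTL 255; forged packets from farther
# away have been decremented by every hop they crossed.
SAMPLE_PACKETS = [
    ("10.0.0.2", 255),   # adjacent neighbour, constructed
    ("10.0.0.3", 254),   # one hop away, constructed
    ("192.0.2.9", 250),  # several hops away, constructed
    ("198.51.100.7", 64),  # far away, constructed
]


def filter_packets(packets, valid_ttl_hops):
    """Split packets into (accepted, discarded) the way GTSM would."""
    accepted, discarded = [], []
    for source, ttl in packets:
        (accepted if gtsm_accepts(ttl, valid_ttl_hops) else discarded).append((source, ttl))
    return accepted, discarded


if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLE_PACKETS, 2)  # range [254, 255]
    print("accepted:", ok)
    print("discarded as attack packets:", dropped)
```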