GTSM

The Generalized TTL (Time to Live) Security Mechanism (GTSM) protects a device against attacks by checking the Time to Live (TTL) of received packets. The TTL field in the IP header sets the maximum number of routers a packet may traverse on the route to its destination; each router on the path decrements it by one. GTSM protects the device by ensuring that packets of a given protocol or service are accepted only when their TTL is within the specified range.

Prerequisites

  • All routing protocol peer relationships are established between neighboring or adjacent routers.

  • The TTL value cannot be easily changed during packet forwarding: routers on the path only decrement it, so a remote sender cannot make a packet arrive with a TTL higher than its hop distance allows.

Implementation

GTSM is a general mechanism that uses the TTL to defend against attacks. It is implemented in the following two ways:

  • For protocol peers that are directly connected, the GTSM sets the TTL field of the protocol packet to be sent to 255. The forwarding plane of the GTSM-enabled peer drops the protocol packets whose TTL field is not 255, thereby defending the control plane against TTL-based attacks.

  • For a multi-hop peer, a reasonable TTL range, such as 251 to 255, can be defined. The forwarding plane of the peer drops protocol packets whose TTL field is outside the configured range, thereby defending the control plane against TTL-based attacks.

Application Scope

The GTSM supports BGP, OSPF, and LDP, and its application scope is as follows:

  • The GTSM is equally applicable to both TTL (IPv4) and Hop Limit (IPv6).

    From the perspective of the GTSM, TTL and Hop Limit have identical semantics.

  • The GTSM is applicable to unicast packets.

    The TTL of multicast protocol packets can only be 255; therefore, GTSM is not needed to defend against multicast packets.

Processing Procedure

GTSM protects CPU resources. Before a protocol packet received by the forwarding plane is sent to the CPU (control plane), it is processed as follows:

  • If the GTSM is enabled, the device checks whether the packets match the GTSM policy.
    • If the packets match the GTSM policy, the device determines whether the TTL value of the packets is within the valid value range.
      • If so, the device takes the default action to process the packets.
      • If not, the device discards the packets.
    • If the packets do not match the GTSM policy, the device takes the default action to process the packets.
  • If the GTSM is not enabled, the device sends the packets directly to the control plane.
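The processing procedure above, written out as an added worked example (not Huawei's code or configuration): a policy is matched by protocol and peer address, the TTL or Hop Limit is checked against the policy's range, and the packet is discarded only when a policy matches and the TTL is out of range. The `valid_ttl_range` helper, the policy fields, the peer addresses and the sample packets are all assumptions constructed for the example; the helper assumes each intermediate router decrements the TTL by exactly one.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, Tuple

@dataclass(frozen=True)
class GtsmPolicy:
    """One GTSM policy entry: the protocol peer it covers and its valid TTL range."""
    protocol: str       # "bgp", "ospf" or "ldp"
    peer: str           # peer address (IPv4 or IPv6) the policy applies to
    min_ttl: int        # lower bound of the valid TTL / Hop Limit range
    max_ttl: int = 255  # upper bound; 255 is what a GTSM-enabled peer sends

@dataclass(frozen=True)
class ProtocolPacket:
    """Protocol packet as seen by the forwarding plane before it reaches the CPU."""
    protocol: str
    src: str
    ttl: int            # IPv4 TTL or IPv6 Hop Limit; GTSM treats them identically

def valid_ttl_range(hops: int) -> Tuple[int, int]:
    """TTL range to accept from a peer `hops` router hops away that sends TTL 255.
    Assumes each intermediate router decrements the TTL by one: a directly
    connected peer (hops=1) gives (255, 255), a 5-hop peer gives (251, 255)."""
    if hops < 1:
        raise ValueError("a peer is at least one hop away")
    return 255 - (hops - 1), 255

def gtsm_check(packet: ProtocolPacket, policies: Iterable[GtsmPolicy],
               gtsm_enabled: bool = True) -> Tuple[str, str]:
    """Return (action, reason): disabled -> default; no policy match -> default;
    match with TTL in range -> default; match with TTL out of range -> discard."""
    if not gtsm_enabled:
        return "default", "GTSM disabled, sent straight to the control plane"
    for pol in policies:
        if pol.protocol == packet.protocol and ip_address(pol.peer) == ip_address(packet.src):
            if pol.min_ttl <= packet.ttl <= pol.max_ttl:
                return "default", f"TTL {packet.ttl} within {pol.min_ttl}-{pol.max_ttl}"
            return "discard", f"TTL {packet.ttl} outside {pol.min_ttl}-{pol.max_ttl}"
    return "default", "no matching GTSM policy"

# Constructed sample policies: directly connected BGP and OSPFv3 peers, a 5-hop LDP peer.
POLICIES = (
    GtsmPolicy("bgp", "192.0.2.1", *valid_ttl_range(1)),
    GtsmPolicy("ldp", "198.51.100.7", *valid_ttl_range(5)),
    GtsmPolicy("ospf", "2001:db8::1", *valid_ttl_range(1)),
)

if __name__ == "__main__":
    for pkt in (ProtocolPacket("bgp", "192.0.2.1", 255),     # genuine neighbor
                ProtocolPacket("bgp", "192.0.2.1", 249),     # too many hops away to be the neighbor
                ProtocolPacket("ldp", "198.51.100.7", 253),  # inside the 251-255 range
                ProtocolPacket("bgp", "203.0.113.9", 200)):  # no policy: default action
        print(pkt, "->", gtsm_check(pkt, POLICIES))
```

A packet with no matching policy is not dropped by GTSM; it takes the device's default action, which is why a policy must exist for every protected peer.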

Copyright © Huawei Technologies Co., Ltd.