Configuring BGP4+ GTSM

BGP4+ GTSM must be configured on both peers.

Usage Scenario

The GTSM prevents attacks through TTL detection. An attacker simulates real BGP4+ packets and sends the packets in a large quantity to the router. After receiving the packets, an interface board of the router directly sends the packets to the BGP4+ module of the control plane if the interface board finds that the packets are sent by the local router, without checking the validity of the packets. The control plane of the router needs to process the "legal" packets. As a result, the system becomes abnormally busy and the CPU usage is high.

The GTSM protects the router by checking whether the TTL value in an IP packet header is within a pre-defined range to enhance the system security.

The GTSM supports only unicast addresses; therefore, the GTSM must be configured on all the routers configured with routing protocols.

Pre-configuration Tasks

Before configuring the BGP4+ GTSM, complete the following task:

Configuring Basic BGP4+ Functions

Perform the following steps on both BGP4+ peers:

Procedure

Configure the basic BGP4+ GTSM functions.
1. Run system-view
  The system view is displayed.
2. Run bgp as-number
  The BGP view is displayed.
3. Run peer { group-name | ipv6-address } valid-ttl-hops [ hops ]
  The BGP4+ GTSM is configured.
  
  The valid TTL range of detected packets is [255 - hops + 1, 255]. For example, for an EBGP direct route, the number of hops is 1, that is, the valid TTL value is 255.
  - When being configured in the BGP view, the GTSM is also applicable to MP-BGP VPNv4 extensions because they use the same TCP connection.
  - The GTSM and EBGP-MAX-HOP functions both affect the TTL values of sent BGP4+ messages and they conflict with each other. Thus, for a peer or a peer group, you can use only either of them.
  A BGP4+ router that is enabled with GTSM checks the TTL values in all BGP4+ packets. As required by the actual networking, packets whose TTL values are not within the specified range are discarded. If GTSM is not configured on a BGP4+ router, the received BGP4+ packets are forwarded if the BGP4+ peer configuration is matched. Otherwise, the received BGP4+ packets are discarded. This prevents bogus BGP4+ packets from consuming CPU resources.
4. Run commit
  The configuration is committed.
Set the default action for packets that do not match the GTSM policy.
GTSM only checks the TTL values of packets that match the GTSM policy. Packets that do not match the GTSM policy can be allowed or dropped. If "drop" is set as the default GTSM action for packets, you need to configure TTL values for all the packets sent from valid peers in the GTSM policy. If TTL values are not configured for the packets sent from a peer, the device will discard the packets sent from the peer and cannot establish a connection to the peer. Therefore, GTSM enhances security but reduces the ease of use.

You can enable the log function to record packet drop for troubleshooting.

Perform the following configurations on the GTSM-enabled router:
1. Run system-view
  The system view is displayed.
2. Run gtsm default-action { drop | pass }
  The default action for packets that do not match the GTSM policy is configured.
  
  If the default action is configured but no GTSM policy is configured, GTSM does not take effect.
  
  This command is supported only on the Admin-VS and cannot be configured in other VSs. This command takes effect on all VSs.
3. Run commit
  The configuration is committed.

Checking the Configurations

Run the following command to check the previous configurations.

Run the display gtsm statistics { slot-id | all } command to check the statistics about the GTSM.

In VS mode, this command is supported only by the admin VS.