Configuring OSPF GTSM

To apply OSPF GTSM functions, enable GTSM on the two ends of the OSPF connection.

Usage Scenario

GTSM defends against attacks by checking the TTL of incoming packets. If an attacker forges OSPF unicast packets that look genuine and keeps sending them to the router, the interface board receiving them forwards them straight to the control plane for OSPF processing without checking their validity. The control plane then has to process these seemingly "legal" packets, so the system becomes abnormally busy and CPU usage rises.

GTSM protects the router by checking whether the TTL value in the IP header falls within a pre-defined range, which enhances system security.

Pre-configuration Tasks

Before configuring the OSPF GTSM, complete the following task:

Procedure

  1. Configure basic OSPF GTSM functions.

    To apply the GTSM, you need to enable GTSM on both ends of the OSPF connection.

    The valid TTL range of detected packets is [255 - hops + 1, 255].

    Perform the following steps on the GTSM routers at the two ends of the virtual link or sham link:

    1. Run system-view

      The system view is displayed.

    2. Run ospf valid-ttl-hops ttl [ nonstandard-multicast ] [ vpn-instance vpn-instance-name ]

      The OSPF GTSM is configured.

      • The ospf valid-ttl-hops command has two functions: enabling the OSPF GTSM and configuring the TTL value to be detected. The vpn-instance parameter is valid only for the latter function.

      • The valid TTL range of detected packets is [255 - hops + 1, 255].

    3. Run commit

      The configuration is committed.

  2. Set the default action for packets that do not match the GTSM policy.

    GTSM checks the TTL values only of packets that match the GTSM policy. Packets that do not match the GTSM policy can be either allowed (pass) or dropped.

    You can enable the log function to record dropped packets for troubleshooting.

    Perform the following configurations on the GTSM-enabled router:

    1. Run system-view

      The system view is displayed.

    2. Run gtsm default-action { drop | pass }

      The default action for packets that do not match the GTSM policy is configured.

      If the default action is configured but no GTSM policy is configured, GTSM does not take effect.

      This command is supported only on the Admin-VS and cannot be configured in other VSs. This command takes effect on all VSs.

    3. Run commit

      The configuration is committed.
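The following Python model, added here as an illustration and not taken from Huawei's implementation or from this page, shows how the two rules configured above fit together: a packet that matches the GTSM policy is accepted only if its TTL lies in [255 - hops + 1, 255], and a packet that does not match the policy is handled by the default action, which has no effect until a policy exists. The policy scope (OSPF unicast packets addressed to the router, IP protocol 89), the addresses and all packets are constructed assumptions for the example.

```python
"""Added example: a simulation of the OSPF GTSM check described on this page.

Illustrative code only; it is not Huawei's implementation.  Modelling
assumptions (not stated on the page):
  * a packet "matches the GTSM policy" when it is an OSPF packet (IP protocol
    89) whose destination is one of the router's own unicast addresses;
  * everything else is a "non-matching" packet and receives the default action.
All addresses and packets below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

OSPF_PROTOCOL = 89  # IP protocol number of OSPF


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    ttl: int


def valid_ttl_range(hops: int) -> Tuple[int, int]:
    """Inclusive TTL range [255 - hops + 1, 255], as stated on the page."""
    if not 1 <= hops <= 255:
        raise ValueError("hops must be between 1 and 255")
    return (255 - hops + 1, 255)


class Gtsm:
    """Models 'ospf valid-ttl-hops' plus 'gtsm default-action' on one router."""

    def __init__(self, local_addresses: Iterable[str],
                 valid_ttl_hops: Optional[int] = None,
                 default_action: str = "pass") -> None:
        if default_action not in ("drop", "pass"):
            raise ValueError("default action must be 'drop' or 'pass'")
        self.local_addresses = set(local_addresses)
        self.hops = valid_ttl_hops          # None: no OSPF GTSM policy configured
        self.default_action = default_action
        self.drop_log: List[Packet] = []    # the page's optional drop logging

    def matches_policy(self, pkt: Packet) -> bool:
        # Assumed policy scope: OSPF unicast packets addressed to this router.
        return pkt.protocol == OSPF_PROTOCOL and pkt.dst in self.local_addresses

    def decide(self, pkt: Packet) -> str:
        # Page: a default action without any GTSM policy does not take effect,
        # so with no policy every packet is handed on untouched.
        if self.hops is None:
            return "pass"
        if self.matches_policy(pkt):
            low, high = valid_ttl_range(self.hops)
            verdict = "pass" if low <= pkt.ttl <= high else "drop"
        else:
            verdict = self.default_action
        if verdict == "drop":
            self.drop_log.append(pkt)
        return verdict


def run_sample() -> List[Tuple[Packet, str]]:
    """Run constructed traffic through a router configured with hops=1, default drop."""
    gtsm = Gtsm(["10.0.0.1"], valid_ttl_hops=1, default_action="drop")
    traffic = [
        # Directly connected neighbour: TTL still 255 on arrival -> pass
        Packet("10.0.0.2", "10.0.0.1", OSPF_PROTOCOL, 255),
        # Forged OSPF unicast from several hops away: TTL decremented -> drop
        Packet("192.0.2.9", "10.0.0.1", OSPF_PROTOCOL, 250),
        # Non-OSPF packet: does not match the policy -> default action (drop)
        Packet("10.0.0.2", "10.0.0.1", 1, 64),
    ]
    return [(pkt, gtsm.decide(pkt)) for pkt in traffic]


if __name__ == "__main__":
    print("valid TTL range for hops=1:", valid_ttl_range(1))
    for pkt, verdict in run_sample():
        print(f"{pkt.src:>12} -> {pkt.dst} proto={pkt.protocol:<3} ttl={pkt.ttl:<3} {verdict}")
```

Setting `default_action="pass"` in `run_sample` shows the other half of the page's advice: non-OSPF traffic then flows through while the forged OSPF packet is still dropped, and `drop_log` retains only the packets the TTL check rejected.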

Checking the Configurations

Run the following command to verify the preceding configuration.

  • Run the display gtsm statistics { slot-id | all } command to view the statistics about the GTSM.

    In VS mode, this command is supported only by the admin VS.

Copyright © Huawei Technologies Co., Ltd.