Configuring BGP GTSM

BGP GTSM must be configured on both peers.

Usage Scenario

GTSM prevents attacks through TTL detection. An attacker simulates real BGP packets and sends the packets in a large quantity to the router. After receiving the packets, an interface board of the router directly sends the packets to the BGP module of the control plane if the interface board finds that the packets are sent by the local router, without checking the validity of the packets. The control plane of the router needs to process the "legal" packets. As a result, the system becomes abnormally busy and the CPU usage is high.

GTSM protects the router by checking whether the TTL value in an IP packet header is within a pre-defined range to enhance the system security.

GTSM supports only unicast addresses; therefore, GTSM must be configured on all the routers configured with routing protocols.

Pre-configuration Tasks

Before configuring the BGP GTSM, complete the following task:

Configuring Basic BGP Functions

Perform the following steps on both BGP peers:

Procedure

Configure the basic BGP GTSM functions.
1. Run system-view
  The system view is displayed.
2. Run bgp as-number
  The BGP view is displayed.
3. Run peer { group-name | ipv4-address } valid-ttl-hops [ hops ]
  The BGP GTSM is configured.
  
  The valid TTL range of detected packets is [255 - hops + 1, 255]. For example, for an EBGP direct route, the number of hops is 1, that is, the valid TTL value is 255
  - When being configured in the BGP view, GTSM is also applicable to MP-BGP VPNv4 extensions because they use the same TCP connection.
  - The GTSM and EBGP-MAX-HOP functions both affect the TTL values of sent BGP messages and they conflict with each other. Thus, for a peer or a peer group, you can use only either of them.
  A BGP router that is enabled with GTSM checks the TTL values in all BGP packets. As required by the actual networking, packets whose TTL values are not within the specified range are discarded. If GTSM is not configured on a BGP router, the received BGP packets are forwarded if the BGP peer configuration is matched. Otherwise, the received BGP packets are discarded. This prevents bogus BGP packets from consuming CPU resources.
4. Run commit
  The configuration is committed.
Set the default action for packets that do not match the GTSM policy.
GTSM only checks the TTL values of packets that match the GTSM policy. Packets that do not match the GTSM policy can be allowed or dropped. If "drop" is set as the default GTSM action for packets, you need to configure TTL values for all the packets sent from valid peers in the GTSM policy. If TTL values are not configured for the packets sent from a peer, the device will discard the packets sent from the peer and cannot establish a connection to the peer. Therefore, GTSM enhances security but reduces the ease of use.

You can enable the log function to record packet drop for troubleshooting.

Perform the following configurations on the GTSM-enabled router:
1. Run system-view
  The system view is displayed.
2. Run gtsm default-action { drop | pass }
  The default action for packets that do not match the GTSM policy is configured.
  
  If the default action is configured but no GTSM policy is configured, GTSM does not take effect.
  
  This command is supported only on the Admin-VS and cannot be configured in other VSs. This command takes effect on all VSs.
3. Run commit
  The configuration is committed.

Checking the Configurations

Run the following command to check the previous configurations.

Run the display gtsm statistics { slot-id | all } command to check the statistics about GTSM.

In VS mode, this command is supported only by the admin VS.