Configuring LDP GTSM
To configure LDP GTSM, you need to configure both LDP peers.
Usage Scenario
The GTSM prevents attacks through TTL detection. An attacker simulates real LDP unicast packets and keeps sending them to the router. After receiving the packets, an interface board of the router directly sends the packets to LDP of the control plane if the interface board finds that the packets are sent to the local router, without checking the validity of the packets. The control plane of the router needs to process the "legal" packets; therefore, the system becomes abnormally busy and the CPU usage is high.
The GTSM protects the router by checking whether the TTL value in the LDP packet header is within a pre-defined range to improve the system security.
Pre-configuration Tasks
Before configuring the LDP GTSM, complete the following task:
Enable MPLS and MPLS LDP.
Procedure
- Run system-view
The system view is displayed.
- Run mpls ldp
The MPLS LDP view is displayed.
- Run gtsm peer ip-address valid-ttl-hops hops
The LDP GTSM is configured.
If the value of hops is set to the maximum number of valid hops permitted by the GTSM, when the TTL values carried in the packets sent by an LDP peer are within the range [255 - hops + 1, 255], the packets are accepted; otherwise, the packets are discarded.
The valid TTL range is from 1 to 255 or from 1 to 64, depending on the specific vendor. If a Huawei device is connected to a non-Huawei device, set hops to a value in a valid range that both devices support; otherwise, the Huawei device will discard packets sent by the non-Huawei device, resulting in LDP session interruption.
- Run commit
The configuration is committed.
Checking the Configurations
Run the following command to check the previous configurations.
Run the display gtsm statistics { slot-id | all } command to view the statistics about the GTSM.
In VS mode, this command is supported only by the admin VS.