Configuring GTSM for RIP
To apply RIP GTSM functions, enable GTSM on the two ends of the RIP connection.
Context
During network attacks, attackers may simulate RIP packets and continuously send them to a router. If the packets are destined for the router, it directly forwards them to the control plane for processing without validating them. As a result, the increased processing workload on the control plane results in high CPU usage. Generalized TTL Security Mechanism (GTSM) defends against attacks by checking whether the time to live (TTL) value in each IP packet header is within a pre-defined range.
Pre-configuration Tasks
Before configuring the RIP GTSM, complete the following task:
Perform the following operations on the peers at both ends:
Procedure
- Run system-view
The system view is displayed.
- Run rip valid-ttl-hops valid-ttl-hops-value [ vpn-instance vpn-instance-name ]
GTSM is configured for RIP.
The valid TTL range of the detected packets is [ 255 -valid-ttl-hops-value + 1, 255 ].
- Run commit
The configuration is committed.
- Set the default action for packets that do not match the GTSM
policy.
GTSM only checks the TTL values of packets that match the GTSM policy. Packets that do not match the GTSM policy can be allowed or dropped.
You can enable the log function to record packet drop for troubleshooting.
Perform the following configurations on the GTSM-enabled router:
- Run gtsm default-action { drop | pass }
The default action for packets that do not match the GTSM policy is configured.
If the default action is configured but no GTSM policy is configured, GTSM does not take effect.
This command is supported only on the Admin-VS and cannot be configured in other VSs. This command takes effect on all VSs.
- Run gtsm default-action { drop | pass }
Checking the Configurations
Run the following commands to check the previous configurations.
Run the display gtsm statistics { slot-id | all } command to view the statistics about the GTSM.
In VS mode, this command is supported only by the admin VS.