Configuring Ldp Gtsm; Establishing The Configuration Task - Huawei Quidway S9300 series Configuration Manual

Terabit routing switch; mpls

Quidway S9300 Terabit Routing Switch
Configuration Guide - MPLS
Issue 04 (2011-12-26)

Procedure
- Run the display ospf ldp-sync interface { all | interface-type interface-number } command to check information about synchronization between LDP and OSPF on the interface.
- Run the display isis [ process-id | vpn-instance vpn-instance-name ] ldp-sync interface command to check information about synchronization between LDP and IS-IS on the interface.
- Run the display rm interface [ interface-type interface-number | vpn-instance vpn-instance-name ] command to check information about the route management.
----End
Example
- If the configurations succeed, run the display ospf ldp-sync or display isis ldp-sync command, and you can see that the status of the interface configured with synchronization between LDP and IGP is Sync-Achieved.
- Run the display rm interface command, and you can see that LDP-ISIS or LDP-OSPF is enabled.

2.10 Configuring LDP GTSM

By configuring LDP GTSM, you can check the TTL values of packets to prevent attacks.

2.10.1 Establishing the Configuration Task

Before configuring LDP GTSM, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
The Generalized TTL Security Mechanism (GTSM) prevents attacks by checking TTL values. An attacker simulates real LDP unicast packets and sends them in large quantities to a node. After receiving the packets, an interface of the LSR sends them directly to LDP on the control plane if the interface finds that the packets are sent by the local node, without checking the validity of the packets. Because the control plane of the node needs to process these "legal" packets, the system becomes abnormally busy and CPU usage is high.
GTSM protects the node by checking whether the TTL value in the IP packet header is within a pre-defined range, and thus enhances system security.

Pre-configuration Tasks
Before configuring basic LDP GTSM functions, complete the following tasks:
- Enabling MPLS and MPLS LDP

Data Preparation
To configure the basic LDP GTSM functions, you need the following data.
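
The TTL range check described under Applicable Environment, sketched in Python as an added example (not Huawei's implementation or code from this manual). It assumes the RFC 5082 convention that peers send with TTL 255 and that a policy of N valid hops accepts TTLs in [255 - N + 1, 255]; the function names, policy table and packets are constructed for illustration.

```python
import socket
import struct

MAX_TTL = 255   # GTSM peers send with TTL 255; each routed hop decrements it
LDP_PORT = 646  # LDP uses port 646 for UDP discovery and TCP sessions

def build_packet(src, dst, ttl, proto=6, dport=LDP_PORT):
    """Constructed sample: 20-byte IPv4 header + 4 bytes of L4 ports (checksum 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + struct.pack("!HH", 50000, dport)

def gtsm_check(packet, policy):
    """Classify one received packet as 'pass', 'drop' or 'no-policy'.

    policy maps a peer address to its valid hop count; the accepted TTL
    range is [255 - hops + 1, 255] (assumed convention, following RFC 5082).
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop"                       # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        return "drop"                       # bad header length or no L4 ports
    ttl, proto = packet[8], packet[9]
    src = socket.inet_ntoa(packet[12:16])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto not in (6, 17) or LDP_PORT not in (sport, dport):
        return "no-policy"                  # not LDP, so the LDP GTSM check is skipped
    hops = policy.get(src)
    if hops is None:
        return "no-policy"                  # no GTSM policy for this peer
    return "pass" if ttl >= MAX_TTL - hops + 1 else "drop"

# Constructed policy and traffic (private and documentation address ranges).
POLICY = {"10.1.1.2": 1, "10.2.2.2": 3}
SAMPLES = [
    ("directly connected peer", build_packet("10.1.1.2", "10.1.1.1", 255)),
    ("forged source, sent from 6 hops away", build_packet("10.1.1.2", "10.1.1.1", 249)),
    ("remote peer at the 3-hop limit", build_packet("10.2.2.2", "10.1.1.1", 253)),
    ("remote peer beyond the limit", build_packet("10.2.2.2", "10.1.1.1", 252)),
    ("peer with no GTSM policy", build_packet("192.0.2.9", "10.1.1.1", 64)),
]

def classify_samples():
    return [(label, gtsm_check(pkt, POLICY)) for label, pkt in SAMPLES]

if __name__ == "__main__":
    for label, verdict in classify_samples():
        print(f"{verdict:10} {label}")
```

The forged packet carries the peer's source address but is still dropped, because a sender outside the valid hop range cannot make its packet arrive with a high enough TTL.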
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 MPLS LDP Configuration