R3303-HP HSR6800 Routers Layer 3 - IP Routing Configuration Guide

Create an IPsec proposal.
Create an IPsec policy.
For more information about IPsec policy configuration, see Security Configuration Guide.
Configuration procedure
An IPsec policy used for IPv6 BGP can be only in manual mode. For more information, see Security Configuration Guide.
To apply an IPsec policy to a peer or peer group:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter BGP view.
  Command: bgp as-number
  Remarks: N/A
Step 3. Enter IPv6 address family view.
  Command: ipv6-family
  Remarks: N/A
Step 4. Apply an IPsec policy to a peer or peer group.
  Command: peer { group-name | ip-address } ipsec-policy policy-name
  Remarks: Not configured by default.
Configuring GTSM for IPv6 BGP
If an attacker continuously sends forged IPv6 BGP packets or TCP packets (used to acknowledge the sending and receiving of IPv6 BGP packets) to a device, the device delivers these packets directly to the CPU without checking their validity. As a result, CPU utilization becomes very high. You can configure the Generalized TTL Security Mechanism (GTSM) to avoid such CPU-utilization-based attacks.
The GTSM feature allows you to configure a hop-count value, which defines a valid hop limit range of [255-hop-count+1, 255]. Upon receiving a packet from the specified peer, the device checks whether the Hop Limit in the IPv6 header falls into that range. If yes, the packet is delivered to the CPU; otherwise, the packet is discarded.
In addition, with GTSM configured, the device sends packets with hop limit 255. GTSM therefore provides the best protection for directly connected EBGP peers, because the hop limit of packets exchanged between non-directly connected EBGP peers or between IBGP peers can be modified by intermediate devices.
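The following Python model, added here to illustrate the check described above and not part of this guide or the device software, parses the Hop Limit out of a raw IPv6 header, applies the [255-hop-count+1, 255] window for a configured peer, and simulates intermediate routers decrementing the field. The peer table, addresses and packets are constructed sample values.

```python
"""GTSM check for IPv6 BGP: read Hop Limit from a raw IPv6 header and apply the
[255-hop-count+1, 255] window set by 'peer X ttl-security hops hop-count'.
Added illustration, not vendor code; peer table and packets are constructed."""
import ipaddress
import struct

IPV6_HDR = "!IHBB16s16s"  # ver/TC/flow, payload len, next header, hop limit, src, dst
IPV6_HDR_LEN = struct.calcsize(IPV6_HDR)  # 40 bytes

def build_ipv6_header(src, dst, hop_limit, next_header=6):
    """Constructed sample packet: a bare IPv6 header (version 6, empty TCP payload)."""
    return struct.pack(IPV6_HDR, 6 << 28, 0, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

def parse_ipv6_header(pkt):
    """Return (source address, hop limit); reject truncated or non-IPv6 input."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    ver_tc_flow, _, _, hop_limit, src, _ = struct.unpack(IPV6_HDR, pkt[:IPV6_HDR_LEN])
    if ver_tc_flow >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return str(ipaddress.IPv6Address(src)), hop_limit

def gtsm_range(hop_count):
    """Valid hop-limit window for a configured hop-count: [255-hop-count+1, 255].
    hop-count 1 means a directly connected peer, so only Hop Limit 255 passes."""
    if not 1 <= hop_count <= 254:
        raise ValueError("hop-count must be between 1 and 254")
    return 255 - hop_count + 1, 255

def gtsm_accept(pkt, peers):
    """True if the packet is delivered to the CPU, False if GTSM discards it.
    'peers' maps peer address -> hop-count; unconfigured peers are not filtered."""
    src, hop_limit = parse_ipv6_header(pkt)
    if src not in peers:
        return True
    low, high = gtsm_range(peers[src])
    return low <= hop_limit <= high

def forward_hops(pkt, hops):
    """Simulate 'hops' intermediate routers, each decrementing Hop Limit (byte 7)
    by one. No router on the path can raise it, which is what GTSM relies on."""
    return pkt[:7] + bytes([max(pkt[7] - hops, 0)]) + pkt[8:]

# Constructed peer table: ::1 is directly connected, ::2 is one router away.
PEERS = {"2001:db8::1": 1, "2001:db8::2": 2}
```

A packet from the directly connected peer passes only with Hop Limit 255, while a forged copy that has crossed even one router arrives with 254 and is dropped before reaching the CPU.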
To configure GTSM for IPv6 BGP:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter BGP view.
  Command: bgp as-number
  Remarks: N/A
Step 3. Enter IPv6 address family view.
  Command: ipv6-family
  Remarks: N/A
Step 4. Configure GTSM to check IPv6 packets from the specified IPv6 BGP peer or peer group.
  Command: peer { group-name | ipv6-address } ttl-security hops hop-count
  Remarks: Not configured by default.