HP 6125G HP Networking guide to hardening Comware-based devices - Page 20

Securing BGP, Generalized TTL Security Mechanism, BGP peer authentication with MD5


#
For more information on these two features, see “TCP” and “ICMP Attack Protection” in the Security Configuration Guide.
Securing BGP
Border Gateway Protocol (BGP) is the routing foundation of the Internet. As such, any organization with more than modest connectivity requirements often finds itself utilizing BGP. BGP is often targeted by attackers because of its ubiquity and the “set-and-forget” nature of BGP configurations in smaller organizations. However, there are many BGP-specific security features that can be leveraged to increase the security of a BGP configuration.
The following section provides an overview of the most important BGP security features. Where appropriate, configuration recommendations are made.
Generalized TTL Security Mechanism
The Generalized TTL Security Mechanism (GTSM) is designed to protect a router's IP-based control plane from CPU utilization–based attacks. In particular, while cryptographic techniques can protect the router-based infrastructure from a wide variety of attacks, many attacks based on CPU overload can be prevented by GTSM. Note that the same technique protects against other scarce-resource attacks involving a router's CPU, such as attacks against processor-line card bandwidth.
GTSM for BGP is enabled using the ttl-security option for the peer command in BGP view. The following example illustrates the configuration of this feature:
#
bgp <asn>
peer <ip-address> as-number <remote-asn>
peer <ip-address> ttl-security hops <hop-count>
#
When BGP packets are received, the TTL value is checked and must be greater than 255 minus the hop-count specified.
For more information, see “Configuring GTSM for BGP in BGP” in the Layer-3 IP Routing Configuration Guide.
BGP peer authentication with MD5
Peer authentication using MD5 creates an MD5 digest of each packet sent as part of a BGP session. Specifically, portions of the IP and TCP headers, TCP payload, and a secret key are used to generate the digest.
The created digest is then stored in TCP option Kind 19, which was created specifically for this purpose by RFC 2385. The receiving BGP speaker uses the same algorithm and secret key to regenerate the message digest. If the received and computed digests are not identical, the packet is discarded.
Peer authentication with MD5 is configured by using the password option in the peer command in BGP view. The use of this command is illustrated as follows:
#
bgp <asn>
peer <ip-address> as-number <remote-asn>
peer <ip-address> password cipher <secret>
#
For more information, see “Enabling MD5 Authentication for TCP Connections in BGP” in the Layer-3 IP Routing Configuration Guide.
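The two receive-side checks described in the GTSM and MD5 sections above, worked through as an added Python illustration (this is not code from the HP guide or from Comware): the TTL test accepts a segment only when its arrival TTL is greater than 255 minus the configured hop count, and the RFC 2385 digest is MD5 over the TCP pseudo-header, the TCP header without options and with a zero checksum, the payload, and the shared key, carried in option Kind 19. The addresses, key, port numbers and BGP payload bytes are constructed placeholders. The ordering also shows why the page pairs the two features: the cheap TTL comparison runs before any MD5 work, so segments that cannot have come from within the hop radius never cost the CPU a digest computation.

```python
"""GTSM and RFC 2385 TCP-MD5 receive-side checks (added illustration, not Comware code)."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TCP_PROTO = 6
TCPOPT_MD5_KIND = 19      # option kind assigned to the MD5 signature by RFC 2385
MD5_OPTION_LEN = 18       # kind (1) + length (1) + 16-byte digest
OPTIONS_ON_WIRE = 20      # MD5 option plus two NOP bytes to reach a 32-bit boundary
TCP_HEADER_LEN = 20       # fixed TCP header, options excluded

# Constructed sample key and payload (placeholders, not values from the guide).
SAMPLE_KEY = b"constructed-bgp-secret"
SAMPLE_PAYLOAD = b"\xff" * 16 + b"\x00\x1d\x01"  # BGP marker + length 29 + type OPEN


@dataclass
class TcpSegment:
    """The fields of a received segment that the two checks need."""
    src_ip: str
    dst_ip: str
    ttl: int               # IP TTL as it arrived at the BGP speaker
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int
    payload: bytes
    md5_option: Optional[bytes] = None   # 16-byte digest taken from option Kind 19


def gtsm_accept(ttl: int, hops: int) -> bool:
    """GTSM rule as stated on this page: arrival TTL must exceed 255 - hops."""
    return ttl > 255 - hops


def rfc2385_digest(seg: TcpSegment, key: bytes) -> bytes:
    """MD5 over pseudo-header, TCP header (no options, checksum 0), payload, key."""
    tcp_len = TCP_HEADER_LEN + OPTIONS_ON_WIRE + len(seg.payload)
    pseudo = (ipaddress.IPv4Address(seg.src_ip).packed
              + ipaddress.IPv4Address(seg.dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    data_offset_words = (TCP_HEADER_LEN + OPTIONS_ON_WIRE) // 4
    off_flags = (data_offset_words << 12) | (seg.flags & 0x1FF)
    header = struct.pack("!HHIIHHHH", seg.src_port, seg.dst_port, seg.seq, seg.ack,
                         off_flags, seg.window, 0, 0)  # checksum and urgent pointer zeroed
    m = hashlib.md5()
    m.update(pseudo)
    m.update(header)
    m.update(seg.payload)
    m.update(key)
    return m.digest()


def encode_md5_option(digest: bytes) -> bytes:
    """Option Kind 19 as it appears on the wire, padded with two NOPs (kind 1)."""
    return struct.pack("!BB", TCPOPT_MD5_KIND, MD5_OPTION_LEN) + digest + b"\x01\x01"


def sign_segment(seg: TcpSegment, key: bytes) -> TcpSegment:
    """Sender side: compute the digest the peer will carry in option Kind 19."""
    seg.md5_option = rfc2385_digest(seg, key)
    return seg


def accept_segment(seg: TcpSegment, key: bytes, hops: int) -> Tuple[bool, str]:
    """Receiver side. The cheap TTL test runs first; MD5 work is spent only on
    segments that could have originated within the configured hop radius."""
    if not gtsm_accept(seg.ttl, hops):
        return False, "ttl"
    if seg.md5_option is None:
        return False, "no-md5-option"
    if not hmac.compare_digest(rfc2385_digest(seg, key), seg.md5_option):
        return False, "bad-digest"
    return True, "ok"


def make_sample_segment(ttl: int = 255, payload: bytes = SAMPLE_PAYLOAD) -> TcpSegment:
    """Constructed segment from a peer (addresses and ports are placeholders)."""
    return TcpSegment("192.0.2.1", "192.0.2.2", ttl, 40000, 179,
                      seq=1000, ack=2000, flags=0x018, window=65535, payload=payload)


if __name__ == "__main__":
    good = sign_segment(make_sample_segment(), SAMPLE_KEY)
    print("direct peer, right key:", accept_segment(good, SAMPLE_KEY, hops=1))
    far = sign_segment(make_sample_segment(ttl=251), SAMPLE_KEY)
    print("four hops away, right key:", accept_segment(far, SAMPLE_KEY, hops=1))
    tampered = sign_segment(make_sample_segment(), SAMPLE_KEY)
    tampered.payload = tampered.payload + b"\x00"
    print("payload altered in transit:", accept_segment(tampered, SAMPLE_KEY, hops=1))
```

A segment that arrives with TTL 251 is rejected with hops 1 even when it carries a valid digest, which is the resource-protection point of GTSM; raising hops to 5 admits it and the digest is then verified. Any change to the payload, headers or key after signing produces a different digest and the segment is discarded, matching the behaviour the page describes for RFC 2385.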
Configuring maximum prefixes
BGP prefixes are stored by a router in memory, so the more prefixes a router must hold, the more memory BGP consumes. In some configurations, only a subset of all Internet prefixes needs to be stored, such as configurations that rely on a default route alone or on routes for a provider’s customer networks.