![]() ![]() Note that this document does not prescribe further restrictions thatĪ router may apply to the packets not matching the GTSM filtering (e.g., queues, processing quotas) for differently classified The router supports a method to use separate resource pools Use of GTSM is OPTIONAL, and can be configured on a per-peerĥ. Is desired, such filtering is necessary as described inģ. Service providers may or may not configure strict ingressįiltering on non-trusted links. The vast majority of protocol peerings are between adjacentĢ. GTSM is predicated upon the following assumptions:ġ. "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in thisĭocument are to be interpreted as described in RFC 2119. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", This document the term "TTL" is used to refer to both TTL or Hop In particular, it does not secure against insider on-the-wireĪttacks, such as packet spoofing or replay.įinally, the GTSM mechanism is equally applicable to both TTL (IPv4)Īnd Hop Limit (IPv6), and from the perspective of GTSM, TTL and Hop However, that GTSM is not a substitute for authentication mechanisms. Simple and reasonably robust defense from infrastructure attacksīased on forged protocol packets from outside the network. Impossible, a mechanism based on an expected TTL value can provide a ![]() Protocol peerings are either directly between connected interfaces orĪt the worst case, are between loopback and loopback, with static GTSM is based on the fact that the vast majority of protocol peeringsĪre established between routers that are adjacent. That the same technique protects against other scarce-resourceĪttacks involving a router's CPU, such as attacks against processor. Prevented by the simple mechanism described in this document. Variety of attacks, many attacks based on CPU overload can be In particular, while cryptographic techniques can protect the router-īased infrastructure (e.g., BGP, ) from a wide The Generalized TTL Security Mechanism (GTSM) is designed to protectĪ router's IP based control plane from CPU-utilization based attacks. Intellectual Property and Copyright Statements. This document obsoletes Experimental RFC 3682.ġ. To verify whether the packet was originated by an adjacent node on aĬonnected link has been used in many recent protocols. The use of a packet's Time to Live (TTL) (IPv4) or Hop Limit (IPv6) This Internet-Draft will expire on December 27, 2007. The list of Internet-Draft Shadow Directories can be accessed at The list of current Internet-Drafts can be accessed at Material or to cite them other than as "work in progress." It is inappropriate to use Internet-Drafts as reference Internet-Drafts are draft documents valid for a maximum of six monthsĪnd may be updated, replaced, or obsoleted by other documents at any Other groups may also distribute working documents as Internet. ![]() Task Force (IETF), its areas, and its working groups. Internet-Drafts are working documents of the Internet Engineering Have been or will be disclosed, and any of which he or she becomesĪware will be disclosed, in accordance with Section 6 of BCP 79. The Generalized TTL Security Mechanism (GTSM) draft-ietf-rtgwg-rfc3682bis-10.txtīy submitting this Internet-Draft, each author represents that anyĪpplicable patent or other IPR claims of which he or she is aware ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |