Designated Router (ID) 2.2.2.1, Interface address 100.10.10.2
Backup Designated router (ID) 1.1.1.1, Interface address 100.10.10.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:02
Index 3/3, flood queue length 0
Next 0(0)/0(0)
Last flood scan length is 2, maximum is 16
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 1.1.1.1 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Keychain-based authentication enabled
Key id used is 3
Multi-area interface Count is 0
The following example shows output for configured keys that are active:
show key chain ospf_intf_1
Key-chain: ospf_intf_1/ -
Key 1 -- text "0700325C4836100B0314345D"
cryptographic-algorithm -- MD5
Send lifetime: 11:30:30, 01 May 2007 - (Duration) 600
Accept lifetime: Not configured
Key 2 -- text "10411A0903281B051802157A"
cryptographic-algorithm -- MD5
Send lifetime: 11:40:30, 01 May 2007 - (Duration) 600
Accept lifetime: Not configured
Key 3 -- text "06091C314A71001711112D5A"
cryptographic-algorithm -- MD5
Send lifetime: 11:50:30, 01 May 2007 - (Duration) 600 [Valid now]
Accept lifetime: Not configured
Key 4 -- text "151D181C0215222A3C350A73"
cryptographic-algorithm -- MD5
Send lifetime: 12:00:30, 01 May 2007 - (Duration) 600
Accept lifetime: Not configured
Key 5 -- text "151D181C0215222A3C350A73"
cryptographic-algorithm -- MD5
Send lifetime: 12:10:30, 01 May 2007 - (Duration) 600
Accept lifetime: Not configured
GTSM TTL Security Mechanism for OSPF
OSPF is a link state protocol that requires networking devices to detect topological changes in the network,
flood Link State Advertisement (LSA) updates to neighbors, and quickly converge on a new view of the
topology. However, during the act of receiving LSAs from neighbors, network attacks can occur, because
there are no checks that unicast packets are originating from a neighbor that is one hop away or multiple hops
away over virtual links.
For virtual links, OSPF packets travel multiple hops across the network; hence, the TTL value can be
decremented several times. For these type of links, a minimum TTL value must be allowed and accepted for
multiple-hop packets.
To filter network attacks originating from invalid sources traveling over multiple hops, the Generalized TTL
Security Mechanism (GTSM), RFC 3682, is used to prevent the attacks. GTSM filters link-local addresses
Routing Configuration Guide for Cisco NCS 5500 Series Routers, IOS XR Release 6.3.x
98
Implementing OSPF
GTSM TTL Security Mechanism for OSPF
To Next Page
Loading...
