
Multicast Security (Layer 3 Multicast)

Latest reply: Jul 2, 2021 05:25:42

Security Policy

Switches support the following security policies:

  • Protocol Independent Multicast (PIM) neighbor filtering

    ACL rules can be configured on interfaces to filter received Hello packets. A neighbor relationship can be established only with a sender whose Hello packets pass the filter.

    When there are a large number of malicious Hello packets, ACL rules can be configured on interfaces so that the interfaces allow only specified Hello packets and discard malicious Hello packets.

  • PIM Join packet filtering

    ACL rules can be configured on interfaces to filter received Join packets, preventing malicious Join packet attacks.

    When there are a large number of malicious Join packets, ACL rules can be configured on interfaces so that the interfaces allow only specified Join packets and discard malicious Join packets.

  • Multicast Source Discovery Protocol (MSDP) MD5 authentication

    MD5 authentication can be configured on MSDP peers to provide security protection. Both MSDP peers must have MD5 authentication enabled and be configured with the same authentication password. The transmitting peer then sends each MSDP message, protected with an MD5 digest, to the receiving peer over the TCP connection. The receiving peer checks the message by applying the same MD5 rules with the configured key and, if the check succeeds, hands the message to the MSDP module for processing.

    Only MSDP messages passing MD5 authentication are processed. This effectively prevents attacks conducted using malicious packets.

  • MSDP keychain authentication

    Keychain authentication, together with new TCP extension options, allows a password to be configured for each TCP connection. Different algorithms and validity periods can be configured for the passwords, and a password can be changed at any time, which significantly improves the security of authenticated packets.

    Only MSDP messages passing keychain authentication are processed. This effectively prevents attacks conducted using malicious packets.

MD5 is not a secure authentication algorithm. For security purposes, you are advised to use the more secure keychain authentication for MSDP.

Configuration Method

  • Configure PIM neighbor filtering.

    In a public network instance, allow VLANIF10 to establish a PIM neighbor relationship only with the switch whose IP address is 10.4.4.4.

    <HUAWEI> system-view
    [HUAWEI] acl number 2001
    [HUAWEI-acl-basic-2001] rule permit source 10.4.4.4 0.0.0.0
    [HUAWEI-acl-basic-2001] quit
    [HUAWEI] interface vlanif 10
    [HUAWEI-Vlanif10] pim neighbor-policy 2001

  • Configure PIM Join packet filtering.

    In a public network instance, configure VLANIF10 to accept Join packets only for groups in the address range 225.1.0.0/16.

    <HUAWEI> system-view
    [HUAWEI] acl number 2001
    [HUAWEI-acl-basic-2001] rule permit source 225.1.0.0 0.0.255.255
    [HUAWEI-acl-basic-2001] quit
    [HUAWEI] multicast routing-enable
    [HUAWEI] interface vlanif 10
    [HUAWEI-Vlanif10] pim join-policy asm 2001
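
The two ACL-based filters above (the PIM neighbor policy and the PIM Join policy) both rely on the basic-ACL wildcard mask: a 1 bit in the mask means "don't care", so `0.0.0.0` matches one host and `0.0.255.255` matches a /16. The following Python is an added example, not Huawei code, that models that matching and applies it the way the two policies do: a neighbor-policy is evaluated against the Hello source address, an ASM join-policy against the group address in the Join. It assumes first-match rule evaluation with an implicit deny for packets matching no rule; the sample packets are constructed, not captured traffic.

```python
import ipaddress
from collections import Counter


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Basic-ACL wildcard semantics: a 1 bit in the wildcard is 'don't care',
    a 0 bit means that address bit must equal the corresponding base bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


class BasicAcl:
    """Ordered rule list evaluated first-match. A packet matching no rule is
    treated as denied (assumed default behaviour for a filtering policy)."""

    def __init__(self, number: int):
        self.number = number
        self.rules = []

    def rule(self, action: str, source: str, wildcard: str = "0.0.0.0"):
        assert action in ("permit", "deny")
        self.rules.append((action, source, wildcard))
        return self

    def evaluate(self, addr: str) -> str:
        for action, source, wildcard in self.rules:
            if wildcard_match(addr, source, wildcard):
                return action
        return "deny"


def apply_policy(acl: BasicAcl, packets, field: str):
    """Split packets into (accepted, discarded) by evaluating the ACL on
    packets[field]: 'src' for a neighbor-policy, 'group' for a join-policy."""
    accepted, discarded = [], []
    for pkt in packets:
        (accepted if acl.evaluate(pkt[field]) == "permit" else discarded).append(pkt)
    return accepted, discarded


def discard_summary(discarded, field: str) -> Counter:
    """Per-address count of discarded packets; a large count from one address
    is the flood of malicious Hello or Join packets the filter is meant for."""
    return Counter(p[field] for p in discarded)


# ACL 2001 as in the neighbor-filtering configuration above
NEIGHBOR_ACL = BasicAcl(2001).rule("permit", "10.4.4.4", "0.0.0.0")
# ACL 2001 as in the Join-filtering configuration (a separate configuration,
# which happens to reuse the same ACL number)
JOIN_ACL = BasicAcl(2001).rule("permit", "225.1.0.0", "0.0.255.255")

# constructed sample packets, not captured traffic
SAMPLE_HELLOS = [
    {"type": "hello", "src": "10.4.4.4"},
    {"type": "hello", "src": "10.4.4.5"},
    {"type": "hello", "src": "10.4.4.5"},
    {"type": "hello", "src": "192.0.2.9"},
]
SAMPLE_JOINS = [
    {"type": "join", "src": "10.4.4.4", "group": "225.1.200.7"},
    {"type": "join", "src": "10.4.4.4", "group": "225.2.0.1"},
    {"type": "join", "src": "10.4.4.4", "group": "239.255.255.250"},
]


def run_demo() -> dict:
    hello_ok, hello_drop = apply_policy(NEIGHBOR_ACL, SAMPLE_HELLOS, "src")
    join_ok, join_drop = apply_policy(JOIN_ACL, SAMPLE_JOINS, "group")
    return {
        "hello_accepted": [p["src"] for p in hello_ok],
        "hello_discarded": dict(discard_summary(hello_drop, "src")),
        "join_accepted": [p["group"] for p in join_ok],
        "join_discarded": dict(discard_summary(join_drop, "group")),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it shows only the 10.4.4.4 Hello and the 225.1.200.7 Join surviving; the discard counters are the figures a practitioner would want to watch after deploying such a policy.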
  • Configure MSDP keychain authentication.

    Configure MSDP keychain authentication with the keychain name of huawei for the MSDP peer with the IP address of 10.1.1.2.

    <HUAWEI> system-view
    [HUAWEI] keychain huawei mode absolute
    [HUAWEI-keychain-huawei] key-id 1
    [HUAWEI-keychain-huawei-keyid-1] algorithm sha-256
    [HUAWEI-keychain-huawei-keyid-1] key-string cipher Huawei@1234
    [HUAWEI-keychain-huawei-keyid-1] quit
    [HUAWEI-keychain-huawei] quit
    [HUAWEI] multicast routing-enable
    [HUAWEI] msdp
    [HUAWEI-msdp] peer 10.1.1.2 connect-interface vlanif 100
    [HUAWEI-msdp] peer 10.1.1.2 keychain huawei
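
The keychain section of the Security Policy above and the configuration just shown describe what makes keychain authentication stronger than plain MD5: per-key algorithms, per-key validity periods, and the ability to change passwords without breaking the session. The following Python is an added example, not Huawei code, that models those properties. It assumes an absolute-mode keychain whose keys carry separate send and receive validity windows (represented as integer seconds), that each message carries the key-id of the key used, and that the "sha-256" algorithm is applied as an HMAC; the secrets and the sample SA message are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# algorithms a key may select; md5 is kept only to show it is a per-key choice
ALGORITHMS = {"sha-256": hashlib.sha256, "md5": hashlib.md5}


@dataclass(frozen=True)
class Key:
    key_id: int
    algorithm: str
    key_string: bytes
    send_start: int  # assumed absolute-mode validity windows, in seconds
    send_end: int
    recv_start: int
    recv_end: int


class Keychain:
    def __init__(self, name: str):
        self.name = name
        self.keys = {}

    def add_key(self, key: Key) -> "Keychain":
        self.keys[key.key_id] = key
        return self

    def send_key(self, now: int) -> Optional[Key]:
        """Key whose send window covers `now` (lowest key-id wins on overlap)."""
        for k in sorted(self.keys.values(), key=lambda k: k.key_id):
            if k.send_start <= now < k.send_end:
                return k
        return None

    def receive_key(self, key_id: int, now: int) -> Optional[Key]:
        """The key with that id, but only while its receive window covers `now`."""
        k = self.keys.get(key_id)
        if k is not None and k.recv_start <= now < k.recv_end:
            return k
        return None


def _mac(key: Key, payload: bytes) -> bytes:
    return hmac.new(key.key_string, payload, ALGORITHMS[key.algorithm]).digest()


def sign(keychain: Keychain, payload: bytes, now: int) -> Optional[Tuple[int, bytes]]:
    """Return (key_id, mac) for the message, or None if no key is valid for sending."""
    key = keychain.send_key(now)
    if key is None:
        return None
    return key.key_id, _mac(key, payload)


def verify(keychain: Keychain, payload: bytes, key_id: int, mac: bytes, now: int) -> bool:
    """Accept only if the named key is currently valid for receiving and the MAC matches."""
    key = keychain.receive_key(key_id, now)
    if key is None:
        return False
    return hmac.compare_digest(_mac(key, payload), mac)


def build_keychain(name: str, secret1: bytes, secret2: bytes) -> Keychain:
    # key 1 is sent until t=300 but still accepted until t=350; key 2 is accepted
    # from t=250 and sent from t=300, so the password change loses no message.
    return (Keychain(name)
            .add_key(Key(1, "sha-256", secret1, 0, 300, 0, 350))
            .add_key(Key(2, "sha-256", secret2, 300, 1000, 250, 1000)))


# constructed secrets (the page's configuration uses the key-string Huawei@1234)
LOCAL = build_keychain("huawei", b"key-one-secret", b"key-two-secret")
PEER = build_keychain("huawei", b"key-one-secret", b"key-two-secret")
MISMATCHED_PEER = build_keychain("huawei", b"key-one-secret", b"some-other-secret")

# constructed MSDP SA message body
SA_MESSAGE = b"MSDP SA: source 10.1.1.10 group 225.1.1.1 rp 10.1.1.2"


def run_demo() -> dict:
    results = {}
    kid, mac = sign(LOCAL, SA_MESSAGE, now=100)
    results["key1_accepted"] = verify(PEER, SA_MESSAGE, kid, mac, now=100)
    results["key1_still_accepted_at_340"] = verify(PEER, SA_MESSAGE, kid, mac, now=340)
    results["key1_rejected_at_360"] = verify(PEER, SA_MESSAGE, kid, mac, now=360)
    results["tampered_rejected"] = verify(PEER, SA_MESSAGE + b"x", kid, mac, now=100)
    kid2, mac2 = sign(LOCAL, SA_MESSAGE, now=320)
    results["rolled_to_key2"] = kid2
    results["key2_accepted"] = verify(PEER, SA_MESSAGE, kid2, mac2, now=320)
    results["mismatched_peer_rejected"] = verify(MISMATCHED_PEER, SA_MESSAGE, kid2, mac2, now=320)
    results["no_key_after_expiry"] = sign(LOCAL, SA_MESSAGE, now=2000)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The overlapping receive window is the design point: it is what lets the password be changed at any time, as the text says, without a window in which a peer rejects every message. A peer whose keychain differs in even one key-string fails verification, which matches the requirement that both peers be configured with the same authentication material.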

Thanks for sharing knowledge with us.

Serges_armel Created Jul 2, 2021 05:03:27

Good

Good to know

Thanks for sharing