sham-link (OSPF area view)

Use sham-link to create an OSPF sham link.

Use undo sham-link to remove an OSPF sham link or restore the defaults of specified parameters for an OSPF sham link.

Syntax

sham-link source-ip-address destination-ip-address [ cost cost-value | dead dead-interval | hello hello-interval | { { hmac-md5 | md5 } key-id { cipher | plain } string | keychain keychain-name | simple { cipher | plain } string } | retransmit retrans-interval | trans-delay delay | ttl-security hops hop-count ] *

undo sham-link source-ip-address destination-ip-address [ cost | dead | hello | { { hmac-md5 | md5 } key-id | keychain | simple } | retransmit | trans-delay | ttl-security ] *

Default

No OSPF sham links exist.

Views

OSPF area view

Predefined user roles

network-admin

Parameters

source-ip-address: Specifies the source IP address of the sham link.

destination-ip-address: Specifies the destination IP address of the sham link.

cost cost-value: Specifies the cost of the sham link, in the range of 1 to 65535. The default cost is 1.

dead dead-interval: Specifies the dead interval in the range of 1 to 32768 seconds. The default is 40 seconds. The dead interval configured on the two ends of the sham link must be identical, and it must be at least four times the hello interval.

hello hello-interval: Specifies the interval for sending hello packets, in the range of 1 to 8192 seconds. The default is 10 seconds. The hello interval configured on the two ends of the sham link must be identical.

hmac-md5: Enables HMAC-MD5 authentication.

md5: Enables MD5 authentication.

simple: Enables simple authentication.

key-id: Specifies a key ID in the range of 1 to 255.

cipher: Specifies a key in encrypted form.

plain: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

keychain: Enables keychain authentication.

keychain-name: Specifies a keychain by its name. A keychain name is a case-sensitive string of 1 to 63 characters.

retransmit retrans-interval: Specifies the interval for retransmitting LSAs, in the range of 1 to 3600 seconds. The default is 5 seconds.

trans-delay delay: Specifies the delay interval before the interface sends an LSA, in the range of 1 to 3600 seconds. The default is 1 second.

ttl-security hops hop-count: Enables OSPF GTSM and specifies the maximum number of hops to the sham link neighbor. The value range for the hop-count argument is 1 to 254. By default, OSPF GTSM is disabled.

Usage guidelines

When a backdoor link exists between the two sites of a VPN, traffic is forwarded through the backdoor link. To forward VPN traffic over the backbone, you can create a sham link between PEs. A sham link is considered an OSPF intra-area route.

This command can configure MD5/HMAC-MD5 or simple authentication for the sham link, but not both. For MD5/HMAC-MD5 authentication, you can configure multiple keys by executing this command multiple times, but each key ID can correspond to only one key.

To modify the MD5/HMAC-MD5 authentication key of a sham link, perform the following tasks:

  1. Configure a new key for the sham link on the local device. If the neighbor on the sham link has not been configured with the new key, this configuration triggers a key rollover process, during which OSPF advertises both the new and old keys so the neighbor can pass authentication and the neighbor relationship is maintained.

  2. Configure the same key for the sham link on the neighbor. After the local device receives a packet carrying the new key from the neighbor, it quits the key rollover process.

  3. Execute the undo sham-link command on the local device and the neighbor to remove the old key. This prevents attacks on the sham link that use the old key and reduces the bandwidth consumed by key rollover.

When keychain authentication is configured for an OSPF sham link, OSPF performs the following operations before sending a packet:

  1. Obtains a valid send key from the keychain.

    OSPF does not send the packet if it fails to obtain a valid send key.

  2. Uses the key ID, authentication algorithm, and key string of the send key to authenticate the packet.

    If the key ID is greater than 255, OSPF does not send the packet.

When keychain authentication is configured for an OSPF sham link, OSPF performs the following operations before accepting a received packet:

  1. Uses the key ID carried in the packet to obtain a valid accept key from the keychain.

    OSPF discards the packet if it fails to obtain a valid accept key.

  2. Uses the authentication algorithm and key string of the accept key to authenticate the packet.

    If the authentication fails, OSPF discards the packet.

OSPF supports the MD5 and HMAC-MD5 authentication algorithms. The ID of keys used for authentication can only be in the range of 0 to 255.

OSPF GTSM protects the device against CPU-utilization attacks. When OSPF GTSM is enabled for a sham link, the device compares the TTL value of each OSPF packet received over the sham link against the valid TTL range. If the TTL value is within the valid range, the packet is accepted; otherwise, it is discarded. The valid TTL range is from (255 - hop-count + 1) to 255, where hop-count is the configured hop count. For packets sent over the sham link, the device sets the TTL value to 255.
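The following added example (not from the vendor documentation or the device software) models the keychain send and accept decisions described above together with the GTSM TTL check. The keychain layout, the lifetimes, the packet tuple and the digest computation are simplified assumptions; the real OSPF digest formats differ.

```python
import hashlib
import hmac

# Constructed keychain (assumption): each key has an ID, an algorithm, a key
# string and send/accept lifetimes given as [start, end) in abstract seconds.
# Key 1 is an old key still accepted for a while (rollover); key 300 has an
# ID that OSPF cannot carry in a packet.
KEYCHAIN = [
    {"id": 1, "algo": "md5", "key": b"oldkey", "send": (0, 100), "accept": (0, 200)},
    {"id": 2, "algo": "hmac-md5", "key": b"newkey", "send": (100, 10**9), "accept": (100, 10**9)},
    {"id": 300, "algo": "md5", "key": b"bad-id", "send": (0, 10**9), "accept": (0, 10**9)},
]

def digest(algo, key, payload):
    # Simplified stand-in for the OSPF MD5 / HMAC-MD5 authentication digest.
    if algo == "md5":
        return hashlib.md5(payload + key).digest()
    return hmac.new(key, payload, hashlib.md5).digest()

def send_key(keychain, now):
    """Send step 1: first key whose send lifetime covers 'now', else None."""
    for k in keychain:
        lo, hi = k["send"]
        if lo <= now < hi:
            return k
    return None

def build_packet(keychain, payload, now):
    """Send path: returns (ttl, key_id, auth) or None when OSPF would not send."""
    k = send_key(keychain, now)
    if k is None or k["id"] > 255:   # no valid send key, or key ID too large
        return None
    return (255, k["id"], digest(k["algo"], k["key"], payload))  # GTSM: TTL 255

def accept_key(keychain, key_id, now):
    """Accept step 1: key matching the packet's key ID with a valid accept lifetime."""
    for k in keychain:
        lo, hi = k["accept"]
        if k["id"] == key_id and lo <= now < hi:
            return k
    return None

def accept_packet(keychain, hop_count, ttl, key_id, auth, payload, now):
    """Receive path: GTSM range check, then keychain authentication."""
    if ttl < 255 - hop_count + 1:    # outside (255 - hop-count + 1) .. 255
        return False
    k = accept_key(keychain, key_id, now)
    if k is None:                    # no valid accept key: discard
        return False
    return hmac.compare_digest(digest(k["algo"], k["key"], payload), auth)
```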

You cannot configure a sham link with the same source and destination IP address for multiple OSPF processes in a VPN instance.

For an OSPF neighbor relationship to be successfully established, the sham links configured on the local and remote PEs must be in the same OSPF area.

To use GTSM, you must configure GTSM on both the local and peer devices. You can specify different hop-count values on the devices.

Examples

# Create a sham link with the source address 1.1.1.1 and destination address 2.2.2.2.

<Sysname> system-view
[Sysname] ospf
[Sysname-ospf-1] area 0
[Sysname-ospf-1-area-0.0.0.0] sham-link 1.1.1.1 2.2.2.2

Related commands

display ospf sham-link