02-IP Services Volume

02-IP Performance Optimization Configuration



When optimizing IP performance, go to these sections for information you are interested in:

- IP Performance Optimization Overview

- Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network

- Configuring TCP Attributes

- Configuring ICMP to Send Error Packets

- Displaying and Maintaining IP Performance Optimization

IP Performance Optimization Overview

In some network environments, you can adjust the IP parameters to achieve best network performance. IP performance optimization configuration includes:

- Enabling the device to receive and forward directed broadcasts

- Enabling the SYN Cookie feature and protection against Naptha attacks

- Configuring TCP timers

- Configuring the TCP buffer size

- Enabling ICMP error packet sending

Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network

Directed broadcast packets are broadcasts sent to a specific network. In the destination IP address of a directed broadcast, the network ID identifies the target network and the host ID is all ones. If a device is allowed to forward directed broadcasts to a directly connected network, attackers may use this to mount attacks on that network.

Enabling Reception of Directed Broadcasts to a Directly Connected Network

Follow these steps to enable the device to receive directed broadcasts:

1) Enter system view: system-view

2) Enable the device to receive directed broadcasts: ip forward-broadcast (Optional. By default, the device is enabled to receive directed broadcasts.)

Currently, this command is ineffective on the S5810 series Ethernet switches. That is, the switches cannot be disabled from receiving directed broadcasts.

Enabling Forwarding of Directed Broadcasts to a Directly Connected Network

Follow these steps to enable the device to forward directed broadcasts:

1) Enter system view: system-view

2) Enter interface view: interface interface-type interface-number

3) Enable the interface to forward directed broadcasts: ip forward-broadcast [ acl acl-number ] (Required. By default, the device is disabled from forwarding directed broadcasts.)

- If an ACL is referenced in the ip forward-broadcast [ acl acl-number ] command, only packets permitted by the ACL can be forwarded.

- If you repeatedly execute the ip forward-broadcast [ acl acl-number ] command on an interface, only the last executed command takes effect. If the last executed command does not include acl acl-number, the previously configured ACL is removed.
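The following Python model, added here as an illustration and not the switch's own code, applies the directed broadcast definition above and the per-interface ip forward-broadcast [ acl acl-number ] behaviour to sample packets on the page's topology (1.1.1.0/24 and 2.2.2.0/24): a destination counts as a directed broadcast only when its host bits are all ones, the packet is dropped unless forwarding is enabled on the outgoing interface, and a referenced ACL must permit the source. The interface table, ACL 2000 and the rule that a source matching no ACL rule is not permitted are constructed assumptions.

```python
import ipaddress


def is_directed_broadcast(dst, network):
    """A directed broadcast carries the target network's ID with all host
    bits set to one, i.e. it is the network's broadcast address."""
    net = ipaddress.ip_network(network, strict=False)
    return ipaddress.ip_address(dst) == net.broadcast_address


def acl_permits(rules, src):
    """Basic ACL model: first matching rule wins. Assumption for this
    model: a source that matches no rule is treated as not permitted."""
    addr = ipaddress.ip_address(src)
    for action, source in rules:
        if addr in ipaddress.ip_network(source, strict=False):
            return action == "permit"
    return False


# Constructed interface table for Switch A in the page's example: VLAN-interface 2
# has "ip forward-broadcast" configured, VLAN-interface 3 keeps the default.
INTERFACES = {
    "Vlan-interface2": {"network": "2.2.2.0/24", "forward_broadcast": True, "acl": None},
    "Vlan-interface3": {"network": "1.1.1.0/24", "forward_broadcast": False, "acl": None},
}
# Constructed ACL, as if referenced with "ip forward-broadcast acl 2000".
ACLS = {2000: [("permit", "1.1.1.1/32"), ("deny", "0.0.0.0/0")]}


def forward_decision(src, dst, out_iface, interfaces=INTERFACES, acls=ACLS):
    """Decide what the outgoing interface does with a packet from src to dst."""
    iface = interfaces[out_iface]
    if not is_directed_broadcast(dst, iface["network"]):
        return "unicast"      # ordinary forwarding, not a directed broadcast
    if not iface["forward_broadcast"]:
        return "drop"         # default: forwarding directed broadcasts is disabled
    acl = iface["acl"]
    if acl is not None and not acl_permits(acls[acl], src):
        return "drop"         # only packets permitted by the ACL are forwarded
    return "broadcast"        # sent as a link-layer broadcast on that segment
```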

 

Configuration Example

Network requirements

As shown in Figure 1-1, the host’s interface and VLAN-interface 3 of Switch A are on the same network segment (1.1.1.0/24). VLAN-interface 2 of Switch A and VLAN-interface 2 of Switch B are on another network segment (2.2.2.0/24). The default gateway of the host is VLAN-interface 3 (IP address 1.1.1.2/24) of Switch A. Configure a static route on Switch B so that the host and Switch B can reach each other.

It is required that directed broadcasts from the host to IP address 2.2.2.255 be received by Switch B.

Figure 1-1 Network diagram for forwarding directed broadcasts

 

Configuration procedure

- Configure Switch A

<SwitchA> system-view

[SwitchA] interface vlan-interface 3

[SwitchA-Vlan-interface3] ip address 1.1.1.2 24

[SwitchA-Vlan-interface3] quit

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ip address 2.2.2.2 24

# Enable VLAN-interface 2 to forward directed broadcasts.

[SwitchA-Vlan-interface2] ip forward-broadcast

- Configure Switch B

<SwitchB> system-view

# Configure a static route to the host.

[SwitchB] ip route-static 1.1.1.1 24 2.2.2.2

# Configure an IP address for VLAN-interface 2.

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ip address 2.2.2.1 24

After the above configurations, if you ping the subnet broadcast address (2.2.2.255) of VLAN-interface 2 of Switch A on the host, the ping packets can be received by VLAN-interface 2 of Switch B.

Configuring TCP Attributes

Enabling the SYN Cookie Feature

As a general rule, a TCP connection is established through the following three-way handshake:

1) The request originator sends a SYN message to the target server.

2) After receiving the SYN message, the target server creates a TCP connection in the SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.

3) After receiving the SYN ACK message, the originator returns an ACK message. The TCP connection is then established.

Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large number of SYN messages to the server to establish TCP connections, but never respond to the SYN ACK messages. As a result, a large number of incomplete (half-open) TCP connections accumulate, consuming resources heavily and leaving the server unable to handle services normally.

The SYN Cookie feature prevents SYN Flood attacks. After receiving a TCP connection request, the server directly returns a SYN ACK message instead of creating an incomplete TCP connection. Only after receiving an ACK message from the client does the server establish the connection and enter the ESTABLISHED state. In this way, large numbers of incomplete TCP connections are avoided, protecting the server against SYN Flood attacks.

Follow these steps to enable the SYN Cookie feature:

1) Enter system view: system-view

2) Enable the SYN Cookie feature: tcp syn-cookie enable (Required. Disabled by default.)

- If MD5 authentication is enabled, the SYN Cookie feature does not take effect even if it is enabled. If you then disable MD5 authentication, the SYN Cookie feature is enabled automatically.

- With the SYN Cookie feature enabled, only the MSS is negotiated during TCP connection establishment; the window scale factor and timestamp are not.
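As an added illustration, not the switch's implementation (which the page does not describe), the following Python model shows what the SYN Cookie feature changes in the handshake: the server stores nothing when a SYN arrives, encodes the negotiated MSS and a time slot into the SYN ACK sequence number together with a keyed tag, and creates a connection only when the returning ACK carries a cookie it can verify. The secret, the 64-second slot width and the MSS table are assumptions.

```python
import hashlib
import hmac
import os

# Assumed table of MSS values the cookie can encode in 3 bits (not from the page).
MSS_TABLE = (536, 1220, 1440, 1460)


class SynCookieServer:
    """Model of a server with SYN cookies enabled: a SYN creates no half-open
    connection; the ISN in the SYN ACK is a cookie the server can verify later."""

    def __init__(self, secret=None, slot_seconds=64):
        self.secret = secret or os.urandom(16)   # assumed per-server secret key
        self.slot_seconds = slot_seconds         # assumed cookie lifetime granularity
        self.established = {}                    # only verified connections hold state

    def _tag(self, four_tuple, slot, mss_idx):
        msg = "%s|%d|%s|%d|%d|%d" % (*four_tuple, slot, mss_idx)
        digest = hmac.new(self.secret, msg.encode(), hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")          # 24-bit keyed tag

    def on_syn(self, four_tuple, client_isn, client_mss, now):
        """Reply SYN ACK immediately; nothing about the client is stored."""
        slot = int(now // self.slot_seconds)
        mss_idx = 0
        for i, mss in enumerate(MSS_TABLE):       # largest table entry <= client MSS
            if mss <= client_mss:
                mss_idx = i
        # Layout: 5 bits of slot | 3 bits of MSS index | 24-bit tag.
        cookie = ((slot & 0x1F) << 27) | (mss_idx << 24) | self._tag(four_tuple, slot, mss_idx)
        return ("SYN-ACK", cookie, client_isn + 1)

    def on_ack(self, four_tuple, ack_num, now):
        """Rebuild the cookie from the ACK; establish only if the tag verifies."""
        cookie = (ack_num - 1) & 0xFFFFFFFF
        slot_bits, mss_idx, tag = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
        cur = int(now // self.slot_seconds)
        for slot in (cur, cur - 1):               # accept the current or previous slot
            if (slot & 0x1F) == slot_bits and self._tag(four_tuple, slot, mss_idx) == tag:
                self.established[four_tuple] = MSS_TABLE[mss_idx]   # ESTABLISHED
                return True
        return False                              # stale or forged cookie: no state created
```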

 

Enabling Protection Against Naptha Attacks

Naptha attacks are similar to SYN Flood attacks. Whereas a SYN Flood attack uses only the SYN_RECEIVED state, a Naptha attack can use any of six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED).

Naptha attackers control a huge number of hosts to establish TCP connections with the server, keep these connections in the same state (any of the six), and request no data, so as to exhaust the memory resources of the server. As a result, the server cannot process normal services.

Protection against Naptha attacks reduces the risk of such attacks by accelerating the aging of TCP connections in a given state. After the feature is enabled, the device periodically checks the number of TCP connections in each state. If it detects that the number of TCP connections in a state exceeds the configured maximum, it accelerates the aging of TCP connections in that state.

Follow these steps to enable the protection against Naptha attack:

1) Enter system view: system-view

2) Enable the protection against Naptha attacks: tcp anti-naptha enable (Required. Disabled by default.)

3) Configure the maximum number of TCP connections in a state: tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number number (Optional. 5 by default. If the maximum number of TCP connections in a state is 0, the aging of TCP connections in that state is not accelerated.)

4) Configure the TCP state check interval: tcp timer check-state timer-value (Optional. 30 seconds by default.)

- With the protection against Naptha attacks enabled, the device periodically checks and records the number of TCP connections in each state.

- With the protection against Naptha attacks enabled, if the device detects that the number of TCP connections in a state exceeds the maximum number, it regards this as a Naptha attack and accelerates the aging of these TCP connections. The device does not stop accelerating the aging until the number of TCP connections in that state drops below 80% of the maximum number.
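The following Python model is an added example, not the switch's code: it reproduces the check described above (per-state count against a maximum, 5 by default, 0 meaning no acceleration) with the 80% hysteresis for leaving accelerated aging, and applies a shorter idle timeout to connections in states under acceleration. The connection records, the idle timeouts and the helper that builds sample connections are constructed assumptions.

```python
STATES = ("CLOSING", "ESTABLISHED", "FIN_WAIT_1", "FIN_WAIT_2", "LAST_ACK", "SYN_RECEIVED")


class NapthaGuard:
    """Model of the periodic per-state check: a state whose connection count
    exceeds its maximum is put under accelerated aging and stays there until
    the count falls below 80% of the maximum."""

    def __init__(self, max_per_state=None):
        self.max_per_state = {s: 5 for s in STATES}      # 5 by default, as on the page
        self.max_per_state.update(max_per_state or {})   # per-state overrides
        self.accelerating = set()                        # states currently aged faster

    def check(self, connections):
        """One check (the page's default interval is 30 s). Returns the counts."""
        counts = {s: 0 for s in STATES}
        for conn in connections:
            if conn["state"] in counts:
                counts[conn["state"]] += 1
        for state in STATES:
            limit = self.max_per_state[state]
            if limit == 0:                               # 0 disables acceleration
                self.accelerating.discard(state)
            elif counts[state] > limit:                  # treated as a Naptha attack
                self.accelerating.add(state)
            elif state in self.accelerating and counts[state] < 0.8 * limit:
                self.accelerating.discard(state)         # hysteresis: stop below 80%
        return counts


def age_connections(connections, accelerating, now, idle_timeout, fast_timeout):
    """Drop connections idle beyond their timeout; states under acceleration use
    the shorter fast_timeout (assumed values, the page gives no figure)."""
    kept = []
    for conn in connections:
        timeout = fast_timeout if conn["state"] in accelerating else idle_timeout
        if now - conn["last_activity"] <= timeout:
            kept.append(conn)
    return kept


def make_connections(state, n, last_activity=0.0):
    """Constructed sample: n connections parked in one state, requesting no data."""
    return [{"state": state, "last_activity": last_activity} for _ in range(n)]
```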

 

Configuring TCP Optional Parameters

TCP optional parameters that can be configured include:

- synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection is not established.

- finwait timer: When a TCP connection enters the FIN_WAIT_2 state, the finwait timer is started. If no FIN packet is received within the timer interval, the TCP connection is terminated. If a FIN packet is received, the TCP connection state changes to TIME_WAIT. If a non-FIN packet is received, the system restarts the timer upon receiving the last non-FIN packet, and the connection is broken after the timer expires.

- Size of the TCP receive/send buffer

Follow these steps to configure TCP optional parameters:

1) Enter system view: system-view

2) Configure the TCP synwait timer: tcp timer syn-timeout time-value (Optional. 75 seconds by default.)

3) Configure the TCP finwait timer: tcp timer fin-timeout time-value (Optional. 675 seconds by default.)

4) Configure the size of the TCP receive/send buffer: tcp window window-size (Optional. 8 KB by default.)

The actual length of the finwait timer is determined by the following formula:

Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the synwait timer

With the default values, this gives (675 – 75) + 75 = 675 seconds.

Configuring ICMP to Send Error Packets

Sending error packets is a major function of ICMP. In case of network abnormalities, ICMP packets are usually sent by the network or transport layer protocols to notify corresponding devices so as to facilitate control and management.

Advantages of sending ICMP error packets

There are three kinds of ICMP error packets: redirect packets, timeout packets and destination unreachable packets. Their sending conditions and functions are as follows.

1) Sending ICMP redirect packets

After startup, a host may have only a default route to the default gateway in its routing table. If the following conditions are all satisfied, the default gateway sends an ICMP redirect packet to the source host, telling it to reselect a correct next hop for subsequent packets:

- The receiving and forwarding interfaces are the same.

- The selected route has not been created or modified by an ICMP redirect packet.

- The selected route is not the default route of the device.

- There is no source route option in the packet.

The ICMP redirect function simplifies host administration and enables a host to gradually build a sound routing table and find the best routes.

2) Sending ICMP timeout packets

If the device receives an IP packet with a timeout error, it drops the packet and sends an ICMP timeout packet to the source.

The device sends an ICMP timeout packet under the following conditions:

- If the device finds that the destination of a packet is not itself and the TTL field of the packet is 1, it sends a “TTL timeout” ICMP error message.

- When the device receives the first fragment of an IP datagram whose destination is the device itself, it starts a timer. If the timer expires before all fragments of the datagram are received, the device sends a “reassembly timeout” ICMP error packet.

3) Sending ICMP destination unreachable packets

If the device receives an IP packet whose destination is unreachable, it drops the packet and sends an ICMP destination unreachable error packet to the source.

Conditions for sending this ICMP packet:

- If neither a route nor the default route is available for forwarding a packet, the device sends a “network unreachable” ICMP error packet.

- If the destination of a packet is local but the transport layer protocol of the packet is not supported by the local device, the device sends a “protocol unreachable” ICMP error packet to the source.

- When receiving a packet whose destination is local and whose transport layer protocol is UDP, if the packet’s port number does not match any running process, the device sends the source a “port unreachable” ICMP error packet.

- If the source uses “strict source routing” to send packets, but the intermediate device finds that the next hop specified by the source is not directly connected, the device sends the source a “source routing failure” ICMP error packet.

- When forwarding a packet, if the MTU of the sending interface is smaller than the packet but the packet has the “Don’t Fragment” bit set, the device sends the source a “fragmentation needed and Don’t Fragment (DF) set” ICMP error packet.

Disadvantages of sending ICMP error packets

Although sending ICMP error packets facilitates network control and management, it has the following disadvantages:

- Sending a lot of ICMP packets increases network traffic.

- If a device receives a lot of malicious packets that cause it to send ICMP error packets, its performance is reduced.

- As the redirection function increases the routing table size of a host, the host’s performance is reduced if its routing table becomes very large.

- If a host sends malicious ICMP destination unreachable packets, end users may be affected.

To prevent such problems, you can disable the device from sending ICMP error packets.

Follow these steps to enable sending of ICMP error packets:

1) Enter system view: system-view

2) Enable sending of ICMP redirect packets: ip redirects enable (Required. Disabled by default.)

3) Enable sending of ICMP timeout packets: ip ttl-expires enable (Required. Disabled by default.)

4) Enable sending of ICMP destination unreachable packets: ip unreachables enable (Required. Disabled by default.)

The device stops sending “TTL timeout” ICMP error packets after sending of ICMP timeout packets is disabled. However, “reassembly timeout” error packets are still sent normally.

Displaying and Maintaining IP Performance Optimization

- Display current TCP connection state: display tcp status (available in any view)

- Display TCP connection statistics: display tcp statistics (available in any view)

- Display UDP statistics: display udp statistics (available in any view)

- Display statistics of IP packets: display ip statistics (available in any view)

- Display ICMP statistics: display icmp statistics (available in any view)

- Display socket information: display ip socket [ socktype sock-type ] [ task-id socket-id ] (available in any view)

- Display FIB information: display fib [ | { begin | include | exclude } regular-expression | acl acl-number | ip-prefix ip-prefix-name ] (available in any view)

- Display FIB information matching the specified destination IP address: display fib ip-address [ mask | mask-length ] (available in any view)

- Clear statistics of IP packets: reset ip statistics (available in user view)

- Clear statistics of TCP connections: reset tcp statistics (available in user view)

- Clear statistics of UDP traffic: reset udp statistics (available in user view)

Currently, the S5810 series Ethernet switches do not support the display fib ip-prefix ip-prefix-name command. That is, they do not display FIB entries matching a specified IP prefix list.


H3C reserves the right to modify its collaterals without any prior notice. For the latest information of the collaterals, please consult H3C sales or call 400 hotline.