3Com 5500-SI Configuration Manual page 345

5500 series

Perform the following configuration in PIM view.

Table 357 Configuring RP to filter the register messages sent by DR

Operation                                                  Command
Configure RP to filter the register messages sent by DR    register-policy acl_number
Cancel the configured filter of messages                   undo register-policy

If an entry of a source group is denied by the ACL, or the ACL does not define an
operation for it, or there is no ACL defined, the RP sends RegisterStop messages to
the DR to stop the register process of the multicast data stream.

Only the register messages matching the ACL permit clause can be accepted by the
RP. Specifying an undefined ACL makes the RP deny all register messages.

Limiting the Range of Legal BSR

In a PIM-SM network using the BSR (bootstrap router) mechanism, every router can set
itself as a C-BSR (candidate BSR) and take the authority to advertise RP information in
the network once it wins the contention. To prevent malicious BSR spoofing in the
network, the following two measures need to be taken:

- Prevent the router from being spoofed by hosts through faking legal BSR messages
  to modify RP mapping. BSR messages are of multicast type and their TTL is 1, so
  this type of attack often hits edge routers. Fortunately, BSRs are inside the
  network, while attacking hosts are outside, therefore neighbor and RPF checks
  can be used to stop this type of attack.

- If a router in the network is manipulated by an attacker, or an illegal router is
  connected to the network, the attacker may set itself as C-BSR and try to win the
  contention and gain authority to advertise RP information in the network.
  Since a router configured as C-BSR must propagate BSR messages, which are
  multicast messages sent hop by hop with a TTL of 1, the network cannot be
  affected as long as the peer routers do not receive these BSR messages. One way
  is to configure bsr-policy on each router to limit the legal BSR range, for
  example, only 1.1.1.1/32 and 1.1.1.2/32 can be BSR, thus the routers cannot
  receive or forward BSR messages other than these two. Even legal BSRs cannot
  contest with them.

Perform the following configuration in PIM view.

Table 358 Limiting the range of legal BSR

Operation                        Command
Set the legal BSR range limit    bsr-policy acl_number
Restore to the default setting   undo bsr-policy

For detailed information on bsr-policy, please refer to the command manual.

Limiting the Range of Legal C-RP

In a PIM-SM network using the BSR mechanism, every router can set itself as a C-RP
(candidate rendezvous point) servicing particular groups. If elected, a C-RP becomes
the RP servicing the current group.
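
The filter decisions described above for register-policy and bsr-policy, modeled as an added Python example (not taken from the 3Com manual or the switch software). The ACL numbers, the register rules, the function names and the first-match rule order are assumptions for illustration; only 1.1.1.1/32 and 1.1.1.2/32 come from the text.

```python
import ipaddress

# Constructed ACL table: number -> ordered rules (action, source net, group net).
# A group net of None means the rule matches on the source address only,
# as for a BSR filter. Real ACL syntax and match order are not modeled.
ACLS = {
    3000: [("deny",   "10.1.1.0/24", "225.1.1.0/24"),
           ("permit", "10.1.0.0/16", "225.1.0.0/16")],
    2000: [("permit", "1.1.1.1/32", None),
           ("permit", "1.1.1.2/32", None)],
}

def acl_verdict(acl_number, source, group=None):
    """Return 'permit', 'deny', 'no-match' or 'undefined' for one lookup."""
    rules = ACLS.get(acl_number)
    if rules is None:
        return "undefined"                      # ACL number was never configured
    src = ipaddress.ip_address(source)
    grp = ipaddress.ip_address(group) if group else None
    for action, src_net, grp_net in rules:      # assumption: first match wins
        if src not in ipaddress.ip_network(src_net):
            continue
        if grp_net is not None and (grp is None or grp not in ipaddress.ip_network(grp_net)):
            continue
        return action
    return "no-match"                           # ACL defines no operation for it

def rp_handle_register(acl_number, source, group):
    """RP side: only an explicit permit is accepted; a deny, a non-matching
    entry or an undefined ACL all end in a RegisterStop to the DR."""
    verdict = acl_verdict(acl_number, source, group)
    return "accept" if verdict == "permit" else "register-stop"

def router_handle_bsr(acl_number, bsr_address):
    """Router side: keep a BSR message only if its BSR address is permitted."""
    return "accept" if acl_verdict(acl_number, bsr_address) == "permit" else "drop"
```

The point to check on a real device is the fail-closed case: a register-policy that references an ACL number nobody created rejects every register message, which looks like a multicast outage rather than a filter.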

This manual is also suitable for: 5500-ei, 5500g-ei