Table of Contents
Advertisement
address to replace its own BSR address and no longer assumes itself to be the BSR, and the winner
retains its own BSR address and continues assuming itself to be the BSR.
Configuring a legal range of BSR addresses enables filtering of bootstrap messages based on the
address range, to prevent a maliciously configured host from masquerading as a BSR. The same
configuration must be made on all routers in the BIDIR-PIM domain. The following are typical BSR
spoofing cases and the corresponding preventive measures:
Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP
1.
mappings. Such attacks often occur on border routers. Because a BSR is inside the network
whereas hosts are outside the network, a BSR can be protected against attacks from external hosts
after you enable the border routers to perform neighbor checks and RPF checks on bootstrap
messages and discard unwanted messages.
When a router in the network is controlled by an attacker or when an illegal router is present in the
2.
network, the attacker can configure this router as a C-BSR and make it win BSR election to control
the right of advertising RP information in the network. After being configured as a C-BSR, a router
automatically floods the network with bootstrap messages. Because a bootstrap message has a TTL
value of 1, the whole network will not be affected as long as the neighbor router discards these
bootstrap messages. Therefore, with a legal BSR address range configured on all routers in the
entire network, all these routers will discard bootstrap messages from out of the legal address
range.
The preventive measures can partially protect the security of BSRs in a network. However, if a legal BSR
is controlled by an attacker, the mentioned problem will still occur.
Follow these steps to configure a C-BSR:
To do...
Enter system view
Enter public network PIM view
or VPN instance PIM view
Configure an interface as a C-
BSR
Configure a legal BSR address
range
NOTE:
Because a large amount of information needs to be exchanged between a BSR and the other devices
•
in the BIDIR-PIM domain, a relatively large bandwidth should be provided between the C-BSRs and
the other devices in the BIDIR-PIM domain.
For C-BSRs interconnected through a GRE tunnel, multicast static routes need to be configured to
•
ensure that the next hop to a C-BSR is a Tunnel interface. For more information about multicast static
routes, see the chapter "Multicast routing and forwarding configuration."
Use the command...
system-view
pim [ vpn-instance vpn-instance-
name ]
c-bsr interface-type interface-number
[ hash-length [ priority ] ]
bsr-policy acl-number
148
Remarks
—
—
Required
No C-BSRs are configured by
default.
Optional
No restrictions on BSR address
range by default
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
