HP A6600 Configuration Manual page 125

address to replace its own BSR address and no longer assumes itself to be the BSR, and the winner
retains its own BSR address and continues assuming itself to be the BSR.
Configuring a legal range of BSR addresses enables filtering of bootstrap messages based on the
address range, thus to prevent a maliciously configured host from masquerading as a BSR. The same
configuration must be made on all routers in the PIM-SM domain. The following are typical BSR spoofing
cases and the corresponding preventive measures:
Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP
1.
mappings. Such attacks often occur on border routers. Because a BSR is inside the network whereas
hosts are outside the network, you can protect a BSR against attacks from external hosts by enabling
the border routers to perform neighbor checks and RPF checks on bootstrap messages and discard
unwanted messages.
When an attacker controls a router in the network or when an illegal router is present in the network,
2.
the attacker can configure this router as a C-BSR and make it win BSR election to control the right of
advertising RP information in the network. After a router is configured as a C-BSR, it automatically
floods the network with bootstrap messages. Because a bootstrap message has a TTL value of 1, the
whole network will not be affected as long as the neighbor router discards these bootstrap
messages. Therefore, with a legal BSR address range configured on all routers in the entire network,
all these routers will discard bootstrap messages from out of the legal address range.
The preventive measures can partially protect the security of BSRs in a network. However, if an attacker
controls a legal BSR, the preceding problem will still occur.
To do...
1. Enter system view.
2. Enter public network PIM
viewor VPN instance PIM
view.
3. Configure an interface as a
C-BSR.
4. Configure a legal BSR
address range.
Because a large amount of information needs to be exchanged between a BSR and the other devices in
the PIM-SM domain, a relatively large bandwidth should be provided between the C-BSRs and the other
devices in the PIM-SM domain.
For C-BSRs interconnected via a GRE tunnel, multicast static routes need to be configured to ensure that
the next hop to a C-BSR is a tunnel interface. For more information about multicast static routes, see
"Configuring multicast routing and
Configuring a PIM domain border
As the administrative core of a PIM-SM domain, the BSR sends the collected RP-set information in the form
of bootstrap messages to all routers in the PIM-SM domain.
A PIM domain border is a bootstrap message boundary. Each BSR has its specific service scope. A
number of PIM domain border interfaces partition a network into different PIM-SM domains. Bootstrap
messages cannot cross a domain border in either direction
Perform the following configuration on routers that you want to configure as a PIM domain border.
Use the command...
system-view
pim [ vpn-instance
vpn-instance-name ]
c-bsr interface-type
interface-number [ hash-length
[ priority ] ]
bsr-policy acl-number
forwarding."
114
Remarks
—
—
Required.
No C-BSRs are configured by
default.
Optional.
No restrictions on BSR address
range by default.