HP A6600 Configuration Manual page 329

Configuring a C-BSR
You should configure C-BSRs on routers in the backbone network. When you configure a router as a
C-BSR, be sure to specify the IPv6 address of an IPv6 PIM-SM-enabled interface on the router. The BSR
election process is as follows:
Initially, every C-BSR assumes itself to be the BSR of this IPv6 PIM-SM domain, and uses its interface
•
IPv6 address as the BSR address to send bootstrap messages.
When a C-BSR receives the bootstrap message of another C-BSR, it first compares its own priority
•
with the other C-BSR's priority carried in the message. The C-BSR with a higher priority wins. If a tie
exists in the priority, the C-BSR with a higher IPv6 address wins. The loser uses the winner's BSR
address to replace its own BSR address and no longer assumes itself to be the BSR, and the winner
keeps its own BSR address and continues assuming itself to be the BSR.
Configuring a legal range of BSR addresses enables filtering of bootstrap messages based on the
address range, in order to prevent a maliciously configured host from masquerading as a BSR. You must
make the same configuration on all routers in the IPv6 PIM-SM domain. The following are typical BSR
spoofing cases and the corresponding preventive measures:
Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP
1.
mappings. Such attacks often occur on border routers. Because a BSR is inside the network whereas
hosts are outside the network, you can protect a BSR against attacks from external hosts by enabling
the border routers to perform neighbor checks and RPF checks on bootstrap messages and discard
unwanted messages.
When an attacker controls a router in the network or when the network contains an illegal router,
2.
the attacker can configure this router as a C-BSR and make it win BSR election to control the right of
advertising RP information in the network. After you configure a router as a C-BSR, the router
automatically floods the network with bootstrap messages. Because a bootstrap message has a hop
limit value of 1, the whole network will not be affected as long as the neighbor router discards these
bootstrap messages. Therefore, with a legal BSR address range configured on all routers in the
entire network, all these routers will discard bootstrap messages from out of the legal address range.
The preventive measures can partially protect the security of BSRs in a network. However, if an attacker
controls a legal BSR, the preceding problem will also occur.
To do...
1. Enter system view.
2. Enter IPv6 PIM view.
3. Configure an interface as a
C-BSR.
4. Configure a legal BSR
address range.
Because a large amount of information needs to be exchanged between a BSR and the other devices in
the IPv6 PIM-SM domain, a relatively large bandwidth should be provided between the C-BSR and the
other devices in the IPv6 PIM-SM domain.
Configuring an IPv6 PIM domain border
As the administrative core of an IPv6 PIM-SM domain, the BSR sends the collected RP-set information in
the form of bootstrap messages to all routers in the IPv6 PIM-SM domain.
Use the command...
system-view
pim ipv6
c-bsr ipv6-address [ hash-length
[ priority ] ]
bsr-policy acl6-number
318
Remarks
—
—
Required.
No C-BSRs are configured by
default.
Optional.
No restrictions by default.