H3C S5500-EI Configuration Manual page 188

Configuring a legal range of BSR addresses enables filtering of bootstrap messages based on the
address range, thus to prevent a maliciously configured host from masquerading as a BSR. The same
configuration must be made on all routers in the BIDIR-PIM domain. The following are typical BSR
spoofing cases and the corresponding preventive measures:
Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP
•
mappings. Such attacks often occur on border routers. Because a BSR is inside the network whereas
hosts are outside the network, you can protect a BSR against attacks from external hosts by enabling
the border routers to perform neighbor checks and RPF checks on bootstrap messages and discard
unwanted messages.
• When a router in the network is controlled by an attacker or when an illegal router is present in the
network, the attacker can configure this router as a C-BSR and make it win BSR election to control
the right of advertising RP information in the network. After being configured as a C-BSR, a router
automatically floods the network with bootstrap messages. Because a bootstrap message has a TTL
value of 1, the whole network will not be affected as long as the neighbor router discards these
bootstrap messages. Therefore, with a legal BSR address range configured on all routers in the
entire network, all these routers will discard bootstrap messages from out of the legal address
range.
The preventive measures can partially protect the security of BSRs in a network. If a legal BSR is controlled
by an attacker, the preceding problem will still occur.
Because a large amount of information needs to be exchanged between a BSR and the other devices in
the BIDIR-PIM domain, a relatively large bandwidth should be provided between the C-BSRs and the
other devices in the BIDIR-PIM domain.
When C-BSRs connect to other PIM routers through tunnels, static multicast routes must be configured on
the PIM routers to make sure the next hop to a C-BSR is a tunnel interface. Otherwise, RPF check is
affected. For more information about static multicast routes, see
forwarding (available only on the
To configure a C-BSR:
Step
1. Enter system view.
2. Enter public network PIM view
or VPN instance PIM view.
3. Configure an interface as a
C-BSR.
4. Configure a legal BSR
address range.
S5500-EI)."
Command
system-view
pim [ vpn-instance
vpn-instance-name ]
c-bsr interface-type
interface-number [ hash-length
[ priority ] ]
bsr-policy acl-number
169
"Configuring multicast routing and
Remarks
N/A
N/A
No C-BSRs are configured by
default.
Optional.
No restrictions on BSR address
range by default.