3Com MSR 50 Series Configuration Manual page 1251

perform neighbor check and RPF check on BSR messages and discard unwanted
messages.
2 When a router in the network is controlled by an attacker or when an illegal router
is present in the network, the attacker can configure such a router to be a C-BSR
and make it win BSR election so as to gain the right of advertising RP information
in the network. After being configured as a C-BSR, a router automatically floods
the network with BSR messages. As a BSR message has a hop limit value of 1, the
whole network will not be affected as long as the neighbor router discards these
BSR messages. Therefore, if a legal BSR address range is configured on all routers
in the entire network, all routers will discard BSR messages from out of the legal
address range, and thus this kind of attacks can be prevented.
The above-mentioned preventive measures can partially protect the security of
BSRs in a network. However, if a legal BSR is controlled by an attacker, the
above-mentioned problem will also occur.
Follow these steps to complete basic BSR configuration:
To do...
Enter system view
Enter IPv6 PIM view
Configure an interface as a
C-BSR
Configure a legal BSR address
range
n
Since a large amount of information needs to be exchanged between a BSR and
the other devices in the IPv6 PIM-SM domain, a relatively large bandwidth should
be provided between the C-BSR and the other devices in the IPv6 PIM-SM domain.
Configuring a BSR admin-scope region boundary
A BSR has its specific service scope. A number of BSR boundary interfaces divide a
network into different BSR admin-scope regions. Bootstrap messages cannot cross
the admin-scope region boundary, while other types of IPv6 PIM messages can.
Follow these steps to configure a BSR admin-scope region boundary:
To do...
Enter system view
Enter interface view
Configuring a BSR
Admin-scope Region
Boundary
Configuring global C-BSR parameters
The BSR election winner advertises its own IPv6 address and RP-Set information
throughout the region it serves through bootstrap messages. The BSR floods
bootstrap messages throughout the network periodically. Any C-BSR that receives
Use the command...
system-view
pim ipv6
c-bsr ipv6-address
[ hash-length [ priority ] ]
bsr-policy acl6-number
Use the command...
system-view
interface interface-type
interface-number
pim ipv6 bsr-boundary
Configuring IPv6 PIM-SM
Remarks
-
-
Optional
No C-BSRs are configured by
default.
Optional
No restrictions by default
Remarks
-
-
Required
No BSR admin-scope region
boundary by default
1251