200 CHAPTER 7: MULTICAST PROTOCOL
Only the register messages matching the ACL permit clause can be accepted by
the RP. Specifying an undefined ACL will make the RP to deny all register
messages.
Limiting the Range of Legal BSR
In the PIM SM network using BSR (bootstrap router) mechanism, every router can
set itself as C-BSR (candidate BSR) and take the authority to advertise RP
information in the network once it wins in the contention. To prevent malicious
BSR proofing in the network, the following two measures need to be taken:
■ Prevent the router from being spoofed by hosts though faking legal BSR
messages to modify RP mapping. BSR messages are of multicast type and their
TTL is 1, so this type of attacks often hit edge routers. Fortunately, BSRs are
inside the network, while assaulting hosts are outside, therefore neighbor and
RPF checks can be used to stop this type of attack.
■ If a router in the network is manipulated by an attacker, or an illegal router is
accessed into the network, the attacker may set itself as C-BSR and try to win
the contention and gain authority to advertise RP information among the
network. Since the router configured as C-BSR shall propagate BSR messages,
which are multicast messages sent hop by hop with TTL as 1, among the
network, then the network cannot be affected as long as the peer routers do
not receive these BSR messages. One way is to configure
bsr-policy on each
router to limit legal BSR range, for example, only 1.1.1.1/32 and 1.1.1.2/32 can
be BSR, thus the routers cannot receive or forward BSR messages other than
these two. Even legal BSRs cannot contest with them.
Perform the following configuration in PIM View.
For detailed information of bsr-policy, please refer to the command manual.
Limiting the Range of Legal C-RP
In the PIM-SM network using BSR mechanism, every router can set itself as C-RP
(candidate rendezvous point) servicing particular groups. If elected, a C-RP
becomes the RP servicing the current group.
In BSR mechanism, a C-RP router unicasts C-RP messages to the BSR, which then
propagates the C-RP messages among the network by BSR message. To prevent
C-RP spoofing, you need to configure
crp-policy on the BSR to limit legal C-RP
range and their service group range. Since each C-BSR has the chance to become
BSR, you must configure the same filtering policy on each C-BSR router.
Table 219 Limiting the range of legal BSR
Operation Command
Set the legal BSR range limit bsr-policy
acl_number
Restore to the default setting undo bsr-policy
To Next Page