393
Configuring a legal range of BSR addresses enables filtering of bootstrap messages based on the
address range, thereby preventing a maliciously configured host from masquerading as a BSR. You must
make the same configuration on all routers in the IPv6 PIM-SM domain. Typical BSR spoofing cases and
the corresponding preventive measures are as follows:
• Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP
mappings. Such attacks often occur on border routers. Because a BSR is inside the network whereas
hosts are outside the network, you can protect a BSR against attacks from external hosts by enabling
the border routers to perform neighbor checks and RPF checks on bootstrap messages and to
discard unwanted messages.
• If an attacker controls a router in the network or if the network contains an illegal router, the attacker
can configure this router as a C-BSR and make it win BSR election to control the right of advertising
RP information in the network. After you configure a router as a C-BSR, the router automatically
floods the network with bootstrap messages. Because a bootstrap message has a hop limit value of
1, the whole network will not be affected as long as the neighbor router discards these bootstrap
messages. Therefore, with a legal BSR address range configured on all routers in the entire network,
all these routers will discard bootstrap messages from out of the legal address range.
These preventive measures can partially protect the security of BSRs in a network. However, if an attacker
controls a legal BSR, the problem will still occur.
IMPORTANT:
Because a lar
e amount of information needs to be exchan
ed between a BSR and the other devices in the
IPv6 PIM-SM domain, a relatively large bandwidth should be provided between the C-BSR and the other
devices in the IPv6 PIM-SM domain.
To configure a C-BSR:
Ste
Command Remarks
1. Enter system view.
system-view N/A
2. Enter IPv6 PIM view.
pim ipv6 N/A
3. Configure an interface as a
C-BSR.
c-bsr ipv6-address
[ hash-length [ priority ] ]
No C-BSRs are configured by default.
4. Configure a legal BSR
address range.
bsr-policy acl6-number
Optional.
No restrictions by default.
Configuring an IPv6 PIM domain border
As the administrative core of an IPv6 PIM-SM domain, the BSR sends the collected RP-set information in
the form of bootstrap messages to all routers in the IPv6 PIM-SM domain.
An IPv6 PIM domain border is a bootstrap message boundary. Each BSR has its specific service scope.
IPv6 PIM domain border interfaces partition a network into different IPv6 PIM-SM domains. Bootstrap
messages cannot cross a domain border in either direction.
Perform the following configuration on routers that you want to configure as an IPv6 PIM domain border.
To Next Page
Loading...
