102
All routers use the same hash algorithm to get an RP for a specific multicast group.
Configuring a legal BSR address range enables filtering of BSMs based on the address range, which
prevents a maliciously configured host from masquerading as a BSR. The same configuration must be
made on all routers in the PIM-SM domain. The following describes the typical BSR spoofing cases and
the corresponding preventive measures:
• Some maliciously configured hosts can forge BSMs to fool routers and change RP mappings. Such
attacks often occur on border routers. A BSR is inside the network and hosts are outside the network.
To protect a BSR against external attacks, you can enable the border routers to do the following:
{ Perform neighbor checks and RPF checks on BSMs.
{ Discard unwanted messages.
• When an attacker controls a router on the network, the attacker can configure the router as a C-BSR
to win the BSR election. Through this router, the attacker controls the advertising of RP information.
For security purposes, you can configure a legal BSR address range on all routers on the network.
All routers will discard BSMs that are out of the legal address range.
These preventive measures can partially protect the BSR in a network. However, if an attacker controls a
legal BSR, the problem still exists.
When you configure a C-BSR, reserve a relatively large bandwidth between the C-BSR and the other
devices in the PIM-SM domain.
When C-BSRs connect to other PIM routers through tunnels, static multicast routes must be configured to
make sure the next hop to a C-BSR is a tunnel interface. Otherwise, RPF check is affected. For more
information about static multicast routes, see "Configuring multicast routing and forwarding."
To
configure a C-BSR:
Ste
Command
Remarks
1. Enter system view.
system-view
N/A
2. Enter PIM view.
pim [ vpn-instance
vpn-instance-name ]
N/A
3. Configure a C-BSR.
c-bsr ip-address [ scope
group-address { mask-length |
mask } ] [ hash-length hash-length
| priority priority ] *
By default, no C-BSR is configured.
4. (Optional.) Configure a legal
BSR address range.
bsr-policy acl-number
By default, no restrictions are
defined.
Configuring a PIM domain border
As the administrative core of a PIM-SM domain, the BSR sends the collected RP-set information in the form
of bootstrap messages to all routers in the PIM-SM domain.
A PIM domain border is a bootstrap message boundary. Each BSR has its specific service scope. A
number of PIM domain border interfaces partition a network into different PIM-SM domains. Bootstrap
messages cannot cross a domain border in either direction.
Perform the following configuration on routers that you want to configure as a PIM domain border.
To configure a PIM domain border:
To Next Page
Loading...
