301
1. Initially, each C-BSR regards itself as the BSR of the IPv6 BIDIR-PIM domain and sends BSMs to
other routers in the domain.
2. When a C-BSR receives the BSM from another C-BSR, it compares its own priority with the priority
carried in the message. The C-BSR with a higher priority wins the BSR election. If a tie exists in the
priority, the C-BSR with a higher IPv6 address wins. The loser uses the winner's BSR address to
replace its own BSR address and no longer regards itself as the BSR. The winner retains its own
BSR address and continues to regard itself as the BSR.
In an IPv6 BIDIR-PIM domain, the BSR does the following:
• Collects C-RP information from the received advertisement messages from the C-RPs.
• Encapsulates the C-RP information in the RP-set information.
• Distributes the RP-set information to all routers in the IPv6 BIDIR-PIM domain.
All routers use the same hash algorithm to get an RP for a specific IPv6 multicast group.
Configuring a legal BSR address range enables filtering of BSMs based on the address range, which
prevents a maliciously configured host from masquerading as a BSR. The same configuration must be
made on all routers in the IPv6 BIDIR-PIM domain. The following describes typical BSR spoofing cases
and the corresponding preventive measures:
• Some maliciously configured hosts can forge BSMs to fool routers and change RP mappings. Such
attacks often occur on border routers. A BSR is inside the network and hosts are outside the network.
To protect a BSR against external attacks, you can enable the border routers to do the following:
{ Perform neighbor checks and RPF checks on BSMs.
{ Discard unwanted messages.
• When an attacker controls a router on the network, the attacker can configure the router as a C-BSR
to win the BSR election. Through this router, the attacker controls the advertising of RP information.
For security purposes, you can configure a legal BSR address range on all routers on the network.
All routers will discard BSMs that are out of the legal address range.
These preventive measures can partially protect the BSR in a network. However, if an attacker controls a
legal BSR, the problem still exists.
To configure a C-BSR:
Ste
Command Remarks
1. Enter system view.
system-view N/A
2. Enter IPv6 PIM view.
ipv6 pim [ vpn-instance
vpn-instance-name ]
N/A
3. Configure a C-BSR.
c-bsr ipv6-address [ scope
scope-id ] [ hash-length hash-length
| priority priority ] *
By default, no C-BSR is
configured.
4. (Optional.) Configure a legal
BSR address range.
bsr-policy acl6-number
By default, no restrictions are
defined.
Configuring an IPv6 PIM domain border
As the administrative core of an IPv6 BIDIR-PIM domain, the BSR sends the collected RP-set information
in the bootstrap messages to all routers in the IPv6 BIDIR-PIM domain.
To Next Page
Loading...
