136
1.
Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP
mappings. Such attacks often occur on border routers. Because a BSR is inside the network
whereas hosts are outside the network, a BSR can be protected against attacks from external hosts
after you enable the border routers to perform neighbor checks and RPF checks on bootstrap
messages and to discard unwanted messages.
2. If an attacker controls a router in the network or if an illegal router is present in the network, the
attacker can configure this router as a C-BSR and make it win the BSR election to control the right of
advertising RP information in the network. After a router is configured as a C-BSR, it automatically
floods the network with bootstrap messages. Because a bootstrap message has a TTL value of 1,
the entire network will not be affected as long as the neighbor router discards these bootstrap
messages. Therefore, with a legal BSR address range configured on all routers in the entire
network, all these routers will discard bootstrap messages from out of the legal address range.
These preventive measures can partially protect the security of BSRs in a network. However, if an
attacker controls a legal BSR, the problem will still occur.
Follow these steps to configure a C-BSR:
To do… Use the command… Remarks
Enter system view
system-view —
Enter public network PIM view
or VPN instance PIM view
pim [ vpn-instance vpn-instance-
name ]
—
Configure an interface as a C-
BSR
c-bsr interface-type interface-number
[ hash-length [ priority ] ]
Required
No C-BSRs are configured by
default.
Configure a legal BSR address
range
bsr-policy acl-number
Optional
No restrictions on BSR address
range by default.
NOTE:
Because a lar
e amount of information needs to be exchan
ed between a BSR and the other devices in
the PIM-SM domain, a relatively large bandwidth should be provided between the C-BSRs and the
other devices in the PIM-SM domain.
Configuring a PIM domain border
As the administrative core of a PIM-SM domain, the BSR sends the collected RP-set information in the
form of bootstrap messages to all routers in the PIM-SM domain.
A PIM domain border is a bootstrap message boundary. Each BSR has its specific service scope. A
number of PIM domain border interfaces partition a network into different PIM-SM domains. Bootstrap
messages cannot cross a domain border in either direction.
Perform the following configuration on routers that can become a PIM domain border.
Follow these steps to configure a PIM domain border:
To do… Use the command… Remarks
Enter system view
system-view —
Enter interface view
interface interface-type interface-
number
—
To Next Page
Loading...
Need help?
General
