3com 8807 Reference Guide

PIM CONFIGURATION COMMANDS
PIM Configuration Commands
bsr-policy
Syntax
bsr-policy acl-number
undo bsr-policy
View
PIM view
Parameter
acl-number: Number of the basic ACL imported as the BSR filtering policy, in the range of 2000 to 2999.
Description
Use the bsr-policy command to limit the range of legal BSRs and so prevent BSR spoofing.
Use the undo bsr-policy command to restore the default setting, in which no range limit is set and all received bootstrap messages are taken as legal.
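The following configuration is an added example and is not taken from the original guide. It applies the policy this command describes: a basic ACL that permits only the two BSR addresses this description later uses as an illustration (1.1.1.1/32 and 1.1.1.2/32), imported in PIM view with bsr-policy. The hostname 8807, the view prompts, the multicast routing-enable step, the exact ACL rule syntax and the display verification command follow Comware-style conventions and are assumptions, not text from this page; lines beginning with # are editorial annotations, not CLI input.

```text
# Annotations (lines starting with #) are editorial, not commands.
<8807> system-view
# Basic ACL (2000-2999): permit only the two legitimate BSR addresses.
# A wildcard of 0 matches the exact host address, i.e. a /32.
[8807] acl number 2000
[8807-acl-basic-2000] rule permit source 1.1.1.1 0
[8807-acl-basic-2000] rule permit source 1.1.1.2 0
# Explicit final deny so any other claimed BSR address is rejected.
[8807-acl-basic-2000] rule deny source any
[8807-acl-basic-2000] quit
# Enable multicast routing (assumed prerequisite), enter PIM view and
# import the ACL as the BSR filtering policy.
[8807] multicast routing-enable
[8807] pim
[8807-pim] bsr-policy 2000
[8807-pim] quit
# Verification (assumed command): confirm the policy is in the running
# configuration.
[8807] display current-configuration | include bsr-policy
```

Because bootstrap messages are forwarded hop by hop, the policy has to be applied on every PIM router, not only at the edge: a router without it will accept and forward a bootstrap message that carries a forged BSR address, whereas a router with the policy drops it regardless of which neighbor delivered it.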
In a PIM-SM network that uses the BSR (bootstrap router) mechanism, every router can configure itself as a C-BSR (candidate BSR) and, once it wins the election, gains the authority to advertise RP information to the whole network. To prevent the legal BSR from being replaced maliciously, the following two measures need to be taken:
Prevent the router from being spoofed by hosts that forge legal BSR messages in order to modify the RP mapping. Bootstrap messages are multicast and carry a TTL of 1, so this type of attack usually hits edge routers. Fortunately, BSRs are inside the network while the attacking hosts are outside, so neighbor and RPF checks can be used to stop this type of attack.
If a router in the network is compromised by an attacker, or an illegal router is connected to the network, the attacker may configure it as a C-BSR and try to win the election and gain the authority to advertise RP information across the network. Because a router configured as C-BSR propagates bootstrap messages, which are multicast hop by hop with a TTL of 1, the network is not affected as long as the neighboring routers do not accept these messages. One way is to configure bsr-policy on each router to limit the range of legal BSRs, for example, only 1.1.1.1/32 and 1.1.1.2/32 can