Configuring a bidir-pim domain border – H3C Technologies H3C S12500 Series Switches User Manual

144

address to replace its own BSR address and no longer assumes itself to be the BSR, and the winner

retains its own BSR address and continues assuming itself to be the BSR.

Configuring a legal range of BSR addresses enables filtering of bootstrap messages based on the

address range, thus to prevent a maliciously configured host from masquerading as a BSR. The same

configuration must be made on all routers in the BIDIR-PIM domain. The following are typical BSR

spoofing cases and the corresponding preventive measures:

•

Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP
mappings. Such attacks often occur on border routers. Because a BSR is inside the network whereas

hosts are outside the network, you can protect a BSR against attacks from external hosts by enabling

the border routers to perform neighbor checks and RPF checks on bootstrap messages and discard

unwanted messages.

•

When a router in the network is controlled by an attacker or when an illegal router is present in the
network, the attacker can configure this router as a C-BSR and make it win BSR election to control
the right of advertising RP information in the network. After being configured as a C-BSR, a router

automatically floods the network with bootstrap messages. Because a bootstrap message has a TTL

value of 1, the whole network will not be affected as long as the neighbor router discards these

bootstrap messages. Therefore, with a legal BSR address range configured on all routers in the
entire network, all these routers will discard bootstrap messages that are not in the legal address

range.

The preventive measures can partially protect the security of BSRs in a network. If a legal BSR is controlled

by an attacker, the preceding problem will still occur.
Because a large amount of information needs to be exchanged between a BSR and the other devices in

the BIDIR-PIM domain, a relatively large bandwidth should be provided between the C-BSRs and the

other devices in the BIDIR-PIM domain.
For C-BSRs interconnected through a GRE tunnel, multicast static routes need to be configured to make

sure that the next hop to a C-BSR is a Tunnel interface. For more information about multicast static routes,
see "Configuring multicast routing and forwarding."
To configure a C-BSR:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter public network PIM view

or VPN instance PIM view.

pim [ vpn-instance
vpn-instance-name ]

N/A

3.

Configure an interface as a
C-BSR.

c-bsr interface-type
interface-number [ hash-length

[ priority ] ]

No C-BSRs are configured by
default.

4.

Configure a legal BSR
address range.

bsr-policy acl-number

Optional.
No restrictions on BSR address

range by default.

Configuring a BIDIR-PIM domain border

As the administrative core of a BIDIR-PIM domain, the BSR sends the collected RP-Set information in the
form of bootstrap messages to all routers in the BIDIR-PIM domain.
A BIDIR-PIM domain border is a bootstrap message boundary. Each BSR has its specific service scope.

A number of BIDIR-PIM domain border interfaces partition a network into different BIDIR-PIM domains.

Bootstrap messages cannot cross a domain border in either direction.