Configuring an ipv6 bidir-pim domain border – H3C Technologies H3C S10500 Series Switches User Manual

389

•

When a C-BSR receives the bootstrap message of another C-BSR, it first compares its own priority

with the other C-BSR’s priority carried in message. The C-BSR with a higher priority wins. If a tie

exists in the priority, the C-BSR with a higher IPv6 address wins. The loser uses the winner’s BSR
address to replace its own BSR address and no longer assumes itself to be the BSR, and the winner

retains its own BSR address and continues assuming itself to be the BSR.

Configuring a legal range of BSR addresses enables filtering of bootstrap messages based on the

address range, thus to prevent a maliciously configured host from masquerading as a BSR. The same

configuration must be made on all routers in the IPv6 BIDIR-PIM domain. The following are typical BSR

spoofing cases and the corresponding preventive measures:

1.

Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP

mappings. Such attacks often occur on border routers. Because a BSR is inside the network
whereas hosts are outside the network, you can protect a BSR against attacks from external hosts

by enabling the border routers to perform neighbor checks and RPF checks on bootstrap messages

and discard unwanted messages.

2.

When a router in the network is controlled by an attacker or when an illegal router is present in the
network, the attacker can configure this router as a C-BSR and make it win BSR election to control

the right of advertising RP information in the network. After being configured as a C-BSR, a router

automatically floods the network with bootstrap messages. Because a bootstrap message has a

hop limit value of 1, the whole network will not be affected as long as the neighbor router discards
these bootstrap messages. Therefore, with a legal BSR address range configured on all routers in

the entire network, all these routers will discard bootstrap messages from out of the legal address

range.

The preventive measures can partially protect the security of BSRs in a network. However, if a legal BSR

is controlled by an attacker, the preceding problem will still occur.
Follow these steps to configure a C-BSR:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enter IPv6 PIM view

pim ipv6

—

Configure an interface as a
C-BSR

c-bsr ipv6-address
[ hash-length [ priority ] ]

Required
No C-BSRs are configured by default.

Configure a legal BSR
address range

bsr-policy acl6-number

Optional
No restrictions on BSR address range by default

NOTE:

Because a large amount of information will be exchanged between a BSR and the other devices in the IPv6
BIDIR-PIM domain, a relatively large bandwidth should be provided between the C-BSRs and the other

devices in the IPv6 BIDIR-PIM domain.

Configuring an IPv6 BIDIR-PIM domain border

As the administrative core of an IPv6 BIDIR-PIM domain, the BSR sends the collected RP-Set information

in the form of bootstrap messages to all routers in the IPv6 BIDIR-PIM domain.
An IPv6 BIDIR-PIM domain border is a bootstrap message boundary. Each BSR has its specific service

scope. A number of IPv6 BIDIR-PIM domain border interfaces partition a network into different IPv6

BIDIR-PIM domains. Bootstrap messages cannot cross a domain border in either direction.