Configuring a c-bsr – H3C Technologies H3C S7500E Series Switches User Manual

13-23

Configuring a C-BSR

C-BSRs should be configured on routers in the backbone network. When configuring a router

as a C-BSR, make sure to specify the IPv6 address of an IPv6 PIM-SM enabled interface on the

router. The BSR election process is summarized as follows:

z

Initially, every C-BSR assumes itself to be the BSR of this IPv6 PIM-SM domain, and uses

its interface IPv6 address as the BSR address to send bootstrap messages.

z

When a C-BSR receives the bootstrap message of another C-BSR, it first compares its own

priority with the other C-BSR’s priority carried in the message. The C-BSR with a higher

priority wins. If there is a tie in the priority, the C-BSR with a higher IPv6 address wins. The

loser uses the winner’s BSR address to replace its own BSR address and no longer

assumes itself to be the BSR, while the winner keeps its own BSR address and continues

assuming itself to be the BSR.

Configuring a legal range of BSR addresses enables filtering of bootstrap messages based on

the address range, thus to prevent a maliciously configured host from masquerading as a BSR.

The same configuration needs to be made on all routers in the IPv6 PIM-SM domain. The

following are typical BSR spoofing cases and the corresponding preventive measures:

1) Some maliciously configured hosts can forge bootstrap messages to fool routers and

change RP mappings. Such attacks often occur on border routers. Because a BSR is inside

the network whereas hosts are outside the network, you can protect a BSR against attacks

from external hosts by enabling the border routers to perform neighbor checks and RPF

checks on bootstrap messages and discard unwanted messages.

2) When a router in the network is controlled by an attacker or when an illegal router is

present in the network, the attacker can configure this router as a C-BSR and make it win

BSR election to control the right of advertising RP information in the network. After being

configured as a C-BSR, a router automatically floods the network with bootstrap messages.

As a bootstrap message has a hop limit value of 1, the whole network will not be affected

as long as the neighbor router discards these bootstrap messages. Therefore, with a legal

BSR address range configured on all routers in the entire network, all these routers will

discard bootstrap messages from out of the legal address range.

The above-mentioned preventive measures can partially protect the security of BSRs in a

network. However, if a legal BSR is controlled by an attacker, the above-mentioned problem will

also occur.

Follow these steps to complete basic BSR configuration:

To do...

Use the command...

Remarks

Enter system view

system-view

—

Enter IPv6 PIM view

pim ipv6

—

Configure an interface as a

C-BSR

c-bsr ipv6-address

[ hash-length [ priority ] ]

Required

No C-BSRs are configured by

default.

Configure a legal BSR address

range

bsr-policy acl6-number

Optional

No restrictions by default