Configuring a bsr, Configuring a c-bsr – H3C Technologies H3C SecPath F1000-E User Manual

856

Step

Command

Remarks

4.

Configure C-RP timeout time. c-rp holdtime interval

Optional.
150 seconds by default.

For more information about the configuration of other timers in IPv6 PIM-SM, see "

Configuring IPv6 PIM

common timers

."

Configuring a BSR

An IPv6 PIM-SM domain can have only one BSR, but must have at least one C-BSR. Any router can be

configured as a C-BSR. Elected from C-BSRs, the BSR is responsible for collecting and advertising RP
information in the IPv6 PIM-SM domain.

Configuring a C-BSR

You should configure C-BSRs on routers in the backbone network. When you configure a router as a

C-BSR, be sure to specify the IPv6 address of an IPv6 PIM-SM-enabled interface on the router. The BSR
election process is as follows:

•

Initially, every C-BSR assumes itself to be the BSR of this IPv6 PIM-SM domain, and uses its interface
IPv6 address as the BSR address to send bootstrap messages.

•

When a C-BSR receives the bootstrap message of another C-BSR, it first compares its own priority
with the other C-BSR’s priority carried in the message. The C-BSR with a higher priority wins. If a tie

exists in the priority, the C-BSR with a higher IPv6 address wins. The loser uses the winner’s BSR

address to replace its own BSR address and no longer assumes itself to be the BSR, and the winner
keeps its own BSR address and continues assuming itself to be the BSR.

Configuring a legal range of BSR addresses enables filtering of bootstrap messages based on the

address range, in order to prevent a maliciously configured host from masquerading as a BSR. You must

make the same configuration on all routers in the IPv6 PIM-SM domain. The following are typical BSR

spoofing cases and the corresponding preventive measures:

1.

Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP
mappings. Such attacks often occur on border routers. Because a BSR is inside the network

whereas hosts are outside the network, you can protect a BSR against attacks from external hosts

by enabling the border routers to perform neighbor checks and RPF checks on bootstrap messages

and discard unwanted messages.

2.

If an attacker controls a router in the network or if the network contains an illegal router, the

attacker can configure this router as a C-BSR and make it win BSR election to control the right of
advertising RP information in the network. After you configure a router as a C-BSR, the router

automatically floods the network with bootstrap messages. Because a bootstrap message has a

hop limit value of 1, the whole network will not be affected as long as the neighbor router discards

these bootstrap messages. Therefore, with a legal BSR address range configured on all routers in
the entire network, all these routers will discard bootstrap messages from out of the legal address

range.

The preventive measures can partially protect the security of BSRs in a network. However, if an attacker

controls a legal BSR, the preceding problem will also occur.
To complete basic BSR configuration: