R3166-R3206-HP High-End Firewalls Network Management Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

451

452

453

454

455

456

457

458

459

460

446

To do... Use the command... Remarks

Configure C-RP timeout time

c-rp holdtime interval

Optional

150 seconds by default

NOTE:

For the configuration of other timers in PIM-SM, see “Configuring PIM common timers.”

Configuring a BSR

A PIM-SM domain can have only one BSR, but must have at least one C-BSR. Any router can be

configured as a C-BSR. Elected from C-BSRs, the BSR is responsible for collecting and advertising RP

information in the PIM-SM domain.

1. Configuring a C-BSR

C-BSRs should be configured on routers in the backbone network. When configuring a router as a C-BSR,

be sure to specify a PIM-SM-enabled interface on the router. The BSR election process is summarized as

follows:

• Initially, every C-BSR assumes itself to be the BSR of this PIM-SM domain, and uses its interface IP

address as the BSR address to send bootstrap messages.

• When a C-BSR receives the bootstrap message of another C-BSR, it first compares its own priority

with the other C-BSR’s priority carried in message. The C-BSR with a higher priority wins. If there is

a tie in the priority, the C-BSR with a higher IP address wins. The loser uses the winner’s BSR address

to replace its own BSR address and no longer assumes itself to be the BSR, while the winner retains

its own BSR address and continues assuming itself to be the BSR.

Configuring a legal range of BSR addresses enables filtering of bootstrap messages based on the

address range, thus to prevent a maliciously configured host from masquerading as a BSR. The same

configuration needs to be made on all routers in the PIM-SM domain. The following are typical BSR

spoofing cases and the corresponding preventive measures:

• Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP

mappings. Such attacks often occur on border routers. Because a BSR is inside the network whereas

hosts are outside the network, you can protect a BSR against attacks from external hosts by enabling

the border routers to perform neighbor checks and RPF checks on bootstrap messages and discard

unwanted messages.

• When a router in the network is controlled by an attacker or when an illegal router is present in the

network, the attacker can configure this router as a C-BSR and make it win BSR election to control

the right of advertising RP information in the network. After being configured as a C-BSR, a router

automatically floods the network with bootstrap messages. As a bootstrap message has a TTL value

of 1, the whole network will not be affected as long as the neighbor router discards these bootstrap

messages. Therefore, with a legal BSR address range configured on all routers in the entire network,

all these routers will discard bootstrap messages from out of the legal address range.

The above-mentioned preventive measures can partially protect the security of BSRs in a network.

However, if a legal BSR is controlled by an attacker, the above-mentioned problem will still occur.

Follow these steps to configure a C-BSR:

To do... Use the command... Remarks

Enter system view

system-view —

Enter public instance

pim —