3Com Switch 8800 Advanced Software V5 Configuration Guide
580 CHAPTER 42: PIM CONFIGURATION
message. The C-BSR with a higher priority wins. If there is a tie in the priority,
the C-BSR with a higher IP address wins. The loser uses the winner’s BSR
address to replace its own BSR address and no longer assumes itself to be the
BSR, while the winner keeps its own BSR address and continues assuming itself
to be the BSR.
Configuring a legal range of BSR addresses enables filtering of BSR messages
based on the address range, which prevents malicious hosts from initiating attacks
by disguising themselves as legitimate BSRs. To protect legitimate BSRs from being
maliciously replaced, preventive measures are taken for the following two
situations:
1 Some malicious hosts intend to fool routers by forging BSR messages and
changing the RP mapping relationship. Such attacks often occur on border
devices. Because a BSR is inside the network whereas hosts are outside the
network, you can protect a BSR against attacks from external hosts by
enabling border devices to perform neighbor check and RPF check on BSR
messages and discard unwanted messages.
2 When a device in the network is controlled by an attacker or when an
illegal device is present in the network, the attacker can configure such a
device to be a C-BSR and make it win BSR election so as to gain the right of
advertising RP information in the network. After being configured as a
C-BSR, a device automatically floods the network with BSR messages. As a
BSR message has a TTL value of 1, the whole network will not be affected
as long as the neighbor device discards these BSR messages. Therefore, if a
legal BSR address range is configured on all devices in the entire network,
all devices will discard BSR messages from outside the legal address range,
and this kind of attack can be prevented.
The above-mentioned preventive measures can partially protect the security of
BSRs in a network. However, if a legal BSR is controlled by an attacker, the
above-mentioned problem will also occur.
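The election rule and the legal BSR address range check described above, modelled in Python as an added example (it is not taken from the 3Com guide or the switch software). The class and function names, the addresses and the priorities are constructed for illustration, and the filter is modelled as a check on the BSR address advertised in the message.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class BootstrapMsg:
    bsr_addr: str   # BSR address advertised in the message
    priority: int   # C-BSR priority advertised in the message


def _rank(msg):
    # Election rule from the text: higher priority first, then higher IP.
    return (msg.priority, int(ip_address(msg.bsr_addr)))


def preferred(a, b):
    """Return the message that wins the election between a and b."""
    return a if _rank(a) >= _rank(b) else b


def in_legal_range(msg, legal_ranges):
    """Model of the legal BSR address range (None means no restriction)."""
    if legal_ranges is None:
        return True
    addr = ip_address(msg.bsr_addr)
    return any(addr in ip_network(r) for r in legal_ranges)


def run_election(own, received, legal_ranges=None):
    """Return (elected BSR message, list of discarded messages)."""
    elected, discarded = own, []
    for msg in received:
        if not in_legal_range(msg, legal_ranges):
            discarded.append(msg)   # dropped before it can affect the election
            continue
        elected = preferred(elected, msg)
    return elected, discarded


# Constructed sample data (documentation address ranges, not from the guide).
LEGAL = ["192.0.2.0/28"]
OWN = BootstrapMsg("192.0.2.1", 10)
PEER = BootstrapMsg("192.0.2.2", 10)        # legitimate C-BSR, same priority
ROGUE = BootstrapMsg("198.51.100.7", 200)   # unauthorized C-BSR, high priority
HIJACKED = BootstrapMsg("192.0.2.3", 200)   # legal address, attacker-controlled

if __name__ == "__main__":
    for label, ranges in (("no policy", None), ("legal range set", LEGAL)):
        winner, dropped = run_election(OWN, [PEER, ROGUE], ranges)
        print(label, "-> BSR", winner.bsr_addr, "dropped", [m.bsr_addr for m in dropped])
    print("compromised legal BSR ->", run_election(OWN, [PEER, HIJACKED], LEGAL)[0].bsr_addr)
```

The last case reproduces the caveat in the text: a message from inside the legal range is accepted even when the device sending it is under an attacker's control.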
Follow these steps to complete basic C-BSR configuration:
Note:
Since a large amount of information needs to be exchanged between a BSR and
the other devices in the PIM-SM domain, a relatively large bandwidth should be
provided between the C-BSR and the other devices in the PIM-SM domain.
Configuring a global-scope C-BSR
Follow these steps to configure a global-scope C-BSR:
To do...                              Use the command...                                                   Remarks
Enter system view                     system-view                                                          -
Enter PIM view                        pim                                                                  -
Configure an interface as a C-BSR     c-bsr interface-type interface-number [ hash-length [ priority ] ]   Required. No C-BSR is configured by default
Configure a legal BSR address range   bsr-policy acl-number                                                Optional. No restrictions on BSR address range by default