3Com Switch 8800 Advanced Software V5 Configuration Guide
CHAPTER 46: IPV6 PIM CONFIGURATION
■ Initially, every C-BSR assumes itself to be the BSR of this IPv6 PIM-SM domain,
and uses its interface IPv6 address as the BSR address to send bootstrap
messages.
■ When a C-BSR receives the bootstrap message of another C-BSR, it first
compares its own priority with the other C-BSR’s priority carried in the
message. The C-BSR with a higher priority wins. If there is a tie in the priority,
the C-BSR with a higher IPv6 address wins. The loser uses the winner’s BSR
address to replace its own BSR address and no longer assumes itself to be the
BSR, while the winner keeps its own BSR address and continues assuming itself
to be the BSR.
Configuring a legal range of BSR addresses enables filtering of BSR messages
based on the address range, which prevents malicious hosts from initiating attacks
by disguising themselves as legitimate BSRs. To protect legitimate BSRs from being
maliciously replaced, preventive measures are taken for the following two
situations:
1. Some malicious hosts try to fool devices by forging BSR messages in order to
change the RP mapping relationship. Such attacks often occur on border devices.
Because a BSR is inside the network whereas hosts are outside the network, you
can protect a BSR against attacks from external hosts by enabling border devices
to perform neighbor check and RPF check on BSR messages and discard unwanted
messages.
2. When a device in the network is controlled by an attacker, or when an illegal
device is present in the network, the attacker can configure such a device to be a
C-BSR and make it win the BSR election so as to gain the right to advertise RP
information in the network. After being configured as a C-BSR, a device
automatically floods the network with BSR messages. As a BSR message has a TTL
value of 1, the whole network will not be affected as long as the neighbor device
discards these BSR messages. Therefore, if a legal BSR address range is configured
on all devices in the entire network, all devices will discard BSR messages from
outside the legal address range, which prevents this kind of attack.
The above-mentioned preventive measures can partially protect the security of
BSRs in a network. However, if a legal BSR is controlled by an attacker, the
aforesaid problem may still occur.
Note: Since a large amount of information needs to be exchanged between a BSR and
the other devices in the IPv6 PIM-SM domain, a relatively large bandwidth should
be provided between the C-BSR and the other devices in the IPv6 PIM-SM domain.

Follow these steps to complete basic BSR configuration:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter IPv6 PIM view | pim ipv6 | - |
| Configure an interface as a C-BSR | c-bsr ipv6-address [ hash-length [ priority ] ] | Optional. No C-BSRs are configured by default. |
| Configure a legal BSR address range | bsr-policy acl6-number | Optional. No restrictions by default |
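
The following is an added example, not part of the original guide or the switch software: a simplified Python model of the election rule and the legal BSR address range described above, showing which BSR a C-BSR ends up accepting with and without the filter. The function name elect_bsr, the addresses, the priorities and the prefix list standing in for the ACL behind bsr-policy are all assumptions constructed for illustration.

```python
"""Simplified model: IPv6 PIM-SM BSR election with a legal BSR address range."""
from ipaddress import IPv6Address, IPv6Network


def elect_bsr(own, received, legal_ranges=None):
    """Return (accepted BSR address, list of discarded BSR addresses).

    own          -- this C-BSR's (priority, address)
    received     -- bootstrap messages heard, as (priority, bsr_address)
    legal_ranges -- prefixes standing in for the ACL referenced by
                    bsr-policy (assumption); None means no restriction,
                    which is the default
    """
    nets = None
    if legal_ranges is not None:
        nets = [IPv6Network(prefix) for prefix in legal_ranges]

    # Initially, every C-BSR assumes itself to be the BSR.
    current = (own[0], IPv6Address(own[1]))
    dropped = []

    for priority, address in received:
        address = IPv6Address(address)
        # Filter first: a BSR address outside the legal range is discarded
        # before it can take part in the comparison.
        if nets is not None and not any(address in net for net in nets):
            dropped.append(str(address))
            continue
        # Higher priority wins; on a tie the higher IPv6 address wins.
        if (priority, address) > current:
            current = (priority, address)

    return str(current[1]), dropped


# Constructed sample data (documentation prefix 2001:db8::/32).
OWN = (20, "2001:db8:0:1::1")
MESSAGES = [
    (20, "2001:db8:0:1::2"),    # legitimate peer: same priority, higher address
    (200, "2001:db8:bad::66"),  # unauthorized C-BSR with a higher priority
]
LEGAL = ["2001:db8:0:1::/64"]

if __name__ == "__main__":
    print("no legal range  :", elect_bsr(OWN, MESSAGES))
    print("with legal range:", elect_bsr(OWN, MESSAGES, LEGAL))
```

The model also reflects the limitation stated above: a message whose BSR address lies inside the legal range is compared normally, so the filter does not help once a legal BSR itself is controlled by an attacker.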