142 CHAPTER 6: MULTICAST PROTOCOL
Only register messages that match a permit clause in the ACL are accepted by the RP. Referencing an ACL that has not been defined makes the RP deny all register messages.
Limiting the Range of Legal BSR
In a PIM-SM network that uses the BSR (bootstrap router) mechanism, any router can configure itself as a C-BSR (candidate BSR) and, if it wins the election, gain the authority to advertise RP information to the whole network. To prevent BSR spoofing in the network, take the following two measures:
Prevent the router from being spoofed by hosts that forge legitimate-looking BSR messages in order to modify the RP mapping. BSR messages are multicast and carry a TTL of 1, so this kind of attack usually targets edge routers. Fortunately, BSRs are inside the network while the attacking hosts are outside, so neighbor checks and RPF checks can be used to stop such attacks.
If a router in the network is compromised by an attacker, or an unauthorized router is connected to the network, the attacker may configure it as a C-BSR, attempt to win the election, and gain the authority to advertise RP information throughout the network. Because a router configured as C-BSR propagates BSR messages, which are multicast hop by hop with a TTL of 1, the network is unaffected as long as the neighboring routers do not accept those BSR messages. One way to achieve this is to configure bsr-policy on every router to limit the range of legal BSRs: for example, if only 1.1.1.1/32 and 1.1.1.2/32 are allowed to be BSR, the routers will neither accept nor forward BSR messages from any other source, and even a legitimate BSR at another address cannot compete with them.
Perform the following configuration in PIM view.
Table 153 Limiting the Range of Legal BSR
Operation                        Command
Limit the legal BSR range        bsr-policy acl-number
Restore the default setting      undo bsr-policy
For detailed information on the bsr-policy command, see the Switch 7750 Command Reference Guide.
Limiting the Range of Legal C-RP
In a PIM-SM network that uses the BSR mechanism, any router can configure itself as a C-RP (candidate rendezvous point) serving particular groups. If elected, a C-RP becomes the RP serving those groups.
In the BSR mechanism, a C-RP router unicasts C-RP advertisement messages to the BSR, which then propagates the C-RP information through the network in its BSR messages. To prevent C-RP spoofing, configure crp-policy on the BSR to limit the range of legal C-RPs and the group ranges they are allowed to serve. Because every C-BSR has the chance to become the BSR, the same filtering policy must be configured on every C-BSR router.
Perform the following configuration in PIM view.
Table 154 Limiting the Range of Legal C-RP
Operation                        Command
Limit the legal C-RP range       crp-policy acl-number
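The following configuration is an added example, not taken from the Switch 7750 guide, showing how the bsr-policy and crp-policy commands are tied to ACLs. The ACL numbers, addresses and group range are assumed values; the ACL command forms (basic ACL 2000-2999 matching only a source, advanced ACL 3000-3999 matching a source and a destination) are the ones used by this CLI family and should be checked against the Command Reference Guide. The register-policy command in the last section is likewise assumed from the same CLI family and is not shown on this page.

```text
# Added example, not the guide's own configuration. Addresses, ACL numbers and
# the group range are assumptions; verify command syntax against the
# Switch 7750 Command Reference Guide.

# Basic ACL: only 1.1.1.1 and 1.1.1.2 may act as BSR. The explicit final deny
# makes the intent visible; any other source is rejected.
acl number 2000
 rule permit source 1.1.1.1 0
 rule permit source 1.1.1.2 0
 rule deny source any

# Advanced ACL for crp-policy: source = C-RP address, destination = the group
# range that C-RP may serve. A C-RP at 1.1.1.1 advertising groups outside
# 225.1.0.0/16, or any other C-RP, is filtered by the BSR.
acl number 3000
 rule permit ip source 1.1.1.1 0 destination 225.1.0.0 0.0.255.255
 rule deny ip source any destination any

# Advanced ACL for register-policy (command name assumed): the RP accepts
# register messages only from sources in 10.1.1.0/24 for groups in 225.1.0.0/16.
acl number 3001
 rule permit ip source 10.1.1.0 0.0.0.255 destination 225.1.0.0 0.0.255.255
 rule deny ip source any destination any

# PIM view: bind the policies to the ACLs defined above.
pim
 bsr-policy 2000
 crp-policy 3000
 register-policy 3001
```

Apply bsr-policy on every PIM router, because a BSR message travels hop by hop with TTL 1 and each hop decides independently whether to accept and re-advertise it; a single unfiltered router re-originates the spoofed mapping to its neighbors. Apply crp-policy on every C-BSR, since whichever one wins the election is the router that must filter C-RP advertisements. Define each ACL before referencing it: as the register-policy note at the top of this page states, a policy that points at an undefined ACL denies everything, which silently breaks the RP rather than leaving it open.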