3Com Switch 7750 Series
Command Reference Guide – Multicast Chapter 5 PIM Configuration Commands
5-1
Chapter 5 PIM Configuration Commands 5.1 PIM Configuration Commands
5.1.1 bsr-policy
Syntax
bsr-policy acl-number
undo bsr-policy
View
PIM view
Parameter
acl-number: ACL number imported in BSR filtering policy, in the range of 2,000 to
2,999.
Description
Use the bsr-policy command to limit the range of legal BSRs to prevent BSR proofing.
Use the undo bsr-policy command to restore the default setting, that is, no range limit
is set and all received messages are taken as legal.
In the PIM SM network using BSR (bootstrap router) mechanism, every router can set
itself as C-BSR (candidate BSR) and take the authority to advertise RP information in
the network once it wins in the contention. To prevent malicious BSR proofing in the
network, the following two measures need to be taken:
z Prevent the router from being spoofed by hosts though faking legal BSR
messages to modify RP mapping. BSR messages are of multicast type and their
TTL is 1, so this type of attacks often hit edge routers. Fortunately, BSRs are
inside the network, while assaulting hosts are outside, therefore neighbor and
RPF checks can be used to stop this type of attacks.
z If a router in the network is manipulated by an attacker, or an illegal router is
accessed into the network, the attacker may set itself as C-BSR and try to win the
contention and gain authority to advertise RP information among the network.
Since the router configured as C-BSR shall propagate BSR messages, which are
multicast messages sent hop by hop with TTL as 1, among the network, then the
network cannot be affected as long as the peer routers do not receive these BSR
messages. One way is to configure bsr-policy on each router to limit legal BSR
range, for example, only 1.1.1.1/32 and 1.1.1.2/32 can be BSR, thus the routers