142 CHAPTER 6: MULTICAST PROTOCOL
Only the register messages matching the ACL permit clause can be accepted by
the RP. Specifying an undefined ACL will make the RP deny all register messages.
Limiting the Range of Legal BSR
In the PIM SM network using BSR (bootstrap router) mechanism, every router can
set itself as C-BSR (candidate BSR) and take the authority to advertise RP
information in the network once it wins in the contention. To prevent malicious
BSR proofing in the network, the following two measures need to be taken:
■ Prevent the router from being spoofed by hosts though faking legal BSR
messages to modify RP mapping. BSR messages are of multicast type and their
TTL is 1, so these types of attacks often hit edge routers. Fortunately, BSRs are
inside the network, while assaulting hosts are outside, therefore neighbor and
RPF checks can be used to stop these types of attacks.
■ If a router in the network is manipulated by an attacker, or an illegal router is
accessed into the network, the attacker may set itself as C-BSR and try to win
the contention and gain authority to advertise RP information among the
network. Since the router configured as C-BSR shall propagate BSR messages,
which are multicast messages sent hop by hop with TTL as 1, among the
network, then the network cannot be affected as long as the peer routers do
not receive these BSR messages. One way is to configure bsr-policy on each
router to limit legal BSR range, for example, only 1.1.1.1/32 and 1.1.1.2/32 can
be BSR, thus the routers cannot receive or forward BSR messages other than
these two. Even legal BSRs cannot contest with them.
Perform the following configuration in PIM view.
For detailed information of the bsr-policy command, see the Switch 7750
Command Reference Guide.
Limiting the Range of Legal C-RP
In the PIM SM network, using BSR mechanism, every router can set itself as the
C-RP (candidate rendezvous point) servicing particular groups. If elected, a C-RP
becomes the RP servicing the current group.
In the BSR mechanism, a C-RP router unicasts C-RP messages to the BSR, which
then propagates the C-RP messages among the network by BSR message. To
prevent C-RP spoofing, you need to configure
crp-policy on the BSR to limit
legal C-RP range and their service group range. Since each C-BSR has the chance
to become BSR, you must configure the same filtering policy on each C-BSR
router.
Perform the following configuration in PIM view.
Table 153 Limiting the Range of Legal BSR
Operation Command
Limit the legal BSR range bsr-policy acl-number
Restore to the default setting undo bsr-policy
Table 154 Limiting the Range of Legal C-RP
Operation Command
Limit the legal C-RP range crp-policy acl-number