HP 6125XLG R2306-HP 6125XLG Blade Switch IP Multicast Configuration Guide - Page 161
Configuring an IPv6 PIM domain border
View all HP 6125XLG manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 161 highlights
Configuring a legal BSR address range enables filtering of BSMs based on the address range, thereby preventing a maliciously configured host from masquerading as a BSR. The same configuration must be made on all routers in the IPv6 PIM-SM domain. The following describes the typical BSR spoofing cases and the corresponding preventive measures: • Some maliciously configured hosts can forge BSMs to fool routers and change RP mappings. Such attacks often occur on border routers. Because a BSR is inside the network whereas hosts are outside the network, you can protect a BSR against attacks from external hosts by enabling the border routers to perform neighbor checks and RPF checks on BSMs and to discard unwanted messages. • When an attacker controls a router in the network or when an illegal router is present in the network, the attacker can configure the router as a C-BSR and make it win the BSR election to advertise RP information in the network. After a router is configured as a C-BSR, it automatically floods the network with BSMs. Because a BSM has a hop limit value of 1, the whole network will not be affected as long as the neighbor router discards these BSMs. Therefore, with a legal BSR address range configured on all routers in the network, all these routers can discard BSMs from out of the legal address range. These preventive measures can partially protect the BSR in a network. However, if an attacker controls a legal BSR, the problem still exists. When you configure a C-BSR, reserve a relatively large bandwidth between the C-BSR and the other devices in the IPv6 PIM-SM domain. To configure a C-BSR: Step 1. Enter system view. 2. Enter IPv6 PIM view. 3. Configure a C-BSR. 4. (Optional.) Configure a legal BSR address range. Command system-view ipv6 pim c-bsr ipv6-address [ scope scope-id ] [ hash-length hash-length | priority priority ] * bsr-policy acl6-number Remarks N/A N/A By default, no C-BSR is configured. By default, no restrictions are defined. Configuring an IPv6 PIM domain border As the administrative core of an IPv6 PIM-SM domain, the BSR sends the collected RP-set information in the form of bootstrap messages to all routers in the IPv6 PIM-SM domain. An IPv6 PIM domain border is a bootstrap message boundary. Each BSR has its specific service scope. IPv6 PIM domain border interfaces partition a network into different IPv6 PIM-SM domains. Bootstrap messages cannot cross a domain border in either direction. Perform the following configuration on routers that you want to configure as an IPv6 PIM domain border. To configure an IPv6 PIM border domain: Step 1. Enter system view. 2. Enter interface view. Command system-view interface interface-type interface-number Remarks N/A N/A 154