Configuring an IPv6 PIM domain border – H3C Technologies H3C S10500 Series Switches User Manual


1. Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP mappings. Such attacks often occur on border routers. Because a BSR is inside the network whereas hosts are outside the network, you can protect a BSR against attacks from external hosts by enabling the border routers to perform neighbor checks and RPF checks on bootstrap messages and to discard unwanted messages.

2. If an attacker controls a router in the network or if the network contains an illegal router, the attacker can configure this router as a C-BSR and make it win the BSR election, gaining control of the advertisement of RP information in the network. After you configure a router as a C-BSR, the router automatically floods the network with bootstrap messages. Because a bootstrap message has a hop limit value of 1, the whole network will not be affected as long as the neighbor router discards these bootstrap messages. Therefore, with a legal BSR address range configured on all routers in the entire network, all these routers will discard bootstrap messages from outside the legal address range.

These preventive measures can partially protect the security of BSRs in a network. However, if an attacker controls a legal BSR, the problem will still occur.

Follow these steps to complete basic BSR configuration:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter IPv6 PIM view | pim ipv6 | |
| Configure an interface as a C-BSR | c-bsr ipv6-address [ hash-length [ priority ] ] | Required. No C-BSRs are configured by default. |
| Configure a legal BSR address range | bsr-policy acl6-number | Optional. No restrictions by default. |

NOTE:

Because a large amount of information needs to be exchanged between a BSR and the other devices in the IPv6 PIM-SM domain, a relatively large bandwidth should be provided between the C-BSR and the other devices in the IPv6 PIM-SM domain.

Configuring an IPv6 PIM domain border

As the administrative core of an IPv6 PIM-SM domain, the BSR sends the collected RP-set information in the form of bootstrap messages to all routers in the IPv6 PIM-SM domain.

An IPv6 PIM domain border is a bootstrap message boundary. Each BSR has its specific service scope. IPv6 PIM domain border interfaces partition a network into different IPv6 PIM-SM domains. Bootstrap messages cannot cross a domain border in either direction.

Perform the following configuration on routers that you want to configure as an IPv6 PIM domain border.

Follow these steps to configure an IPv6 PIM domain border:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter interface view | interface interface-type interface-number | |
| Configure an IPv6 PIM domain border | pim ipv6 bsr-boundary | Required. No IPv6 PIM domain border is configured by default. |
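
The checks this page describes (neighbor check, RPF check, legal BSR address range, domain border) can be modelled as one acceptance decision for a received bootstrap message. This is an added example, not H3C code: the class, the interface names, the addresses and the order in which the checks run are assumptions made for illustration.

```python
"""Model of the bootstrap message (BSM) checks described above.
Constructed example: names, addresses and check order are assumptions."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network


@dataclass
class Router:
    neighbors: dict       # interface -> set of known IPv6 PIM neighbor addresses
    rpf_interface: dict   # BSR address -> interface the unicast route to it uses
    legal_bsr_ranges: list = field(default_factory=list)    # ACL of bsr-policy; empty = no restriction
    boundary_interfaces: set = field(default_factory=set)   # pim ipv6 bsr-boundary

    def check_bsm(self, in_if, sender, bsr):
        """Return (accepted, reason) for a BSM received on in_if."""
        sender, bsr = IPv6Address(sender), IPv6Address(bsr)
        if in_if in self.boundary_interfaces:
            return False, "domain border"    # BSMs never cross a border interface
        if sender not in self.neighbors.get(in_if, set()):
            return False, "neighbor check"   # sender is not a known PIM neighbor
        if self.rpf_interface.get(bsr) != in_if:
            return False, "RPF check"        # arrived on the wrong interface for this BSR
        if self.legal_bsr_ranges and not any(bsr in n for n in self.legal_bsr_ranges):
            return False, "bsr-policy"       # BSR address outside the legal range
        return True, "accepted"


# Constructed topology (documentation prefix 2001:db8::/32).
LEGAL_BSR = IPv6Address("2001:db8:0:1::1")
ROGUE_BSR = IPv6Address("2001:db8:0:3::66")
ROUTER = Router(
    neighbors={"Vlan-interface10": {IPv6Address("fe80::1")},
               "Vlan-interface30": {IPv6Address("fe80::3")}},
    rpf_interface={LEGAL_BSR: "Vlan-interface10", ROGUE_BSR: "Vlan-interface30"},
    legal_bsr_ranges=[IPv6Network("2001:db8:0:1::1/128")],
    boundary_interfaces={"Vlan-interface20"},
)

if __name__ == "__main__":
    cases = [("Vlan-interface10", "fe80::1", LEGAL_BSR),
             ("Vlan-interface20", "fe80::2", LEGAL_BSR),
             ("Vlan-interface10", "fe80::bad", LEGAL_BSR),
             ("Vlan-interface30", "fe80::3", LEGAL_BSR),
             ("Vlan-interface30", "fe80::3", ROGUE_BSR)]
    for in_if, sender, bsr in cases:
        print(in_if, sender, bsr, ROUTER.check_bsm(in_if, sender, bsr))
```

The last case is the one only the legal BSR address range catches: the message comes from a real neighbor on the correct RPF interface, but names a BSR outside the permitted range.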
