
bsr-policy (IPv4)

Function

The bsr-policy command specifies the range of valid bootstrap router (BSR) addresses. The switch drops BSR messages sent from addresses outside this range, which defends against BSR spoofing.

The undo bsr-policy command restores the default configuration.

By default, the range of BSR addresses is not limited, and all BSR packets are considered valid.

Format

bsr-policy basic-acl-number

undo bsr-policy

Parameters

Parameter: basic-acl-number
Description: Specifies the basic ACL number. The ACL defines the filtering policy for the range of source addresses of BSR packets. This parameter corresponds to basic-acl-number in the acl command.
Value: The value is an integer that ranges from 2000 to 2999.

Views

PIM view of public network instance or PIM view of VPN instance

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On a PIM-SM network that applies the BSR mechanism, you can configure any switch as a C-BSR to take part in BSR election. Once a switch is elected as the BSR, the switch is responsible for advertising RP information in the network. To prevent the valid BSR from being maliciously replaced, take the following measures:

  • Certain hosts forge BSR packets to spoof the switch and change the RP mapping.

    Solution: This attack often occurs on edge switches because a BSR packet is a multicast packet with a TTL value of 1. Because the BSR is inside the network and the hosts are outside it, the switches can perform neighbor checks and RPF checks on received BSR packets to prevent the attack.

  • Attackers control a switch on the network, or an attacker-controlled switch is connected to the network. The attackers configure the switch as a C-BSR and help it win the BSR election, thereby obtaining the right to advertise RP information in the network.

    Solution: After the switch is configured as a C-BSR, it spreads multicast BSR packets in the network. The BSR packets have a TTL value of 1 and are forwarded hop by hop, so as long as the neighboring switch does not accept the packets, they are not spread across the entire network. The solution is to use the bsr-policy command on every switch in the network to limit the valid BSR range. For example, if only 10.1.1.1/32 and 10.1.1.2/32 are permitted as BSR addresses, only those two switches can be elected as BSRs, and the switches neither accept nor forward BSR packets from other sources.

The two countermeasures mentioned above can partially protect BSRs in the network. However, if attackers control a valid BSR, they can still cause problems on the network.

Prerequisites

IP multicast routing has been enabled using the multicast routing-enable command.

Configuration Impact

After the bsr-policy command is run, the switch accepts only BSR messages matching the configured policy.

Precautions

The bsr-policy command and the acl command are used together. In the ACL view, you can set the source address range for BSR packets by specifying the source parameter in the rule command.

Example

# In the public network instance PIM view, configure address 10.1.1.0/24 as the valid BSR address range.
<HUAWEI> system-view
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] quit
[HUAWEI] pim
[HUAWEI-pim] bsr-policy 2001
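As an added illustration (not from the Huawei documentation or from VRP itself), the following Python models how the bsr-policy ACL check evaluates the source address of an incoming BSR message: Huawei wildcard-mask matching (0 bits must match, 1 bits are ignored), rules tried in configuration order, and a message that matches no rule dropped, as the Configuration Impact section states. The ACL contents and BSR source addresses are constructed samples; the first-match order and the no-match outcome are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    action: str    # "permit" or "deny"
    source: str    # dotted-quad base address, or "any"
    wildcard: str  # Huawei wildcard mask: 0 bits must match, 1 bits are ignored


def parse_rule(line: str) -> AclRule:
    """Parse one basic ACL rule as typed in the ACL view, e.g. 'rule 5 permit source 10.1.1.0 0.0.0.255'."""
    tokens = line.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError(f"not an ACL rule: {line!r}")
    tokens = tokens[1:]
    if tokens and tokens[0].isdigit():  # optional rule-id
        tokens = tokens[1:]
    if len(tokens) < 3 or tokens[0] not in ("permit", "deny") or tokens[1] != "source":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    if tokens[2] == "any":
        return AclRule(tokens[0], "any", "255.255.255.255")
    if len(tokens) != 4:
        raise ValueError(f"missing wildcard mask: {line!r}")
    return AclRule(tokens[0], tokens[2], tokens[3])


def rule_matches(rule: AclRule, src: str) -> bool:
    """Wildcard comparison: bits that are 0 in the wildcard must be equal in both addresses."""
    if rule.source == "any":
        return True
    base = int(ipaddress.IPv4Address(rule.source))
    wild = int(ipaddress.IPv4Address(rule.wildcard))
    addr = int(ipaddress.IPv4Address(src))
    care_bits = ~wild & 0xFFFFFFFF
    return ((base ^ addr) & care_bits) == 0


def bsr_policy_accepts(rules: list[AclRule], bsr_src: str) -> bool:
    """Assumed: first matching rule in configuration order decides; no match means
    the BSR message is dropped (the switch accepts only messages matching the policy)."""
    for rule in rules:
        if rule_matches(rule, bsr_src):
            return rule.action == "permit"
    return False


# Constructed sample policies (not taken from a real device).
ACL_2001 = [parse_rule("rule permit source 10.1.1.0 0.0.0.255")]          # the example on this page
ACL_TWO_BSRS = [parse_rule("rule 5 permit source 10.1.1.1 0.0.0.0"),       # the 10.1.1.1/32 and
                parse_rule("rule 10 permit source 10.1.1.2 0.0.0.0")]      # 10.1.1.2/32 case above
ACL_EXCLUDE_HOST = [parse_rule("rule 5 deny source 10.1.1.9 0.0.0.0"),     # one host carved out
                    parse_rule("rule 10 permit source 10.1.1.0 0.0.0.255")]
```

Note that the second operand of source is a wildcard mask, not a subnet mask: 10.1.1.0 0.0.0.255 covers 10.1.1.0/24, while 10.1.1.1 0.0.0.0 matches the single address 10.1.1.1.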
Copyright © Huawei Technologies Co., Ltd.