
bsr-policy (IPv6)

Function

The bsr-policy command specifies the range of valid bootstrap router (BSR) addresses so that the device discards BSR messages sent from addresses out of this range. This prevents BSR spoofing.

The undo bsr-policy command restores the default configuration.

By default, the range of BSR addresses is not limited, and all BSR packets are considered valid.

Format

bsr-policy basic-acl6-number

undo bsr-policy

Parameters

Parameter Description Value
basic-acl6-number Specifies the basic ACL number. The ACL defines the filtering policy for the range of source addresses of BSR packets. The value is an integer that ranges from 2000 to 2999.

Views

PIM-IPv6 view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On a PIM-SM network that applies the BSR mechanism, you can configure any switch as a C-BSR to take part in the BSR election. Once a switch is elected as the BSR, it is responsible for advertising RP information in the network. To prevent the valid BSR from being maliciously replaced, take the following measures:

  • Attacking hosts change the RP mapping to spoof the switch by forging BSR packets.

    Solution: Such attacks usually occur on edge devices, because a BSR packet is a multicast packet with a TTL value of 1. As the BSR is inside the network and hosts are outside the network, the switches can perform a neighbor check and an RPF check on received BSR packets to prevent these attacks.

  • A switch is controlled by an attacker, or an unauthorized switch is connected to the network. The attacker configures the switch as a C-BSR and makes it win the BSR election, thereby obtaining the right to advertise RP information in the network.

    Solution: After the switch is configured as a C-BSR, it spreads multicast BSR packets in the network. The BSR packets have a TTL value of 1 and are forwarded hop by hop. As long as the neighboring device does not accept the BSR packets, the packets will not spread in the entire network. The solution is to use the bsr-policy command on every device in the network to specify the valid BSR range. For example, you can configure a policy to allow only switches with addresses FC00:0:0:2001::1/62 and FC00:0:0:2001::2/64 to function as BSRs. Then switches will not accept or forward BSR packets with addresses out of this range.

The two countermeasures mentioned above can only partially protect BSRs in the network. If attackers gain control of a valid BSR, the network is still affected.

Prerequisites

IPv6 multicast routing has been enabled globally using the multicast ipv6 routing-enable command in the system view.

Configuration Impact

After the bsr-policy command is run, the switch accepts only BSR messages matching the configured policy.

Precautions

The bsr-policy command and the acl ipv6 (system view) command are used together. In the ACL view, you can set the source address range for BSR packets by specifying the source parameter in the rule (basic ACL6 view) command.
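The filtering decision described in the usage scenario and in the precaution above, modelled as an added example that is not part of this Huawei page or of VRP: a small parser for basic ACL6 rule lines in the form the page's own example uses (rule permit source <address> <prefix-length>, with "any" and an optional rule ID assumed as accepted variants), and a check that decides whether a BSR message from a given source address is accepted. The default (no policy) accepts everything, as the page states; first matching rule wins, and a configured policy with no matching rule is assumed to discard the message. Sample rules and addresses are constructed here from the page's example ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Acl6Rule:
    """One basic ACL6 rule: action plus the source prefix it matches.
    network is None for a rule that matches any source."""
    action: str
    network: Optional[ipaddress.IPv6Network]


def parse_acl6_rule(line: str) -> Acl6Rule:
    """Parse a line such as 'rule permit source fc00:0:0:2001:: 64'.

    Constructed parser for this example; it accepts an optional numeric
    rule ID after 'rule' and 'source any', which are assumed forms here,
    not taken from the page.
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    tokens = tokens[1:]
    if tokens[0].isdigit():            # optional rule ID
        tokens = tokens[1:]
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"missing permit/deny in: {line!r}")
    action, rest = tokens[0], tokens[1:]
    if not rest:                       # 'rule permit' with no source clause
        return Acl6Rule(action, None)
    if rest[0] != "source" or len(rest) < 2:
        raise ValueError(f"malformed source clause in: {line!r}")
    if rest[1] == "any":
        return Acl6Rule(action, None)
    if len(rest) < 3:
        raise ValueError(f"prefix length missing in: {line!r}")
    # strict=False lets a rule carry host bits (e.g. ...::1 with /62) and
    # still yield the covering prefix, as the page's FC00:0:0:2001::1/62 does.
    net = ipaddress.IPv6Network(f"{rest[1]}/{int(rest[2])}", strict=False)
    return Acl6Rule(action, net)


def bsr_source_accepted(src: str, policy: Optional[List[Acl6Rule]]) -> bool:
    """Return True if a BSR message from src passes the bsr-policy check.

    policy None models the default (no bsr-policy configured): every BSR
    source is valid. Otherwise the first matching rule decides; no match is
    treated as discard (assumed behaviour for this example).
    """
    if policy is None:
        return True
    ip = ipaddress.IPv6Address(src)
    for rule in policy:
        if rule.network is None or ip in rule.network:
            return rule.action == "permit"
    return False


def evaluate_policy(sources: List[str], policy: Optional[List[Acl6Rule]]) -> dict:
    """Map each candidate BSR source address to its accept/discard verdict."""
    return {s: bsr_source_accepted(s, policy) for s in sources}


# Constructed sample policies, built from the page's example prefixes.
ACL_2001 = [parse_acl6_rule("rule permit source fc00:0:0:2001:: 64")]

# Same permitted /64, but one specific address inside it is denied first.
ACL_2001_WITH_DENY = [
    parse_acl6_rule("rule 5 deny source fc00:0:0:2001::ffff 128"),
    parse_acl6_rule("rule 10 permit source fc00:0:0:2001:: 64"),
]

# Constructed candidate BSR source addresses seen on an interface.
SAMPLE_SOURCES = ["fc00:0:0:2001::1", "fc00:0:0:2001::ffff", "fc00:0:0:2002::1"]

if __name__ == "__main__":
    print("default (no policy):", evaluate_policy(SAMPLE_SOURCES, None))
    print("bsr-policy 2001:    ", evaluate_policy(SAMPLE_SOURCES, ACL_2001))
    print("with deny rule:     ", evaluate_policy(SAMPLE_SOURCES, ACL_2001_WITH_DENY))
```

Rule order matters in the second policy: the /128 deny must precede the /64 permit, otherwise the broader permit matches first and the deny is never reached. The same ordering consideration applies when writing the real ACL.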

Example

# In the PIM-IPv6 view, configure address FC00:0:0:2001::/64 as the valid BSR address range.
<HUAWEI> system-view
[HUAWEI] acl ipv6 2001
[HUAWEI-acl6-basic-2001] rule permit source fc00:0:0:2001:: 64
[HUAWEI-acl6-basic-2001] quit
[HUAWEI] multicast ipv6 routing-enable
[HUAWEI] pim-ipv6
[HUAWEI-pim6] bsr-policy 2001
Copyright © Huawei Technologies Co., Ltd.