
bsr-policy (IPv4)

Function

The bsr-policy command limits the range of valid BootStrap router (BSR) addresses to prevent BSR spoofing.

The undo bsr-policy command restores the default configuration.

Format

bsr-policy basic-acl-number

undo bsr-policy

Parameters

Parameter: basic-acl-number
Description: Specifies the basic ACL number. The ACL defines the filtering policy for the range of source addresses of BSR packets.
Value: The value is an integer that ranges from 2000 to 2999.

Views

PIM view

Default Level

2: Configuration level

Usage Guidelines

By default, the range of BSR addresses is not limited. That is, all BSR packets are considered valid.

In a PIM-SM network that uses the BSR mechanism, any FW can be configured as a C-BSR and take part in the BSR election. Once a FW is elected as the BSR, it is responsible for advertising RP information in the network. To prevent a legal BSR from being maliciously replaced, the following attack scenarios must be countered:

  • Certain hosts forge BSR packets to spoof the FW and change the RP mapping.

    Solution: This attack usually targets edge FWs, because a BSR packet is a multicast packet with a TTL of 1. The BSR is inside the network and the hosts are outside it, so the FWs can perform a neighbor check and an RPF check on received BSR packets to prevent the attack.

  • Certain attackers control a FW in the network, or an unauthorized FW accesses the network. The attackers configure the FW as a C-BSR and help it win the BSR election, thereby obtaining the right to advertise RP information in the network.

    Solution: After the FW is configured as a C-BSR, it spreads BSR packets in the network. BSR packets are multicast packets with a TTL of 1 and are forwarded hop by hop, so as long as the neighboring FWs do not accept the packets, the packets cannot spread through the entire network. The solution is to run the bsr-policy command on every FW in the network to limit the legal BSR range. For example, if only FWs 10.1.1.1/32 and 10.1.1.2/32 are permitted to be elected as BSRs, the FWs do not receive or forward BSR packets from any other source, and this type of attack is prevented.

The two countermeasures above can only partially protect the BSRs in the network: if attackers gain control of a legal BSR, the network is still affected.

You must run the multicast routing-enable command to enable the multicast function before using this command.

The bsr-policy command is used together with the acl command. In the ACL, use rule to define the filtering policy for the source addresses of BSR packets, and use the source parameter of rule to specify the permitted BSR addresses.

Example

# In the public network instance, configure address 10.1.1.0/24 for the legal BSR.

<sysname> system-view
[sysname] acl number 2001
[sysname-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[sysname-acl-basic-2001] quit
[sysname] multicast routing-enable
[sysname] pim
[sysname-pim] bsr-policy 2001
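To check what a given basic ACL would admit before applying it with bsr-policy, the following added Python model (not Huawei code, and not part of this page's original content) evaluates BSR packet source addresses against rule permit/deny entries that use Huawei-style wildcard masks (0 bits must match, 1 bits are ignored). It covers both the 10.1.1.0/24 range from the example above and the two-host 10.1.1.1/32 and 10.1.1.2/32 case from the usage guidelines. The assumption that a source matching no rule is treated as denied, the rule class, the function names and the sample packet sources are all constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of a Huawei basic ACL rule: "rule permit source <addr> <wildcard>".
@dataclass
class AclRule:
    action: str                 # "permit" or "deny"
    source: str                 # dotted-quad base address, e.g. "10.1.1.0"
    wildcard: str = "0.0.0.0"   # wildcard mask: 0 bits must match, 1 bits are don't-care

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def prefix_to_wildcard(prefix: str) -> tuple:
    """Translate CIDR notation into the (source, wildcard) pair a basic ACL rule takes.
    e.g. 10.1.1.0/24 -> ("10.1.1.0", "0.0.0.255"); a /32 host -> wildcard 0.0.0.0."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)

def rule_matches(rule: AclRule, candidate: str) -> bool:
    """A candidate matches when every bit that is 0 in the wildcard equals the rule's source."""
    care = ~_to_int(rule.wildcard) & 0xFFFFFFFF
    return (_to_int(rule.source) & care) == (_to_int(candidate) & care)

def bsr_source_allowed(acl_rules: list, bsr_source: str) -> bool:
    """First matching rule decides. Assumption (not confirmed by the page): a source that
    matches no rule is denied, so the policy is a whitelist of legal BSR addresses."""
    for rule in acl_rules:
        if rule_matches(rule, bsr_source):
            return rule.action == "permit"
    return False

def filter_bsr_packets(acl_rules: list, packet_sources: list) -> tuple:
    """Split received BSR packet sources into those accepted and those dropped by the policy."""
    accepted, dropped = [], []
    for src in packet_sources:
        (accepted if bsr_source_allowed(acl_rules, src) else dropped).append(src)
    return accepted, dropped

# ACL 2001 as configured in the example: rule permit source 10.1.1.0 0.0.0.255
ACL_2001 = [AclRule("permit", *prefix_to_wildcard("10.1.1.0/24"))]

# Tighter policy from the usage guidelines: only two specific FW addresses may become BSR.
ACL_TWO_HOSTS = [
    AclRule("permit", *prefix_to_wildcard("10.1.1.1/32")),
    AclRule("permit", *prefix_to_wildcard("10.1.1.2/32")),
]

# Constructed sample of BSR packet source addresses seen by a FW (not real traffic).
SAMPLE_BSR_SOURCES = ["10.1.1.5", "10.1.1.1", "10.1.2.1", "192.168.7.9"]

if __name__ == "__main__":
    for name, acl in (("acl 2001 (10.1.1.0/24)", ACL_2001), ("two-host acl", ACL_TWO_HOSTS)):
        ok, bad = filter_bsr_packets(acl, SAMPLE_BSR_SOURCES)
        print(f"{name}: accepted={ok} dropped={bad}")
```

The wildcard derivation is the part most often got wrong when writing these rules by hand: a /24 needs 0.0.0.255, while a single host needs 0.0.0.0 (which is also what the CLI substitutes when the wildcard is omitted). Running the block shows that the /24 policy accepts 10.1.1.5 and 10.1.1.1 but drops 10.1.2.1 and 192.168.7.9, and that the two-host policy accepts only 10.1.1.1 from the same sample.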
Copyright © Huawei Technologies Co., Ltd.