Command Reference Guide

3Com Router 5000 Family and Router 6000 Family
Command Reference
bsr-policy
Purpose Use the bsr-policy command to restrict the range of valid BSRs, preventing BSR
spoofing.
Use the undo bsr-policy command to restore the normal state, in which there is no
range restriction and all received messages are regarded as valid.
Syntax bsr-policy acl-number
undo bsr-policy
Parameters acl-number
ACL number used by BSR filter policy. Valid values are
2000 to 2999.
Example Configure a BSR filter policy on a router. Permit only 1.1.1.1/32 to act as BSR and
regard all others as invalid.
[3Com-pim] bsr-policy 2001
[3Com-pim] quit
[3Com] acl number 2001
[3Com-acl-basic-2001] rule 0 permit source 1.1.1.1 0
View This command can be used in the following views:
PIM view
Description In a PIM-SM network that uses the BSR mechanism, any router can set itself as a
C-BSR and, if it wins the competition, takes over the authority to advertise RP
information in the network. To prevent the valid BSR in the network from being
maliciously replaced, the following two measures should be taken:
1. Prevent a host from spoofing the router with counterfeit BSR packets in order to
change the RP mapping relationship. A BSR packet is a multicast packet with a TTL of 1,
so this kind of attack usually takes place on the edge router. The BSR is in the
internal network and the host is in the external network; therefore, performing a
neighbor check and an RPF check on BSR packets can prevent this kind of attack.
2. If a router in the network is controlled by an attacker, or an illegal router accesses
the network, the attacker can set the router as a C-BSR, make it win the competition,
and control the authority to advertise RP information in the network. A router that
has been configured as a C-BSR automatically advertises BSR information to the
whole network. A BSR packet is a multicast packet that is forwarded hop by hop
with a TTL of 1. The whole network will not be affected if the neighbor router does not
receive the BSR information. The solution is to configure bsr-policy on each
router in the whole network to restrict the range of legal BSRs. For example, if only
1.1.1.1/32 and 1.1.1.2/32 are permitted as BSRs, the router will not receive or
forward other BSR information, and the legal BSR will not compete with it.
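Because the second measure only works when bsr-policy is configured on every router, the following added example (not part of the 3Com documentation) audits configuration text for a missing policy, an over-wide ACL rule, or an unapproved BSR address. The configuration layout, the sample routers and the function name audit are assumptions made for illustration; the approved addresses are the two from the description above.

```python
import ipaddress
import re

# Constructed configurations built from the commands on this page. The
# layout (one leading space inside a view) is an assumption.
ROUTER_A = """\
acl number 2001
 rule 0 permit source 1.1.1.1 0
 rule 1 permit source 1.1.1.2 0
pim
 bsr-policy 2001
"""
ROUTER_B = """\
acl number 2001
 rule 0 permit source 1.1.0.0 0.0.255.255
pim
 bsr-policy 2001
"""
ROUTER_C = "pim\n"  # PIM enabled, no BSR filter configured

APPROVED = {ipaddress.ip_address(a) for a in ("1.1.1.1", "1.1.1.2")}

RULE = re.compile(r"\s*rule \d+ permit source (\S+)(?: (\S+))?\s*$")


def audit(config, approved=APPROVED):
    """Return findings; an empty list means the filter matches the approved BSRs."""
    policy = re.search(r"^\s*bsr-policy (\d+)\s*$", config, re.M)
    if not policy:
        return ["no bsr-policy: BSR messages from any source are valid"]
    acl = int(policy.group(1))
    if not 2000 <= acl <= 2999:
        return [f"ACL {acl} is outside the valid range 2000-2999"]
    findings, seen, in_acl = [], set(), False
    for line in config.splitlines():
        if not line.startswith(" "):      # a top-level line opens a new view
            in_acl = line.strip() == f"acl number {acl}"
        elif in_acl and (rule := RULE.match(line)):
            addr, wildcard = rule.groups()
            # Wildcard 0 is a /32 host match (page example); the dotted
            # form 0.0.0.0 is assumed to be equivalent.
            if wildcard not in ("0", "0.0.0.0"):
                findings.append(f"rule is wider than one host: {addr} {wildcard or ''}".strip())
            elif ipaddress.ip_address(addr) not in approved:
                findings.append(f"unapproved BSR permitted: {addr}")
            else:
                seen.add(ipaddress.ip_address(addr))
    findings += [f"no host rule for approved BSR {a}" for a in sorted(approved - seen)]
    return findings
```

Run audit() over the configuration text collected from each router; any non-empty result marks a router that would still accept BSR information from outside the approved list.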