Command Manual – Multicast
H3C S3600 Series Ethernet Switches – Release 1510

Chapter 6 PIM Configuration Commands

6.1 PIM Configuration Commands

6.1.1 bsr-policy

Syntax

bsr-policy acl-number
undo bsr-policy

View

PIM view

Parameter

acl-number: Number of the basic ACL that defines the BSR filtering policy, in the range of 2000 to 2999.

Description

Use the bsr-policy command to limit the range of legal BSRs and so prevent BSR spoofing.

Use the undo bsr-policy command to restore the default setting; that is, no range limit is set and all received BSR messages are accepted as legal.

In a PIM-SM network that uses the BSR (bootstrap router) mechanism, every router can set itself as a C-BSR (candidate BSR) and, if it wins the election, gains the authority to advertise RP information to the whole network. To prevent malicious BSR spoofing, two measures need to be taken:

1. Prevent the router from being spoofed by hosts that forge legal-looking BSR messages in order to modify the RP mapping. BSR messages are multicast and carry a TTL of 1, so this type of attack usually hits edge routers. Fortunately, BSRs are inside the network while the attacking hosts are outside it, so neighbor checks and RPF checks can be used to stop this type of attack.

2. If a router in the network is compromised by an attacker, or an illegal router has gained access to the network, the attacker may configure it as a C-BSR and try to win the election and obtain the authority to advertise RP information. Because a C-BSR propagates its BSR messages hop by hop as multicast with TTL 1, the rest of the network is unaffected as long as the neighboring routers refuse those messages. One way to achieve this is to configure the bsr-policy command on every router to limit the legal BSR range. For example, if only 1.1.1.1/32 and 1.1.1.2/32 may act as BSR, the routers will neither accept nor forward BSR messages from any other source address. Even a legitimate BSR outside that range cannot contend with them.
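The two-address example above, written out as a configuration session. This is an added example and not taken from the manual: it assumes basic ACL number 2000 (any number in the 2000 to 2999 range serves), that multicast routing is already enabled and PIM-SM is running on the relevant interfaces, and that the display pim bsr-info command is available on this release to verify the elected BSR.

```text
# Added example (not from the manual): allow only 1.1.1.1 and 1.1.1.2 as legal BSRs.
# Assumes multicast routing-enable has been issued and PIM-SM runs on the interfaces.
<H3C> system-view
[H3C] acl number 2000
# Wildcard mask 0 matches exactly one host address, i.e. a /32.
[H3C-acl-basic-2000] rule 0 permit source 1.1.1.1 0
[H3C-acl-basic-2000] rule 1 permit source 1.1.1.2 0
# No deny rule is needed: a BSR message whose source matches no permit rule
# is rejected by the policy, so it is neither accepted nor forwarded.
[H3C-acl-basic-2000] quit
[H3C] pim
[H3C-pim] bsr-policy 2000
[H3C-pim] quit
# Check (assumed command): the elected BSR should be one of the two permitted addresses.
[H3C] display pim bsr-info
# To lift the restriction and accept every BSR again:
[H3C] pim
[H3C-pim] undo bsr-policy
```

Apply the same ACL and bsr-policy on every PIM router, not only on the edge: a single router without the policy will still accept and forward a spoofed BSR message to its neighbors. Because a C-BSR whose address is not permitted can never win the election, the ACL must list every C-BSR you intend to deploy before it is brought up, or the legitimate router will be filtered along with the attacker.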