DaemonForums  

#1
Old 30th June 2016
OpenBSDDragon
New User

BPDU protection on OpenBSD Bridge

Hi everybody, I am new in this forum.

Configuring BPDU Protection on Edge Interfaces under OpenBSD Bridge!
Is this possible?

If yes how?

Thank you in advance
OpenBSDDragon
#2
Old 30th June 2016
ocicat
Administrator

Quote:
Originally Posted by OpenBSDDragon
Configuring BPDU Protection on Edge Interfaces under OpenBSD Bridge!
Is this possible?
I will be corrected if I am wrong, but I am not finding anything in the CVS commit messages indicating that completed work has been checked into the repository.

For those interested, BPDU packets are used in spanning tree protocols to ascertain the switch topology within a network. This is important to prune the paths packets take to ensure they do not endlessly travel about any cycles present. Spoofed BPDU packets could potentially degrade network performance by confusing the standard algorithms used to prevent topological cycles.

From limited research spent to answer this question, it appears that the major commercial players in the market -- Cisco, Juniper, & HP have switch features which monitor this & provide SNMP hooks which can alert administrators. It is also notable that I don't find any RFC describing this feature. I suspect that each vendor is implementing protection in their own manner, & the results may not be portable across different vendors. If this is true, I can then understand why BPDU protection is not yet available on OpenBSD.
#3
Old 30th June 2016
jggimi
More noise than signal

Hello, and welcome!

The bridge(4) man page states that the driver follows IEEE 802.1D-2004, and BPDUs are defined in Section 9.3 of that standard. But I do not see BPDU mentioned in that man page, nor are they mentioned in the ifconfig(8) man page, nor is the acronym mentioned in the change log.

The source code may mention BPDUs, but I currently do not have access to the source tree from behind the Great Corporate Firewall (TM) we have at $DAYJOB.
#4
Old 30th June 2016
OpenBSDDragon
New User

This is my Bridge (BPDU) config under OpenBSD.

In principle, this would be right. I think so. But I'm not sure.
Code:
$ cat /etc/hostname.bridge0
add vr0
add vr1
edge vr0
edge vr1
spanpriority 0
proto rstp
ptp vr0
ptp vr1
up
$

Last edited by ocicat; 30th June 2016 at 10:28 PM. Reason: Please use [code] & [/code] tags when posting file contents.
#5
Old 30th June 2016
ocicat
Administrator

Quote:
Originally Posted by OpenBSDDragon
This is my Bridge (BPDU) config under OpenBSD.
This appears to match the information found in ifconfig(8) for configuring edge switches. However, this does not confirm any support for BPDU protection.

If you do not choose to search through the source code advocated by jggimi, you may want to post to the project's misc@ mailing list. Information on subscribing can be found at the following:

http://www.openbsd.org/mail.html
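Since the bridge configuration above gives the administrator no BPDU guard, a defender who wants to know whether BPDUs are reaching the edge ports has to watch for them. As an added example (not from this thread, OpenBSD's source, or any vendor), the Python below decodes IEEE 802.1D/802.1w BPDU frames and flags any BPDU captured on a port the administrator listed as an edge port; the frames and the interface names vr0/vr1 are constructed sample data, not a real capture.

```python
import struct
from typing import Optional

STP_MCAST = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group address
BPDU_TYPES = {0x00: "config", 0x02: "rstp", 0x80: "tcn"}

def parse_bpdu(frame: bytes) -> Optional[dict]:
    """Return decoded BPDU fields, or None if the frame is not an STP/RSTP BPDU."""
    if len(frame) < 21:
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    # BPDUs ride in 802.3 frames (length field, not EtherType) under LLC 0x42/0x42/0x03.
    if frame[:6] != STP_MCAST or length > 1500 or frame[14:17] != b"\x42\x42\x03":
        return None
    body = frame[17:]
    proto_id, version, bpdu_type = struct.unpack("!HBB", body[:4])
    if proto_id != 0 or bpdu_type not in BPDU_TYPES:
        return None
    info = {"version": version, "type": BPDU_TYPES[bpdu_type], "src": frame[6:12].hex(":")}
    if bpdu_type == 0x80:  # topology change notification: no further fields
        return info
    if len(body) < 35:
        return None
    (flags, root_id, root_cost, bridge_id, port_id, msg_age, max_age,
     hello, fwd_delay) = struct.unpack("!BQIQHHHHH", body[4:35])
    info.update({
        "flags": flags, "root_priority": root_id >> 48, "root_cost": root_cost,
        "root_mac": (root_id & 0xFFFFFFFFFFFF).to_bytes(6, "big").hex(":"),
        "bridge_priority": bridge_id >> 48, "port_id": port_id,
        # STP timers are carried in units of 1/256 second
        "max_age_s": max_age / 256, "hello_s": hello / 256, "fwd_delay_s": fwd_delay / 256,
    })
    return info

def bpdus_on_edge_ports(captures, edge_ports):
    """captures: iterable of (ifname, raw frame). Returns one alert per BPDU seen
    on an edge port, the event a switch with BPDU guard would react to."""
    alerts = []
    for ifname, frame in captures:
        bpdu = parse_bpdu(frame)
        if bpdu and ifname in edge_ports:
            alerts.append(f"{ifname}: {bpdu['type']} BPDU from {bpdu['src']}, "
                          f"root priority {bpdu.get('root_priority')}")
    return alerts

# Constructed sample frames (not a real capture): one STP config BPDU with the
# default priority 32768, and one ordinary IPv4 broadcast that must be ignored.
SAMPLE_BPDU = bytes.fromhex(
    "0180c2000000" "001122334455" "0026" "424203" "0000" "00" "00" "00"
    "8000001122334455" "00000000" "8000001122334455" "8001" "0000" "1400" "0200" "0f00")
SAMPLE_IPV4 = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x45" + bytes(19)
```

On a live bridge the (ifname, frame) pairs would come from a capture tool such as tcpdump(8) on each edge interface; any alert means an STP speaker sits where only end hosts were expected.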
#6
Old 1st July 2016
jggimi
More noise than signal

I'm home, and have looked through the CVS logs in actuality. My access to them when at work is via marc.info, and they are incomplete.

Looking through the CVS changelogs, I found this entry, which may be of interest:
Code:
Module name:    src
Changes by:     mpf@cvs.openbsd.org     2012/09/20 08:10:18

Modified files:
        sys/net        : bridgestp.c if_bridge.c if_bridge.h 

    Log message:
    Don't filter spanning tree BPDUs. Either process, or forward them.
    Even though this violates IEEE 802.1D, we'd rather avoid bridging loops
    by not getting in the way of STP.
    OK henning, camield, reyk
#7
Old 1st July 2016
OpenBSDDragon
New User

Quote:
Originally Posted by jggimi
I'm home, and have looked through the CVS logs in actuality. My access to them when at work is via marc.info, and they are incomplete.

Looking through the CVS changelogs, I found this entry, which may be of interest:
Code:
Module name:    src
Changes by:     mpf@cvs.openbsd.org     2012/09/20 08:10:18

Modified files:
        sys/net        : bridgestp.c if_bridge.c if_bridge.h 

    Log message:
    Don't filter spanning tree BPDUs. Either process, or forward them.
    Even though this violates IEEE 802.1D, we'd rather avoid bridging loops
    by not getting in the way of STP.
    OK henning, camield, reyk
Thank you, but I'm now even more confused about BPDU.
#8
Old 1st July 2016
OpenBSDDragon
New User

Quote:
Originally Posted by ocicat
This appears to match the information found in ifconfig(8) for configuring edge switches. However, this does not confirm any support for BPDU protection.

If you do not choose to search through the source code advocated by jggimi, you may want to post to the project's misc@ mailing list. Information on subscribing can be found at the following:

http://www.openbsd.org/mail.html
Thank you
#9
Old 1st July 2016
jggimi
More noise than signal

Quote:
Originally Posted by OpenBSDDragon
Thank you, but I'm now even more confused about BPDU.
The OpenBSD system administrator does not have provisioning control of BPDU messages.

If you are interested in how OpenBSD forwards or processes BPDU messages, those three source code modules in sys/net are where to begin your research.
Old 1st July 2016
OpenBSDDragon
New User

Thank you, I'm doing this.