OpenBSD Security: Functionally paranoid!

BPDU protection on OpenBSD Bridge
Hi everybody, I am new to this forum.
Configuring BPDU protection on edge interfaces under an OpenBSD bridge: is this possible? If yes, how? Thank you in advance. OpenBSDDragon
Quote:
For those interested, BPDU packets are used in spanning tree protocols to ascertain the switch topology within a network. This is important to prune the paths packets take to ensure they do not endlessly travel about any cycles present. Spoofed BPDU packets could potentially degrade network performance by confusing the standard algorithms used to prevent topological cycles. From limited research spent to answer this question, it appears that the major commercial players in the market -- Cisco, Juniper, & HP -- have switch features which monitor this & provide SNMP hooks which can alert administrators. It is also notable that I don't find any RFC describing this feature. I suspect that each vendor is implementing protection in their own manner, & the results may not be portable across different vendors. If this is true, I can then understand why BPDU protection is not yet available on OpenBSD.
This is my bridge (BPDU) config under OpenBSD.
In principle, this would be right. I think so. But I'm not sure. Code:
$ cat /etc/hostname.bridge0
add vr0
add vr1
edge vr0
edge vr1
spanpriority 0
proto rstp
ptp vr0
ptp vr1
up
$
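A small offline self-check for a hostname.bridge0 file like the one posted, added here as an example (it is not the poster's code and is not an OpenBSD tool). It assumes only what the posted file uses: hostname.if lines are run in order, `edge` and `ptp` are RSTP-specific ifconfig(8) bridge options, and `proto rstp` is ifconfig(8)'s default.

```python
"""Sanity-check an OpenBSD /etc/hostname.bridge0 file.

Added example, not code from the thread. It only checks what the posted
config uses: each interface named by 'edge' or 'ptp' must already have been
'add'ed (hostname.if lines run in order), RSTP-only options must not be
combined with 'proto stp', members must not be added twice, and the file
must end with 'up'. It does not talk to the system.
"""

# Constructed sample: the configuration posted in the thread.
SAMPLE_CONFIG = """\
add vr0
add vr1
edge vr0
edge vr1
spanpriority 0
proto rstp
ptp vr0
ptp vr1
up
"""

RSTP_ONLY = {"edge", "ptp"}  # ifconfig(8) bridge options specific to RSTP


def check_bridge_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    members, findings = set(), []
    proto, rstp_opts_used, saw_up = "rstp", False, False  # rstp: ifconfig default
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        cmd, arg = words[0], (words[1] if len(words) > 1 else None)
        if cmd == "add":
            if arg in members:
                findings.append(f"line {lineno}: {arg} added twice")
            members.add(arg)
        elif cmd in RSTP_ONLY:
            rstp_opts_used = True
            if arg not in members:
                findings.append(f"line {lineno}: {cmd} {arg} before 'add {arg}'")
        elif cmd == "proto":
            proto = arg
        elif cmd == "up":
            saw_up = True
    if rstp_opts_used and proto != "rstp":
        findings.append(f"edge/ptp used but proto is {proto}, not rstp")
    if not saw_up:
        findings.append("missing final 'up'")
    return findings


if __name__ == "__main__":
    print(check_bridge_config(SAMPLE_CONFIG) or ["no findings"])
```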
This appears to match the information found in ifconfig(8) for configuring edge switches. However, this does not confirm any support for BPDU protection.
If you do not choose to search through the source code advocated by jggimi, you may want to post to the project's misc@ mailing list. Information on subscribing can be found at the following: http://www.openbsd.org/mail.html
I'm home, and have looked through the CVS logs in actuality. My access to them when at work is via marc.info, and they are incomplete.
Looking through the CVS changelogs, I found this entry, which may be of interest: Code:
Module name:    src
Changes by:     mpf@cvs.openbsd.org    2012/09/20 08:10:18

Modified files:
        sys/net : bridgestp.c if_bridge.c if_bridge.h

Log message:
Don't filter spanning tree BPDUs. Either process, or forward them.
Even though this violates IEEE 802.1D, we'd rather avoid bridging loops
by not getting in the way of STP.

OK henning, camield, reyk
The OpenBSD system administrator does not have provisioning control of BPDU messages.
If you are interested in how OpenBSD forwards or processes BPDU messages, those three source code modules in sys/net are where to begin your research.
Thank you, I'm doing this.