Friday 22 June 2012

Spanning Tree Protocol : Why BPDU Validation is not done properly in various implementations? ?

In Spanning tree protocol if a root bridge receives a better root BID, it will stop advertising its own values and consider the other bridge as superior and starts advertising the values which it got from new bridge.

Lets say

                 PC1---Switch A----SwitchB----PC2

The one who has better BID will become root bridge lets say A.

Now consider this scenario , i capture one packet in wireshark, modify its BID such that it becomes root bridge and put all invalid timer values as 0x FF FF i.e. 255 for hello timer, forward delay and message age.

So what will happen if i send this packet from PC1 to switch A ?

1) Switch A will not accept this packet .

2) Switch A will accept this packet and become designated bridge?

Well, the answer is even if the BPDU has all the invalid values of timer, still the bridge/switch will not consider it as invalid packet and accept it as it is, and start advertising these invalid values to all other switches.

Why is it so? In 802.1D-1998 standard there is no mandatory validation  for received BPDU. So what is actually happening is, it depends on vendor whether they are applying this validation check or not.

In Linux this validation check is not present and when i raised this question in forum i got two reason for not fixing it:

1) STP is not secure protocol , so it accepts and treats every received  BPDU as valid

2) In linux PC bridges, everything has to be done in CPU , adding all these validations for all protocols will just add  an overhead and waste of CPU cycles.

What will be affect if we don't do these validations:

Any one in small lan who knows about this flaw can insert root bridge and propagate invalid timer values. It results in change in convergence time which can lead in formation of loops.

Who does these validation and who doesn't?

I have tested in Linux, Cisco, Netgear and Dlink switches. I wont give model no and version as this is only for information purposes. Cisco has all type of validations so it wont accept the BPDU. Linux, Netgear and DLink all are not doing any validation. So if you are in testing team of any of these, please raise it as a bug and see if gets fixed, even if they say native OS has this issue. Let me know if you could get this bug fixed so that eventually it comes to Linux.

Brocade switches does these validation, as i came to know but not tested on it.

If you are working on any other make of switch/ bridge let me know this issue is fixed or not in your platform.