[OPNFLWPLUG-361] [SECURITY] Topology spoofing via LLDP Created: 16/Feb/15  Updated: 27/Sep/21  Due: 16/Mar/15  Resolved: 03/Jun/15

Status: Resolved
Project: OpenFlowPlugin
Component/s: General
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: David Jorm Assignee: Jozef Gloncak
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


Issue Links:
Blocks
is blocked by CONTROLLER-1196 Impossible to add more than one TLVs ... Resolved
External issue ID: 2723

Description

It has been reported that it is possible for an attacker to spoof network topology via LLDP. Details are in this paper:

http://www.internetsociety.org/sites/default/files/10_4_2.pdf

Two fixes are proposed:

1) Implement nonces for the LLDP messages, although this leaves a problem with MITM attacks where a host can copy LLDP from one point in the topology to another point. That would create a fake link between two OpenFlow switches.

2) Implement a mechanism that somehow warns the administrator about unexpected topology changes.

MITRE has been contacted requesting a CVE name for this issue.
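As an added illustration of the nonce-plus-hash approach proposed above (example code, not OpenFlowPlugin's or the controller's own): the controller keys an HMAC over chassis id, port id and a fresh nonce with a secret only it holds, carries nonce and tag in an organizationally-specific TLV (type 127), and topology discovery drops any LLDP frame whose tag does not verify. The secret, OUI/subtype and TLV layout are assumptions. As the description notes, a frame copied verbatim from another link still verifies, which is why the second proposed fix (alerting on unexpected topology changes) is complementary.

```python
import hashlib, hmac, os, struct
# Constructed example; the secret, OUI/subtype and TLV layout are assumptions, not the project's own.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_ORG = 0, 1, 2, 3, 127   # LLDP TLV types
AUTH_PREFIX = b"\x00\x00\x00" + b"\x01"   # placeholder OUI + subtype of the nonce/tag TLV
NONCE_LEN, TAG_LEN = 8, 32

def _tlv(tlv_type, value):
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value   # 7-bit type, 9-bit length

def parse_tlvs(payload):
    """Split an LLDP payload into (type, value) pairs, stopping at End-of-LLDPDU."""
    tlvs, i = [], 0
    while i + 2 <= len(payload):
        (hdr,) = struct.unpack_from("!H", payload, i)
        tlv_type, length, i = hdr >> 9, hdr & 0x1FF, i + 2
        if tlv_type == TLV_END:
            break
        if i + length > len(payload):
            raise ValueError("truncated TLV")
        tlvs.append((tlv_type, payload[i:i + length]))
        i += length
    return tlvs

def _auth_tag(secret, chassis_id, port_id, nonce):
    # Bind the tag to node, port and nonce so none of them can be altered unnoticed.
    return hmac.new(secret, b"\x00".join((chassis_id, port_id, nonce)), hashlib.sha256).digest()

def build_lldp(secret, chassis_id, port_id, nonce=None):
    # Frame the controller sends out of (chassis_id, port_id); ID subtype 7 = locally assigned.
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    tag = _auth_tag(secret, chassis_id, port_id, nonce)
    return (_tlv(TLV_CHASSIS_ID, b"\x07" + chassis_id)
            + _tlv(TLV_PORT_ID, b"\x07" + port_id)
            + _tlv(TLV_TTL, struct.pack("!H", 120))
            + _tlv(TLV_ORG, AUTH_PREFIX + nonce + tag)
            + _tlv(TLV_END, b""))

def verify_lldp(secret, payload):
    """Return (chassis_id, port_id) when the tag verifies, else None so discovery drops the link."""
    chassis = port = auth = None
    for tlv_type, value in parse_tlvs(payload):
        if tlv_type == TLV_CHASSIS_ID:
            chassis = value[1:]
        elif tlv_type == TLV_PORT_ID:
            port = value[1:]
        elif tlv_type == TLV_ORG and value.startswith(AUTH_PREFIX):
            auth = value[len(AUTH_PREFIX):]
    if None in (chassis, port, auth) or len(auth) != NONCE_LEN + TAG_LEN:
        return None
    nonce, tag = auth[:NONCE_LEN], auth[NONCE_LEN:]
    return (chassis, port) if hmac.compare_digest(tag, _auth_tag(secret, chassis, port, nonce)) else None
```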



Comments
Comment by Abhijit Kumbhare [ 16/Feb/15 ]

Michal,

Can you look into this? I will catch up with you over IRC sometime. There is also a security advisory on this:
https://wiki.opendaylight.org/view/Security_Advisories#.5BModerate.5D_CVE-TBD_openflowplugin:_topology_spoofing_via_LLDP

Thanks,
Abhijit

Comment by David Jorm [ 19/Feb/15 ]

CVE-2015-1611 and CVE-2015-1612 have been assigned to this issue. On the TSC list it has been suggested that an SR3 release is shipped on 3/30. Would it be possible to include a fix for this issue in SR3?

Comment by Michal Rehak [ 16/Mar/15 ]

https://git.opendaylight.org/gerrit/#/c/16193/

Comment by Anil Vishnoi [ 16/Mar/15 ]

The above patch did not contain JUnit tests, but we merged it because today is the SR3 cut-off date and we don't have enough time to add them. Please keep this bug open until we include the JUnit tests.

Comment by Michal Rehak [ 16/Mar/15 ]

merged

Comment by Michal Rehak [ 16/Mar/15 ]

https://git.opendaylight.org/gerrit/#/c/16208

Comment by David Jorm [ 17/Mar/15 ]

I have updated the security advisories page to reflect the availability of a patch commit: https://wiki.opendaylight.org/view/Security_Advisories#.5BModerate.5D_CVE-2015-1611_CVE-2015-1612_openflowplugin:_topology_spoofing_via_LLDP

Do we also need a patch for master to ensure this issue remains fixed in Lithium?

Comment by Michal Rehak [ 17/Mar/15 ]

merged

Comment by Michal Rehak [ 17/Mar/15 ]

(In reply to David Jorm from comment #7)
> I have updated the security advisories page to reflect the availability of a
> patch commit:
> https://wiki.opendaylight.org/view/Security_Advisories#.5BModerate.5D_CVE-
> 2015-1611_CVE-2015-1612_openflowplugin:_topology_spoofing_via_LLDP
>
> Do we also need a patch for master to ensure this issue remains fixed in
> Lithium?

Yes,
we need to cherrypick CONTROLLER-1196 and this one into master in order to have the same functionality in lithium.

Comment by Jozef Gloncak [ 03/Jun/15 ]

openflowplugin
==============
Merged on stable/lithium, stable/helium, master
Change-Id: I234305e827817aef2dcec820869bddca91fc2b33 - LLDPSpeaker
Change-Id: Ic8f50c88e7d8e3722d8d83a01ffa94a96bde313f - hash check in topology-discovery

controller
==========
Merged on stable/lithium, stable/helium, master
Change-Id: I5d0c6b9a9e29213d3f25aa99ff7edd5b30e6c7a8 - LLDP refactor
Change-Id: Ifa1cab17206e1be37022bc8b49f7990649cbd356 - problem to add second TLV with type 127 (for stable/lithium this was changed to a squashed commit containing all changes necessary in controller, because >LLDP refactor< was merged in controller before >LLDP TLV support and testing< and >problem to add second TLV<)

Merged on: stable/helium, master
Change-Id: I56c807b46d889266fc43cdc9b35d00bf17bb4d09 - LLDP TLV support and testing

Generated at Wed Feb 07 20:32:16 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.