[OPNFLWPLUG-619] LLDP spoof warning in 3-node cluster Created: 11/Feb/16  Updated: 27/Sep/21  Resolved: 06/May/16

Status: Resolved
Project: OpenFlowPlugin
Component/s: General
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: Anil Vishnoi Assignee: Anil Vishnoi
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


Issue Links:
Duplicate
is duplicated by INFRAUTILS-4 dummy Resolved
External issue ID: 5327
Priority: High

 Description   

Openflowplugin has an application (lldp speaker) that sends LLDP packet out of the controller to the switch and once it receive it back from other switch, it determine that there is a link between two switches.

In this scenario, there is a possibility that any other controller can connect to the switch and spoof the LLDP packets and controller can learn wrong link. This is a security vulnerability, which was fixed in the last release.

To fix this security vulnerability we added few checks when controller receives packet from switch to make sure that this packet was sent by the same controller. To make sure of that controller internally generate hash using the string value return by RuntimeMXBean.
ManagementFactory.getRuntimeMXBean().getName() (this basically returns the string – pid@hostname e.g 123@of-node-1)
https://github.com/opendaylight/openflowplugin/blob/master/applications/topology-lldp-discovery/src/main/java/org/opendaylight/openflowplugin/applications/topology/lldp/utils/LLDPDiscoveryUtils.java#L130

So this works perfectly fine in the single node cluster.

Now in the 3 node cluster environment, there is a possibility that two switches (Switch 1 & Switch 2) will be owned by two different node in the cluster. So if controller 1 sends LLDP packet to switch1 and it goes to Switch 2, switch 2 will send that packet to controller 2 (master of switch 2). Both controller will internally call
RuntimeMXBean().getName() and each cluster node will get different string name (given that controllers are running on different VM and VMs has different host name and the pid of the java process is different for each cluster node) and the check will fail, and both the controller will assume that it's a security attack, because that LLDP packet was not sent by it.

To fix this there are two options (1) Provide a key string through configuration file or config subsystem that each controller will use internally to generate the hash value and this will make sure that each controller will generate the same hash.
(2) Clustering can provide a cluster wide unique ID (cluster id) that application can use to generate this hash value and use it for authenticity across different cluster node.
Option (2) is more secure option because it generates the unique id at run time and it's more difficult to spoof it compare to (1). But (1) is as good as the current fix we have.



 Comments   
Comment by Anil Vishnoi [ 11/Feb/16 ]

master : https://git.opendaylight.org/gerrit/#/c/34503/
stable/beryllium : https://git.opendaylight.org/gerrit/#/c/34501/1

Comment by A H [ 12/Feb/16 ]

Anil Vishnoi, have we verified the fix against Beryllium SR?

Comment by Anil Vishnoi [ 12/Feb/16 ]

I verified it against Stable/Beryllium but not RC2.3. Do i need to verify it against RC2.3?

Comment by A H [ 12/Feb/16 ]

Okay if it has been verified, then I will update the spreadsheet accordingly. Thanks Anil Vishnoi.

Generated at Wed Feb 07 20:32:57 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.