https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/OPNFLWPLUG-361 OpenFlowPlugin <p>It has been reported that it is possible for an attacker to spoof network topology via LLDP. Details are in this paper:</p> <p><a href="http://www.internetsociety.org/sites/default/files/10_4_2.pdf" class="external-link" target="_blank" rel="nofollow noopener">http://www.internetsociety.org/sites/default/files/10_4_2.pdf</a></p> <p>Two fixes are proposed:</p> <p>1) Implement nonces for the LLDP messages, although this leaves a problem with MITM attacks where a host can copy LLDP from one point in the topology to other point. That would create a fake link between two OpenFlow switches.</p> <p>2) Implement a mechanism that somehow warns administrator about unexpected topology changes.</p> <p>MITRE has been contacted requesting a CVE name for this issue.</p> <p>Operating System: All<br/> Platform: All</p> OPNFLWPLUG-361

[SECURITY] Topology spoofing via LLDP

Bug Resolved Done Jozef Gloncak David Jorm Mon, 16 Feb 2015 00:51:27 +0000 Mon, 27 Sep 2021 09:01:25 +0000 Wed, 3 Jun 2015 08:48:23 +0000 General Mon, 16 Mar 2015 00:00:00 +0000 0 8 <p>Michal,</p> <p>Can you look into this? I will catch up with you over IRC sometime. There is also a security advisory on this:<br/> <a href="https://wiki.opendaylight.org/view/Security_Advisories#.5BModerate.5D_CVE-TBD_openflowplugin:_topology_spoofing_via_LLDP" class="external-link" target="_blank" rel="nofollow noopener">https://wiki.opendaylight.org/view/Security_Advisories#.5BModerate.5D_CVE-TBD_openflowplugin:_topology_spoofing_via_LLDP</a></p> <p>Thanks,<br/> Abhijit</p> <p>CVE-2015-1611 and CVE-2015-1612 have been assigned to this issue. On the TSC list it has been suggested that an SR3 release is shipped on 3/30. Would it be possible to include a fix for this issue in SR3?</p> <p><a href="https://git.opendaylight.org/gerrit/#/c/16193/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/16193/</a></p> <p>Above patch did not contain JUnit test, but we merged it because today is SR3 cut off date and we don't have enough time to add junit tests. Please keep this bug open till we include the junit tests.</p> <p>merged</p> <p><a href="https://git.opendaylight.org/gerrit/#/c/16208" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/16208</a></p> <p>I have updated the security advisories page to reflect the availability of a patch commit: <a href="https://wiki.opendaylight.org/view/Security_Advisories#.5BModerate.5D_CVE-2015-1611_CVE-2015-1612_openflowplugin:_topology_spoofing_via_LLDP" class="external-link" target="_blank" rel="nofollow noopener">https://wiki.opendaylight.org/view/Security_Advisories#.5BModerate.5D_CVE-2015-1611_CVE-2015-1612_openflowplugin:_topology_spoofing_via_LLDP</a></p> <p>Do we also need a patch for master to ensure this issue remains fixed in Lithium?</p> <p>merged</p> <p>(In reply to David Jorm from comment #7)<br/> &gt; I have updated the security advisories page to reflect the availability of a<br/> &gt; patch commit:<br/> &gt; <a href="https://wiki.opendaylight.org/view/Security_Advisories#.5BModerate.5D_CVE-" class="external-link" target="_blank" rel="nofollow noopener">https://wiki.opendaylight.org/view/Security_Advisories#.5BModerate.5D_CVE-</a><br/> &gt; 2015-1611_CVE-2015-1612_openflowplugin:_topology_spoofing_via_LLDP<br/> &gt; <br/> &gt; Do we also need a patch for master to ensure this issue remains fixed in<br/> &gt; Lithium?</p> <p>Yes,<br/> we need to cherrypick <a href="https://jira.opendaylight.org/browse/CONTROLLER-1196" title="Impossible to add more than one TLVs with type 127" class="issue-link" data-issue-key="CONTROLLER-1196"><del>CONTROLLER-1196</del></a> and this one into master in order to have the same functionality in lithium.</p> <p>openflowplugin<br/> ==============<br/> Merged on stable/lithium, stable/helium, master<br/> Change-Id: I234305e827817aef2dcec820869bddca91fc2b33 - LLDPSpeaker<br/> Change-Id: Ic8f50c88e7d8e3722d8d83a01ffa94a96bde313f - hash check in topology-discovery</p> <p>controller<br/> ==========<br/> Merged on stable/lithium, stable/helium, master<br/> Change-Id: I5d0c6b9a9e29213d3f25aa99ff7edd5b30e6c7a8 - LLDP refactor<br/> Change-Id: Ifa1cab17206e1be37022bc8b49f7990649cbd356 - problem to add second TLV with type 127. (for stable/lithium was changed to squashing commit which contained changes for all changes necessary in controller. The reason was that &gt;LLDP refactor&lt; was merged in controller before &gt;LLDP TLV support and testing&lt; and &gt;problem to add second TLV&lt;</p> <p>Merged on: stable/helium, master<br/> Change-Id: I56c807b46d889266fc43cdc9b35d00bf17bb4d09 - LLDP TLV support and testing</p> Blocks CONTROLLER-1196 Development External issue ID 2723 External issue URL ODL SR Target Milestone Rank 0|i030of: