Carp and STP meet switch security

Written by Henning Brauer, BS Web Services, hb at bsws dot de.

Basics

Carp and the Spanning Tree Protocol (STP) can both be used to provide firewall redundancy: carp for routing devices (IP address failover), STP for bridging devices. Both come with security pitfalls that one should keep in mind.

Both work with announcements of available paths or carp partners; the difference doesn't matter here. The point is that a new partner with a higher priority can show up at any time and take over. That could very well be an attacker.

Spanning Tree (STP)

Spanning Tree has no support whatsoever for preventing that kind of attack. The announcements (BPDUs) are not authenticated in any way. As soon as an attacker has physical access to a network segment that is using STP, he can send BPDUs advertising a better (numerically lower) bridge priority and take over the root bridge role, and with it the topology.

The only way to prevent this attack is to filter out BPDUs on all switch ports NOT facing the intended bridges. The ports that must keep passing BPDUs are usually the switch interconnects and the ports attached to your OpenBSD firewalls; on all other ports the BPDUs have to be filtered. Fortunately, most of the better managed switches these days support that; the syntax varies. On HP ProCurve 5300XL switches you would use something like

spanning-tree all bpdu-filter
no spanning-tree G1,G3 bpdu-filter

That enables the BPDU filter on all ports except G1 and G3, so only those two ports still accept BPDUs.

Everything said here applies to the Rapid Spanning Tree Protocol (RSTP) as well.
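The following is an added example, not code from the original article: a small monitor that picks STP/RSTP BPDUs out of a frame stream, reports any that arrive on ports outside the trusted set (the interconnects and firewall ports the filter above leaves open), and says whether the advertised root would actually win the election against the current root bridge. The port names, the trusted port set and the current root's bridge ID are assumptions made for the example; the frames are constructed, not captured.

```python
"""Flag STP/RSTP BPDUs seen on ports that should never carry them (added example)."""
import struct

STP_DST_MAC = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                      # DSAP/SSAP 0x42, UI control field
TRUSTED_PORTS = {"G1", "G3"}                   # switch interconnects / firewall ports (assumed)
CURRENT_ROOT = (32768, bytes.fromhex("001122334455"))  # (priority, MAC) of the real root (assumed)


def parse_bpdu(frame: bytes):
    """Return (root_priority, root_mac) for a Configuration or RSTP BPDU, else None."""
    if len(frame) < 14 + 3 + 13:
        return None
    if frame[0:6] != STP_DST_MAC or frame[14:17] != LLC_STP:
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500:                      # must be an 802.3 length field, not an EtherType
        return None
    bpdu = frame[17:]
    proto_id, version, bpdu_type = struct.unpack("!HBB", bpdu[:4])
    if proto_id != 0 or bpdu_type not in (0x00, 0x02):   # 0x00 config BPDU, 0x02 RSTP BPDU
        return None
    root_id = bpdu[5:13]                   # flags byte at offset 4, then the 8-byte root ID
    return struct.unpack("!H", root_id[:2])[0], root_id[2:8]


def build_bpdu(src_mac: bytes, prio: int, mac: bytes) -> bytes:
    """Construct a Configuration BPDU in which the sender claims to be the root bridge."""
    bpdu = struct.pack("!HBBBH6sI", 0, 0, 0, 0, prio, mac, 0)   # proto, version, type, flags, root ID, path cost
    bpdu += struct.pack("!H6s", prio, mac)                       # bridge ID == root ID
    bpdu += struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)  # port ID, msg age, timers (1/256 s)
    return STP_DST_MAC + src_mac + struct.pack("!H", len(bpdu) + 3) + LLC_STP + bpdu


def audit(frames, current_root=CURRENT_ROOT):
    """frames: iterable of (ingress_port, raw_frame). Returns findings for untrusted ports only."""
    findings = []
    for port, frame in frames:
        parsed = parse_bpdu(frame)
        if parsed is None or port in TRUSTED_PORTS:
            continue
        prio, mac = parsed
        findings.append({
            "port": port,
            "root_priority": prio,
            "root_mac": mac.hex(":"),
            # the lower bridge ID (priority first, then MAC) wins the root election
            "would_become_root": (prio, mac) < current_root,
        })
    return findings


# Constructed sample traffic: the real root on G1, a rogue root (priority 0) on A5,
# a losing BPDU on A7, and an ordinary IPv4 frame on A7 that must be ignored.
SAMPLE_FRAMES = [
    ("G1", build_bpdu(bytes.fromhex("001122334455"), 32768, bytes.fromhex("001122334455"))),
    ("A5", build_bpdu(bytes.fromhex("00deadbeef01"), 0, bytes.fromhex("00deadbeef01"))),
    ("A7", build_bpdu(bytes.fromhex("00c0ffee0002"), 61440, bytes.fromhex("00c0ffee0002"))),
    ("A7", bytes.fromhex("ffffffffffff00c0ffee0002") + b"\x08\x00" + b"\x45" + b"\x00" * 39),
]


def run_audit():
    return audit(SAMPLE_FRAMES)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Running it reports the A5 frame as one that would take over the root role and the A7 frame as one that would lose the election; the BPDU on G1 is accepted silently because that port is allowed to carry them. Such a check is a useful complement to the switch-side filter: it tells you that somebody is trying, which the filter alone does not.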

CARP

Carp behaves much better than STP, since its announcements carry a keyed hash (an HMAC) computed with a mandatory password. The attacker has to know the password to create his own carp announcements (or break the hash function, which doesn't seem likely from today's point of view).

Unfortunately, while this is much better than ignoring the problem as STP and friends do, it still leaves room for a replay attack: the attacker records carp announcements and later sends them out again. Done the right way, this makes him master. (This got harder after OpenBSD 4.2, but the problem is basically unsolvable without trusting the clocks of all nodes to be perfectly synchronized. Combined with the fact that you want to avoid multi-MASTER situations if at all possible, since they really hurt, there is no solution we're aware of.)

As said, the attacker needs to be able to

Carp uses multicast. The destination IP is 224.0.0.18 (IP protocol 112), and the destination MAC is the corresponding multicast MAC 01:00:5e:00:00:12. (The 00:00:5e:00:01:xx addresses, xx being the vhid, are the virtual MACs the master uses as the source of its frames, not the destination of the announcements.)

Fortunately, many switches provide facilities to filter multicast by destination MAC. On an HP ProCurve 5300XL you would use

filter multicast 01005e000012 drop all forward G1,G3
to drop the carp announcements towards all ports except G1 and G3. Note what this filter does: it controls where the switch forwards frames sent to that MAC, so an attacker on any other port no longer sees the announcements and has nothing to record and replay. It does not stop him from sending frames to that address, but without the password or a recording he has nothing valid to send.
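The following is an added example, not code from the original article, and it serves both the replay discussion above and the multicast filtering just described: it picks CARP advertisements out of a frame stream (destination MAC 01:00:5e:00:00:12, destination IP 224.0.0.18, protocol 112), reports any that arrive on ports that should not carry them, and reports advertisements whose counter does not increase for a vhid, which is what a replayed recording looks like. The counter is the 64-bit field that follows the fixed CARP header; that it only ever increases for a live master is an assumption of this example, and the HMAC field is not verified (that would need the shared password). Port names, the trusted port set, the IP addresses and all frames are constructed.

```python
"""Spot CARP advertisements on untrusted ports and non-increasing counters (added example)."""
import socket
import struct

CARP_DST_MAC = bytes.fromhex("01005e000012")   # multicast MAC for 224.0.0.18
CARP_GROUP = "224.0.0.18"
CARP_PROTO = 112                               # CARP shares VRRP's IP protocol number
TRUSTED_PORTS = {"G1", "G3"}                   # assumed, as in the switch config above


def parse_carp(frame: bytes):
    """Return the fields of a CARP version 2 advertisement, or None for any other frame."""
    if len(frame) < 14 + 20 + 36 or frame[0:6] != CARP_DST_MAC or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != CARP_PROTO or socket.inet_ntoa(frame[30:34]) != CARP_GROUP:
        return None
    carp = frame[14 + ihl:]
    vhv, vhid, advskew, authlen, demote, advbase, cksum = struct.unpack("!BBBBBBH", carp[:8])
    if vhv >> 4 != 2 or vhv & 0x0F != 1:      # version 2, type 1 = advertisement
        return None
    hi, lo = struct.unpack("!II", carp[8:16])  # 64-bit counter as two big-endian words
    return {"src_mac": frame[6:12].hex(":"), "vhid": vhid, "advskew": advskew,
            "advbase": advbase, "counter": (hi << 32) | lo, "hmac": carp[16:36]}


def build_carp(src_mac: bytes, src_ip: str, vhid: int, advskew: int, counter: int) -> bytes:
    """Construct an advertisement frame; field order follows OpenBSD's struct carp_header, HMAC left zeroed."""
    carp = struct.pack("!BBBBBBH", (2 << 4) | 1, vhid, advskew, 7, 0, 1, 0)   # vhv, vhid, advskew, authlen, demote, advbase, cksum
    carp += struct.pack("!II", counter >> 32, counter & 0xFFFFFFFF)            # counter
    carp += b"\x00" * 20                                                        # HMAC-SHA1 placeholder (not computed)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(carp), 0, 0, 255, CARP_PROTO, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(CARP_GROUP))
    return CARP_DST_MAC + src_mac + b"\x08\x00" + ip + carp


def audit(frames):
    """frames: iterable of (ingress_port, raw_frame). Returns (port, vhid, reason) findings."""
    last_counter = {}
    findings = []
    for port, frame in frames:
        adv = parse_carp(frame)
        if adv is None:
            continue
        if port not in TRUSTED_PORTS:
            findings.append((port, adv["vhid"], "carp advertisement from untrusted port"))
        prev = last_counter.get(adv["vhid"])
        if prev is not None and adv["counter"] <= prev:
            findings.append((port, adv["vhid"], "counter not increasing: possible replay"))
        else:
            last_counter[adv["vhid"]] = adv["counter"]
    return findings


MASTER_MAC = bytes.fromhex("00005e00010a")      # virtual MAC for vhid 10 (source address of the master)
# Constructed sample traffic: two advertisements from the master on G1, the first of
# them replayed by an attacker on A5, and an unrelated vhid advertised on G3.
SAMPLE_FRAMES = [
    ("G1", build_carp(MASTER_MAC, "192.0.2.2", 10, 0, 5000)),
    ("G1", build_carp(MASTER_MAC, "192.0.2.2", 10, 0, 5001)),
    ("A5", build_carp(MASTER_MAC, "192.0.2.2", 10, 0, 5000)),
    ("G3", build_carp(bytes.fromhex("00005e000114"), "192.0.2.3", 20, 100, 77)),
]


def run_audit():
    return audit(SAMPLE_FRAMES)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

The replayed frame on A5 is reported twice, once for the port it came from and once because its counter is not newer than the last one seen for vhid 10. With the multicast filter above in place the attacker would not have had the announcement to replay in the first place; the monitor is there to tell you when the filter is missing on some port.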