FS#3752 - netifd defaults an invalid bridge STP value for forward_delay #8761

Open
openwrt-bot opened this issue Apr 25, 2021 · 0 comments

sshambar:

netifd defaults the STP forward_delay lower than the minimum allowed by the protocol, causing the BPDU packets to be ignored by conforming implementations, risking bridge loops.

The relevant limits are set in IEEE 802.1D-1998 section 8.10.2 Table 8-3: the allowable forward_delay range is 4 - 30 seconds. netifd sets the initial default to 2 seconds.

I tested this with several of my Netgear managed switches; they ignore the invalid "2 second" STP packets. Correcting the forward_delay to within limits (4s) results in the router accepting the OpenWRT STP as the root bridge (since it has a lower bridge-id).

netifd should definitely not be defaulting to invalid values (even if it, and the kernel, allow the values to be set).

Here's a patch to fix the default:
--- a/bridge.c
+++ b/bridge.c
@@ -875,7 +875,7 @@ bridge_apply_settings(struct bridge_state *bst, struct blob
_attr **tb)

    /* defaults */                                                          
    cfg->stp = false;                                                       
  •   cfg->forward_delay = 2;                                                 
    
  •   cfg->forward_delay = 4;                                                 
      cfg->robustness = 2;                                                    
      cfg->igmp_snoop = false;                                                
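
Review bot: the new default on the `cfg->forward_delay = 4;` line is a bare literal with no comment, so a later reader cannot tell that 4 is the lower bound of the 4 to 30 second range from IEEE 802.1D-1998 Table 8-3 rather than an arbitrary choice; add a comment or a named constant citing the table. None of the visible default lines sets a max age, and the report itself notes that with a 4 second forward delay the relation 2 × (Bridge_Forward_Delay – 1.0 seconds) >= Bridge_Max_Age only holds for a max age of 6 seconds, so consider defaulting that alongside. The change also touches only the default, so a configured value below 4 would still be applied; a range check where the option is parsed would cover that case.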
    

Specifically, the packet is invalid as it fails the Spanning Tree Algorithm in section A.9, step 17c.

NOTE: Since the 1998 version of the standard requires subscribing to IEEE, you can also find the limits in the "free to download" updated 802.1D-2004 standard, section 17.14, Table 17-1 for the RSTP (which has the same forward delay limits as STP).


On the subject of "additional possible fixes".... (only suggestions)

The very low Forward Delay of 4 seconds still results in "non-conforming" behavior by OpenWRT, but at least no longer "breaking" behavior. Section 8.10.2 of 802.1D-1998 states:

A Bridge shall enforce the following relationships:
2 × (Bridge_Forward_Delay – 1.0 seconds) >= Bridge_Max_Age

... so even if the default Forward Delay is increased to 4 seconds, the default Max Age should also be reduced to 6 seconds (kernel currently defaults to 20 seconds).

Also the minimum value for Forward Delay of 4 seconds is calculated (in section B.4.5) based on a Hello Time of 1 second, so that value should also be set (kernel currently defaults to 2 seconds).

Neither of these updates is critical (they work at their current defaults), but would just create "sensible" timers for STP.
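
The two constraints cited in the report (the 4 to 30 second Forward Delay range and the Forward Delay / Max Age relation) can be checked mechanically before a bridge configuration is applied. The following is an added example, not part of the report and not netifd code; the function and flag names are hypothetical, and timers are taken as whole seconds.

```c
#include <stdio.h>

/* Forward Delay range quoted in the report (IEEE 802.1D-1998 Table 8-3), seconds. */
#define STP_FWD_DELAY_MIN 4
#define STP_FWD_DELAY_MAX 30

/* Violation flags returned by stp_check_timers() (hypothetical names). */
#define STP_ERR_FWD_RANGE   0x1u /* forward_delay outside 4..30 s */
#define STP_ERR_FWD_MAX_AGE 0x2u /* 2 * (forward_delay - 1) < max_age */

/* Largest max_age that satisfies 2 * (forward_delay - 1.0 s) >= max_age. */
static int stp_max_age_limit(int forward_delay)
{
    return 2 * (forward_delay - 1);
}

/* Returns 0 when both constraints hold, otherwise a mask of STP_ERR_* flags. */
static unsigned stp_check_timers(int forward_delay, int max_age)
{
    unsigned err = 0;

    if (forward_delay < STP_FWD_DELAY_MIN || forward_delay > STP_FWD_DELAY_MAX)
        err |= STP_ERR_FWD_RANGE;
    if (max_age > stp_max_age_limit(forward_delay))
        err |= STP_ERR_FWD_MAX_AGE;
    return err;
}

int main(void)
{
    /* Constructed rows: the three configurations the report discusses. */
    static const struct { const char *name; int fwd, age; } cfg[] = {
        { "netifd default 2 s, kernel max_age 20 s",  2, 20 },
        { "patched default 4 s, kernel max_age 20 s", 4, 20 },
        { "suggested 4 s with max_age 6 s",           4,  6 },
    };

    for (size_t i = 0; i < sizeof(cfg) / sizeof(cfg[0]); i++) {
        unsigned err = stp_check_timers(cfg[i].fwd, cfg[i].age);
        printf("%-42s range:%s relation:%s (max_age limit %d s)\n", cfg[i].name,
               (err & STP_ERR_FWD_RANGE) ? "FAIL" : "ok",
               (err & STP_ERR_FWD_MAX_AGE) ? "FAIL" : "ok",
               stp_max_age_limit(cfg[i].fwd));
    }
    return 0;
}
```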
