Gitiles
Code Review Sign In
gerrit.onosproject.org / onos / 31e16f57b10ebb5c0f98d8dbf779774df342ed03^! / . / providers / lldpcommon / src / main / java / org / onosproject / provider / lldpcommon / LinkDiscovery.java
commit31e16f57b10ebb5c0f98d8dbf779774df342ed03[log] [tgz]
authorSamuel Jero <samuel.jero@ll.mit.edu>Fri Sep 21 10:34:28 2018 -0400
committerThomas Vachuska <tom@opennetworking.org>Wed Oct 17 15:59:31 2018 +0000
treea7ba8ab671228eb24f9e3ec6218bd9ac80f72131
parente8b28db08622accdb1d1ff503a7084f067d60fc8 [diff] [blame]
Secure LLDP-based Topology Detection

Current LLDP/BDDP-based Topology Detection is vulnerable to the
creation of fake links via forged, modified, or replayed LLDP packets.
This patch fixes this vulnerability by authenticating LLDP/BDDP packets
using a Message Authentication Code and adding a timestamp to prevent
replay. We use HMAC with SHA-256 has our Messge Authentication Code and
derive the key from the config/cluster.json file via the
ClusterMetadata class.

Change-Id: I01dd6edc5cffd6dfe274bcdb97189f2661a6c4f1

diff --git a/providers/lldpcommon/src/main/java/org/onosproject/provider/lldpcommon/LinkDiscovery.java b/providers/lldpcommon/src/main/java/org/onosproject/provider/lldpcommon/LinkDiscovery.java
index 317fda8..3d69235 100644
--- a/providers/lldpcommon/src/main/java/org/onosproject/provider/lldpcommon/LinkDiscovery.java
+++ b/providers/lldpcommon/src/main/java/org/onosproject/provider/lldpcommon/LinkDiscovery.java

@@ -173,6 +173,12 @@
             } else {
                 lt = eth.getEtherType() == Ethernet.TYPE_LLDP ?
                         Type.DIRECT : Type.INDIRECT;
+
+                /* Verify MAC in LLDP packets */
+                if (!ONOSLLDP.verify(onoslldp, context.lldpSecret(), context.maxDiscoveryDelay())) {
+                    log.warn("LLDP Packet failed to validate!");
+                    return true;
+                }
             }
 
             PortNumber srcPort = portNumber(onoslldp.getPort());
@@ -269,7 +275,8 @@
     }
 
     private ONOSLLDP getLinkProbe(Long portNumber, String portDesc) {
-        return ONOSLLDP.onosLLDP(device.id().toString(), device.chassisId(), portNumber.intValue(), portDesc);
+        return ONOSLLDP.onosSecureLLDP(device.id().toString(), device.chassisId(), portNumber.intValue(), portDesc,
+                                       context.lldpSecret());
     }
 
     private void sendProbes(Long portNumber, String portDesc) {