Post on 18-Nov-2014
description
Linux BridgingLinux Bridging
Teaching an Old Dog New TricksTeaching an Old Dog New Tricks
Stephen HemmingerStephen Hemmingershemminger@vyatta.com
TopicsTopics
● Background● Tunneling● Security● Status
Bridge HistoryBridge History
1985 1990
EthernetBridgingInvented
IEEE 802.1d1998
1998
IEEE 802.1d
2000 2004 2005 2012
LinuxBridge
2001
IEEE 802.1d2004
RSTP SPB802.1aq
MSTP802.1s
IGMPSnooping
Bridge ForwardingBridge Forwarding
Destination?
ForwardingTable
Output
Flood
Multicast?
IGMPtable
Disabled
Root Leaf
Spanning Tree ProtocolSpanning Tree Protocol
BPDU
BPDU
Edge
TunnelsTunnels
VXLAN2
GuestA
GuestB
GuestC
GuestD
VXLAN1
Bridge1 Bridge2 Bridge1 Bridge2
Cloud Tunneling ProtocolsCloud Tunneling Protocols
● VxLan– Arista, Broadcom, Cisco, Vmware, Red Hat
● NVGRE– Microsoft, Intel, Dell, Broadcom, Emulex
● STT– Niciria
API flavor'sAPI flavor's
● Ioctl– Compatibility– non-extensible
● Sysfs– Text based
● Netlink– Notifications– TLV format
Hw offloadHw offload
● Common netlink API– Forwarding table– monitoring
SecuritySecurity
● BPDU guard● BPDU filter● Root port protect● Port locking
STP Security IssuesSTP Security Issues
Bridge(core)
Bridge(edge)
GuestVM
Bridge(core)
BPDU
Core Bridge
UntrustedHost
BPDU blockedNot sent or received
BPDU FilterBPDU Filter
BPDU
Core Bridge
UntrustedHost/Bridge
BPDU
Rogue BPDU!
Link disabled
BPDU GuardBPDU Guard
BPDU
Core Bridge
Semi-trustedHost/Bridge
BPDU
BPDUAllowed if
Priority < Root
Root Port ProtectRoot Port Protect
Core Bridge
UntrustedGuest
Source AddressMust match
Port lockPort lock
Spanning TreeSpanning Tree
● Current– Kernel – 802.1d 1998– Userspace – RSTP daemon
● Goal– Kernel – 802.1d/802.1s– Userspace – SPB or TRILL?
StatusStatus
● VXLAN – 3.7● Security – 3.8?● STP update – 3.9??
Bridge vs OpenvswitchBridge vs Openvswitch
Ethernet Bridge– Plug and Play– Firewall rules– Integrated
Openvswitch– Table driven– Flexible– Management agent
Thank youThank you