Linux BridgingLinux Bridging

Teaching an Old Dog New TricksTeaching an Old Dog New Tricks

Stephen HemmingerStephen Hemmingershemminger@vyatta.com

TopicsTopics

● Background● Tunneling● Security● Status

Bridge HistoryBridge History

1985 1990

EthernetBridgingInvented

IEEE 802.1d1998

1998

IEEE 802.1d

2000 2004 2005 2012

LinuxBridge

2001

IEEE 802.1d2004

RSTP SPB802.1aq

MSTP802.1s

IGMPSnooping

Bridge ForwardingBridge Forwarding

Destination?

ForwardingTable

Output

Flood

Multicast?

IGMPtable

Disabled

Root Leaf

Spanning Tree ProtocolSpanning Tree Protocol

BPDU

BPDU

Edge

TunnelsTunnels

VXLAN2

GuestA

GuestB

GuestC

GuestD

VXLAN1

Bridge1 Bridge2 Bridge1 Bridge2

Cloud Tunneling ProtocolsCloud Tunneling Protocols

● VxLan– Arista, Broadcom, Cisco, Vmware, Red Hat

● NVGRE– Microsoft, Intel, Dell, Broadcom, Emulex

● STT– Niciria

API flavor'sAPI flavor's

● Ioctl– Compatibility– non-extensible

● Sysfs– Text based

● Netlink– Notifications– TLV format

Hw offloadHw offload

● Common netlink API– Forwarding table– monitoring

SecuritySecurity

● BPDU guard● BPDU filter● Root port protect● Port locking

STP Security IssuesSTP Security Issues

Bridge(core)

Bridge(edge)

GuestVM

Bridge(core)

BPDU

Core Bridge

UntrustedHost

BPDU blockedNot sent or received

BPDU FilterBPDU Filter

BPDU

Core Bridge

UntrustedHost/Bridge

BPDU

Rogue BPDU!

Link disabled

BPDU GuardBPDU Guard

BPDU

Core Bridge

Semi-trustedHost/Bridge

BPDU

BPDUAllowed if

Priority < Root

Root Port ProtectRoot Port Protect

Core Bridge

UntrustedGuest

Source AddressMust match

Port lockPort lock

Spanning TreeSpanning Tree

● Current– Kernel – 802.1d 1998– Userspace – RSTP daemon

● Goal– Kernel – 802.1d/802.1s– Userspace – SPB or TRILL?

StatusStatus

● VXLAN – 3.7● Security – 3.8?● STP update – 3.9??

Bridge vs OpenvswitchBridge vs Openvswitch

Ethernet Bridge– Plug and Play– Firewall rules– Integrated

Openvswitch– Table driven– Flexible– Management agent

Thank youThank you