You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
netifd defaults the STP forward_delay lower than the minimum allowed by the protocol, causing the BPDU packets to be ignored by conforming implementations, risking bridge loops.
The relevant limits are set in IEEE 802.1D-1998 section 8.10.2 Table 8-3: the allowable forward_delay range is 4 - 30 seconds. netifd sets the initial default to 2 seconds.
I tested this with several of my Netgear managed switches; they ignore the invalid "2 second" STP packets. Correcting the forward_delay to within limits (4s) results in the router accepting the OpenWRT STP as the root bridge (since it has a lower bridge-id).
netifd should definitely not be defaulting to invalid values (even if it, and the kernel, allow the values to be set).
Here's a patch to fix the default: --- a/bridge.c
+++ b/bridge.c
@@ -875,7 +875,7 @@ bridge_apply_settings(struct bridge_state *bst, struct blob
_attr **tb)
Specifically, the packet is invalid as it fails the Spanning Tree Algorithm in section A.9, step 17c.
NOTE: Since the 1998 version of the standard requires subscribing to IEEE, you can also find the limits in the "free to download" updated 802.1D-2004 standard, section 17.14, Table 17-1 for the RSTP (which has the same forward delay limits as STP).
On the subject of "additional possible fixes".... (only suggestions)
The very low Forward Delay of 4 seconds still results in "non-conforming" behavior by OpenWRT, but at least no longer "breaking" behavior. Section 8.10.2 of 802.1D-1998 states:
A Bridge shall enforce the following relationships:
2 × (Bridge_Forward_Delay – 1.0 seconds) >= Bridge_Max_Age
... so even if the default Forward Delay is increased to 4 seconds, the default Max Age should also also be reduced to 6 seconds (kernel currently defaults to 20 seconds).
Also the minimum value for Forward Delay of 4 seconds is calculated (in section B.4.5) based on a Hello Time of 1 second, so that value should also be set (kernel currently defaults to 2 seconds).
Neither of these updates are critical (they work at their current defaults), but would just create "sensible" timers for STP.
The text was updated successfully, but these errors were encountered:
sshambar:
netifd defaults the STP forward_delay lower than the minimum allowed by the protocol, causing the BPDU packets to be ignored by conforming implementations, risking bridge loops.
The relevant limits are set in IEEE 802.1D-1998 section 8.10.2 Table 8-3: the allowable forward_delay range is 4 - 30 seconds. netifd sets the initial default to 2 seconds.
I tested this with several of my Netgear managed switches; they ignore the invalid "2 second" STP packets. Correcting the forward_delay to within limits (4s) results in the router accepting the OpenWRT STP as the root bridge (since it has a lower bridge-id).
netifd should definitely not be defaulting to invalid values (even if it, and the kernel, allow the values to be set).
Here's a patch to fix the default:
--- a/bridge.c
+++ b/bridge.c
@@ -875,7 +875,7 @@ bridge_apply_settings(struct bridge_state *bst, struct blob
_attr **tb)
Specifically, the packet is invalid as it fails the Spanning Tree Algorithm in section A.9, step 17c.
NOTE: Since the 1998 version of the standard requires subscribing to IEEE, you can also find the limits in the "free to download" updated 802.1D-2004 standard, section 17.14, Table 17-1 for the RSTP (which has the same forward delay limits as STP).
On the subject of "additional possible fixes".... (only suggestions)
The very low Forward Delay of 4 seconds still results in "non-conforming" behavior by OpenWRT, but at least no longer "breaking" behavior. Section 8.10.2 of 802.1D-1998 states:
A Bridge shall enforce the following relationships:
2 × (Bridge_Forward_Delay – 1.0 seconds) >= Bridge_Max_Age
... so even if the default Forward Delay is increased to 4 seconds, the default Max Age should also also be reduced to 6 seconds (kernel currently defaults to 20 seconds).
Also the minimum value for Forward Delay of 4 seconds is calculated (in section B.4.5) based on a Hello Time of 1 second, so that value should also be set (kernel currently defaults to 2 seconds).
Neither of these updates are critical (they work at their current defaults), but would just create "sensible" timers for STP.
The text was updated successfully, but these errors were encountered: