Please use this identifier to cite or link to this item:
http://hdl.handle.net/2031/3727
|
| Title: | Build securer STP network by network partitioning |
| Authors: | Yan, Fan |
| Department: | Department of Electronic Engineering |
| Issue Date: | 2006 |
| Supervisor: | Supervisor: Dr. Yeung, Alan K H. Assessor: Dr. Wong, Eric W M |
| Abstract: | The Spanning Tree Protocol (STP) running in switches is a common solution for building a
loop-free topology in a Layer 2 network. However, STP has dangerous pitfalls, such as the
lack of authentication in BPDUs, slow convergence, and a root role that is not fully
monitored. Current solutions, mainly contributed by Cisco, such as Root Guard and BPDU
Guard, fix the location of the root but destroy the flexibility of STP. This project
proposes network partitioning as the answer to building a more secure STP network. The
main purpose of network partitioning is to maintain a stable and robust topology in the
network infrastructure region while hiding the real STP information in this region from
the rest of the network. To achieve this goal with minimal changes to other network
devices, the NI-switch is designed as a boundary switch that separates the network. On
the one hand, these boundary switches participate in the normal STP operations of both
tiers of the network. On the other hand, the modified STP operations inside the boundary
switches partition the STP operations into a network infrastructure region and a
lower-tier network region. The NI-switch is implemented on a Linux-based computer and a
broadband router. Some experiments are conducted to validate the protection that network
partitioning provides against all common STP attacks. |
| Appears in Collections: | Electronic Engineering - Undergraduate Final Year Projects
|