STP – Spanning Tree Protocol

[Figures: sec-stp-1.png, sec-stp-2.png]

This task checks that the Spanning Tree Protocol (STP) is not exposed on customer ports. A customer-facing port that participates in STP lets a customer inject forged BPDUs: by advertising a superior bridge ID the customer can claim the root bridge role and pull traffic through a path it controls, and by flooding BPDUs or topology change notifications it can force repeated topology recomputation and exhaust switch CPU.

No spanning-tree BPDUs should be sent out on customer ports, and any BPDUs received on them should be silently discarded. Port-level BPDU filtering meets this requirement directly; BPDU guard, which error-disables the port when a BPDU arrives, also prevents the switch from responding, but the resulting port shutdown is visible to the customer rather than silent.

References

The test performed conforms to SAVI section 3.2.3.

Impact

DoS, MITM

Test procedure

  1. Customer listens for BPDU frames on its interface, to confirm that the switch does not originate spanning-tree hellos toward the customer.

  2. Customer sends BPDU frames in each flavour (802.1D STP, RSTP, PVST+, and MSTP) and keeps listening on the interface to see whether the switch responds to or forwards them.

Fail criteria

  • Any spanning-tree BPDU (STP, RSTP, PVST+, or MSTP) arrives at Customer, whether originated by the switch or returned in response to Customer's own injected BPDUs.
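As an added example (not part of this test description and not the product's own code), the following Python hand-builds the four BPDU flavours injected in step 2 of the test procedure and classifies frames read back from the customer interface so the fail criterion can be evaluated offline. All frames are constructed inline; the helper names, the locally administered test MAC, the MST region name and the all-zero MST digest are assumptions. To run it against a real interface, feed the raw bytes from a raw socket or pcap reader into classify_bpdu.

```python
"""Build STP/RSTP/MSTP/PVST+ BPDU frames and classify what a customer port returns.

Constructed example for the STP customer-port test; frames are hand-built, not captures.
"""
import struct

STP_MCAST = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
PVST_MCAST = bytes.fromhex("01000ccccccd")  # Cisco PVST+/RPVST+ destination
CISCO_OUI = bytes.fromhex("00000c")
PVST_SNAP = b"\xaa\xaa\x03" + CISCO_OUI + b"\x01\x0b"   # SNAP header, PID 0x010B (PVST+)
IEEE_LLC = b"\x42\x42\x03"                               # DSAP/SSAP 0x42, UI control

TEST_MAC = bytes.fromhex("02deadbeef01")                 # locally administered MAC (assumption)
BRIDGE_ID = struct.pack("!H6s", 0x8000, TEST_MAC)        # priority 32768 + MAC


def _bpdu_body(version, bpdu_type, flags=0):
    # Common 35-byte body of Configuration / RST / MST BPDUs: protocol id (0), version,
    # type, flags, root id, root path cost, bridge id, port id, message age, max age,
    # hello time, forward delay (timers in units of 1/256 s).
    return struct.pack("!HBBB8sI8sHHHHH", 0, version, bpdu_type, flags, BRIDGE_ID, 0,
                       BRIDGE_ID, 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)


def _ieee_frame(body):
    # 802.3 framing: length field covers LLC header plus BPDU.
    payload = IEEE_LLC + body
    return STP_MCAST + TEST_MAC + struct.pack("!H", len(payload)) + payload


def build_stp():
    return _ieee_frame(_bpdu_body(0, 0x00))            # 802.1D Configuration BPDU


def build_rstp():
    # RST BPDU: version 2, type 2, flags = designated role + learning + forwarding,
    # followed by the one-byte "version 1 length" (always 0).
    return _ieee_frame(_bpdu_body(2, 0x02, flags=0x3c) + b"\x00")


def build_mstp(region="TESTREGION", revision=0):
    # MST BPDU: RST fields, version-3 length, MST configuration ID (format selector,
    # 32-byte name, revision, 16-byte digest) and the CIST fields. The digest is
    # normally HMAC-MD5 over the VID-to-MSTI table; zeros are used here (assumption).
    name = region.encode().ljust(32, b"\x00")
    mst_cfg = b"\x00" + name + struct.pack("!H", revision) + bytes(16)
    cist = struct.pack("!I8sB", 0, BRIDGE_ID, 20)  # internal root cost, CIST bridge id, remaining hops
    v3 = mst_cfg + cist
    return _ieee_frame(_bpdu_body(3, 0x02, flags=0x3c) + b"\x00" + struct.pack("!H", len(v3)) + v3)


def build_pvst(vlan=100):
    # PVST+: 802.1Q tag, Cisco multicast, SNAP encapsulation, trailing originating-VLAN TLV.
    tlv = struct.pack("!HHH", 0x0000, 2, vlan)
    payload = PVST_SNAP + _bpdu_body(0, 0x00) + tlv
    return (PVST_MCAST + TEST_MAC + struct.pack("!HH", 0x8100, vlan)
            + struct.pack("!H", len(payload)) + payload)


def classify_bpdu(frame):
    """Return 'STP', 'RSTP', 'MSTP', 'PVST+' or 'RPVST+' for a raw Ethernet frame, else None."""
    if len(frame) < 14:
        return None
    dst, off = frame[:6], 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == 0x8100:                     # strip a single 802.1Q tag
        off += 4
        if len(frame) < off + 2:
            return None
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype > 0x05DC:                      # Ethernet II: BPDUs are always 802.3/LLC
        return None
    off += 2
    if dst == STP_MCAST and frame[off:off + 3] == IEEE_LLC:
        body, cisco = frame[off + 3:], False
    elif dst == PVST_MCAST and frame[off:off + 8] == PVST_SNAP:
        body, cisco = frame[off + 8:], True
    else:
        return None
    if len(body) < 4:
        return None
    proto, version, bpdu_type = struct.unpack_from("!HBB", body)
    if proto != 0:
        return None
    if cisco:
        return "RPVST+" if version == 2 else "PVST+"
    if bpdu_type == 0x80:                       # Topology Change Notification, always version 0
        return "STP"
    return {0: "STP", 2: "RSTP", 3: "MSTP"}.get(version)


def evaluate_customer_port(received):
    """Fail criterion: any BPDU observed on the customer interface. Returns (index, kind) hits."""
    return [(i, kind) for i, kind in ((i, classify_bpdu(f)) for i, f in enumerate(received)) if kind]


# Constructed non-BPDU traffic: broadcast ARP request (Ethernet II, ethertype 0x0806)
ARP_REQUEST = bytes.fromhex("ffffffffffff") + TEST_MAC + b"\x08\x06" + bytes(28)

if __name__ == "__main__":
    injected = [build_stp(), build_rstp(), build_mstp(), build_pvst()]
    leaky = injected + [ARP_REQUEST]      # switch that reflects/forwards the injected BPDUs
    compliant = [ARP_REQUEST]             # switch that filters them: only ordinary traffic seen
    print("leaky    :", evaluate_customer_port(leaky))      # -> four hits, test FAILS
    print("compliant:", evaluate_customer_port(compliant))  # -> [], test PASSES
```

The classifier keys on the destination address and encapsulation rather than on the BPDU version byte alone, because PVST+ carries a version-0 body inside a Cisco SNAP header and would otherwise be misreported as plain 802.1D. Only one VLAN tag is stripped; a QinQ customer port would need one more round of tag handling.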

Parameters

General

  • Customer: A Test Agent interface acting as a customer.

  • ISP: A Test Agent interface acting as a central node on a trusted port.