Security

New Contributor
Posts: 1
Registered: ‎11-25-2016

LLDP Spoofing?


We are looking at rolling out AAA authentication on our network. We use Aruba MAS switches and Aruba APs with Avaya IP phones. I was looking at setting up override conditions on the AAA Profile for the phones and APs to get diverted to a corporate access vlan and skip CPPM role assignment. For the APs I was planning to use a device-group ap profile to override the interface-group AAA profile. Similar to this:


device-group ap
  enable
  switching-profile "AP"

For the phones I was looking at setting a derivation rule on the AAA profile similar to this:


aaa derivation-rules user test
  set vlan condition device-type equals "phone" set-value XXX


My question is how secure is this setup? Can the proprietary LLDP TLVs be spoofed easily so that a hacker PC could mimic a phone or AP and get diverted straight into a corporate access vlan bypassing the rest of the AAA profile role assignment conditions?


Aruba Employee
Posts: 370
Registered: ‎11-04-2011

Re: LLDP Spoofing?

LLDP can be easily spoofed (as can CDP). Tools to do so, like VoipHopper (CDP) and LLDP Generator (LLDP), are publicly available.


Example with LLDP Generator:

./tool.py -p lldp -tlv sys-name "FakePhone" -tlv sys-desc "See, I can spoof LLDP" -tlv chid -ipv4 "123.45.67.89"

Will show on your switch like:

HPE-Aruba-Lab3810# show lldp info remote-device 4

 LLDP Remote Device Information Detail

  Local Port   : 4
  ChassisType  : network-address
  ChassisId    : 123.45.67.89
  PortType     : mac-address            PortId       : 30 85 a9 aa aa aa      SysName      : FakePhone
  System Descr : See, I can spoof LLDP  PortDescr    :                        Pvid         :
  System Capabilities Supported  :
  System Capabilities Enabled    :
  Remote Management Address

I did not take the time to spoof the system capabilities, but that should not be that hard to fake your Avaya Phone. So it is okay to use LLDP as a convenience feature, probably not to use it as a security feature as there is no protection whatsoever in the protocol.


The more secure solution would be to really authenticate the phone with 802.1X; the required security level depends on what is acceptable in your environment and was the outcome of the security assessment.


--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
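Added example, not part of this thread and not Aruba or Avaya code: a small LLDP decoder plus an audit function that shows, from the defender's side, what a switch or a port-monitoring script actually has to go on when a derivation rule such as `device-type equals "phone"` fires. It decodes the chassis ID, system name/description and system capabilities TLVs from a captured LLDP frame and reports the inconsistencies a lazily spoofed neighbour (like the one shown above: chassis type network-address, no capabilities) exhibits. The two frames are constructed sample data; the phone OUI allow-list is a placeholder (`02:1a:2b`, a locally administered address, not a real vendor) that you would replace with your own phone fleet's OUIs. The audit only catches sloppy spoofs; every field it checks can be forged, which is exactly why the reply above points at 802.1X as the real control.

```python
import struct

ETH_P_LLDP = b"\x88\xcc"
# TLV types from IEEE 802.1AB
TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL, TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC, TLV_SYS_CAP = range(8)
CHASSIS_SUBTYPE_MAC = 4          # chassis ID is a MAC address
CHASSIS_SUBTYPE_NET_ADDR = 5     # chassis ID is a network (e.g. IPv4) address
CAP_TELEPHONE = 0x20             # "Telephone" bit in the system capabilities TLV

# Placeholder allow-list of phone MAC OUIs (assumption; use your fleet's real OUIs).
PHONE_OUIS = {"02:1a:2b"}

# Constructed sample 1: a neighbour that looks like a well-behaved phone.
PHONE_FRAME = bytes.fromhex(
    "0180c200000e" "021a2b000001" "88cc"        # dst (LLDP multicast), src, ethertype
    "0207" "04" "021a2b000001"                  # chassis ID TLV, subtype 4 (MAC)
    "0407" "03" "021a2b000001"                  # port ID TLV, subtype 3 (MAC)
    "0602" "0078"                               # TTL TLV, 120 s
    "0a07" "70686f6e652d31"                     # system name "phone-1"
    "0e04" "0024" "0020"                        # capabilities: supported bridge+telephone, enabled telephone
    "0000"                                      # end of LLDPDU
)

# Constructed sample 2: what the spoofed neighbour from the thread looks like on the wire
# (chassis ID as IPv4 123.45.67.89, sys-name "FakePhone", no capabilities TLV at all).
SPOOFED_FRAME = bytes.fromhex(
    "0180c200000e" "3085a9aaaaaa" "88cc"
    "0206" "05" "01" "7b2d4359"                 # chassis ID TLV, subtype 5, IANA family 1 (IPv4)
    "0407" "03" "3085a9aaaaaa"                  # port ID TLV (MAC)
    "0602" "0078"
    "0a09" "46616b6550686f6e65"                 # system name "FakePhone"
    "0c15" "5365652c20492063616e2073706f6f66204c4c4450"  # system description
    "0000"
)


def parse_tlvs(lldpdu):
    """Return a list of (type, value) tuples from an LLDPDU; stops at the End TLV."""
    tlvs, off = [], 0
    while off + 2 <= len(lldpdu):
        hdr = struct.unpack_from("!H", lldpdu, off)[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF       # 7-bit type, 9-bit length
        off += 2
        value = lldpdu[off:off + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV")
        off += tlen
        if ttype == TLV_END:
            break
        tlvs.append((ttype, value))
    return tlvs


def decode_frame(frame):
    """Decode an Ethernet frame carrying LLDP into the fields a derivation rule would see."""
    if len(frame) < 14 or frame[12:14] != ETH_P_LLDP:
        raise ValueError("not an LLDP frame")
    info = {"src_mac": frame[6:12].hex(":"), "chassis_subtype": None, "chassis_id": b"",
            "sys_name": "", "sys_desc": "", "caps_supported": 0, "caps_enabled": 0}
    for ttype, value in parse_tlvs(frame[14:]):
        if ttype == TLV_CHASSIS and value:
            info["chassis_subtype"], info["chassis_id"] = value[0], value[1:]
        elif ttype == TLV_SYS_NAME:
            info["sys_name"] = value.decode("utf-8", "replace")
        elif ttype == TLV_SYS_DESC:
            info["sys_desc"] = value.decode("utf-8", "replace")
        elif ttype == TLV_SYS_CAP and len(value) == 4:
            info["caps_supported"], info["caps_enabled"] = struct.unpack("!HH", value)
    return info


def audit_neighbor(info, phone_ouis=PHONE_OUIS):
    """List reasons this neighbour should not be treated as a phone on LLDP evidence alone.

    An empty list means the frame is *consistent* with a phone, not that it *is* one:
    every field here is unauthenticated and trivially forged. Use it for logging/alerting
    on derivation-rule hits, and rely on 802.1X for the actual access decision.
    """
    findings = []
    if not info["caps_enabled"] & CAP_TELEPHONE:
        findings.append("no Telephone capability enabled")
    if info["chassis_subtype"] != CHASSIS_SUBTYPE_MAC:
        findings.append("chassis ID is not a MAC address")
    elif info["chassis_id"].hex(":") != info["src_mac"]:
        findings.append("chassis ID MAC differs from frame source MAC")
    oui = info["src_mac"][:8]
    if oui not in phone_ouis:
        findings.append(f"source OUI {oui} not in phone allow-list")
    return findings


if __name__ == "__main__":
    for label, frame in (("phone-1", PHONE_FRAME), ("FakePhone", SPOOFED_FRAME)):
        info = decode_frame(frame)
        print(label, info["sys_name"], audit_neighbor(info) or ["consistent with a phone"])
```

Feed `decode_frame` the raw bytes of frames captured on an access port (for example from a pcap taken on a SPAN session) and log `audit_neighbor` output whenever a phone or AP derivation rule diverts a port into the corporate VLAN; the spoofed sample produces three findings, the well-formed one none, and a careful attacker can make both look identical, which is the point the reply above makes.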