In computer networks set up by a spanning tree protocol (STP), it is important to protect the network configuration which has been set up during a bootstrapping phase from malicious attackers. In case that such a malicious attacker interrupts a link between two neighboring bridges, e.g. by unplugging/cutting the cable or jamming the radio link, some or even all of the terminals (in case there is a redundant path) may be able to continue communicating. However, when an attacker injects forged STP messages, typically bridge protocol data units (BPDUs), the communication throughout the entire bridged network may be blocked by causing a reconfiguration of the spanning tree.
Thus, an attacker with access to a single link may not only interfere with the datagram transmission on that particular link, e.g., jamming the link, but may also impact the performance of the entire network. Similar effects may be produced when an attacker transmits forged BPDUs with the same root ID as the actual root, but with significantly lower root path costs, thus causing a major reconfiguration of the spanning tree as well.
In US 2006/0092862 A1, a process known as “STP root guard” is described which allows keeping the location of the root bridge in a core network by preventing bridge ports of bridges which are connected to external networks from being selected as root ports. However, such a process cannot prevent attacks on links of the core network itself.
In theory, it would also be possible to cryptographically sign all BPDUs such that the receiving bridge could verify the authenticity of the BPDU by checking the cryptographic signature. However, cryptographic protection of BPDUs would require significant configuration/management overhead as well as considerable computational resources in each bridge.