Layer 2 Network Security
Outline
- How Layer 2 Switches Work?
- Virtual LAN Security: IEEE 802.1Q (Virtual Bridged LANs), VLAN hopping
- Spanning Tree Security: IEEE 802.1D (Spanning Tree Algorithm), STP manipulation
- CAM table overflow, MAC address spoofing, DHCP starvation
How Layer 2 Switches Work?
A Layer 2 switch uses a store-and-forward scheme to forward or filter each incoming frame:
- MAC address learning (the filtering database): the source MAC of every received frame is recorded together with the port it arrived on.
- MAC address lookup engine: if the destination MAC is found in the filtering database with port x, the frame is forwarded to port x only; otherwise it is flooded to all other ports.
- All multicast and broadcast frames are flooded to all ports.
Ethernet switch architecture: a switching fabric built from ASICs lets every pair of ports transmit simultaneously; wire-speed design (Gbps, 10 Gbps, 100 Gbps, ...); plug-and-play.
Are L2 switches secure?
Figure: typical architecture of an Ethernet switch ASIC (24+4 ports).
Figure: typical architecture of an Ethernet switch ASIC (8 Gigabit Ethernet ports).
Security Issues for L2 Switches
- VLAN hopping attack
- STP manipulation attack
- CAM table overflow attack
- MAC address spoofing attack
- DHCP starvation attack

Virtual Bridged LANs (IEEE 802.1Q)
Figure: VLAN topology. Hosts (H) in VLANs A, B and C are attached over access links, a hybrid link and a trunk link; an 802.1D bridged LAN (BLAN) of plain bridges (B) hangs off one access link, and the spanning tree group in VLAN A is marked.
Overview of Virtual LANs (scope of IEEE 802.1Q)
- Virtual LAN services in bridged LANs.
- The forwarding process required to support VLAN bridged LANs (VBLANs).
- The filtering database needed to support VBLANs.
- The protocols and procedures required to provide VLAN services and to distribute VLAN membership information.
- The management services and operations required to configure and administer VBLANs.
VLAN Aims and Benefits
- Easy administration of logical groups of stations, including moves, adds and changes of group members.
- Traffic between VLANs is isolated at Layer 2 (it can only cross through a router, where policy can be enforced), and the propagation of multicast and broadcast traffic is limited to the VLAN it originates in.
- Supported over shared and point-to-point media.
- Each VLAN is uniquely identified by a VLAN ID (VID).
- Compatibility with existing bridges/switches and stations is maintained; in the absence of any VLAN configuration, bridges keep working plug-and-play.
VLAN Architecture Overview
Based on a three-level model:
- Configuration (held in MIBs).
- Distribution/Resolution (declaration protocols, request/response protocols).
- Relay (ingress rules, forwarding rules, egress rules).

Configuration
The VLAN configuration is specified first: the assignment of VLAN membership to ports and stations.
Virtual LAN Technologies
- Port-based VLAN
- MAC-based VLAN
- IP-subnet-based VLAN
- Layer-3-protocol-based VLAN
Figure: Port-based Virtual LANs. Bridge/Switch 1, 2 and 3 each have ports 1 to 12; VLAN 1, VLAN 2 and VLAN 3 are defined by which switch ports belong to them.
Figure: MAC-based Virtual LANs. Stations 1 to 16 across Bridge/Switch 1, 2 and 3 are assigned to VLAN 1 to VLAN 4 by MAC address.
Figure: MAC-based Virtual LANs, station MAC5 moves. After MAC5 moves to another switch port it remains in its VLAN, since membership follows the MAC address rather than the port.
Figure: IP-subnet-based Virtual LANs. VLAN 1 = IP subnet 140.114.76.xx, VLAN 2 = IP subnet 140.114.77.xx, VLAN 3 = IP subnet 140.114.78.xx; stations 1 to 16 across the three bridges/switches are classified by their IP subnet.
Figure: Layer-3-protocol-based Virtual LANs. VLAN 1 carries the IPX stations and VLAN 2 the IP stations across Bridge/Switch 1, 2 and 3.
Distribution
Distribute the information bridges need to determine on which VLAN a given frame should be forwarded. Various possibilities exist:
- Declaration protocols for distributing VLAN associations, such as GARP (GVRP) to distribute membership information among bridges.
- Request/response protocols to request a specific VLAN association, e.g. via SNMP.
Relay
- Mapping received frames to VLANs is determined by a set of ingress rules.
- Where received frames should be forwarded is determined by a set of forwarding rules.
- Mapping frames to output ports and to an output format (tagged or untagged) is determined by a set of egress rules.
- A VLAN frame format carries the VLAN ID (VID).
- Procedures tag frames, modify tagged frames and untag frames.
Relay (port-based)
The port-based approach specifies ingress, forwarding and egress rules based on VLAN membership, which allow bridges to:
- Classify every received untagged frame as belonging to a particular VLAN, the port's PVID (Port VID).
- Recognize the VID carried by received tagged frames.
- Use this VID for forwarding and filtering decisions.
- Transmit frames in tagged or untagged format, as defined for a given port/VLAN pairing.
Frame Tagging
- Implicit tagging: a frame is classified into a particular VLAN based on its data content (MAC address, Layer 3 protocol ID, etc.) and/or the receiving port; nothing is added to the frame.
- Explicit tagging: the frame carries an explicit identification (tag) of the VLAN to which it belongs.
Figure: tagged frame layout: DA | SA | Tag (VLAN ID) | PT | Data (N bytes, 46 <= N <= 1496) | FCS. The 4-byte tag is inserted between the source address and the type field, so either the frame length grows by 4 bytes or the maximum data field shrinks from 1500 to 1496 bytes.
Ingress Rules / Egress Rules
Each received frame is classified as belonging to exactly one VLAN by associating a VID with it:
- Explicit tagging: the VID value the frame carries.
- Implicit tagging: the PVID associated with the port on which the frame was received.
On egress, a frame is filtered if the outgoing port is not present in the member set of its VLAN.
Port-Based VLAN Definitions
- VLAN-aware devices understand VLAN membership and the VLAN frame format; VLAN-unaware devices do not.
- An Access Link is a LAN segment used to multiplex one or more VLAN-unaware devices into a port of a VLAN bridge. All frames on an access link are implicitly tagged; no VLAN-tagged frames appear on an access link. Access links are viewed as being at the edge of the network and can be attached to other 802.1D-conformant bridges (a BLAN).
Definitions (continued)
- A Trunk Link is a LAN segment used to multiplex VLANs between VLAN bridges. All devices connected to a trunk link must be VLAN-aware, and all frames on a trunk link (including end-station frames) are explicitly tagged with a VLAN ID.
- A Hybrid Link is a LAN segment that has both VLAN-aware and VLAN-unaware devices. It can carry a mix of tagged and untagged frames, but they must belong to different VLANs.
Rules for Tagging Frames
- For each VLAN, all frames traversing a particular hybrid link must be tagged the same way: either all implicitly tagged or all carrying the same explicit tag.
- A hybrid link can carry a mix of implicitly and explicitly tagged frames, but they must belong to different VLANs.
- In the topology figure, all frames for VLANs A and B are explicitly tagged on the hybrid link, all frames for VLAN C on the hybrid link are implicitly tagged, and on the trunk link all frames are tagged.
Spanning Tree
- Eliminates loops in a bridged LAN and improves scalability in a large network.
- The spanning tree formed in a virtual LAN environment need not be identical to the topology of the VLAN(s): each VLAN may be overlaid on different segments or be entirely separate from the others.
- All VLANs are aligned along the spanning tree from which they are formed; a VLAN is defined by a subset of the spanning tree.
- The topology of a VLAN is dynamic.
Bridge Operation
A bridge filters frames to ensure that traffic destined for a given VLAN is forwarded only on segments (ports) that form a path to members of that VLAN. For each VLAN the bridge needs to keep:
- the member set (port IDs), and
- the untagged set (port IDs).
Address Learning
Two learning modes exist: Shared VLAN Learning (SVL), where all VLANs share one filtering database, and Independent VLAN Learning (IVL), where each VLAN (or group of VLANs) has its own filtering database, selected by a filtering identifier (FID). In most cases SVL and IVL produce the same result, but in some special cases (shown in the following examples) the learning mode of the bridge must be specified.
IVL Example 1: Multiple Independent VLANs
- A server (bridge-router, or "connector") connects multiple independent VLANs.
- The connector and the stations are VLAN-unaware (untagged frames).
- The connector does not run the spanning tree algorithm.
- Traffic between VLAN Red (station A) and VLAN Blue (station B) should be delivered via the connector (firewalled).
- The filtering databases must be independent. Otherwise MAC A (B) is learned alternately from ports 1 and 4 (2 and 3), and frames from A (B) to B (A) are delivered on the wrong path.
Figure: IVL Example 1. Station A attaches to port 1 (PVID Red) and station B to port 2 (PVID Blue) of the VLAN bridge; the bridge-router's ports X and Y attach to bridge ports 3 (PVID Red) and 4 (PVID Blue), and the bridge-router learns A on X and B on Y. Member set and untagged set: Red = ports 1, 3; Blue = ports 2, 4. With IVL the Red filtering database learns A on port 1 and B on port 3, and the Blue database learns A on port 4 and B on port 2, giving correct paths for A->B and B->A through the bridge-router. With SVL the single shared database ends up with A on port 4 and B on port 3, so the path for B->A is incorrect.
IVL Example 2: Multiple Independent VLANs
- A server (bridge-router, or connector) connects multiple independent VLANs.
- The server is VLAN-aware (it tags its frames) and the stations are VLAN-unaware.
- VLAN Red: A <--> server; VLAN Blue: B <--> server.
- The filtering databases must be independent. Otherwise MAC A (B) is learned alternately from different ports, and frames from the server tagged Blue or Red may be filtered.
Figure: IVL Example 2. Station A on port 1 (PVID Red), station B on port 2 (PVID Blue), VLAN-aware bridge-router on port 3 (PVID Discard). Member set: Red = ports 1, 3; Blue = ports 2, 3. Untagged set: Red = port 1; Blue = port 2. With IVL the Red database holds A on port 1 and B on port 3, and the Blue database holds A on port 3 and B on port 2. With SVL the shared database sees A alternately on ports 1 and 3 and B alternately on ports 2 and 3.
IVL Example 3: Duplicate MAC Addresses
- Stations A and B use the same MAC address X.
- The server is VLAN-aware (it tags its frames) and the stations are VLAN-unaware.
- VLAN Red: A <--> server; VLAN Blue: B <--> server.
- The filtering databases must be independent. Otherwise MAC X is learned alternately from different ports, and frames from the server tagged Blue (Red) may be forwarded to the wrong destination A (B).
Figure: IVL Example 3. Station A on port 1 (PVID Red) and station B on port 2 (PVID Blue) both use MAC X; the VLAN-aware server is on port 3 (PVID Discard). Member set: Red = ports 1, 3; Blue = ports 2, 3. Untagged set: Red = port 1; Blue = port 2. With IVL the Red database holds X on port 1 and the Blue database holds X on port 2. With SVL the single entry for X alternates between ports 1 and 2, so the path server->A is incorrect.
Asymmetric VLAN
- Typically two stations A and B in the same VLAN use the same VID to communicate.
- In an asymmetric VLAN, A->B and B->A use different VIDs.
- The server and the stations are all VLAN-unaware (untagged frames).
- For security reasons A->S and S->B are allowed, but not A<->B.
- VLAN Purple: server --> A or B; VLAN Red: A --> server; VLAN Blue: B --> server.
- If the filtering databases of VLANs Red and Purple are independent, a frame from the server to A is forwarded to both A and B: A was learned in VLAN Red and is unknown in VLAN Purple, so the frame is flooded in VLAN Purple.
- SVL is therefore required for asymmetric VLANs.
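The following is an added example (not code from the slides) that models the ingress, forwarding and egress rules described above together with the IVL/SVL choice, and replays IVL Example 3 (duplicate MACs) and the asymmetric VLAN case. Port numbers, VLAN names and MAC addresses are constructed to match the slides; the FID is taken to be the VID itself, and the 802.1Q "ingress filtering" switch is modelled so the asymmetric case can turn it off.

```python
"""Minimal IEEE 802.1Q bridge relay model: ingress classification by PVID,
member and untagged sets, and a filtering database that is either shared
(SVL, keyed by MAC only) or independent per VLAN (IVL, keyed by (VID, MAC)).

Added example, not code from the slides. Port numbers, VLAN names and MAC
addresses are constructed to mirror the deck's IVL example 3 (duplicate MACs)
and its asymmetric VLAN example; the FID is taken to be the VID itself.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DISCARD = None  # PVID "Discard": untagged frames arriving on the port are dropped


@dataclass
class Bridge:
    pvid: dict[int, str | None]        # port -> PVID (None = Discard)
    member: dict[str, set[int]]        # VLAN -> member set (ports)
    untag: dict[str, set[int]]         # VLAN -> untagged set (ports)
    mode: str = "IVL"                  # "IVL" or "SVL"
    ingress_filter: bool = True        # 802.1Q "enable ingress filtering"
    fdb: dict = field(default_factory=dict)

    def _key(self, vid: str, mac: str):
        # IVL: one filtering database per VLAN; SVL: one database shared by all
        return (vid, mac) if self.mode == "IVL" else mac

    def relay(self, in_port: int, smac: str, dmac: str, vid: str | None = None):
        """Relay one frame; vid=None means it arrived untagged (implicit tag).
        Returns {out_port: VID on the wire, or None when sent untagged}."""
        # Ingress rules: untagged frames take the PVID, tagged frames keep their VID
        if vid is None:
            vid = self.pvid[in_port]
            if vid is DISCARD:
                return {}
        if self.ingress_filter and in_port not in self.member[vid]:
            return {}
        # Learning: record (FID, SMAC) -> receiving port
        self.fdb[self._key(vid, smac)] = in_port
        # Forwarding rules: known DMAC -> its port; unknown -> flood the member set
        out = self.fdb.get(self._key(vid, dmac))
        targets = {out} if out is not None else set(self.member[vid])
        targets.discard(in_port)          # never back out of the receiving port
        # Egress rules: drop on ports outside the member set, untag where configured
        targets &= self.member[vid]
        return {p: (None if p in self.untag[vid] else vid) for p in sorted(targets)}


def duplicate_mac_example(mode: str) -> dict:
    """Deck's IVL example 3: A (port 1, PVID Red) and B (port 2, PVID Blue) both
    use MAC X; the VLAN-aware server on port 3 (PVID Discard) tags its frames.
    Returns where a server->X frame tagged Red is delivered after A and B have
    each sent the server one frame."""
    b = Bridge(pvid={1: "Red", 2: "Blue", 3: DISCARD},
               member={"Red": {1, 3}, "Blue": {2, 3}},
               untag={"Red": {1}, "Blue": {2}},
               mode=mode)
    b.relay(1, "X", "S")                     # A -> server, learned under Red
    b.relay(2, "X", "S")                     # B -> server, learned under Blue
    return b.relay(3, "S", "X", vid="Red")   # server -> A


def asymmetric_vlan_example(mode: str) -> dict:
    """Deck's asymmetric VLAN: A (port 1, PVID Red), B (port 2, PVID Blue) and a
    VLAN-unaware server (port 3, PVID Purple). Red and Blue contain only port 3,
    Purple contains ports 1 and 2, so A->S and B->S work but A<->B does not.
    Ingress filtering must be off, or the Red/Blue frames would be dropped.
    Returns where an untagged server->A frame is delivered."""
    b = Bridge(pvid={1: "Red", 2: "Blue", 3: "Purple"},
               member={"Purple": {1, 2}, "Red": {3}, "Blue": {3}},
               untag={"Purple": {1, 2}, "Red": {3}, "Blue": {3}},
               mode=mode, ingress_filter=False)
    b.relay(1, "A", "S")                 # A -> server (VLAN Red)
    b.relay(2, "B", "S")                 # B -> server (VLAN Blue)
    return b.relay(3, "S", "A")          # server -> A (VLAN Purple)


if __name__ == "__main__":
    for mode in ("IVL", "SVL"):
        print(mode, "duplicate MAC, server->A:", duplicate_mac_example(mode))
        print(mode, "asymmetric VLAN, server->A:", asymmetric_vlan_example(mode))
```

With IVL the duplicate-MAC case delivers the server's Red-tagged frame to port 1 only; with SVL the shared entry for X points at port 2, which is outside Red's member set, so the egress rule drops the frame (a bridge without that member-set check would hand it to B instead). The asymmetric case is the mirror image: SVL reaches A alone, IVL floods the Purple VLAN to both A and B.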
Figure: Asymmetric VLAN. A on port 1 (PVID Red), B on port 2 (PVID Blue), VLAN-unaware server on port 3 (PVID Purple). Member set and untagged set: Purple = ports 1, 2; Red = port 3; Blue = port 3. With SVL the shared database holds A on port 1, B on port 2 and S on port 3, so the server reaches A or B individually. With IVL the Purple database holds only S on port 3 (A is in the Red database and B in the Blue database), so a server frame to A is flooded to both A and B.
The Filtering Database
- Static filtering entry
- Static VLAN registration entry
- Dynamic filtering entry
- Dynamic VLAN registration entry
Static Filtering Entry: (MAC address, VLAN ID, port map, control element)
  MACa  VLAN 2  port map
  MACb  VLAN 3  port map
  MACc  VLAN 3  port map
  MACd  VLAN 2  port map
  MACe  VLAN 4  port map
The MAC address may be an individual MAC, a group MAC, "all group MACs" or "all unregistered group MACs"; the control element for each port is Forward, Filter, or "according to the dynamic filtering database".

Static VLAN Registration Entry: (VLAN ID, port map, control element), one entry each for VLAN IDs 2, 3, 4, 5 and 6.
The control element is the GVRP registrar administrative control for each port (Registration Fixed, Forbidden or Normal) plus whether the port transmits the VLAN tagged or untagged.

Dynamic Filtering Entry (built by the learning process): (individual MAC address, FID, port, ageing time)
  MAC   FID  Port  Time (s)
  MACa  2    ...   200
  MACa  3    ...   120
  MACb  3    ...   100
  MACb  2    ...   250
  MACc  4    ...   60
With independent learning the same MAC (MACa, MACb) may be learned under different FIDs, each with its own port and timer.

Dynamic VLAN Registration Entry: (VLAN ID, port map), one entry each for VLAN IDs 2, 3, 4, 5 and 6; the control element records whether the VID is registered on each port.
VLAN Tag Structure
- Tag Protocol Identifier (TPID): Ethernet-encoded (2 bytes, value 81-00) or SNAP-encoded (8 bytes).
- Tag Control Information (TCI), 2 bytes: User Priority (3 bits, values 0-7), Canonical Format Indicator (CFI, 1 bit), VLAN Identifier (VID, 12 bits).

Tag format (Ethernet-encoded): TPID 81-00 (2 bytes) | TCI (2 bytes) | LEN (2 bytes) | RIF (2-30 bytes).
The RIF (routing information field) consists of a 2-byte route control part, RC, followed by 0-28 bytes of route descriptors. RC bits: RT (routing type, 3 bits; transparent bridges or source-routing bridges), LTH (length, 5 bits; 2 when there are no route descriptors), D (direction, 1 bit), LF (largest frame, 6 bits; <= 1470 bytes), NCFI (non-canonical format indicator, 1 bit).

Tag format (SNAP-encoded): SNAP header AA-AA-03 (3 bytes) | SNAP PID 00-00-00 (3 bytes) | tag type 81-00 (2 bytes) | TCI (2 bytes).
VLAN Hopping Attack
A VLAN hopping attack tries to receive frames from, or access resources in, a VLAN the attacker is not a member of. Two kinds of attack:
- switch spoofing attack
- double tagging attack
VLAN Switch Spoofing Attack
- When switches enable the VLAN function, a link between the switches is needed for each VLAN whose frames must cross between them. In the example there are two VLANs, VID 20 and VID 30, and two links are established between the switches.
- A trunk link is instead designed to carry multiple VLANs: all frames of all VLANs are forwarded over the one trunk link, each tagged with its VID.
- Cisco switches can automatically run the Dynamic Trunking Protocol (DTP) to negotiate a trunk link with another Cisco switch.
- The attacker uses a host that speaks DTP to negotiate a trunk link with the switch; the attacker's port then becomes a trunk carrying every VLAN, so the attacker receives (and can send) frames of all VLANs on that trunk.
- The attack only works on a port left in a DTP-negotiating mode; a port statically configured as an access port with DTP negotiation disabled will not form a trunk.
Figure: switch spoofing attack.
VLAN Double Tagging Attack
- Frames between different VLANs are isolated and must be forwarded via a router.
- The network manager can set rules or policy in the router so that some resources can only be accessed from some VLANs.
- The attacker sends frames carrying two VLAN tags. The first switch examines only the outer tag (the attacker's own VLAN), strips it, and forwards the frame over the trunk; the second switch then sees the inner tag and delivers the frame into that VLAN. The frame never passes through the router, so the router's policy is bypassed.
- Most switches act on only one VLAN tag, the outermost one.
Double Tagging Attack (example)
- The attacker (in VLAN 20) sends a frame with two tags: the first (outer) VLAN ID = 20, the second (inner) VLAN ID = 30.
- The first switch removes the outer tag and forwards the frame onto the trunk link with only the second tag (VID = 30) remaining. This happens because the attacker's VLAN 20 is the native VLAN of the trunk: frames of the native VLAN are sent untagged on the trunk, so stripping the outer tag exposes the inner one.
- The second switch forwards the frame into VLAN 30 according to the VLAN ID it now carries.
- A frame sent from VLAN 20 is thus delivered into VLAN 30. The attack is one-way (replies from VLAN 30 cannot return to the attacker the same way) and depends on the attacker's access VLAN being the trunk's native VLAN.
Figure: VLAN double tagging.
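The following is an added example (not code from the slides) that builds and parses 802.1Q-tagged frames in the Ethernet-encoded tag format described earlier, then pushes a double-tagged frame through the two trunk hops of the attack above. MAC addresses, VIDs, the payload and the native VLAN are constructed; the trunk behaviour modelled (native-VLAN frames go out untagged, a tagged frame belongs to its outer VID) is the standard behaviour the attack relies on, and the first switch is assumed to accept the attacker's tagged frame on its access port.

```python
"""Build and parse Ethernet frames with IEEE 802.1Q tags, then push a
double-tagged frame through the two trunk hops of the attack above.

Added example, not code from the slides. MAC addresses, VIDs and the
native VLAN are constructed; the trunk behaviour modelled here (frames of
the native VLAN are sent untagged, a tagged frame belongs to its outer
VID) is the standard behaviour the attack relies on.
"""
import struct

TPID_8021Q = 0x8100      # Ethernet-encoded TPID (81-00)
ETH_P_IP = 0x0800


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, vids, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Ethernet II frame with zero or more 802.1Q tags, outermost first.
    Each tag is TPID (2 bytes) + TCI (2 bytes): PCP (3 bits) | CFI (1) | VID (12)."""
    frame = mac(dst) + mac(src)
    for vid in vids:
        tci = (pcp << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, [vid, ...] outermost first, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def trunk_egress(frame: bytes, vid: int, native_vid: int) -> bytes:
    """Send a frame classified in `vid` onto a trunk: the native VLAN goes
    untagged, so its outer tag is removed; every other VLAN stays tagged."""
    vids = parse_frame(frame)[2]
    if vid == native_vid and vids and vids[0] == vid:
        return strip_outer_tag(frame)
    return frame


def trunk_ingress(frame: bytes, native_vid: int) -> int:
    """Receive on a trunk: a tagged frame belongs to its outer VID, an
    untagged frame to the native VLAN."""
    vids = parse_frame(frame)[2]
    return vids[0] if vids else native_vid


def double_tag_hop(attacker_vid: int, target_vid: int, native_vid: int) -> int:
    """Attacker in attacker_vid sends a [attacker_vid, target_vid] frame; the
    first switch classifies it on the outer tag and puts it on a trunk whose
    native VLAN is native_vid. Returns the VLAN the second switch delivers into."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                        [attacker_vid, target_vid], ETH_P_IP, b"constructed payload")
    vid_at_switch1 = parse_frame(frame)[2][0]      # switch 1 only looks at the outer tag
    on_trunk = trunk_egress(frame, vid_at_switch1, native_vid)
    return trunk_ingress(on_trunk, native_vid)


if __name__ == "__main__":
    print("native VLAN 20:", double_tag_hop(20, 30, native_vid=20))  # lands in VLAN 30
    print("native VLAN 1: ", double_tag_hop(20, 30, native_vid=1))   # stays in VLAN 20
```

The second call is the check a practitioner wants: when the trunk's native VLAN is not the attacker's VLAN, the outer tag survives the first hop and the second switch keeps the frame in VLAN 20, which is why moving the native VLAN to an unused VID defeats the attack.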
Bridges and Spanning Tree Algorithm (IEEE 802.1D)

Functions of a Bridge
A MAC-layer device which relays frames among physically separated LANs and makes the physical LANs appear as one logical LAN to the end stations.
Figure: IEEE 802.3 frame: Preamble (7) | SFD (1) | DA (6) | SA (6) | LEN (2) | LLC | PAD | FCS (4) bytes.
Functions of a Bridge (continued)
Basic functions:
- frame forwarding
- learning and filtering
- resolving possible loops in the topology
Additional functions:
- congestion control (enough buffer)
- static filtering (security)
- translation (multi-bridge)
- routing (multi-bridge)
- segmentation
Figure: a simple bridge example. One bridge joins LAN A and LAN B; stations 1 to 7 are attached to the two LANs.
Design Considerations
- No modifications to the content or format of the frames.
- Enough buffer space to meet peak demands.
- Addressing and routing intelligence.
- A bridge may connect more than two networks.
Why bridged LANs (BLAN)? Reliability, performance, security and geography.
Bridge Routing
- Bridges must be equipped with a routing (path selection) capability.
- The routing decision is not always simple, e.g. when the topology contains loops.
- Topology changes have to be considered.
- A bridge learns the addresses of the stations from the frames it receives and keeps them in its filtering database.
Figure: BLAN example (without loop). Bridge 1 (ID=10), Bridge 2 (ID=20), Bridge 3 (ID=30) and Bridge 4 (ID=40) interconnect LANs 1 to 6, with stations A to F attached; each bridge port is numbered.
Figure: bridged LAN (BLAN) example with loop. Bridges 1 to 7 interconnect LANs 1 to 6 and stations; the redundant bridges create loops in the topology.
Figure: bridge protocol architecture. Station A on LAN 1 and station D on LAN 2 each implement USER, LLC, MAC and PHY; the bridge implements only MAC and PHY on each side. At t1 and t8 the user data is handled above LLC; at t2 and t7 it carries an LLC header (LLC-H); at t3 to t6 the full MAC frame (MAC-H | LLC-H | User Data | MAC-T) crosses LAN 1, the bridge and LAN 2 unchanged.
Spanning Tree Routing
Frame forwarding and filtering:
- use the destination MAC address (DMAC) field of each MAC frame;
- a bridge maintains a filtering database with entries [Address, Port, Time].
Address learning:
- use the source MAC address (SMAC) field of each MAC frame;
- if the address is already in the database, the entry is updated and its timer is reset;
- if the address is not in the database, a new entry is created with its own timer.
Figure: IEEE 802.3 frame: Preamble (7) | SFD (1) | DMAC (6) | SMAC (6) | LEN (2) | LLC | PAD | FCS (4) bytes.
Filtering Database Examples
Figure: Bridge 1 (ports 1, 2) and Bridge 2 (ports 1, 2, 3) interconnect LANs 1 to 4 with stations A to F.
Filtering Database (Bridge 1):
  MAC addr  Port  Time (s)
  A         2     20
  B         2     18
  C         2     25
  D         2     4
  E         1     5
  F         1     12
Filtering Database (Bridge 2):
  MAC addr  Port  Time (s)
  A         1     19
  B         1     17
  C         2     24
  D         3     3
  E         1     6
  F         1     13
Forwarding and Address Learning Algorithm
Figure: flowchart for a frame received on port x.
Address learning:
- Is the SMAC in the FDB? If not, add (SMAC, port x, timer = 0) to the FDB.
- If it is, but recorded on another port, change the entry to port x and reset its timer.
Frame forwarding:
- Is the DMAC in the FDB? If not, forward the frame to all ports except port x.
- If it is: does the entry belong to port x? If yes, filter (discard) the frame; if no, forward it to the entry's port.
End.
Address Learning Example
Figure: Bridges X, Y and Z (each with a FDB of MAC/port entries) interconnect LANs 1 to 5 with stations A, B, C, D and E. Frames are sent in the order 1. A->E, 2. B->D, 3. C->B, 4. D->A, 5. E->C; the following figures show the FDB contents after each frame.
Figure: after A->E, every bridge that receives the frame learns A with the port it arrived on; since E is unknown, the frame is flooded to all LANs.
Figure: after B->D, B is learned on each bridge; D is unknown, so the frame is flooded.
Figure: after C->B, the bridges that have already learned B forward only towards it; the bridges on that path learn C.
Figure: after D->A, the frame follows the learned entries for A; D is learned along the way.
Figure: after E->C, the frame follows the learned entries for C; E is learned along the way.
Loop Problems and Resolution
Figure: Bridges X and Y both join LAN 1 and LAN 2. At t0 station A on LAN 1 sends a frame to B on LAN 2; at t1 both bridges forward it onto LAN 2, and at t2 each bridge forwards the other's copy back onto LAN 1, and so on.
- Loops provide reliability (redundant paths).
- Loops cause frame duplication.
- Loops cause wrong address learning: each bridge sees A's frame arriving on both of its ports in turn.
Figure: Spanning Tree Example 1. Bridges 1 to 5 interconnect LANs 1 to 5; each bridge port is numbered.
Figure: graph representation of a BLAN. LANs and bridges are the two kinds of vertices (LANs 1 to 5, bridges 1 to 5); the spanning tree is the loop-free subgraph that still connects all LANs.
Figure: Spanning Tree Example 1 (continued). Bridge 1 (ID=10) is the root bridge; Bridges 2 to 5 have IDs 20, 30, 40 and 50.
Spanning Tree Algorithm (requirements)
- Each bridge is assigned a unique bridge identifier of 8 octets: a programmable priority part (two octets) followed by the bridge's MAC address (six octets).
- A special group MAC address is reserved for all bridges: 01-80-C2-00-00-00 (a multicast address; in transmitted bit order 10000000-00000001-01000011-...).
- Each port of a bridge has a unique port identifier.
Spanning Tree Algorithm (definitions)
- Root Bridge: the bridge with the lowest value of bridge identifier.
- Path Cost: for each port, the cost of transmitting a frame onto the attached LAN through that port.
- Root Port: for each bridge, the port on the minimum-cost path to the root bridge.
- Root Path Cost: for each bridge, the cost of the minimum-cost path to the root bridge.
- Designated Bridge: for each LAN, the bridge that provides the minimum-cost path to the root bridge; it is the only bridge allowed to forward frames to and from that LAN.
- Designated Port: the port of the designated bridge that attaches it to the LAN. All traffic to and from the LAN that crosses the bridged network passes through the designated port.
Figure: Spanning Tree Example 2 (TC = transmission cost of a port). Bridge 1 (ID=10): port 1 TC=10, port 2 TC=10. Bridge 2 (ID=20): port 1 TC=10, port 2 TC=10. Bridge 3 (ID=30): port 1 TC=5, port 2 TC=5. Bridge 4 (ID=40): port 1 TC=5, port 2 TC=5. Bridge 5 (ID=50): port 1 TC=10, port 2 TC=5, port 3 TC=5. The bridges interconnect LANs 1 to 5.
Figure: Spanning Tree Example 2 (continued), with RPC = root path cost, D = designated port, R = root port. Bridge 1 (ID=10) is the root bridge with RPC=0; Bridge 3 (ID=30) and Bridge 4 (ID=40) have RPC=5; Bridge 2 (ID=20) and Bridge 5 (ID=50) have RPC=10.
Spanning Tree Algorithm: three steps
1. Determine the root bridge.
2. Determine the root port on every other bridge.
3. Determine the designated port on each LAN: the port with the minimum root path cost. If two or more bridges on the LAN have the same root path cost, the highest-priority bridge (lowest bridge identifier) is selected. If the designated bridge has two or more ports attached to the LAN, the port with the lowest port identifier is selected.
Bridge Port State Diagram
Blocking -> (selected as a designated or root port) -> Listening -> (after a forward delay time) -> Learning -> (after a forward delay time) -> Forwarding. From Listening, Learning or Forwarding, a port returns to Blocking when its selection is cancelled (it is no longer a root or designated port).
Bridge Protocol Data Unit (BPDU)
(a) Configuration BPDU: Protocol ID (2 bytes) | Version ID (1) | BPDU Type (1) | Flags (1) | Root Bridge ID (8) | Root Path Cost, RPC (4) | Bridge ID (8) | Port ID (2) | Message Age (2) | Max Age (time limit) (2) | Hello Time (2) | Forward Delay (2).
(b) Topology Change Notification BPDU: Protocol ID (2 bytes) | Version ID (1) | BPDU Type (1).
Figure: Spanning Tree Algorithm Example on LAN W with Bridge X (port i TC=15, port j TC=10), Bridge Y (port k TC=5, port l TC=5) and Bridge Z (port m TC=10, port n TC=10). Each step shows a bridge's current root path cost, its root port (R) and, where it believes itself designated, D(W), the designated port of LAN W; RPC values seen during the exchange range from 20 to 58.
Figure: Spanning Tree Algorithm Example (continued): final roles on LAN W, one designated port (D) and root ports (R) on the other bridges.
Spanning Tree Features
- The spanning tree constructed by the IEEE 802.1D algorithm has the property that, for each bridge, the shortest path (minimum root path cost, RPC) to the root bridge is included.
- For each LAN, the shortest path (minimum root path cost) to the root bridge via the designated bridge is included.
- So the spanning tree is a shortest-path tree rooted at the root bridge, and usually not a minimum-cost spanning tree.
- The spanning tree of a BLAN (or switched network) is predictable and deterministic: given the BLAN topology (with any loops) and the configuration parameters, the spanning tree can be calculated by hand.
Figure: Spanning Tree Example 3. Bridge 1 (ID=10) is the root bridge, RPC=0. Bridge 8 (ID=80), Bridge 5 (ID=50) and Bridge 7 (ID=70) have RPC=5; Bridge 6 (ID=60) has RPC=10; Bridge 3 (ID=30) and Bridge 4 (ID=40) have RPC=15; Bridge 2 (ID=20) has RPC=20. Designated path costs of the LANs: LAN 1 DPC=20, LAN 2 DPC=10, LAN 3 DPC=0, LAN 4 DPC=5, LAN 5 DPC=5, LAN 6 DPC=0, LAN 7 DPC=5. Port transmission costs are 5, 10 or 15; D marks designated ports and R root ports.
Spanning Tree Maintenance
- The transmission of configuration information is triggered by the root: once every Hello Time the root issues a configuration BPDU on all LANs to which it is attached.
- A bridge that receives a configuration BPDU on what it decides is its root port passes that information on to all LANs for which it believes itself to be the designated bridge.
- Configuration BPDUs thus cascade throughout the spanning tree.
- A bridge may change the spanning tree topology (for example when it detects that a link or a designated bridge has failed).
- A Topology Change Notification (TCN) BPDU is then reliably relayed up the new spanning tree to the root bridge, bridge by bridge.
- The root sets the Topology Change flag in all configuration messages transmitted for some time, so that bridges shorten the ageing time of their filtering database entries.
Figure: Spanning Tree Maintenance Example 1, the same topology as Example 3 (root Bridge 1, ID=10; LAN 2 DPC=10 via Bridge 6, ID=60; Bridges 3 and 4 with RPC=15; LAN 1 DPC=20), annotated with the values 15 and 25 that LAN 2 and LAN 1 take after the failure described below.
Spanning Tree Maintenance Example 1
- Assume Bridge 60 fails. Then the Hello BPDUs sent from the root bridge via Bridge 60 are no longer forwarded onto LAN 2.
- Bridges 30 and 40 on LAN 2 each time out (message age exceeds max age), which means the designated bridge 60 for LAN 2 is gone.
- They then each try to serve as the designated bridge of LAN 2 by sending a configuration BPDU.
- Assume Bridge 40 sends its BPDU first, with RPC = 15.
- Bridge 30 then replies with its own BPDU with RPC = 15; since its priority is higher than Bridge 40's (same RPC, smaller ID), it wins.
- After two forward delays, Bridge 30 becomes the new designated bridge of LAN 2 and the DPC of LAN 2 becomes 15.
- The DPC of LAN 1 also changes, to 25.
- Bridge 30 then sends a Topology Change Notification (TCN) BPDU towards the root bridge.
- The root sets the Topology Change flag in all configuration messages transmitted for some time.
Figure: final configuration of Example 1 after Bridge 6 (ID=60) fails. LAN 2 DPC=15 and LAN 1 DPC=25; Bridge 3 (ID=30) and Bridge 4 (ID=40) now show RPC=10 with port 2 TC=10; Bridge 1 (ID=10, RPC=0) remains root; Bridges 5, 7 and 8 keep RPC=5 and Bridge 2 keeps RPC=20; LAN 3 and LAN 6 keep DPC=0, LANs 4, 5 and 7 keep DPC=5.
Figure: Spanning Tree Maintenance Example 2, the same topology as Example 3, annotated with the new values after LAN 3 fails: two root bridges (RPC=0 each) and RPC=25 for Bridges 3 and 4.
Spanning Tree Maintenance Example 2
- Assume LAN 3 fails. Then all the Hello BPDUs sent from the root bridge onto LAN 3 are lost.
- All ports connected to LAN 3 (port 2 of Bridge 30, port 2 of Bridge 40, port 1 of Bridge 50 and port 1 of Bridge 80) move from the "forwarding" state to the "blocked" state.
- These bridges no longer have a root port (R), and each tries to become the root bridge.
- Bridges 30 and 40 still receive Hello BPDUs on port 1, so they change their root port to port 1.
- Bridges 50 and 80 exchange BPDUs to compete for root, following the STP protocol.
- Assume Bridge 80 sends its BPDU first, with RPC = 0.
- Bridge 50 then replies with its own BPDU with RPC = 0; since its priority is higher than Bridge 80's (smaller ID), it wins.
- After two forward delays Bridge 50 becomes the new root bridge of the cut-off part, and port 1 of Bridge 80 becomes a root port.
- Finally there are two separate (disconnected) spanning trees.
Figure: final configuration of Example 2 after LAN 3 fails. Bridge 1 (ID=10, RPC=0) remains root of one tree; Bridge 5 (ID=50) becomes root of the second tree with RPC=0 and LAN 4 DPC=0; Bridge 8 (ID=80) has RPC=5; Bridge 3 (ID=30) and Bridge 4 (ID=40) now have RPC=25; LAN 1 DPC=20, LAN 2 DPC=10, LAN 5 DPC=5, LAN 6 DPC=0, LAN 7 DPC=5; Bridge 2 (ID=20) RPC=20, Bridge 6 (ID=60) RPC=10, Bridge 7 (ID=70) RPC=5.
STP Manipulation Attack
- The attacker poses as the root bridge so that frames are forwarded through it, and then mounts a man-in-the-middle attack.
- Alternatively the attacker sends STP Configuration or Topology Change Notification (TCN) BPDUs continuously, forcing all bridges in the spanning tree to recalculate their paths. Each recalculation takes roughly 30-50 seconds with 802.1D default timers (two forward delays of 15 s, plus up to 20 s of max-age expiry), during which ports are not forwarding; this is a kind of DoS (Denial of Service) attack.
- In the example, switch A is the root bridge and switches A and B exchange frames directly.
STP Manipulation Attack (continued)
- The attacker sends STP configuration BPDUs claiming the highest priority, i.e. the lowest numerical bridge ID (priority value plus MAC address).
- All switches accept the attacker as the new root bridge and recalculate the spanning tree, so that frames between switches A and B are now forwarded via the attacker.
- The attacker can now receive those frames or execute a man-in-the-middle attack. For the attacker to sit on the path between A and B it must be connected to the tree by two links (e.g. one to each switch); with a single link it can still become root and force repeated reconvergence, but traffic between A and B is not diverted through it.
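The following is an added example (not code from the slides) that runs the three-step spanning tree algorithm from the 802.1D section, with the BPDU tie-break order (root path cost, bridge ID, port ID), on a small looped topology, and then again after a dual-homed rogue bridge announces the lowest bridge ID. The topology, bridge IDs, port costs and LAN names are constructed and are not the deck's examples; bridge IDs are plain integers standing in for the 8-octet priority+MAC value.

```python
"""IEEE 802.1D spanning tree computation for a small bridged LAN, run once
on the legitimate topology and once after a rogue bridge announces the
lowest bridge ID (highest priority).

Added example, not code from the slides. The topology, bridge IDs, port
costs and LAN names are constructed; they are not the deck's examples.
Bridge IDs are plain integers standing in for the 8-octet priority+MAC value.
"""
from collections import deque

# bridge_id -> [(port_id, lan, path_cost), ...]
TOPOLOGY = {
    10: [(1, "LAN1", 10), (2, "LAN2", 10)],
    20: [(1, "LAN2", 10), (2, "LAN3", 10)],
    30: [(1, "LAN1", 10), (2, "LAN3", 10)],   # closes the loop LAN1-LAN2-LAN3
}
ROGUE = {0: [(1, "LAN1", 10), (2, "LAN3", 10)]}   # attacker dual-homed, bridge ID 0


def compute_spanning_tree(ports):
    """Return (root, rpc, roles): rpc[bridge] is its root path cost and
    roles[(bridge, port_id)] is 'root', 'designated' or 'blocked'.
    Root = lowest ID; per LAN the designated port is the lowest
    (root path cost, bridge ID, port ID); per bridge the root port is the
    lowest (designated cost + own port cost, designated bridge, designated
    port, own port), which is the 802.1D tie-break order."""
    root = min(ports)
    lans = {lan for plist in ports.values() for _, lan, _ in plist}
    rpc = {b: (0 if b == root else float("inf")) for b in ports}
    designated, root_port = {}, {}
    changed = True
    while changed:                      # relax until no BPDU would change anything
        changed = False
        for lan in lans:
            best = min((rpc[b], b, pid) for b, plist in ports.items()
                       for pid, l, _ in plist if l == lan)
            if designated.get(lan) != best:
                designated[lan], changed = best, True
        for b, plist in ports.items():
            if b == root:
                continue
            cost, dbridge, dport, pid = min(
                (designated[lan][0] + c, designated[lan][1], designated[lan][2], p)
                for p, lan, c in plist)
            if (cost, pid) != (rpc[b], root_port.get(b)):
                rpc[b], root_port[b], changed = cost, pid, True
    roles = {}
    for b, plist in ports.items():
        for pid, lan, _ in plist:
            if b != root and pid == root_port[b]:
                roles[(b, pid)] = "root"
            elif designated[lan][1:] == (b, pid):
                roles[(b, pid)] = "designated"
            else:
                roles[(b, pid)] = "blocked"
    return root, rpc, roles


def bridges_on_path(ports, roles, src_lan, dst_lan):
    """Walk the active tree (root and designated ports only) from src_lan to
    dst_lan and return the bridges a frame passes through, in order."""
    adj = {}
    for (b, pid), role in roles.items():
        if role == "blocked":
            continue
        lan = next(l for p, l, _ in ports[b] if p == pid)
        adj.setdefault(lan, set()).add(b)
        adj.setdefault(b, set()).add(lan)
    prev, queue = {src_lan: None}, deque([src_lan])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst_lan not in prev:
        return None                     # the two LANs are disconnected
    path, node = [], dst_lan
    while node is not None:
        path.append(node)
        node = prev[node]
    return [n for n in reversed(path) if n in ports]


def frames_path(topology, src_lan, dst_lan):
    """(root bridge, bridges on the path src_lan -> dst_lan) for a topology."""
    root, _, roles = compute_spanning_tree(topology)
    return root, bridges_on_path(topology, roles, src_lan, dst_lan)


if __name__ == "__main__":
    print("legitimate:", frames_path(TOPOLOGY, "LAN2", "LAN3"))               # (10, [20])
    print("with rogue:", frames_path({**TOPOLOGY, **ROGUE}, "LAN2", "LAN3"))  # (0, [10, 0])
```

Before the attack, frames from LAN2 to LAN3 cross only bridge 20; once bridge 0 is in the tree it becomes root, bridge 20's port on LAN2 is blocked, and the same frames go LAN2 -> bridge 10 -> LAN1 -> bridge 0 -> LAN3. Removing the rogue's second link (keeping only its LAN1 port) still makes it root but leaves the LAN2-LAN3 path through bridge 20, which is the dual-homing caveat above.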
CAM Table Overflow Attack
- Each switch keeps a table (the forwarding table) recording all the MAC addresses learned in the broadcast domain where the switch is located.
- For fast MAC address lookup the table is built from CAM (Content Addressable Memory), which compares the MAC address in the received frame with all addresses in the table in parallel.
- In an L2 switch the CAM is a binary CAM, which provides exact matching: each bit in the table is either 0 or 1.
- In an L3 switch the CAM is a ternary CAM (TCAM), which provides longest-prefix matching: each bit in the table can be 0, 1 or x (don't care).
- The CAM table of an L2 switch is usually sized at 4K or 8K entries, in line with the size of a broadcast domain.
- Initially the CAM table is empty. Each time a frame is received, its source MAC (SMAC) address is learned into the table together with the incoming port.
CAM Table Overflow Attack (continued)
- When a frame is received on port x, its destination MAC (DMAC) is looked up in the CAM table. If the DMAC is found with port x, the frame is filtered; if it is found with port y, the frame is forwarded to port y; otherwise the frame is flooded to all the other ports that belong to the spanning tree (except port x).
- The CAM table overflow attack fills the whole CAM table with random (bogus) MAC addresses, so that the lookup for every legitimate destination fails and every incoming frame is flooded.
- To achieve this the attacker periodically sends frames (say 4K or 8K of them) with random source MAC addresses.
- The CAM table then stays overflowed, and the attacker receives every frame that transits the attacked switch.
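The following is an added example (not code from the slides) that implements the forwarding and address learning algorithm from the bridge section with a bounded MAC table, and then runs the overflow just described against it. The table size, MAC addresses and port numbers are constructed (a real switch holds thousands of entries and is filled the same way, with thousands of random source MACs); evicting the oldest entry when the table is full is a simplification, since hardware differs in which entry it loses, but a full table always loses entries, which is all the attack needs.

```python
"""Transparent-bridge learning and forwarding with a bounded MAC table,
used to show what a CAM table overflow does to a unicast conversation.

Added example, not code from the slides. The table size, MAC addresses
and port numbers are constructed; a real switch holds thousands of
entries and is filled the same way with thousands of random source MACs.
Evicting the oldest entry when the table is full is a simplification.
"""
import random
from collections import OrderedDict


class LearningSwitch:
    def __init__(self, ports, table_size):
        self.ports = set(ports)
        self.table_size = table_size
        self.fdb = OrderedDict()        # MAC -> port, oldest entry first

    def learn(self, smac, in_port):
        """Address learning: refresh an existing entry or insert a new one,
        evicting the oldest entry when the table is full."""
        if smac in self.fdb:
            self.fdb.move_to_end(smac)
        elif len(self.fdb) >= self.table_size:
            self.fdb.popitem(last=False)
        self.fdb[smac] = in_port

    def forward(self, in_port, smac, dmac):
        """Learn the source, then return the set of ports the frame is sent to:
        none (filtered) if the DMAC is behind in_port, one port if known,
        every other port (flooded) if the DMAC lookup fails."""
        self.learn(smac, in_port)
        out = self.fdb.get(dmac)
        if out == in_port:
            return set()
        if out is not None:
            return {out}
        return self.ports - {in_port}


def random_mac(rng):
    # locally administered unicast MAC, as an attack tool would generate
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def cam_overflow_demo(table_size=64, attack_frames=200, seed=1):
    """Hosts A (port 1) and B (port 2) talk; an attacker on port 3 floods
    random source MACs. Returns the ports that receive A's unicast frame
    to B before and after the flood."""
    sw = LearningSwitch(ports=[1, 2, 3], table_size=table_size)
    rng = random.Random(seed)
    a, b = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
    sw.forward(1, a, b)                 # A's first frame: B unknown, flooded
    sw.forward(2, b, a)                 # B replies: now both are learned
    before = sw.forward(1, a, b)        # unicast goes to port 2 only
    for _ in range(attack_frames):      # attacker: random SMAC, bogus DMAC
        sw.forward(3, random_mac(rng), "de:ad:be:ef:00:00")
    after = sw.forward(1, a, b)         # B's entry is gone: flooded, port 3 sees it
    return before, after


if __name__ == "__main__":
    print(cam_overflow_demo())          # ({2}, {2, 3})
```

Note that B's next reply re-learns B and restores unicast delivery, which is why the attacker has to keep sending: the table must be full again by the time the next frame for B arrives.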
Figure: CAM table overflow attack.
MAC Table Overflow (MTO) vulnerability
Any host connected to the LAN segment can easily launch an MTO attack by sending frames with a nonexistent destination MAC address and randomly generated source MAC addresses.
The MAC table of the switch that the attacking host connects to is then overwritten by the random source MAC addresses; that is, the MAC table overflows.
Since the destination MAC address of the attacking frames does not exist, the attacking frames are flooded to all the switches of the LAN segment.
This means that the MAC table overflow propagates to all the switches in a very short period.
When this happens, all the frames in the LAN segment are flooded to all switch ports.
Consequently, the switch-based LAN degrades to a bus-based LAN. This exposes two serious problems: lower effective bandwidth (the broadcast model) and information leakage (flooded packets are visible on every port).
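The learning, lookup and flooding behaviour described above, as an added example that is not code from the slides: a Python model of a MAC table with a fixed number of entries. Two hosts talk normally, then a third port injects frames with random source MACs and a nonexistent destination; once the legitimate entries have been evicted, unicast traffic between the two hosts is flooded. The same model shows the usual mitigation, a per-port MAC limit (port security) that shuts the offending port before the table fills. Table size, ports and MAC addresses are all constructed; eviction of the oldest entry is a simplification of real ASIC behaviour.

```python
"""Model of a switch MAC (CAM) table: learning, lookup, flooding on miss,
and the effect of filling the table with random source MACs.
Constructed example; entry count, ports and MAC addresses are made up."""
import random
from collections import OrderedDict

FLOOD = "flood"   # returned when the destination MAC is unknown


class CamTable:
    """Fixed-size MAC table with optional per-port MAC limit (port security).

    When the table is full, the oldest entry is evicted. Real ASICs use
    hash buckets and vendor-specific replacement, but the flooding effect
    of a full table is the same.
    """

    def __init__(self, size, max_macs_per_port=None):
        self.size = size
        self.max_macs_per_port = max_macs_per_port   # None = no port security
        self.table = OrderedDict()                    # mac -> port
        self.disabled_ports = set()                   # ports shut by port security

    def port_mac_count(self, port):
        return sum(1 for p in self.table.values() if p == port)

    def learn(self, src_mac, port):
        """Learn src_mac on port. Returns False if the port is (now) disabled."""
        if port in self.disabled_ports:
            return False
        if src_mac in self.table:
            self.table.move_to_end(src_mac)           # refresh as newest entry
            self.table[src_mac] = port                # also covers a MAC move
            return True
        if (self.max_macs_per_port is not None
                and self.port_mac_count(port) >= self.max_macs_per_port):
            self.disabled_ports.add(port)             # violation: shut the port
            return False
        if len(self.table) >= self.size:
            self.table.popitem(last=False)            # evict the oldest entry
        self.table[src_mac] = port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Egress port for a frame, FLOOD if the DMAC is unknown, None if dropped
        (port disabled, or DMAC sits on the ingress port and is filtered)."""
        if not self.learn(src_mac, in_port):
            return None
        out = self.table.get(dst_mac)
        if out is None:
            return FLOOD
        return None if out == in_port else out


def random_mac(rng):
    return "02:%02x:%02x:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(5))


def simulate(table_size, attack_frames, max_macs_per_port=None, seed=1):
    """Two hosts talk, then port 3 pumps frames with random source MACs.

    Returns (egress for A->B before, egress for A->B after,
             whether port 3 got disabled, table occupancy)."""
    rng = random.Random(seed)
    sw = CamTable(table_size, max_macs_per_port)
    host_a, host_b = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"
    sw.forward(host_a, host_b, 1)               # A learned on port 1 (frame floods)
    sw.forward(host_b, host_a, 2)               # B learned on port 2
    before = sw.forward(host_a, host_b, 1)      # unicast to port 2
    for _ in range(attack_frames):              # random SMACs, nonexistent DMAC
        sw.forward(random_mac(rng), "ff:ee:dd:cc:bb:aa", 3)
    after = sw.forward(host_a, host_b, 1)       # FLOOD once B has been evicted
    return before, after, 3 in sw.disabled_ports, len(sw.table)


if __name__ == "__main__":
    print("no port security:", simulate(8, 20))                        # (2, 'flood', False, 8)
    print("max 2 MACs/port: ", simulate(8, 20, max_macs_per_port=2))   # (2, 2, True, 4)
```

With no limit, 20 random-source frames against an 8-entry table evict both hosts and the A-to-B frame is flooded out every port, which is exactly the "switch degraded to a hub" situation the slide describes; with a limit of two MACs per port, the third random source shuts port 3 and the table keeps its four legitimate-size entries.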
107
With the MTO attack, the LAN speed can be slowed down dramatically and the attacker can easily eavesdrop on all the packets transmitted within the LAN segment.
Even worse, an end user might only feel that the network is slower, without knowing that his/her critical information is being stolen by an unauthorized attacker.
To see how fast the MTO attack propagates within a LAN segment, an experimental test with three Cisco 2950 switches was designed.
The MAC table size of each switch is 8k entries. There are two pairs of FTP server and client: one pair (with client B) connects to switch 3 and the other pair (with client A) connects to switch 1, where the MTO attacker also connects.
MAC Table Overflow (MTO) vulnerability
108
Figure: Test environment of MTO attack with three switches (Switch 1, Switch 2 and Switch 3; an FTP server, Client A & Sniffer and the MTO Attacker on Switch 1; an FTP server and Client B & Sniffer on Switch 3).
MAC Table Overflow (MTO) vulnerability
109
The download speeds of clients A and B are impacted by the MTO attacks as follows.
Initially, both clients A and B receive the files at a 70Mbps data rate.
The 1st MTO attack with 1000 frames was launched at around the 21st second; the download speed of client A was reduced and started to oscillate, but that of client B was not affected at all.
Then the 2nd MTO attack with 3000 frames was launched at around the 105th second. The download speed of client A was more seriously impacted (larger oscillation), and that of client B was impacted slightly.
Last, an MTO attack with 10000 frames was generated at around the 273rd second. Both clients A and B were seriously impacted.
Even after the attack was stopped, the oscillation persisted for a few minutes.
MAC Table Overflow (MTO) vulnerability
110
Figure (a): Bandwidth impact of client A. x axis: Time (s), 0 to 378 in steps of 21; y axis: Bandwidth (Mbps), 0 to 80; the 1000-frame, 3000-frame and 10000-frame attacks are marked on the curve.
Figure (b): Bandwidth impact of client B, with the same axes and attack markers.
MAC Table Overflow (MTO) vulnerability
111
The learning-caching rate (LCR) of a switch is the upper limit of its source-address learning speed (in packets per second, pps).
For a switch with LCR = N, the switch is unable to learn all the source addresses if the packet input rate is larger than N.
The MTO attacker can use this property to achieve the attack goal with only a small amount of bandwidth.
Thus, the MTO attacker only needs to generate N packets per second to overflow the MAC table.
For example, most switches have N = 8k (the MAC table size). The attacker can then generate 8K pps of short 64-byte packets with randomized source addresses (a total bandwidth of 8192x64x8 = 4Mbps) to achieve the MTO attack.
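The flip side of the LCR observation is that the defender can watch the same quantity: the rate at which each port introduces source MACs the switch has never seen. As an added example (not code from the slides), the following monitor consumes constructed (timestamp, port, source MAC) learning records, counts never-before-seen source MACs per port per second, and flags ports above a threshold; it also carries the slide's bandwidth arithmetic as a function so it can be reused for other N and frame sizes. The value of N, the threshold policy, and all ports, MACs and timings are assumptions.

```python
"""Rate-based detection of MAC-table flooding from per-port learning events.
Constructed example: the monitor consumes (timestamp, port, source MAC)
records (as a switch could export them) and flags any port that introduces
more new source MACs per second than a threshold. Ports, MACs and event
times below are made up."""
from collections import defaultdict

LCR_N = 8192          # learning-caching rate assumed for the example (pps)


def attack_bandwidth_bps(n_pps, frame_bytes=64):
    """Bits per second needed to send n_pps frames of frame_bytes each."""
    return n_pps * frame_bytes * 8


def new_macs_per_second(events):
    """{port: {second: number of source MACs first seen on that port in that second}}."""
    seen = defaultdict(set)
    counts = defaultdict(lambda: defaultdict(int))
    for t, port, mac in sorted(events):
        if mac not in seen[port]:
            seen[port].add(mac)
            counts[port][int(t)] += 1
    return counts


def flag_ports(events, threshold):
    """Ports whose new-MAC rate exceeds threshold in any one-second bucket."""
    rates = new_macs_per_second(events)
    return sorted(port for port, per_sec in rates.items()
                  if max(per_sec.values()) > threshold)


def sample_events():
    """Constructed learning events: normal traffic on ports 1 and 2, a flood on port 5."""
    events = []
    for t in range(10):                                   # two hosts chatting on port 1
        events.append((t + 0.1, 1, "aa:aa:aa:aa:aa:01"))
        events.append((t + 0.6, 1, "aa:aa:aa:aa:aa:02"))
    events.append((4.2, 2, "bb:bb:bb:bb:bb:01"))          # one new laptop on port 2
    for i in range(1500):                                 # 1500 distinct SMACs within second 3
        mac = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)
        events.append((3 + i / 1500, 5, mac))
    return events


if __name__ == "__main__":
    print("bandwidth for N = %d pps of 64-byte frames: %d bps"
          % (LCR_N, attack_bandwidth_bps(LCR_N)))        # 4194304
    threshold = LCR_N // 64      # alert well below the learning limit (assumed policy)
    print("flagged ports:", flag_ports(sample_events(), threshold))   # [5]
```

The threshold of N/64 is a deliberately low bar: a normal access port sees a handful of new source MACs per second at most, so an alert there costs little, while waiting until the port actually reaches N pps means the table is already full.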
MAC Table Overflow (MTO) vulnerability
112
To see how this attack impacts the amount of leaked data, an experiment was conducted.
Four switches S1, S2, S3, S4 are connected, and each switch connects 20 clients. Each client downloads files from an FTP server at a rate of 2Mbps.
The 20 clients of S1 download from the left FTP server and the other 60 clients download from the other FTP server.
The MTO attacker connects to S1, generates the attack packets at 4Mbps, and also receives the packets arriving at its port.
Five attacks are launched by the MTO attacker, one per second.
Before the attack, the MTO attacker is not able to receive any FTP download packets, as they are not destined to it.
The first attack was launched at the 1st second, and the 4Mbps (N = 8192) attack packets are just enough to overflow the MAC table of S1. The attacker now starts to receive the leaked "broadcast" packets of S1.
MAC Table Overflow (MTO) vulnerability
113
MAC Table Overflow (MTO) vulnerability
Figure: Information Leakage test environment with four switches (Switch 1 to Switch 4; 20 clients downloading at 2M each on every switch; two FTP servers; MTO Attacker & Sniffer on Switch 1).
114
At the 2nd second, the attacker launched the 2nd attack and had already received 30Mbits of packets. This attack causes the MAC tables of both S1 and S2 to overflow, which means the packets downloaded by the clients of S2 are forwarded to and received by the attacker.
At the 3rd second, the attacker had received an additional 50Mbits of packets during the previous second. At the same time, the attacker generated the 3rd attack. This causes the MAC tables of S1 to S3 to overflow, which means the packets downloaded by the clients of S3 are forwarded to S2 and S1 and finally received by the attacker.
The attacker fired the 4th and 5th attacks at the 4th and 5th second respectively, and at the 5th second the attacker is able to receive leaked data at a rate of 100Mbps, the upper bound of Fast Ethernet.
MAC Table Overflow (MTO) vulnerability
115
This experiment shows that by using a small amount of bandwidth (which is not easy to detect), the attacker is able to spread the MTO attack to the entire network in a very short period and, most importantly, easily steals a large amount of data.
Figure: The leak of data. x axis: Time (s), 0 to 5; y axis: Bandwidth (Mbps), 0 to 120.
MAC Table Overflow (MTO) vulnerability
116
MAC address Spoofing Attack
The MAC address spoofing attack tries to intercept the frames sent to a target station (say MACy).
The attacker sends a frame (on port x) whose source MAC address is spoofed to that of the target station (MACy). This forces the switch to learn that MACy belongs to port x.
Then all the frames sent to MACy are forwarded to port x, where the attacker is connected.
The interception fails as soon as the target station sends a frame again, because the switch relearns MACy on the target's real port. So the attacker needs to send the spoofed frame periodically.
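Because the spoofer has to keep re-sending to hold the entry, the switch sees MACy learned alternately on two ports, a pattern usually called MAC flapping that many switches log. As an added example (not code from the slides), the following detector takes a constructed stream of (time, port, source MAC) records, derives the MAC moves, and distinguishes a host that genuinely moved once from a MAC that flaps repeatedly within a short window. Ports, MACs, timings and the window/threshold values are assumptions.

```python
"""Detecting periodic source-MAC spoofing as "MAC flapping": the switch
sees the same MAC learned alternately on two ports. Constructed example;
ports, MACs and timings are made up, and the frame records stand in for
whatever MAC-move notifications a real switch emits."""
from collections import defaultdict

TARGET = "00:11:22:33:44:55"      # MACy, really attached to port 2
LAPTOP = "00:aa:bb:cc:dd:ee"      # a host that genuinely moves once


def mac_moves(frames):
    """frames: (time, port, src_mac). Returns [(time, mac, old_port, new_port)]."""
    location = {}
    moves = []
    for t, port, mac in sorted(frames):
        prev = location.get(mac)
        if prev is not None and prev != port:
            moves.append((t, mac, prev, port))
        location[mac] = port
    return moves


def flapping_macs(frames, window, max_moves):
    """MACs that change port more than max_moves times within any window seconds."""
    times_by_mac = defaultdict(list)
    for t, mac, _, _ in mac_moves(frames):
        times_by_mac[mac].append(t)
    flapping = []
    for mac, times in times_by_mac.items():
        start = 0
        for end in range(len(times)):                 # sliding window over move times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_moves:
                flapping.append(mac)
                break
    return sorted(flapping)


def sample_frames():
    """Constructed frame stream: the target sends each second from port 2, a
    spoofed copy arrives half a second later from port 3; a laptop moves once."""
    frames = []
    for t in range(10):
        frames.append((t + 0.0, 2, TARGET))
        frames.append((t + 0.5, 3, TARGET))
    frames.append((2.0, 4, LAPTOP))
    frames.append((7.0, 6, LAPTOP))
    return frames


if __name__ == "__main__":
    print("moves:", len(mac_moves(sample_frames())))                             # 20
    print("flapping:", flapping_macs(sample_frames(), window=5.0, max_moves=3))  # ['00:11:22:33:44:55']
```

A single move is normal (a user re-plugged a laptop), so the detector alerts only on repeated moves inside a window; the window and count are the tuning knobs, and the same input could equally feed a port-security rule that pins MACy to its real port.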
117
MAC address Spoofing Attack
118
DHCP Starvation Attack
In the DHCP starvation attack, the attacker ends up acting as the DHCP server that allocates IP addresses and informs all stations that it is the default gateway.
The attacker first sends a large number of DHCP requests (with spoofed source MAC addresses) to the DHCP server to obtain all available IP addresses. The real DHCP server is then unable to provide further service, as it has no IP addresses left.
The attacker then acts as a new DHCP server, allocates IP addresses, and announces itself as the default gateway.
All the frames sent to other LANs are then forwarded to the attacker first, and the attacker can mount a man-in-the-middle attack.
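Both halves of this attack are what DHCP snooping on the access switch is built to stop: server messages (OFFER/ACK/NAK) are only accepted on trusted uplink ports, client messages whose hardware address field does not match the frame's source MAC are dropped, and client messages are rate-limited per port. As an added example (not code from the slides or any vendor's implementation), the following Python builds minimal RFC 2131 DHCP payloads, parses the message type and client hardware address, and applies those three checks to a constructed traffic mix. The port numbers, MAC addresses, rate limit and the simplified policy are assumptions.

```python
"""DHCP snooping style checks against the two halves of the attack above:
address-pool exhaustion with spoofed requests, and a rogue DHCP server.
Constructed example: minimal RFC 2131 packets are built with struct, and
the policy (trusted ports, chaddr/source-MAC match, client rate limit)
is a simplified model, not any vendor's implementation."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST"}


def build_dhcp(msg_type, chaddr, xid=0x3903F326):
    """Minimal BOOTP header (236 bytes) + magic cookie + option 53 + end option."""
    op = 1 if msg_type in (1, 3) else 2                      # BOOTREQUEST / BOOTREPLY
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0x8000,          # htype 1, hlen 6, broadcast flag
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Return (message type name, client hardware address) or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    hlen = payload[2]
    chaddr = payload[28:28 + hlen]                            # chaddr starts at offset 28
    msg_type, i = None, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                                      # end option
            break
        if code == 0:                                        # pad option
            i += 1
            continue
        length = payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return MSG_TYPES.get(msg_type), chaddr


class DhcpSnooping:
    def __init__(self, trusted_ports, max_client_pps):
        self.trusted = set(trusted_ports)
        self.max_client_pps = max_client_pps
        self.counts = {}                                      # (port, second) -> client msgs

    def inspect(self, t, port, src_mac, payload):
        """Return "forward" or a string starting with "drop:"."""
        parsed = parse_dhcp(payload)
        if parsed is None:
            return "forward"                                  # not DHCP, out of scope here
        kind, chaddr = parsed
        if kind in SERVER_MSGS and port not in self.trusted:
            return "drop: server message on untrusted port"   # rogue server
        if kind in CLIENT_MSGS:
            if chaddr != src_mac:
                return "drop: chaddr does not match source MAC"  # spoofed request
            key = (port, int(t))
            self.counts[key] = self.counts.get(key, 0) + 1
            if self.counts[key] > self.max_client_pps:
                return "drop: client message rate exceeded"   # pool-exhaustion burst
        return "forward"


def demo():
    """Constructed traffic: port 1 a legit client, port 24 the real server, port 3 the attacker."""
    snoop = DhcpSnooping(trusted_ports={24}, max_client_pps=10)
    client = bytes.fromhex("001122334455")
    server = bytes.fromhex("00aabbccdd01")
    attacker = bytes.fromhex("02deadbeef00")
    r = {}
    r["legit_discover"] = snoop.inspect(0.0, 1, client, build_dhcp(1, client))
    r["legit_offer"] = snoop.inspect(0.1, 24, server, build_dhcp(2, client))
    r["rogue_offer"] = snoop.inspect(0.2, 3, attacker, build_dhcp(2, client))
    r["spoofed_chaddr"] = snoop.inspect(0.3, 3, attacker,
                                        build_dhcp(1, bytes.fromhex("0200000000aa")))
    forwarded = 0
    for i in range(50):                                       # burst with matching chaddr/SMAC
        mac = bytes([0x02, 0, 0, 0, 0, i])
        if snoop.inspect(5 + i / 100, 3, mac, build_dhcp(1, mac)) == "forward":
            forwarded += 1
    r["burst_forwarded"] = forwarded
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

The chaddr check catches the cheap version of the starvation attack (one source MAC, many hardware addresses in the DHCP payload); an attacker who also changes the frame's source MAC per request gets past it, which is why the per-port rate limit and, on the same switch, port security's MAC-per-port limit are applied together. Snooping also gives the switch a binding table that DHCP-aware protections such as dynamic ARP inspection build on.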
119
DHCP Starvation Attack
120
Spanning Tree Example 2
Figure: five bridges (Bridge 1 to Bridge 5 with IDs 10, 20, 30, 40 and 50) interconnecting LAN 1 to LAN 5; each port is labelled with its number and transmission cost (TC: Transmission Cost, values 5, 10 or 20).
121
Spanning Tree Example 2
Figure: four bridges (Bridge 1 to Bridge 4 with IDs 10, 20, 30 and 40) interconnecting LAN 1 to LAN 3; each port is labelled with its number and transmission cost (TC: Transmission Cost, values 5, 10 or 20).
122
Spanning Tree Example 3
Figure: eight bridges (Bridge 1 to Bridge 8 with IDs 10 to 80) interconnecting LAN 1 to LAN 7; each port is labelled with its number and transmission cost (values 5, 10 or 15).
123
Figure: VLAN topology example (the diagram from the Virtual Bridged LANs introduction): hosts (H) and VLAN-aware bridges (VAB) interconnecting VLAN A, VLAN B and VLAN C over access, hybrid and trunk links, with the spanning tree shown. VAB: VLAN Aware Bridge.