
Layer 2 Network Security

Feb 24, 2016


Clari Roberts

Layer 2 Network Security. Outline: how Layer 2 switches work; virtual LAN security (IEEE 802.1Q Virtual Bridged LANs, VLAN hopping); spanning tree security (IEEE 802.1D spanning tree algorithm, STP manipulation); CAM table overflow; MAC address spoofing; DHCP starvation. PowerPoint PPT presentation.
Transcript
Page 1: Layer 2 Network Security


Page 2: Outline

- How Layer 2 switches work
- Virtual LAN security: IEEE 802.1Q Virtual Bridged LANs; VLAN hopping
- Spanning tree security: IEEE 802.1D Spanning Tree Algorithm; STP manipulation
- CAM table overflow, MAC address spoofing, DHCP starvation

Page 3: How Layer 2 Switches Work?

A Layer 2 switch uses a store-and-forward scheme to forward or filter incoming frames:

- MAC address learning (filtering database): the source MAC address of each received frame is recorded together with the port it arrived on.
- MAC address lookup engine: forward the frame out of port x if the destination MAC is found in the filtering database with port x; otherwise flood it to all ports (except the one it arrived on).
- All multicast and broadcast frames are flooded.
- Ethernet switch architecture: a switching fabric built from ASICs, so that every pair of Ethernet ports can have a transmission in progress simultaneously.
- Wire-speed design: Gbps, 10 Gbps, 100 Gbps, ...
- Plug-and-play.

Are L2 switches secure?

Page 4: Typical Architecture for Ethernet Switch ASIC (24+4)

[Figure: block diagram of a 24+4-port Ethernet switch ASIC; only the title survives extraction.]

Page 5: Typical Architecture for Ethernet Switch ASIC (8 GE)

[Figure: block diagram of an 8-port Gigabit Ethernet switch ASIC; only the title survives extraction.]

Page 6: Security Issues for L2 Switches

- VLAN hopping attack
- STP manipulation attack
- CAM table overflow attack
- MAC address spoofing attack
- DHCP starvation attack

Page 7: Virtual Bridged LANs (IEEE 802.1Q)

Page 8: VLAN Topology

[Figure: a VLAN topology with VLANs A, B and C. Hosts (H) attach to VLAN-aware bridges (VAB) over access links; the VABs are joined by a trunk link and a hybrid link; an 802.1D bridge (B) with its bridged LAN (BLAN) hangs off an access link; a spanning tree group is drawn inside VLAN A.]

Page 9: Overview of Virtual LAN

- Virtual LAN services in bridged LANs.
- The forwarding process required to support VBLANs (virtual bridged LANs).
- The filtering database needed to support VBLANs.
- Protocols and procedures required to provide VLAN services and to distribute VLAN membership information.
- Management services and operations required to configure and administer VBLANs.

Page 10: VLAN Aims and Benefits

- Easy administration of a logical group of stations, including moves, adds and changes in the membership of these groups.
- Traffic between VLANs is firewalled: a frame leaves its VLAN only through a router. The propagation of multicast and broadcast traffic between VLANs is limited.
- Supported over shared and point-to-point media.
- Each VLAN is uniquely identified by a VLAN ID (VID).
- Compatibility with existing bridges/switches and stations is maintained. In the absence of VLAN configuration, bridges work plug-and-play.

Page 11: VLAN Architecture Overview

Based on a 3-level model:

- Configuration: MIBs
- Distribution/Resolution: declaration protocols, request/response protocols
- Relay: ingress rules, forwarding rules, egress rules

Page 12: Configuration

The VLAN configuration is specified in the first place: the assignment of VLAN membership (by port, MAC address, IP subnet or Layer 3 protocol, as on the following pages).

Page 13: Virtual LAN Technologies

- Port-based VLAN
- MAC-based VLAN
- IP subnet-based VLAN
- Layer 3 protocol-based VLAN

Page 14: Port-based Virtual LANs

[Figure: Bridge/Switch 1, 2 and 3, each with ports 1 to 12; ports are assigned to VLAN 1, VLAN 2 or VLAN 3 by port number.]

Page 15: MAC-based Virtual LANs

[Figure: stations with MAC addresses 1 to 16 spread over Bridge/Switch 1, 2 and 3, assigned to VLAN 1 to VLAN 4 by MAC address.]

Page 16: MAC-based Virtual LANs -- MAC5 moves

[Figure: the same network after the station with MAC 5 has moved to another switch; it keeps its VLAN membership because membership follows the MAC address.]

Page 17: IP Subnet-based Virtual LANs

VLAN 1 = IP subnet 140.114.76.xx, VLAN 2 = IP subnet 140.114.77.xx, VLAN 3 = IP subnet 140.114.78.xx.

[Figure: stations 1 to 16 with addresses in 140.114.76.xx, 140.114.77.xx and 140.114.78.xx spread over Bridge/Switch 1, 2 and 3; VLAN membership follows the IP subnet of the station.]

Page 18: Layer 3 Protocol-based Virtual LANs

[Figure: stations 1 to 16 spread over Bridge/Switch 1, 2 and 3; VLAN 1 carries the IPX stations and VLAN 2 the IP stations, membership following the Layer 3 protocol.]

Page 19: Distribution

Distribute the information bridges need to determine on which VLAN a given frame should be forwarded. Various possibilities exist for achieving this:

- Declaration protocols for distributing VLAN associations (such as GARP, whose VLAN application GVRP distributes membership information among bridges).
- Request/response protocols to request a specific VLAN association (SNMP).

Page 20: Relay

- Mapping received frames to VLANs is determined by a set of ingress rules.
- Where received frames should be forwarded is determined by a set of forwarding rules.
- Mapping frames to output ports, and the format they leave in (tagged or untagged), is determined by a set of egress rules.
- A VLAN frame format carries the VLAN IDs (VIDs).
- Procedures to tag frames, modify tagged frames and untag frames.

Page 21: Relay (continued)

The port-based approach specifies ingress, forwarding and egress rules based on VLAN membership, which allow bridges to:

- Classify all received untagged frames as belonging to a particular VLAN (the PVID, Port VLAN ID, of the receiving port).
- Recognize the VID associated with received tagged frames.
- Use this VID for forwarding and filtering.
- Transmit frames in tagged or untagged format, as defined for a given port/VLAN pairing.

Page 22: Frame Tagging

Implicit tagging: a frame is classified to a particular VLAN based on the data content of the frame (MAC address, Layer 3 protocol ID, etc.) and/or the receiving port.

Explicit tagging: a frame carries an explicit identification of the VLAN to which it belongs.

Tagged frame layout: DA | SA | Tag (VLAN ID) | PT | C-Data (N bytes, 46 <= N <= 1496) | FCS

Page 23: Ingress Rules / Egress Rules

Each received frame is classified as belonging to exactly one VLAN by associating a VID with it. The classification is achieved as follows:

- Explicit tagging: the VID value the frame carries.
- Implicit tagging: the PVID associated with the port on which the frame is received.

Frames shall be filtered if the outgoing port is not present in the member set of the VLAN.

Page 24: Port-Based VLAN Definitions

- VLAN-aware devices understand VLAN membership and the VLAN frame format.
- VLAN-unaware devices do not.
- An access link is a LAN segment used to multiplex one or more VLAN-unaware devices into a port of a VLAN bridge. All frames on an access link are implicitly tagged; no VLAN-tagged frames appear on an access link. It is viewed as being on the edge of the network, and can be attached to other 802.1D-conformant bridges (a BLAN).

Page 25: Definitions (continued)

- A trunk link is a LAN segment used to multiplex VLANs between VLAN bridges. All devices connected to a trunk link must be VLAN-aware. All frames (including end-station frames) on a trunk link are explicitly tagged with a VLAN ID.
- A hybrid link is a LAN segment that has both VLAN-aware and VLAN-unaware devices. There can be a mix of tagged and untagged frames, but they must belong to different VLANs.

Page 26: VLAN Topology (repeated)

[Figure: the VLAN topology of page 8 again (VLANs A, B, C; hosts H on access links; VABs joined by a trunk link and a hybrid link; an 802.1D bridge and BLAN), used to illustrate the tagging rules on the next page.]

Page 27: Rules for Tagging Frames

For each VLAN, all frames traversing a particular hybrid link must be tagged the same way: all implicitly tagged, or all carrying the same explicit tag. There can be a mix of implicitly and explicitly tagged frames on the link, but they must belong to different VLANs.

In the topology figure: all frames for VLANs A and B are explicitly tagged on the hybrid link; all frames for VLAN C on the hybrid link are implicitly tagged; on the trunk link all frames are tagged.

Page 28: Spanning Tree

- The spanning tree eliminates loops in a bridged LAN and improves scalability in a large network.
- The spanning tree formed in a virtual LAN environment need not be identical to the topology of the VLAN(s).
- Each VLAN may be overlaid on different segments, or be entirely separate from the others.
- All VLANs are aligned along the spanning tree from which they are formed: a VLAN is defined by a subset of the spanning tree.
- The topology of a VLAN is dynamic.

Page 29: Bridge Operation

A bridge filters frames to ensure that traffic destined for a given VLAN is forwarded only on segments (ports) that form a path to members of that VLAN. For each VLAN, the bridge needs to keep:

- Member set (port IDs)
- Untagged set (port IDs)

Page 30: Address Learning

- Shared VLAN Learning (SVL): one filtering database shared by all VLANs.
- Independent VLAN Learning (IVL): a separate filtering database per VLAN.

In most cases SVL and IVL produce the same result, but in some special cases (following pages) the learning mode of the bridge must be specified.

Page 31: IVL Example -- Multiple Independent VLANs

- A server (bridge-router, or "connector") connects multiple independent VLANs.
- The connector and the stations are VLAN-unaware (untagged frames).
- The connector does not run the spanning tree algorithm.
- Traffic between VLAN Red (A) and VLAN Blue (B) must be delivered through the connector (firewalled).
- The filtering databases should be independent. Otherwise MAC A (respectively B) is learned alternately from ports 1 and 4 (respectively 2 and 3), and frames from A to B (and from B to A) are delivered the wrong way.

Page 32: IVL Example -- Multiple Independent VLANs (diagram)

[Figure: a VLAN bridge with ports 1 to 4 and a bridge-router with ports X and Y. Port 1 (PVID Red) = station A, port 3 (PVID Red) = router port X, port 2 (PVID Blue) = station B, port 4 (PVID Blue) = router port Y. Member set: Red - ports 1, 3; Blue - ports 2, 4. Untagged set: Red - ports 1, 3; Blue - ports 2, 4. Filtering databases with IVL: VLAN Red: A -> port 1, B -> port 3; VLAN Blue: A -> port 4, B -> port 2. Correct paths for A->B and B->A.]

Page 33: If SVL is used for this case

[Figure: the same topology with a single shared filtering database (Red, Blue): A -> port 4, B -> port 3. Incorrect path for B->A: A was last learned on port 4 (the router's Blue side), so B's frame no longer reaches A on port 1. Member set and untagged set as on the previous page.]

Page 34: IVL Example (2) -- Multiple Independent VLANs

- A server (bridge-router, or connector) connects multiple independent VLANs.
- The server is VLAN-aware (it tags frames) and the stations are VLAN-unaware.
- VLAN Red: A <--> server. VLAN Blue: B <--> server.
- The filtering databases should be independent. Otherwise MAC A (respectively B) is learned alternately from different ports, and frames from the server tagged Blue or Red may be filtered.

Page 35: IVL Example (2) -- Multiple Independent VLANs (diagram)

[Figure: a VLAN bridge with port 1 (PVID Red) = station A, port 2 (PVID Blue) = station B, port 3 (PVID Discard) = the VLAN-aware bridge-router. Member set: Red - ports 1, 3; Blue - ports 2, 3. Untagged set: Red - port 1; Blue - port 2. Filtering databases with IVL: VLAN Red: A -> port 1, B -> port 3; VLAN Blue: A -> port 3, B -> port 2.]

Page 36: If SVL is used for this case

[Figure: the same topology with a shared filtering database (Red, Blue): A is learned alternately on ports 1 and 3, B alternately on ports 2 and 3. Member set and untagged set as on the previous page.]

Page 37: IVL Example (3) -- Duplicate MAC Addresses

- Stations A and B use the same MAC address X.
- The server is VLAN-aware (it tags frames) and the stations are VLAN-unaware.
- VLAN Red: A <--> server. VLAN Blue: B <--> server.
- The filtering databases should be independent. Otherwise MAC X is learned alternately from different ports, and a frame from the server tagged Blue (respectively Red) may be forwarded to the wrong destination A (respectively B).

Page 38: IVL Example (3) -- Duplicate MAC Addresses (diagram)

[Figure: a VLAN bridge with port 1 (PVID Red) = station A (MAC X), port 2 (PVID Blue) = station B (MAC X), port 3 (PVID Discard) = the VLAN-aware server. Member set: Red - ports 1, 3; Blue - ports 2, 3. Untagged set: Red - port 1; Blue - port 2. Filtering databases with IVL: VLAN Red: X -> port 1; VLAN Blue: X -> port 2.]

Page 39: If SVL is used for this case

[Figure: the same topology with a shared filtering database (Red, Blue): X -> port 1 <-> 2, flipping to whichever station transmitted last. Incorrect path for server -> A. Member set and untagged set as on the previous page.]

Page 40: Asymmetric VLAN

- Typically, two stations A and B that belong to the same VLAN use the same VID to communicate.
- Asymmetric VLAN: A->B and B->A use different VIDs.
- The server and the stations are all VLAN-unaware (untagged frames).
- Stations may talk to the server (A -> S, S -> B) but not to each other (no A <-> B), for security reasons.
- VLAN Purple: server --> A or B. VLAN Red: A --> server. VLAN Blue: B --> server.

Page 41: Asymmetric VLAN (continued)

If the filtering databases of VLAN Red and VLAN Purple are independent, a frame from the server to A is forwarded to both A and B: A has never been learned in VLAN Purple (its frames arrive in VLAN Red), so the frame is flooded within VLAN Purple.

SVL is required for asymmetric VLANs!
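The two cases that make the learning mode matter (the duplicate-MAC example on pages 37-39 and the asymmetric VLAN on pages 40-43) can be checked with a small model of a VLAN-aware bridge that implements the ingress, forwarding and egress rules of pages 21-23 and lets the learning mode be switched between SVL and IVL. This is an added example written for this page, not code from the presentation; the VIDs 10/20/30 standing for Red/Blue/Purple, the MAC strings and the port numbers are assumptions chosen to match the figures.

```python
"""VLAN-aware bridge model: ingress rule (explicit tag or PVID), forwarding
by member set, egress format by untagged set, and a filtering database that
is shared (SVL) or kept per VLAN (IVL).

Added example for this page, not the presentation's code.  VIDs, MACs and
port numbers are assumptions chosen to match the figures."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

RED, BLUE, PURPLE = 10, 20, 30      # assumed VIDs for the deck's colour names


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int] = None       # None = untagged (implicitly tagged)


@dataclass
class VlanBridge:
    pvid: Dict[int, int]            # port -> PVID; a port absent here has PVID = Discard
    member: Dict[int, Set[int]]     # vid -> member set (ports that carry the VLAN)
    untagged: Dict[int, Set[int]]   # vid -> untagged set (ports that transmit it untagged)
    mode: str = "IVL"               # "IVL": one FDB per VLAN, "SVL": one shared FDB
    fdb: Dict[int, Dict[str, int]] = field(default_factory=lambda: defaultdict(dict))

    def _fid(self, vid: int) -> int:
        # The filtering identifier selects the database: shared under SVL, per VID under IVL.
        return 0 if self.mode == "SVL" else vid

    def receive(self, in_port: int, frame: Frame) -> List[Tuple[int, Frame]]:
        """Apply ingress, learning, forwarding and egress rules to one frame.
        Returns (port, frame) pairs as transmitted; an empty list means filtered."""
        # Ingress rule: an explicit tag wins; otherwise the PVID of the receiving port.
        vid = frame.vid if frame.vid is not None else self.pvid.get(in_port)
        if vid is None:
            return []                               # PVID = Discard
        table = self.fdb[self._fid(vid)]
        table[frame.src] = in_port                  # address learning
        members = self.member.get(vid, set())
        known = table.get(frame.dst)
        if known is None:
            targets = members - {in_port}           # unknown destination: flood the VLAN
        elif known in members and known != in_port:
            targets = {known}
        else:
            targets = set()                         # outgoing port not in the member set: filter
        # Egress rule: untagged on ports in the untagged set, tagged everywhere else.
        return [(p, Frame(frame.dst, frame.src,
                          None if p in self.untagged.get(vid, set()) else vid))
                for p in sorted(targets)]


def duplicate_mac(mode: str) -> Tuple[List[int], List[int]]:
    """Pages 37-39: A (port 1, Red) and B (port 2, Blue) share MAC X; a
    VLAN-aware server S on port 3 (PVID = Discard) tags its frames."""
    br = VlanBridge(pvid={1: RED, 2: BLUE},
                    member={RED: {1, 3}, BLUE: {2, 3}},
                    untagged={RED: {1}, BLUE: {2}}, mode=mode)
    br.receive(1, Frame("S", "X"))                  # A talks to the server
    br.receive(2, Frame("S", "X"))                  # then B does
    to_a = br.receive(3, Frame("X", "S", RED))      # server answers A, tagged Red
    to_b = br.receive(3, Frame("X", "S", BLUE))     # server answers B, tagged Blue
    return [p for p, _ in to_a], [p for p, _ in to_b]


def asymmetric_vlan(mode: str) -> Dict[str, List[int]]:
    """Pages 40-43: A -> S on Red, B -> S on Blue, S -> A or B on Purple, all untagged."""
    br = VlanBridge(pvid={1: RED, 2: BLUE, 3: PURPLE},
                    member={PURPLE: {1, 2}, RED: {3}, BLUE: {3}},
                    untagged={PURPLE: {1, 2}, RED: {3}, BLUE: {3}}, mode=mode)
    result: Dict[str, List[int]] = {}
    for name, port, frame in [("A->S", 1, Frame("S", "A")),
                              ("B->S", 2, Frame("S", "B")),
                              ("S->A", 3, Frame("A", "S")),
                              ("A->B", 1, Frame("B", "A"))]:
        result[name] = [p for p, _ in br.receive(port, frame)]
    return result
```

Under IVL the duplicate-MAC case delivers each tagged reply to the right station (ports [1] and [2]); under SVL the single entry for X is overwritten by whichever station spoke last, so the Red-tagged reply to A finds X on port 2, a port outside Red's member set, and the model filters the frame (the deck describes it as reaching the wrong station; either way A never receives it). The asymmetric VLAN behaves the other way round: with IVL the server's unicast to A is flooded to both port 1 and port 2, with SVL it reaches only port 1, while A's frame to B is kept away from B in both modes.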

Page 42: Asymmetric VLAN (diagram, SVL)

[Figure: a VLAN bridge with port 1 (PVID Red) = station A, port 2 (PVID Blue) = station B, port 3 (PVID Purple) = the VLAN-unaware server. Member set: Purple - ports 1, 2; Red - port 3; Blue - port 3. Untagged set: Purple - ports 1, 2; Red - port 3; Blue - port 3. Shared filtering database (SVL over Purple, Red, Blue): A -> port 1, B -> port 2, S -> port 3. A's frames enter as Red and B's as Blue; the server's frames leave on ports 1 and 2 as Purple.]

Page 43: If IVL is used for this case

[Figure: the same topology with independent databases: VLAN Purple: S -> port 3; VLAN Red: A -> port 1; VLAN Blue: B -> port 2. The server wants S -> A or S -> B, but with IVL a frame from S reaches both A and B. Member set and untagged set as on the previous page.]

Page 44: The Filtering Database

- Static filtering entry
- Static VLAN registration entry
- Dynamic filtering entry
- Dynamic VLAN registration entry

Page 45: Static Filtering Entry

MAC    VLAN ID   Port map
MACa   2         (one control element per port)
MACb   3
MACc   3
MACd   2
MACe   4

The MAC column holds an individual MAC, a group MAC, "all group MACs" or "all unregistered group MACs". The control element for each port is Forward, Filter, or "according to the dynamic filtering database".

Page 46: Static VLAN Registration Entry

VLAN ID   Port map
2         (one control element per port)
3
4
5
6

The control element for each port is the GVRP registrar administrative control (Registration Fixed, Forbidden or Normal) plus Tagged/Untagged.

Page 47: Dynamic Filtering Entry (by the learning process)

MAC    FID   Port (map)   Time
MACa   2                  200
MACa   3                  120
MACb   3                  100
MACb   2                  250
MACc   4                   60

Dynamic entries hold individual MAC addresses only. The same MAC may appear under several FIDs (filtering identifiers) when learning is independent per VLAN.

Page 48: Dynamic VLAN Registration Entry

VLAN ID   Port map
2         (one control element per port)
3
4
5
6

The control element for each port answers: is this VID registered on this port?

Page 49: VLAN Tag Structure

- Tag Protocol Identifier (TPID)
- Tag Control Information (TCI): User Priority (3 bits), Canonical Format Indicator (1 bit), VLAN Identifier (VID, 12 bits)

Two encodings:

- Ethernet-encoded: TPID (2 bytes) | TCI (2 bytes)
- SNAP-encoded: TPID (8 bytes) | TCI (2 bytes)

Page 50: Tag Format (Ethernet-encoded)

Ethernet-encoded TPID (81-00, 2 bytes) | TCI (2 bytes: User Priority 0-7 in 3 bits, CFI in 1 bit, VID in 12 bits) | LEN (2 bytes) | RIF (2-30 bytes)

The LEN and RIF fields (embedded source-routing information) are present only when the CFI bit is set.

Page 51: Tag Format (Ethernet-encoded) -- RIF

RIF = Route Control (RC, 2 bytes) | Route Descriptors (0-28 bytes)

Route Control bits: RT (3 bits, Routing Type: transparent bridges or source-routing bridges) | LTH (5 bits, length; 2 when there are no route descriptors) | D (1 bit, direction) | LF (6 bits, largest frame: <= 1470 bytes) | NCFI (1 bit, Non-canonical Format Indicator)

Page 52: Tag Format (SNAP-encoded)

SNAP-encoded TPID (8 bytes) = SNAP header (AA-AA-03, 3 bytes) | SNAP PID (00-00-00, 3 bytes) | Tag Type (81-00, 2 bytes), followed by the TCI (2 bytes).

Page 53: VLAN Hopping Attack

A VLAN hopping attack tries to:

- Receive frames from other VLANs.
- Access resources of other VLANs.

Two kinds of attack: switch spoofing and double tagging.

Page 54: VLAN Switch Spoofing Attack

- Usually, when switches enable the VLAN function, a link is required between the switches to carry the frames belonging to a certain VLAN. In the example there are two VLANs, VID 20 and VID 30, and two links are established between the switches.
- A trunk link is then designed to support multiple VLANs, and all frames of those VLANs are forwarded via the trunk link.
- A Cisco switch can automatically run the Dynamic Trunking Protocol (DTP) to establish a trunk link with another Cisco switch.
- The attacker uses a system that speaks DTP to negotiate a trunk link with the switch, and then receives all frames carried on that trunk, i.e. frames of every VLAN allowed on it.

The negotiation only succeeds if the attacker's port is in a DTP-negotiating mode (dynamic auto or dynamic desirable, long the factory default on many Cisco switches); a port statically configured as an access port with trunk negotiation disabled will not form a trunk.

Page 55: Switch Spoofing Attack

[Figure: an attacker host negotiates a trunk with the switch via DTP and receives the frames of VLAN 20 and VLAN 30.]

Page 56: VLAN Double Tagging Attack

- Frames between different VLANs are firewalled and should be forwarded via the router.
- The administrator can set rules or policies on the router to control which resources may be accessed from which VLANs.
- The attacker sends frames carrying two VLAN headers. The first header passes the switch's check for the attacker's own VLAN and is stripped; the frame is then forwarded into another VLAN according to the second header, bypassing the router's access rules altogether.
- Most switches only examine one VLAN header.

Page 57: Double Tagging Attack (example)

- The attacker (in VLAN 20) sends a frame with two tags: the first VLAN ID = 20, the second = 30.
- The first switch removes the first VLAN header and forwards the frame onto the trunk link with only the second VLAN header (VID = 30). This only works when VLAN 20 is the trunk's native VLAN: frames of the native VLAN are sent untagged on the trunk, so stripping the outer tag exposes the inner one.
- The second switch forwards the frame into VLAN 30 according to the VLAN ID 30 it now carries.
- So a frame sent from VLAN 20 is delivered into VLAN 30. The attack is one-way: a host in VLAN 30 cannot reply to the attacker by the same route.
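To make the tag layout of pages 49-50 and the double-tagging walk-through above concrete, here is an added example (not code from the presentation) that builds and parses 802.1Q-tagged Ethernet frames, then pushes a double-tagged frame through a model of the two switches. The MAC addresses, the payload, and the assumption that VLAN 20 is the trunk's native VLAN are constructed for the example; the tag field widths and the 81-00 TPID are those of the standard.

```python
"""Build/parse 802.1Q-tagged Ethernet frames and replay the double-tagging
attack through a model of two switches.

Added example for this page, not the presentation's code.  Addresses,
payload and the native-VLAN setting are constructed assumptions."""
import struct
import zlib
from typing import Dict, List, Optional, Sequence

TPID = 0x8100        # Ethernet-encoded Tag Protocol Identifier (81-00)


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_tag(vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """TPID (2 bytes) + TCI (2 bytes): 3-bit user priority, 1-bit CFI, 12-bit VID."""
    if not 0 <= vid <= 0xFFF or not 0 <= priority <= 7:
        raise ValueError("VID is 12 bits, priority 3 bits")
    tci = (priority << 13) | (cfi << 12) | vid
    return struct.pack("!HH", TPID, tci)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vids: Sequence[int] = ()) -> bytes:
    """DA | SA | [tag]* | type | payload | FCS.  vids are applied outermost first.
    (No minimum-size padding, to keep the parser simple.)"""
    body = _mac(dst) + _mac(src)
    for vid in vids:
        body += build_tag(vid)
    body += struct.pack("!H", ethertype) + payload
    fcs = struct.pack("<I", zlib.crc32(body))        # FCS travels least significant byte first
    return body + fcs


def fcs_ok(frame: bytes) -> bool:
    return struct.unpack("<I", frame[-4:])[0] == zlib.crc32(frame[:-4])


def parse_frame(frame: bytes) -> Dict:
    """Verify the FCS and peel every 802.1Q tag present (outermost first)."""
    if not fcs_ok(frame):
        raise ValueError("bad FCS")
    body = frame[:-4]
    vids: List[int] = []
    off = 12
    while len(body) >= off + 4 and struct.unpack("!H", body[off:off + 2])[0] == TPID:
        tci = struct.unpack("!H", body[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)                    # VID is the low 12 bits of the TCI
        off += 4
    ethertype = struct.unpack("!H", body[off:off + 2])[0]
    return {"dst": body[:6].hex(":"), "src": body[6:12].hex(":"),
            "vids": vids, "ethertype": ethertype, "payload": body[off + 2:]}


def switch1_to_trunk(frame: bytes, access_vlan: int, native_vlan: int) -> Optional[bytes]:
    """Switch 1: classify a frame arriving on an access port of access_vlan and
    put it on the trunk.  A frame whose outer tag names another VLAN is dropped.
    Frames of the trunk's native VLAN leave untagged: the outer tag is stripped,
    so a second tag supplied by the attacker becomes the outermost one."""
    p = parse_frame(frame)
    outer = p["vids"][0] if p["vids"] else access_vlan      # untagged -> PVID
    if outer != access_vlan:
        return None
    inner = p["vids"][1:]                                    # opaque payload to switch 1
    trunk_tags = inner if outer == native_vlan else [outer] + inner
    return build_frame(p["dst"], p["src"], p["ethertype"], p["payload"], trunk_tags)


def switch2_classify(frame: bytes, native_vlan: int) -> int:
    """Switch 2 looks at one tag only; an untagged trunk frame belongs to the native VLAN."""
    p = parse_frame(frame)
    return p["vids"][0] if p["vids"] else native_vlan


def double_tag_attack(attacker_vlan: int = 20, target_vlan: int = 30,
                      native_vlan: int = 20) -> Optional[int]:
    """Return the VLAN that switch 2 delivers the attacker's frame into (None = dropped)."""
    crafted = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:01", 0x0800,
                          b"constructed payload", vids=(attacker_vlan, target_vlan))
    on_trunk = switch1_to_trunk(crafted, attacker_vlan, native_vlan)
    return None if on_trunk is None else switch2_classify(on_trunk, native_vlan)
```

With the attacker's VLAN equal to the trunk's native VLAN the crafted frame lands in VLAN 30; change the native VLAN to an unused one (for instance 99) and the same frame leaves switch 1 still carrying tag 20 outermost, so switch 2 keeps it in VLAN 20 and the attack fails. That is why the usual hardening is to give trunks a dedicated, otherwise unused native VLAN and to tag native-VLAN traffic as well.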

Page 58: VLAN Double Tagging

[Figure: the attacker in VLAN 20 sends a double-tagged frame; switch 1 strips the outer tag (20) and puts the frame on the trunk; switch 2 delivers it into VLAN 30.]

Page 59: Bridges and Spanning Tree Algorithm (IEEE 802.1D)

Page 60: Functions of a Bridge

A bridge is a MAC-layer device that relays frames among physically separated LANs and makes the physical LANs appear as one logical LAN to the end stations.

802.3 frame: Preamble (7) | SFD (1) | DA (6) | SA (6) | LEN (2) | LLC | PAD | FCS (4) bytes

Page 61: Functions of a Bridge (continued)

Basic functions:
- Frame forwarding
- Learning and filtering
- Resolving possible loops in the topology

Additional functions:
- Congestion control (enough buffering)
- Static filtering (security)
- Translation (multi-bridge)
- Routing (multi-bridge)
- Segmentation

Page 62: A Simple Bridge Example

[Figure: one bridge joining LAN A and LAN B; stations 1 to 7 are split across the two LANs.]

Page 63: Design Considerations

- No modifications to the content or format of the frames.
- Contain enough buffer space to meet peak demands.
- Contain addressing and routing intelligence.
- A bridge may connect more than two networks.

Why bridged LANs (BLANs)? Reliability, performance, security, geography.

Page 64: Bridge Routing

- Bridges must be equipped with a routing capability.
- The routing decision may not always be a simple one (loops).
- Topology changes have to be considered.
- A bridge knows all the station addresses (filtering database).

Page 65: BLAN Example (without loop)

[Figure: LANs 1 to 6 joined by Bridge 1 (ID=10), Bridge 2 (ID=20), Bridge 3 (ID=30) and Bridge 4 (ID=40), each with numbered ports (1 to 3); stations A to F are attached to the LANs.]

Page 66: Bridged LAN (BLAN) Example with Loop

[Figure: LANs 1 to 6 joined by Bridges 1 to 7 with numbered ports; the bridging contains a loop; one station is shown.]

Page 67: Bridge Protocol Architecture

[Figure: station A on LAN 1 and station D on LAN 2 with a bridge between them. Station stack: USER / LLC / MAC / PHY; bridge stack: MAC / PHY on each side, relaying at the MAC layer. The frame is User Data + LLC-H at t1 and t8, gains MAC-H at t2 and t7, and appears on the media at t3 to t6 as MAC-H | LLC-H | User Data | MAC-T.]

Page 68: Spanning Tree Routing

Frame forwarding and filtering:
- Use the destination MAC address (DMAC) field in each MAC frame.
- A bridge maintains a filtering database with entries [Address, Port, Time].

Address learning:
- Use the source MAC address (SMAC) field in each MAC frame.
- If the address is already in the database, the entry is updated and its timer is reset.
- If the address is not in the database, a new entry is created with its own timer.

Frame: Preamble (7) | SFD (1) | DMAC (6) | SMAC (6) | LEN (2) | LLC | PAD | FCS (4) bytes

Page 69: Filtering Database Examples

[Figure: Bridge 1 (ports 1, 2) and Bridge 2 (ports 1, 2, 3) joining LANs 1 to 4, with stations A to F.]

Filtering database (Bridge 1):
MAC addr   Port   Time (s)
A          2      20
B          2      18
C          2      25
D          2      4
E          1      5
F          1      12

Filtering database (Bridge 2):
MAC addr   Port   Time (s)
A          1      19
B          1      17
C          2      24
D          3      3
E          1      6
F          1      13

Page 70: Forwarding and Address Learning Algorithm

[Flowchart for a frame received on port x.]

Address learning:
1. Is SMAC in the FDB? If not, add (SMAC, port x, timer = 0) to the FDB. If yes, change the entry's port to x and reset its timer.

Frame forwarding:
2. Is DMAC in the FDB? If not, forward to all ports except port x (flood).
3. If yes, does the entry belong to port x? If yes, filter (discard) the frame; otherwise forward it to the port of the entry.
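The flowchart above and the [Address, Port, Time] database of page 68 can be turned into a short simulation. This is an added example (not the presentation's code) of transparent bridges that learn from the source address, forward, filter or flood on the destination address, and age out stale entries. The bridged LAN it builds (bridges X, Y and Z joining LANs 1 to 5, stations A to E) is a constructed topology chosen to follow the frame sequence of the next pages, and the 300-second ageing time is the IEEE 802.1D default.

```python
"""Transparent-bridge simulation: filtering database [address, port, time],
learning from SMAC, forward/filter/flood on DMAC, and ageing.

Added example for this page, not the presentation's code.  The topology and
the station placement are constructed; the ageing time is the 802.1D default."""
from typing import Dict, List, Optional, Set, Tuple

AGEING_TIME = 300   # seconds; entries not refreshed within this time are removed


class Bridge:
    def __init__(self, name: str, ports: Dict[int, str]) -> None:
        self.name = name
        self.ports = ports                              # port number -> LAN it attaches to
        self.fdb: Dict[str, Tuple[int, int]] = {}       # MAC -> (port, time last seen)

    def relay(self, in_port: int, src: str, dst: str, now: int) -> List[int]:
        """Learn src on in_port, then decide where dst goes (list of output ports)."""
        self.fdb[src] = (in_port, now)                  # new entry, or port update + timer reset
        entry = self.fdb.get(dst)
        if entry is None:
            return [p for p in self.ports if p != in_port]   # unknown: flood all other ports
        port, _ = entry
        return [] if port == in_port else [port]        # same segment: filter; else forward

    def age(self, now: int) -> None:
        """Drop entries whose timer has exceeded the ageing time."""
        for mac, (_, seen) in list(self.fdb.items()):
            if now - seen > AGEING_TIME:
                del self.fdb[mac]

    def table(self) -> Dict[str, int]:
        return {mac: port for mac, (port, _) in self.fdb.items()}


class BridgedLAN:
    """Loop-free bridged LAN (a tree); a frame put on a LAN is seen by every
    station and every bridge port attached to it."""

    def __init__(self, bridges: List[Bridge], stations: Dict[str, str]) -> None:
        self.bridges = bridges
        self.stations = stations                        # station MAC -> LAN
        self.clock = 0

    def tick(self, seconds: int) -> None:
        self.clock += seconds
        for br in self.bridges:
            br.age(self.clock)

    def send(self, src: str, dst: str) -> Set[str]:
        """Transmit one frame and return the set of stations that see it."""
        self.clock += 1
        seen: Set[str] = set()

        def on_lan(lan: str, sender: Optional[Bridge]) -> None:
            seen.update(mac for mac, where in self.stations.items() if where == lan)
            for br in self.bridges:
                if br is sender:
                    continue
                for port, where in br.ports.items():
                    if where == lan:
                        for out in br.relay(port, src, dst, self.clock):
                            on_lan(br.ports[out], br)

        on_lan(self.stations[src], None)
        seen.discard(src)
        return seen


def build_example() -> BridgedLAN:
    """Constructed topology: LAN1 -X- LAN2 -Y- LAN3 -Z- LAN4, plus LAN5 on Y's third port."""
    x = Bridge("X", {1: "LAN1", 2: "LAN2"})
    y = Bridge("Y", {1: "LAN2", 2: "LAN3", 3: "LAN5"})
    z = Bridge("Z", {1: "LAN3", 2: "LAN4"})
    stations = {"A": "LAN1", "B": "LAN2", "C": "LAN3", "D": "LAN5", "E": "LAN4"}
    return BridgedLAN([x, y, z], stations)


def run_sequence(net: BridgedLAN) -> Dict[str, List[str]]:
    """The deck's frame sequence; returns which stations saw each frame."""
    return {f"{s}->{d}": sorted(net.send(s, d))
            for s, d in [("A", "E"), ("B", "D"), ("C", "B"), ("D", "A"), ("E", "C")]}
```

The first two frames are flooded everywhere because their destinations are unknown; from the third frame on, the bridges forward only along the learned path (C -> B is still seen by B alone, D -> A by A and by B because B shares LAN 2 with the path). After `tick(AGEING_TIME + 1)` every table is empty again and the next frame floods.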

Page 71: Address Learning Example

Frame sequence: 1. A -> E, 2. B -> D, 3. C -> B, 4. D -> A, 5. E -> C.

[Figure: Bridges X, Y and Z joining LANs 1 to 5, with stations A to E attached; each bridge starts with an empty FDB (MAC, Port).]

Page 72: Address Learning Example (A -> E)

[Figure: E is unknown, so every bridge floods the frame and learns A; the entries shown are A -> 2, A -> 1, A -> 1 (one per bridge).]

Page 73: Address Learning Example (B -> D)

[Figure: D is unknown, so the frame is flooded; the bridges learn B: B -> 2, B -> 1, B -> 2.]

Page 74: Address Learning Example (C -> B)

[Figure: B is now known, so the frame is forwarded only toward B; the bridges that see it learn C: C -> 1, C -> 2.]

Page 75: Address Learning Example (D -> A)

[Figure: A is known; the frame is forwarded toward A and the bridges learn D: D -> 3, D -> 1, D -> 2.]

Page 76: Address Learning Example (E -> C)

[Figure: C is known; the bridges on the path learn E: E -> 3, E -> 2.]

Page 77: Loop Problems and Resolution

[Figure: LAN 1 and LAN 2 joined by two parallel bridges X and Y; station A on LAN 1 sends a frame to B, and copies of it circulate at t0, t1, t2.]

- Loops provide reliability (a redundant path).
- Loops make frames duplicate.
- Loops make address learning go wrong: each bridge sees A's frame arriving from both LANs and keeps re-learning A on the wrong port.

Page 78: Spanning Tree Example 1

[Figure: LANs 1 to 5 joined by Bridges 1 to 5 with numbered ports (1, 2, 3); the bridging contains loops.]

Page 79: Graph Representation of a BLAN

[Figure: the BLAN drawn as a graph with LANs 1 to 5 and bridges 1 to 5 as nodes (left), and the spanning tree selected from it (right).]

Page 80: Spanning Tree Example 1 (continued)

[Figure: Bridge 1 (ID=10) is the root bridge; Bridges 2 to 5 have IDs 20, 30, 40 and 50; ports are numbered and the loop-free tree over LANs 1 to 5 is marked.]

Page 81: Spanning Tree Algorithm (requirements)

- Each bridge is assigned a unique identifier (8 octets): a programmable priority part (two octets) followed by an address part (six octets, the bridge's MAC address).
- A special group MAC address is reserved for all bridges: 01-80-C2-00-00-00 (a multicast address; in bit transmission order, least significant bit first, its first octets read 10000000-00000001-01000011).
- Each port of a bridge has a unique port identifier.

Page 82: Spanning Tree Algorithm (definitions)

- Root bridge: the bridge with the lowest value of bridge identifier.
- Path cost: for each port, the cost of transmitting a frame onto the LAN attached to that port.
- Root port: for each bridge, the port on the minimum-cost path to the root bridge.
- Root path cost: for each bridge, the cost of the minimum-cost path to the root bridge.
- Designated bridge: for each LAN, the bridge that provides the minimum-cost path to the root bridge; the only bridge allowed to forward frames to and from that LAN.
- Designated port: the port of the designated bridge that attaches it to the LAN. All inter-LAN traffic to and from the LAN passes through the designated port.

Page 83: Spanning Tree Example 2

[Figure: LANs 1 to 5 joined by Bridge 1 (ID=10, ports 1 and 2 with TC=10), Bridge 2 (ID=20, ports 1 and 2 with TC=10), Bridge 3 (ID=30, ports 1 and 2 with TC=5), Bridge 4 (ID=40, ports 1 and 2 with TC=5) and Bridge 5 (ID=50, port 1 with TC=10, ports 2 and 3 with TC=5). TC: transmission cost.]

Page 84: Spanning Tree Example 2 (continued)

[Figure: the result of the algorithm. Bridge 1 (ID=10) is the root bridge with RPC=0; Bridge 2: RPC=10; Bridge 3: RPC=5; Bridge 4: RPC=5; Bridge 5: RPC=10. Each port is marked D (designated port) or R (root port). RPC: root path cost; TC: transmission cost.]

Page 85: Spanning Tree Algorithm

Three steps:

1. Determine the root bridge.
2. Determine the root port on every other bridge.
3. Determine the designated port on each LAN: the port with the minimum root path cost. If two or more bridges have the same root path cost, the highest-priority bridge (lowest identifier) is selected. If the designated bridge has two or more ports attached to this LAN, the port with the lowest port identifier is selected.

Page 86: Bridge Port State Diagram

Blocking -> (selected as a designated or root port) -> Listening -> (after a forward delay time) -> Learning -> (after a forward delay time) -> Forwarding.

From Listening, Learning or Forwarding, a port returns to Blocking when its selection is cancelled.

Page 87: Bridge Protocol Data Unit (BPDU)

(a) Configuration BPDU (35 bytes):
Protocol ID (2) | Version ID (1) | BPDU Type (1) | Flags (1) | Root Bridge ID (8) | Root Path Cost, RPC (4) | Bridge ID (8) | Port ID (2) | Message Age (2) | Time Limit, i.e. Max Age (2) | Hello Time (2) | Forward Delay (2)

(b) Topology Change Notification BPDU (4 bytes):
Protocol ID (2) | Version ID (1) | BPDU Type (1)
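As an added example (not the presentation's code), the two BPDU layouts above encoded and decoded with Python's struct module, together with the comparison the algorithm applies to configuration messages: a BPDU with a lower root ID, then a lower root path cost, then a lower sender bridge ID, then a lower port ID is the better one. The bridge addresses and timer values used below are constructed; the field widths, the 0x00/0x80 type codes and the 1/256-second timer units are those of IEEE 802.1D.

```python
"""Encode/decode IEEE 802.1D Configuration and Topology Change Notification
BPDUs and rank configuration messages the way the spanning tree algorithm does.

Added example for this page, not the presentation's code.  Bridge addresses
and timer values are constructed; field widths and units follow 802.1D."""
import struct
from dataclasses import dataclass
from typing import Tuple, Union

BPDU_GROUP_MAC = "01:80:c2:00:00:00"     # all bridges listen on this group address
CONFIG_FMT = "!HBBBQIQHHHHH"              # 35 bytes, field order as in the deck's figure (a)
TCN_FMT = "!HBB"                          # 4 bytes, figure (b)
TYPE_CONFIG, TYPE_TCN = 0x00, 0x80
FLAG_TC, FLAG_TC_ACK = 0x01, 0x80


def bridge_id(priority: int, mac: str) -> int:
    """8-octet bridge identifier: 2-octet programmable priority + 6-octet MAC."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


@dataclass(frozen=True)
class ConfigBPDU:
    root_id: int
    root_path_cost: int
    sender_id: int
    port_id: int
    message_age: float = 0.0      # seconds
    max_age: float = 20.0
    hello_time: float = 2.0
    forward_delay: float = 15.0
    topology_change: bool = False
    tc_ack: bool = False

    def priority_vector(self) -> Tuple[int, int, int, int]:
        """Lower is better: root ID, root path cost, sender bridge ID, sender port ID."""
        return (self.root_id, self.root_path_cost, self.sender_id, self.port_id)

    def encode(self) -> bytes:
        flags = (FLAG_TC if self.topology_change else 0) | (FLAG_TC_ACK if self.tc_ack else 0)
        t = lambda sec: int(round(sec * 256))              # timers travel in 1/256 s units
        return struct.pack(CONFIG_FMT, 0, 0, TYPE_CONFIG, flags,
                           self.root_id, self.root_path_cost, self.sender_id, self.port_id,
                           t(self.message_age), t(self.max_age),
                           t(self.hello_time), t(self.forward_delay))

    def relayed_by(self, my_id: int, my_port: int, path_cost: int) -> "ConfigBPDU":
        """The message a bridge sends on its designated ports after receiving this
        one on its root port: cost grows by the root port's path cost, the age by
        at least one second, and the sender fields become its own."""
        return ConfigBPDU(self.root_id, self.root_path_cost + path_cost, my_id, my_port,
                          self.message_age + 1.0, self.max_age, self.hello_time,
                          self.forward_delay, self.topology_change, self.tc_ack)


def encode_tcn() -> bytes:
    return struct.pack(TCN_FMT, 0, 0, TYPE_TCN)


def decode(data: bytes) -> Union[ConfigBPDU, str]:
    proto, version, btype = struct.unpack(TCN_FMT, data[:4])
    if proto != 0 or version != 0:
        raise ValueError("not an IEEE 802.1D BPDU")
    if btype == TYPE_TCN:
        return "TCN"
    if btype != TYPE_CONFIG or len(data) < struct.calcsize(CONFIG_FMT):
        raise ValueError("unknown or truncated BPDU")
    (_, _, _, flags, root, rpc, sender, port,
     age, max_age, hello, fwd) = struct.unpack(CONFIG_FMT, data[:35])
    return ConfigBPDU(root, rpc, sender, port, age / 256, max_age / 256,
                      hello / 256, fwd / 256, bool(flags & FLAG_TC), bool(flags & FLAG_TC_ACK))


def better(a: ConfigBPDU, b: ConfigBPDU) -> bool:
    """True if a would replace b as the best information held for a port."""
    return a.priority_vector() < b.priority_vector()
```

A bridge keeps, for each port, the best configuration message it has received; `better` is the comparison that decides whether a newly received BPDU replaces it, and `relayed_by` is what the bridge then transmits on the LANs where it is designated. Nothing in a BPDU is authenticated, so any station that can send to 01-80-C2-00-00-00 can offer a lower root identifier; that is the weakness the STP manipulation attack listed in the outline relies on.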

Page 88: Spanning Tree Algorithm Example

[Figure: Bridges X (ports i with TC=15 and j with TC=10), Y (ports k and l with TC=5) and Z (ports m and n with TC=10) attached to LAN W and other LANs. Each bridge compares the root path costs advertised on its ports (values such as RPC = 20, 25, 30, 35, 38, 40, 45, 48, 53, 58 appear) to choose its root port R and, for LAN W, the designated port D(W). D(W): designated port of LAN W.]

Page 89: Spanning Tree Algorithm Example (continued)

[Figure: the resulting roles around LAN W: ports of Bridges X, Y and Z marked D (designated port) or R (root port).]

Page 90: Spanning Tree Features

- The spanning tree constructed by the IEEE 802.1D algorithm includes, for each bridge, the shortest path (minimum root path cost, RPC) to the root bridge.
- For each LAN, the shortest path (minimum RPC) to the root bridge via the designated bridge is included.
- So the spanning tree is usually not a minimum-cost spanning tree; it is a shortest-path tree rooted at the root bridge.
- The spanning tree of a BLAN (or of a network of switches) is predictable and deterministic: given a BLAN topology (with any loops) and its configuration parameters, the spanning tree can be calculated by hand.
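That the tree can be calculated by hand is easy to check in code. The following added example (not the presentation's code) implements the three steps of page 85 with the tie-breaks given there, over a constructed bridged LAN whose bridge IDs and port costs are chosen to resemble Example 2 on pages 83-84: Bridge 1 (ID 10) with two cost-10 ports, Bridge 2 (ID 20) with two cost-10 ports, Bridges 3 and 4 (IDs 30, 40) with cost-5 ports, and Bridge 5 (ID 50) with ports of cost 10, 5 and 5. Which LAN each port attaches to is an assumption of the example.

```python
"""IEEE 802.1D spanning tree computation: root bridge, root ports, designated
ports and resulting port states for a bridged LAN description.

Added example for this page, not the presentation's code.  The topology below
is constructed; its IDs and port costs resemble the deck's Example 2."""
from typing import Dict, Tuple

Topology = Dict[int, Dict[int, Tuple[str, int]]]   # bridge_id -> {port_id: (lan, path_cost)}

# Constructed bridged LAN: LAN1 and LAN2 hang off Bridge 1; LAN2-LAN4 is doubly
# bridged (Bridges 3 and 4); LAN3 and LAN4 both lead to Bridge 5, closing a loop.
EXAMPLE: Topology = {
    10: {1: ("LAN1", 10), 2: ("LAN2", 10)},
    20: {1: ("LAN1", 10), 2: ("LAN3", 10)},
    30: {1: ("LAN2", 5), 2: ("LAN4", 5)},
    40: {1: ("LAN2", 5), 2: ("LAN4", 5)},
    50: {1: ("LAN3", 10), 2: ("LAN4", 5), 3: ("LAN5", 5)},
}

INF = float("inf")


def spanning_tree(bridges: Topology) -> Dict:
    """Steps 1-3 of the algorithm.  Ties: lower root path cost, then lower
    bridge ID (higher priority), then lower port ID."""
    root = min(bridges)                                   # step 1: lowest bridge identifier
    rpc = {b: (0 if b == root else INF) for b in bridges}
    root_port: Dict[int, int] = {}
    designated: Dict[str, Tuple[float, int, int]] = {}   # lan -> (DPC, bridge, port)
    lans = {lan for ports in bridges.values() for lan, _ in ports.values()}
    for _ in range(len(bridges) * len(lans) + 2):        # relax until nothing changes
        changed = False
        for lan in lans:                                  # step 3: designated port per LAN
            cands = [(rpc[b], b, p) for b, ports in bridges.items()
                     for p, (l, _) in ports.items() if l == lan and rpc[b] < INF]
            if cands and designated.get(lan) != min(cands):
                designated[lan] = min(cands)
                changed = True
        for b, ports in bridges.items():                  # step 2: root port per bridge
            if b == root:
                continue
            cands = [(designated[lan][0] + cost, designated[lan][1], designated[lan][2], p)
                     for p, (lan, cost) in ports.items()
                     if lan in designated and designated[lan][1] != b]
            if not cands:
                continue
            best = min(cands)
            if (best[0], best[3]) != (rpc[b], root_port.get(b)):
                rpc[b], root_port[b] = best[0], best[3]
                changed = True
        if not changed:
            break
    else:
        raise RuntimeError("did not converge")
    # Root and designated ports forward; every other port is left blocking.
    state = {}
    for b, ports in bridges.items():
        for p, (lan, _) in ports.items():
            is_root_port = root_port.get(b) == p
            is_designated = designated[lan][1:] == (b, p)
            state[(b, p)] = "forwarding" if is_root_port or is_designated else "blocking"
    return {"root": root, "rpc": rpc, "root_port": root_port,
            "designated": designated, "state": state}


def after_failure(bridges: Topology, failed_bridge: int) -> Dict:
    """Recompute the tree without one bridge, as in the deck's maintenance examples."""
    return spanning_tree({b: ports for b, ports in bridges.items() if b != failed_bridge})
```

On the constructed topology the result matches the shape of Example 2: Bridge 1 is the root, Bridges 2 and 5 have RPC 10, Bridges 3 and 4 have RPC 5, Bridge 3 beats Bridge 4 for LAN4 on the lower identifier, and port 1 of Bridge 5 and port 2 of Bridge 4 end up blocking. Removing the root (`after_failure(EXAMPLE, 10)`) makes Bridge 2 the new root and reroutes Bridges 3 and 4 through Bridge 5, the recomputation the maintenance examples describe.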

Page 91: Spanning Tree Example 3

[Figure: LANs 1 to 7 joined by Bridges 1 to 8. Bridge 1 (ID=10) is the root bridge with RPC=0; Bridge 2: ID=20, RPC=20; Bridge 3: ID=30, RPC=15; Bridge 4: ID=40, RPC=15; Bridge 5: ID=50, RPC=5; Bridge 6: ID=60, RPC=10; Bridge 7: ID=70, RPC=5; Bridge 8: ID=80, RPC=5. Designated path costs: LAN 1 DPC=20, LAN 2 DPC=10, LAN 3 DPC=0, LAN 4 DPC=5, LAN 5 DPC=5, LAN 6 DPC=0, LAN 7 DPC=5. Ports are marked D (designated) or R (root); port costs are TC=5, 10 or 15.]

Page 92: Spanning Tree Maintenance

- The transmission of configuration information is triggered by the root: once every Hello Time, the root issues a configuration BPDU on all LANs to which it is attached.
- A bridge that receives a configuration BPDU on what it decides is its root port passes that information on to all LANs for which it believes itself to be the designated bridge.
- The result is a cascade of configuration BPDUs throughout the spanning tree.
- A bridge may detect a change in the spanning tree topology. A Topology Change Notification (TCN) BPDU is then reliably relayed up the new spanning tree to the root bridge, bridge by bridge.
- The root sets the Topology Change flag in all configuration messages it transmits for some time.

Page 93: Spanning Tree Maintenance Example 1

[Figure: the Example 3 topology before the failure (same bridge IDs, RPCs, DPCs and port roles as on page 91), with Bridge 6 (ID=60) marked as the bridge about to fail and the new designated path costs 15 and 25 noted.]

Page 94: Spanning Tree Maintenance Example 1 (continued)

- Assume Bridge 60 fails. The Hello BPDUs sent from the root bridge through Bridge 60 are no longer forwarded onto LAN 2.
- Bridges 30 and 40 on LAN 2 each time out, which tells them that the designated bridge of LAN 2 (Bridge 60) is gone.
- Each then tries to become the designated bridge of LAN 2 by sending a configuration BPDU.
- Assume Bridge 40 sends its BPDU first, with RPC = 15.
- Bridge 30 then answers with its own BPDU, also with RPC = 15; it has the higher priority (same RPC, smaller ID).
- After two forward delays (Listening, then Learning), Bridge 30 becomes the new designated bridge of LAN 2, and the DPC of LAN 2 becomes 15.

Page 95: Spanning Tree Maintenance Example 1 (continued)

- The DPC of LAN 1 also changes, from 20 to 25, because Bridge 20 now reaches the root through LAN 2 at the higher cost.
- Bridge 30 then sends a Topology Change Notification (TCN) BPDU toward the root bridge.
- The root sets the Topology Change flag in all configuration messages it transmits for some time.

Page 96: Final configuration of example 1

[Figure: the tree after Bridge 6 (ID=60) has failed: Bridge 3 (ID=30) is the designated bridge of LAN 2 with DPC=15, LAN 1 has DPC=25, and Bridge 6 no longer takes part. The other LANs are unchanged: LAN 3 DPC=0, LAN 4 DPC=5, LAN 5 DPC=5, LAN 6 DPC=0, LAN 7 DPC=5.]

Page 97: Spanning Tree Maintenance Example 2

[Figure: the Example 3 topology before LAN 3 fails (bridge IDs, RPCs and DPCs as on page 91). The ports attached to LAN 3 are marked, and the root path costs that will result from the failure are noted: 0 for Bridge 50 (the new root of the cut-off part) and 25 for Bridges 30 and 40.]

Page 98: Layer 2 Network Security

Spanning Tree Maintenance Example 2

Assume LAN 3 faults. Then all the Hello BPDUs sent from the root bridge to LAN 3 are lost. All the ports connected to LAN 3, including port 2 of bridge 30, port 2 of bridge 40, port 1 of bridge 50, and port 1 of bridge 80, change from the “forwarding” state to the “blocked” state.

None of these bridges now has an “R” port (root port), so each of them tries to become a root bridge.

Bridges 30 and 40 can still receive the Hello BPDU on port 1, so they change their root port to port 1.

Page 99: Layer 2 Network Security

Spanning Tree Maintenance Example 2

Bridges 50 and 80 exchange BPDUs to compete for the new root, following the STP protocol.

Assume bridge 80 sends the BPDU first with RPC = 0.

Then bridge 50 returns another BPDU with RPC = 0, since its priority is higher than bridge 80's (smaller ID).

After two forwarding delays, bridge 50 becomes the new root bridge and port 1 of bridge 80 becomes a root port.

Finally, we have two separate (disconnected) spanning trees.
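Both maintenance examples apply the same BPDU comparison rule: root ID first, then root path cost, then the sender's bridge ID, then the sender's port ID, with the smaller value winning. The following is an added example, not code from the lecture slides, that encodes that rule in Python and reproduces the two elections with the slides' numbers; the `Bpdu` class and the helper names are my own.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Bpdu:
    """Configuration BPDU fields in IEEE 802.1D comparison order (smaller wins)."""
    root_id: int         # bridge ID the sender believes is the root
    root_path_cost: int  # sender's RPC to that root
    bridge_id: int       # sender's own bridge ID (first tie-breaker)
    port_id: int = 1     # sender's port number (last tie-breaker)


def elect_designated(candidates):
    """Winner of a designated-bridge contest on one LAN: the best BPDU heard.
    Tuple ordering makes an equal RPC fall through to the smaller bridge ID."""
    return min(candidates)


def choose_root(own_id, heard):
    """Root ID a bridge adopts: the smallest among its own ID and the root IDs
    in the BPDUs it still hears. A bridge that hears nothing claims to be root."""
    return min([own_id] + [b.root_id for b in heard])


def example_1():
    # Bridge 60 has failed; bridges 30 and 40 contend for LAN 2, both with RPC = 15.
    bpdu_40 = Bpdu(root_id=10, root_path_cost=15, bridge_id=40)
    bpdu_30 = Bpdu(root_id=10, root_path_cost=15, bridge_id=30)
    winner = elect_designated([bpdu_40, bpdu_30])
    # (30, 15): bridge 30 is the new designated bridge and LAN 2's DPC becomes 15
    return winner.bridge_id, winner.root_path_cost


def example_2():
    # LAN 3 has failed; bridges 50 and 80 hear no root and each claims to be root.
    bpdu_80 = Bpdu(root_id=80, root_path_cost=0, bridge_id=80)
    bpdu_50 = Bpdu(root_id=50, root_path_cost=0, bridge_id=50)
    new_root = elect_designated([bpdu_80, bpdu_50]).bridge_id
    # Bridge 30 still hears the original root on port 1 (LAN 1, DPC 20, sent by
    # bridge 20), so it keeps root 10: the network splits into two trees.
    heard_by_30 = [Bpdu(root_id=10, root_path_cost=20, bridge_id=20)]
    return new_root, choose_root(30, heard_by_30)   # (50, 10)


if __name__ == "__main__":
    print("example 1:", example_1())
    print("example 2:", example_2())
```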

Page 100: Layer 2 Network Security

Final configuration of example 2

[Figure: two disconnected spanning trees after LAN 3 fails. Root Bridge 1 (ID=10, RPC=0); Bridge 8 (ID=80, RPC=5); Bridge 3 (ID=30, RPC=25); Bridge 4 (ID=40, RPC=25); Bridge 5 (ID=50, RPC=0, root of the second tree); Bridge 2 (ID=20, RPC=20); Bridge 7 (ID=70, RPC=5); Bridge 6 (ID=60, RPC=10). LAN 1, DPC = 20; LAN 2, DPC = 10; LAN 3 (failed); LAN 4, DPC = 0; LAN 5, DPC = 5; LAN 6, DPC = 0; LAN 7, DPC = 5. Port roles D (designated) and R (root); port costs TC = 5, 10, 15.]

Page 101: Layer 2 Network Security

STP Manipulation Attack

The attacker poses as the root bridge in order to receive frames and initiate a man-in-the-middle attack.

The attacker also sends STP Configuration / Topology Change Notification (TCN) BPDUs continuously, forcing all the bridges in the STP to recalculate the STP paths. Each recalculation may take 30-45 seconds. This is a kind of DoS (Denial of Service) attack.

In the example, switch A is the root bridge, and switches A and B exchange frames directly.

Page 102: Layer 2 Network Security

STP Manipulation Attack

The attacker broadcasts STP topology change BPDUs claiming that it has the highest priority.

All switches then treat the attacker as the new root bridge and recalculate the STP paths, so that the frames between switches A and B are forwarded through the attacker.

The attacker is now able to receive the frames or execute the man-in-the-middle attack.
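From the defender's side, the two behaviours above (a superior root claim arriving on a port where no root should be, and a continuous stream of TCNs) are exactly what BPDU Guard, Root Guard and a TCN rate limit look for. The following is an added example, not from the slides, that applies those three checks to a constructed stream of already-decoded BPDUs; the port names, the known root ID 10 and the thresholds are assumptions.

```python
from collections import deque

KNOWN_ROOT_ID = 10                   # assumed: bridge ID the operator made root
EDGE_PORTS = {"Gi1/0/5", "Gi1/0/6"}  # assumed: ports that face end stations only
TCN_LIMIT, TCN_WINDOW = 5, 10.0      # assumed: >5 TCNs in 10 s from one MAC is a flood


def inspect_bpdus(events):
    """Classify received BPDUs the way BPDU Guard, Root Guard and a TCN rate
    limit would. Each event is a dict: t (seconds), port, src_mac,
    kind ('config' or 'tcn') and, for config BPDUs, the claimed root_id."""
    alerts = []
    recent_tcn = {}                  # src_mac -> deque of recent TCN timestamps
    for e in events:
        if e["port"] in EDGE_PORTS:
            # BPDU Guard: an end-station port must never see any BPDU at all.
            alerts.append(("bpdu_guard", e["port"], e["src_mac"]))
            continue
        if e["kind"] == "config" and e["root_id"] < KNOWN_ROOT_ID:
            # Root Guard: a superior root claim on a port that cannot lead to the root.
            alerts.append(("root_guard", e["port"], e["src_mac"]))
        elif e["kind"] == "tcn":
            q = recent_tcn.setdefault(e["src_mac"], deque())
            q.append(e["t"])
            while q and e["t"] - q[0] > TCN_WINDOW:
                q.popleft()          # forget TCNs older than the window
            if len(q) > TCN_LIMIT:
                alerts.append(("tcn_flood", e["port"], e["src_mac"]))
                q.clear()            # report once per burst
    return alerts


# Constructed sample: the real uplink BPDU, a root claim on an access port,
# a burst of seven TCNs from one trunk neighbour, then a root claim on a trunk.
SAMPLE = [
    {"t": 0.0, "port": "Gi1/0/1", "src_mac": "00:11:22:33:44:01", "kind": "config", "root_id": 10},
    {"t": 1.0, "port": "Gi1/0/5", "src_mac": "de:ad:be:ef:00:01", "kind": "config", "root_id": 1},
] + [
    {"t": 2.0 + 0.5 * i, "port": "Gi1/0/2", "src_mac": "00:11:22:33:44:02", "kind": "tcn"}
    for i in range(7)
] + [
    {"t": 6.0, "port": "Gi1/0/3", "src_mac": "de:ad:be:ef:00:02", "kind": "config", "root_id": 1},
]

if __name__ == "__main__":
    for alert in inspect_bpdus(SAMPLE):
        print(alert)
```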

Page 103: Layer 2 Network Security

CAM Table Overflow Attack

For each switch there is a table (Forwarding Table) that records all the learned MAC addresses of the broadcast domain in which the switch is located.

For fast MAC address lookup, the table is built from CAM (Content Addressable Memory), which compares the MAC address in the received frame against all the MAC addresses in the table in parallel.

For an L2 switch, the CAM is a binary CAM, which provides exact matching. Each bit in the table is either 0 or 1.

For an L3 switch, the CAM is a ternary CAM (TCAM), which provides longest-prefix matching. Each bit in the table can be 0, 1, or x (don't care).

The CAM table size of an L2 switch is usually designed as 4K or 8K entries, according to the size of a broadcast domain.

Initially, the CAM table is empty. Each time a frame is received, the SMAC (source MAC) address of the frame is learned into the table together with the incoming port.

Page 104: Layer 2 Network Security

CAM Table Overflow Attack

When a frame is received from port x, the DMAC (destination MAC) address of the frame is used to look up the CAM table. If the DMAC is found with port x, the frame is filtered. If the DMAC is found with port y, the frame is forwarded to port y. Otherwise, the frame is forwarded to all the other ports belonging to the spanning tree (except port x).

The CAM table attack fills the whole CAM table with random (or wrong) MAC addresses, so that every incoming frame is broadcast (lookup failure).

The attacker achieves this by periodically sending frames (say 4K or 8K of them) with random source MAC addresses.

The CAM table is then permanently overflowed, and the attacker can receive all the frames sent through the attacked switch.
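As an added illustration (not code from the slides), here is a small Python model of the learning and lookup rule just described, with a bounded CAM that evicts its oldest entry when full, alongside the usual mitigation of a per-port MAC limit (port security) that shuts a port down when exceeded. The CAM size of 64 and the port numbers are constructed for the demo.

```python
from collections import OrderedDict


class Switch:
    """Toy learning switch: a bounded CAM (MAC -> port) applying the lookup rule
    above, plus an optional per-port MAC limit (port security) as mitigation."""
    FLOOD = "flood"

    def __init__(self, ports, cam_size=8192, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam = OrderedDict()          # MAC -> port, oldest entry first
        self.cam_size = cam_size
        self.max_per_port = max_macs_per_port
        self.err_disabled = set()         # ports shut down after a violation

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)     # refresh the entry's ageing position
            self.cam[mac] = port
            return
        if self.max_per_port is not None:
            if sum(1 for p in self.cam.values() if p == port) >= self.max_per_port:
                self.err_disabled.add(port)   # violation: shut the port, learn nothing
                return
        if len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)  # table full: the oldest entry is evicted
        self.cam[mac] = port

    def receive(self, in_port, src_mac, dst_mac):
        """Return the output port, Switch.FLOOD, or None (filtered or port disabled)."""
        if in_port in self.err_disabled:
            return None
        self._learn(src_mac, in_port)
        out = self.cam.get(dst_mac)
        if out is None:
            return self.FLOOD             # lookup failure: forward to all other ports
        return None if out == in_port else out


def overflow_demo(port_limit=None):
    """Learn a real station on port 3, then push more distinct source MACs into
    port 1 than the CAM holds; report where a later frame for the station goes."""
    sw = Switch(ports=[1, 2, 3], cam_size=64, max_macs_per_port=port_limit)
    sw.receive(3, "aa:aa:aa:00:00:01", "ff:ff:ff:ff:ff:ff")   # station announces itself
    for i in range(100):                                     # constructed flood on port 1
        sw.receive(1, "02:00:00:00:00:%02x" % i, "02:ff:ff:ff:ff:ff")
    return sw.receive(2, "bb:bb:bb:00:00:02", "aa:aa:aa:00:00:01"), sorted(sw.err_disabled)
```

Without a limit the station's entry is evicted and the frame for it is flooded to every port; with `max_macs_per_port=1` the flooding port is disabled after its second address and the frame is delivered only to port 3.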

Page 105: Layer 2 Network Security


CAM Table Overflow Attack

Page 106: Layer 2 Network Security

MAC Table Overflow (MTO) vulnerability

Any host connected to the LAN segment can easily launch an MTO attack by sending frames with a non-existent destination MAC address and a randomly generated source MAC address.

The MAC table of the switch to which the attacking host connects is then overwritten by the random source MAC addresses, and the MAC table overflows.

Since the destination MAC address of the attacking frames does not exist, the attacking frames are forwarded to all the switches of the LAN segment.

This means that the MAC table overflow propagates to all the switches in a very short period.

When this happens, all the frames in the LAN segment are broadcast to all switch ports.

Consequently, the switch-based LAN degrades to a bus-based LAN. This exposes two serious problems: lower effective bandwidth (broadcast model) and information leakage (packets broadcast).

Page 107: Layer 2 Network Security

MAC Table Overflow (MTO) vulnerability

With the MTO attack, the LAN speed can be slowed down dramatically, and the attacker can easily eavesdrop on all the packets transmitted within the LAN segment.

Even worse, an end user might only feel that the network is slower, and may not know that his/her critical information is being stolen by an unauthorized attacker.

To see how fast the MTO attack propagates within a LAN segment, an experimental test with three Cisco 2950 switches is designed.

The MAC table size of each switch is 8K entries. There are two pairs of FTP server and client: one pair (with client B) connects to switch 3 and the other pair (with client A) connects to switch 1, where the MTO attacker also connects.

Page 108: Layer 2 Network Security

MAC Table Overflow (MTO) vulnerability

[Figure: Test environment of MTO attack with three switches. Switch 1, Switch 2 and Switch 3 are connected; Switch 1 hosts an FTP server, Client A & Sniffer, and the MTO Attacker; Switch 3 hosts an FTP server and Client B & Sniffer.]

Page 109: Layer 2 Network Security

MAC Table Overflow (MTO) vulnerability

The download speeds of clients A and B are impacted by MTO attacks.

Initially, both clients A and B receive the files at a 70 Mbps data rate.

The 1st MTO attack with 1000 frames was launched at around the 21st second; we can see that the download speed of client A was reduced and began to oscillate, but that of client B was not affected at all.

Then the 2nd MTO attack with 3000 frames was launched at around the 105th second. We can see that the download speed of client A was more seriously impacted (larger oscillation), and that of client B was impacted slightly.

Last, an MTO attack with 10000 frames was generated at around the 273rd second. We can see that both clients A and B were seriously impacted.

Even after the attack was stopped, the oscillation remained for a few minutes.

Page 110: Layer 2 Network Security

MAC Table Overflow (MTO) vulnerability

[Figure: (a) Bandwidth impact of client A; (b) Bandwidth impact of client B. Axes: Time (s) from 0 to 378 in 21 s steps; Bandwidth (Mbps) from 0 to 80. Attack markers: 1000 frames, 3000 frames, 10000 frames.]

Page 111: Layer 2 Network Security

MAC Table Overflow (MTO) vulnerability

The learning-caching rate (LCR) of a switch is the upper limit on the speed at which source addresses can be learned (packets per second, pps).

For a switch with LCR = N, the switch is unable to learn all the source addresses if the packet input rate is larger than N.

The MTO attacker can use this property to achieve the attack goal with only a small amount of bandwidth.

Thus, the MTO attacker only needs to generate N packets per second to overflow the MAC table.

For example, most switches have N = 8K (the MAC table size). Then the attacker can generate 8K pps of short 64-byte packets with randomized source addresses (a total bandwidth of 8192 x 64 x 8 = 4 Mbps) to achieve the MTO attack.

Page 112: Layer 2 Network Security

MAC Table Overflow (MTO) vulnerability

To see how this attack impacts the amount of leaked traffic, an experiment is conducted.

Four switches S1, S2, S3 and S4 are connected, and each switch connects 20 clients. Each client downloads files from an FTP server at a rate of 2 Mbps.

The 20 clients of S1 download from the left FTP server and the other 60 clients download from the other FTP server.

The MTO attacker connects to S1, generates the attack packets at 4 Mbps, and also receives the packets arriving on its port.

Five attacks are launched by the MTO attacker, one per second.

Before attacking, the MTO attacker is not able to receive any FTP download packets, as they are not destined to it.

The first attack was launched at the 1st second, and the 4 Mbps (N = 8192) attack packets just overflow the MAC table of S1. The attacker now starts to receive the leaked “broadcast” packets of S1.

Page 113: Layer 2 Network Security

MAC Table Overflow (MTO) vulnerability

[Figure: Information Leakage test environment with four switches. Switch 1 (20 Clients at 2M each, MTO Attacker & Sniffer), Switch 2 (20 Clients), Switch 3 (20 Clients), Switch 4 (20 Clients), and two FTP servers.]

Page 114: Layer 2 Network Security

MAC Table Overflow (MTO) vulnerability

At the 2nd second, the attacker launched the 2nd attack, having already received 30 Mbits of packets. This attack causes both the MAC tables of S1 and S2 to overflow, which means the packets downloaded by the clients of S2 are forwarded to and received by the attacker.

At the 3rd second, the attacker had received an additional 50 Mbits of packets during the last second. At the same time, the attacker generated the 3rd attack. This causes all the MAC tables of S1 to S3 to overflow, which means the packets downloaded by the clients of S3 are forwarded to S2 and S1 and finally received by the attacker.

The attacker fired the 4th and 5th attacks at the 4th and 5th second respectively, and we can see that at the 5th second the attacker is able to receive leaked traffic at a rate of 100 Mbps, the upper bound of Fast Ethernet.

Page 115: Layer 2 Network Security

MAC Table Overflow (MTO) vulnerability

This experiment shows that by using a small bandwidth (not easy to detect), the attacker is able to spread the MTO attack to the entire network in a very short period and, most importantly, easily steals a large amount of traffic.

[Figure: The leak of data. Axes: Time (s) from 0 to 5; Bandwidth (Mbps) from 0 to 120.]

Page 116: Layer 2 Network Security

MAC address Spoofing Attack

The MAC address spoofing attack tries to intercept the frames sent to a target station (say MACy).

The attacker sends a frame (on port x) with a spoofed source MAC address equal to that of the target station (MACy). This forces the switch to learn that MACy belongs to port x. Then all the frames sent to MACy are forwarded to port x, where the attacker is connected.

The interception fails as soon as the target station sends a frame again, so the attacker needs to send the spoofed frame periodically.
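Because the spoofed frame has to be repeated, the switch keeps re-learning MACy on alternating ports, and that flapping is the observable symptom on the defender's side. The following added example (not part of the slides) flags such MAC moves in a constructed, time-ordered list of learning events; the move threshold, window and port numbers are assumptions.

```python
from collections import defaultdict, deque


def detect_mac_flaps(events, moves=3, window=30.0):
    """Flag MACs whose learned port changes at least `moves` times within
    `window` seconds. Events are (t_seconds, mac, port) learning notifications
    in time order. Returns {mac: [port_a, port_b]} for each flapping MAC."""
    last_port = {}
    move_times = defaultdict(deque)
    flagged = {}
    for t, mac, port in events:
        prev = last_port.get(mac)
        last_port[mac] = port
        if prev is None or prev == port:
            continue                      # first sighting or no move: nothing to do
        q = move_times[mac]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()                   # forget moves older than the window
        if len(q) >= moves:
            flagged[mac] = sorted({prev, port})
    return flagged


# Constructed sample: the station on port 7 keeps being re-learned on port 12
# every two seconds, while another station moves once (a laptop re-docked).
SAMPLE = [
    (0.0, "aa:bb:cc:00:00:01", 7),
    (1.0, "aa:bb:cc:00:00:09", 3),
    (2.0, "aa:bb:cc:00:00:01", 12),
    (4.0, "aa:bb:cc:00:00:01", 7),
    (5.0, "aa:bb:cc:00:00:09", 4),
    (6.0, "aa:bb:cc:00:00:01", 12),
    (8.0, "aa:bb:cc:00:00:01", 7),
]

if __name__ == "__main__":
    print(detect_mac_flaps(SAMPLE))       # {'aa:bb:cc:00:00:01': [7, 12]}
```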

Page 117: Layer 2 Network Security


MAC address Spoofing Attack

Page 118: Layer 2 Network Security

DHCP Starvation Attack

In the DHCP starvation attack, the attacker poses as a DHCP server to allocate the IP addresses, and informs all the stations that it is the default gateway.

The attacker sends a lot of DHCP requests (with spoofed source MAC addresses) to the DHCP server to obtain all the available IP addresses. The real DHCP server is then unable to provide further service, as it has no IP addresses left.

The attacker then acts as a new DHCP server to allocate the IP addresses, and announces itself as the default gateway.

All the frames sent to other LANs are then forwarded to the attacker first. The attacker can initiate a man-in-the-middle attack.
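The starvation step and the rogue-server step above leave distinct traces that DHCP snooping checks for: many DISCOVERs with fresh client hardware addresses on one access port, a mismatch between the Ethernet source and the DHCP client address, and OFFER/ACK messages arriving on a port that should only carry clients. This added example, not from the slides, applies those checks to a constructed list of decoded DHCP messages; the trusted port name and the thresholds are assumptions.

```python
from collections import defaultdict

TRUSTED_PORTS = {"Gi1/0/24"}   # assumed: the uplink toward the legitimate DHCP server
DISCOVER_LIMIT = 10            # assumed: >10 distinct client MACs per port per window
WINDOW = 5.0                   # seconds


def inspect_dhcp(events):
    """Apply DHCP-snooping style checks to decoded DHCP messages. Each event is
    (t, port, src_mac, chaddr, msg) with msg in DISCOVER/OFFER/REQUEST/ACK.
      rogue_server    : OFFER or ACK arriving on an untrusted port
      chaddr_mismatch : Ethernet source differs from the DHCP client address
      starvation      : too many distinct chaddr values asking on one port"""
    alerts = []
    seen = defaultdict(dict)   # port -> {chaddr: last time seen}
    for t, port, src_mac, chaddr, msg in events:
        if port in TRUSTED_PORTS:
            continue           # server-side port: server messages are expected here
        if msg in ("OFFER", "ACK"):
            alerts.append(("rogue_server", port, src_mac))
            continue
        if msg != "DISCOVER":
            continue
        if src_mac != chaddr:
            alerts.append(("chaddr_mismatch", port, src_mac))
        table = seen[port]
        table[chaddr] = t
        for stale in [m for m, ts in table.items() if t - ts > WINDOW]:
            del table[stale]   # forget clients that stopped asking
        if len(table) > DISCOVER_LIMIT:
            alerts.append(("starvation", port, len(table)))
            table.clear()      # report once per burst
    return alerts


# Constructed sample: twelve DISCOVERs from fresh MACs on one access port, one
# normal client, the real server's OFFER on the uplink, then an OFFER from the
# same access port that did the flooding.
SAMPLE = [(0.1 * i, "Gi1/0/7", m, m, "DISCOVER")
          for i, m in enumerate("02:00:00:00:00:%02x" % k for k in range(12))]
SAMPLE += [
    (2.0, "Gi1/0/3", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:01", "DISCOVER"),
    (2.5, "Gi1/0/24", "00:50:56:00:00:01", "aa:bb:cc:dd:ee:01", "OFFER"),
    (3.0, "Gi1/0/7", "02:00:00:00:00:00", "aa:bb:cc:dd:ee:01", "OFFER"),
]

if __name__ == "__main__":
    for alert in inspect_dhcp(SAMPLE):
        print(alert)
```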

Page 119: Layer 2 Network Security


DHCP Starvation Attack

Page 120: Layer 2 Network Security

Spanning Tree Example 2

[Figure: topology for Example 2 (TC: Transmission Cost). Bridge 1 (ID=10), Bridge 2 (ID=20), Bridge 3 (ID=30), Bridge 4 (ID=40), Bridge 5 (ID=50); LAN 1 to LAN 5; port costs TC = 5, 10, 20.]

Page 121: Layer 2 Network Security

Spanning Tree Example 2

[Figure: second diagram of Example 2 (TC: Transmission Cost). Bridge 1 (ID=10), Bridge 2 (ID=20), Bridge 3 (ID=30), Bridge 4 (ID=40); LAN 1 to LAN 3; port costs TC = 5, 10, 20.]

Page 122: Layer 2 Network Security

Spanning Tree Example 3

[Figure: topology for Example 3. Bridge 1 (ID=10), Bridge 2 (ID=20), Bridge 3 (ID=30), Bridge 4 (ID=40), Bridge 5 (ID=50), Bridge 6 (ID=60), Bridge 7 (ID=70), Bridge 8 (ID=80); LAN 1 to LAN 7; port costs TC = 5, 10, 15.]

Page 123: Layer 2 Network Security

[Figure: VLAN topology. Hosts (H) attach to VLAN-aware bridges (VAB) in VLAN A, VLAN B and VLAN C over Access Links; the bridges interconnect over Trunk Links and a Hybrid Link, with a Spanning Tree across the bridges. VAB: VLAN Aware Bridge]