Layer 2 Network Security

Outline How Layer 2 Switches Work ? Virtual LAN Security IEEE 802.1Q : Virtual Bridged LANs VLAN hopping Spanning Tree Security IEEE 802.1D: Spanning Tree Algorithm STP manipulation CAM table overflow MAC address spoofing DHCP starvation

How Layer 2 Switches Work? A Layer 2 switch uses a store-and-forward scheme to forward or filter incoming frames. MAC address learning (filtering database): the source MAC of every frame is recorded against the port it arrived on. MAC address lookup engine: forward the frame out port x if the destination MAC is found in the filtering database on port x (filter it if x is the ingress port); otherwise flood it to all other ports. Multicast and broadcast frames are flooded to all other ports. Ether-switch architecture with a switching fabric built from ASICs: each pair of Ethernet ports can carry a transmission simultaneously. Wire-speed design: Gbps, 10 Gbps, 100 Gbps, ... Plug-and-play. Are L2 switches secure? Learning, flooding and plug-and-play are exactly the behaviours the attacks in this talk abuse.

Ethernet Switch ASIC (24+4) Typical Architecture for Ethernet Switch ASIC (24+4)

8-Port Gigabit Ethernet Switch ASIC Typical Architecture for Ethernet Switch ASIC (8 GE)

Security Issues for L2 Switch VLAN hopping attack STP manipulation attack CAM table overflow attack MAC address spoofing attack DHCP starvation attack

Virtual Bridged LANs (IEEE 802.1Q)

VLAN Topology (figure): VLAN-aware bridges (VAB), 802.1D bridges (B) and hosts (H) in VLAN A, VLAN B and VLAN C, joined by access links, a trunk link and a hybrid link; an 802.1D BLAN hangs off an access link, and a single spanning tree spans the whole bridged LAN.

Overview of Virtual LAN Virtual LAN Services in Bridged LANs. Forwarding Process required to support VBLANs. Filtering Database needed to support VBLANs. Protocols and Procedures required to provide VLAN services and distribute the VLAN membership information. Management services and Operations required to configure and administer VBLANs.

VLAN Aims and Benefits: Easy administration of logical groups of stations, including moves, adds, and changes of group members. Traffic between VLANs is isolated at layer 2 and must pass through a router (or layer-3 switch), where it can be firewalled. The propagation of multicast and broadcast traffic is confined to the VLAN. Supported over shared and point-to-point media. Each VLAN is uniquely identified by a VLAN ID (VID). Compatibility with existing bridges/switches and stations is maintained. In the absence of VLAN configuration, bridges work plug-and-play as one VLAN.

VLAN Architecture Overview, based on a 3-level model: Configuration (MIBs); Distribution/Resolution (declaration protocols, request/response protocols); Relay (ingress rules, forwarding rules, egress rules).

Configuration The VLAN configuration is specified in the first place. Assignment of VLAN configuration.

Virtual LANs Technologies Port-based VLAN MAC-based VLAN IP-subnet based VLAN Layer-3 Protocol based VLAN

Port-based Virtual LANs (figure): three bridges/switches with ports 1-12; each port is statically assigned to VLAN 1, VLAN 2 or VLAN 3.

MAC-based Virtual LANs (figure): ports 1-16 across Bridge/Switch 1-3; stations are assigned to VLAN 1-4 by their MAC address, independent of the port they use.

MAC-based Virtual LANs, MAC5 moves (figure): station MAC5 moves from port 5 on Bridge/Switch 1 to a port on Bridge/Switch 3 and keeps its VLAN membership, since membership follows the MAC address rather than the port.

IP Subnet-based Virtual LANs (figure): ports 1-16 across three bridges/switches, with hosts from each subnet on every switch. VLAN 1 = IP subnet 140.114.76, VLAN 2 = IP subnet 140.114.77, VLAN 3 = IP subnet 140.114.78.

Layer-3 Protocol based Virtual LANs (figure): ports 1-16 across three bridges/switches; VLAN 1 carries the IPX stations, VLAN 2 carries the IP stations.

Distribution: distribute the information bridges need to determine on which VLAN a given frame should be forwarded. Two approaches exist: declaration protocols that distribute VLAN associations among bridges (GVRP, the GARP VLAN Registration Protocol, distributes membership information), and request/response protocols that set a specific VLAN association on request (SNMP against the bridge MIB).

Relay Mapping received frames to VLANs: determined by a set of ingress rules. Where received frames should be forwarded: determined by a set of forwarding rules. Mapping frames for output Ports and format (tagged or untagged): determined by a set of egress rules. VLAN frame format to carry VLAN IDs (VIDs). The procedure to tag frames, modify tagged frames, and untag frames.

Relay: the port-based approach specifies ingress, forwarding and egress rules based on VLAN membership, which allow bridges to: classify every received untagged frame as belonging to a particular VLAN (the port's PVID, Port VID); recognize the VID carried by received tagged frames; use this VID for forwarding and filtering; transmit frames in tagged or untagged format, as defined for a given port/VLAN pairing.

Frame Tagging. Implicit tagging: a frame is classified to a particular VLAN based on its content (MAC address, Layer 3 protocol ID, etc.) and/or the receiving port. Explicit tagging: the frame carries an explicit identification of the VLAN to which it belongs. Tagged frame layout: DA, SA, Tag (VLAN ID), PT, C-Data (N bytes, 46 <= N <= 1496), FCS.

Ingress Rules/Egress Rules: each received frame is classified as belonging to exactly one VLAN by associating a VID with it. Explicit tagging: the VID value the tag carries. Implicit tagging: the PVID associated with the port on which it was received. A frame is filtered (not transmitted) on any outgoing port that is not present in the Member Set of its VLAN.

Port-Based VLAN Definitions. VLAN-aware devices understand VLAN membership and the VLAN frame format; VLAN-unaware devices do not. An Access Link is a LAN segment used to multiplex one or more VLAN-unaware devices into a port of a VLAN bridge. All frames on an access link are implicitly tagged; no VLAN-tagged frames appear on an access link. It is viewed as being on the edge of the network and can attach other 802.1D-conformant bridges (a BLAN).

Definitions. A Trunk Link is a LAN segment used to multiplex VLANs between VLAN bridges. All devices connected to a trunk link must be VLAN-aware, and all frames on it (including end-station frames) are explicitly tagged with a VLAN ID. A Hybrid Link is a LAN segment that has both VLAN-aware and VLAN-unaware devices. There can be a mix of tagged and untagged frames, but they must belong to different VLANs.

VLAN Topology (figure, repeated): VLAN-aware bridges (VAB), 802.1D bridges (B) and hosts (H) in VLAN A, VLAN B and VLAN C on access, trunk and hybrid links, with the 802.1D BLAN and the spanning tree as before.

Rules for Tagging Frames. For each VLAN, all frames traversing a particular hybrid link must be tagged the same way: all implicitly tagged, or all carrying the same explicit tag. A mix of implicitly and explicitly tagged frames is allowed, but they must belong to different VLANs. In the topology above, all frames for VLANs A and B are explicitly tagged on the hybrid link, all frames for VLAN C on the hybrid link are implicitly tagged, and on the trunk link all frames are tagged.

Spanning Tree Eliminate loops in a bridged LAN. Improve scalability in a large network. Spanning tree formed in a virtual LAN environment need not be identical to the topology of the VLAN(S). Each VLAN may be overlaid on different segments or entirely separate from each other. All VLANs are aligned along the Spanning Tree from which they are formed. A VLAN is defined by a subset of the Spanning Tree. The topology of the VLAN is dynamic.

Bridge Operation A Bridge filters frames to ensure that traffic destined for a given VLAN is forwarded only on segments (ports) that form a path to members of that VLAN. For each VLAN, the bridge needs to keep: Member set (Port IDs) Untagged set (Port IDs)

Address Learning: Shared VLAN Learning (SVL) or Independent VLAN Learning (IVL). In most cases SVL and IVL produce the same result, but in the special cases that follow the learning mode of the bridge matters.

IVL Example -- Multiple Independent VLANs. A server (Bridge-Router, or Connector) connects multiple independent VLANs. The Connector and the stations are VLAN-unaware (untagged). The Connector does not run the spanning tree algorithm (otherwise one of its two links into the VLAN bridge would be blocked). Traffic VLAN Red (A) <--> VLAN Blue (B) must be delivered through the Connector (where it is firewalled). The filtering databases must be independent; otherwise MAC A (B) is learned alternately from ports 1 and 4 (2 and 3), and frames from A (B) to B (A) are delivered the wrong way.

IVL Example -- Multiple Independent VLANs (figure): VLAN Bridge with ports 1-4; PVID of port 1 = Red, port 2 = Blue, port 3 = Red, port 4 = Blue. Member set: Red = ports 1,3; Blue = ports 2,4. Untagged set: Red = ports 1,3; Blue = ports 2,4. Station A on port 1, station B on port 2; the Bridge-Router's ports X and Y attach to ports 3 and 4. Red filtering DB: A = port 1, B = port 3. Blue filtering DB: A = port 4, B = port 2. Correct paths for A -> B and B -> A through the Bridge-Router.

If SVL is used for this case (figure): same member and untagged sets, but one shared filtering DB (Red, Blue) that ends up holding A = port 4 and B = port 3, because each address was last learned when the Connector relayed its frame back in on the other VLAN. A frame from B to A is sent to port 4, comes back from the Connector on port 3 (Red), and is then looked up as A = port 4, which is not a Red port, so it never reaches port 1. Incorrect path for B -> A.

IVL Example (2) -- Multiple Independent VLANs Server (Bridge-Router, or Connector) connecting multiple independent VLANs. Server is VLAN aware (tagging frames) and stations are VLAN unaware. VLAN Red : A <--> Server VLAN Blue : B <--> Server The Filtering databases should be independent. Otherwise, MAC A(B) will be learned from different ports alternatively. The frames from server with tag Blue or Red may be filtered.

IVL Example (2) -- Multiple Independent VLANs (figure): VLAN-aware Bridge-Router on port 3 (PVID = Discard, tagged frames only), station A on port 1 (PVID Red) and station B on port 2 (PVID Blue). Member set: Red = ports 1,3; Blue = ports 2,3. Untagged set: Red = port 1; Blue = port 2. Red DB: A = port 1, B = port 3. Blue DB: A = port 3, B = port 2. The Bridge-Router's own database sees A and B on its port 1.

If SVL is used for this case (figure): one shared filtering DB (Red, Blue) in which A flips between ports 1 and 3 and B between ports 2 and 3 as frames pass in each direction, so tagged frames from the server may be filtered.

IVL Example (3) -- Duplicate MAC addresses Stations A and B use the same MAC address X. Server is VLAN aware (tagging frames) and stations are VLAN unaware. VLAN Red : A <--> Server VLAN Blue : B <--> Server The Filtering databases should be independent. Otherwise, MAC X will be learned from different ports alternatively. The frames from server with tag Blue (Red) may be forwarded to wrong destination A (B).

IVL Example (3) -- Duplicate MAC addresses (figure): VLAN-aware server on port 3 (PVID = Discard), station A (MAC X) on port 1 (PVID Red) and station B (MAC X) on port 2 (PVID Blue). Member set: Red = ports 1,3; Blue = ports 2,3. Untagged set: Red = port 1; Blue = port 2. Red DB: X = port 1. Blue DB: X = port 2.

If SVL is used for this case (figure): the shared DB holds a single entry for X that flips between ports 1 and 2, so a server frame tagged Red for A can take the incorrect path towards B. Incorrect path for Server -> A.

Asymmetric VLAN. Typically two stations A and B that belong to the same VLAN use the same VID to communicate. In an asymmetric VLAN, A -> B and B -> A use different VIDs. Here the server and the stations are all VLAN-unaware (untagged frames). A -> S and S -> B are allowed, but not A <-> B, for security reasons. VLAN Purple: Server -> A or B. VLAN Red: A -> Server. VLAN Blue: B -> Server.

Asymmetric VLAN. If the filtering databases of VLAN Red and VLAN Purple are independent, the frame from the server to A is forwarded to both A and B: A was learned in VLAN Red's database and is unknown to VLAN Purple, so the frame is flooded within VLAN Purple. SVL is required for asymmetric VLANs!

Asymmetric VLAN (figure): VLAN-unaware server on port 3 (PVID Purple), A on port 1 (PVID Red), B on port 2 (PVID Blue). Member set: Purple = ports 1,2; Red = port 3; Blue = port 3. Untagged set: Purple = ports 1,2; Red = port 3; Blue = port 3. Shared DB (SVL over Purple, Red, Blue): A = port 1, B = port 2, S = port 3.

If IVL is used for this case (figure): the intent is S -> A or S -> B, but the frame reaches both A and B. VLAN Purple DB holds only S = port 3, VLAN Red DB only A = port 1, VLAN Blue DB only B = port 2, so a frame from S to A is unknown in Purple and flooded to ports 1 and 2.
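The duplicate-MAC case (IVL Example 3) and the asymmetric-VLAN case above are the two directions of the same decision, so one simulation covers both. The following is an added example written for this page, not code from the slides; the bridge model, port numbering and station names are assumptions that follow the figures, and ingress filtering is left off because the asymmetric case requires it. One caveat it makes visible: under SVL the duplicate-MAC frame is not merely misdelivered, the egress member-set check discards it, so A simply never hears from the server.

```python
"""IVL vs SVL on a VLAN-aware learning bridge (constructed example).

Frames are identified by (source MAC, destination MAC, ingress port, tag);
tag is None for an untagged frame, which is then classified by the port's PVID.
Ingress filtering (dropping frames whose VLAN does not include the ingress
port) is left disabled, as the asymmetric-VLAN case requires.
"""
from collections import defaultdict


class VlanBridge:
    def __init__(self, pvid, member, untagged, mode="IVL"):
        self.pvid = pvid              # port -> VID for untagged ingress ("discard" drops)
        self.member = member          # VID -> set of member ports
        self.untagged = untagged      # VID -> ports that transmit this VLAN untagged
        self.mode = mode              # "IVL": one FDB per VLAN, "SVL": one shared FDB
        self.fdb = defaultdict(dict)  # FID -> {MAC: port}

    def fid(self, vid):
        # Shared VLAN Learning maps every VID onto the same filtering ID
        return "shared" if self.mode == "SVL" else vid

    def receive(self, src, dst, port, tag=None):
        """Apply ingress, learning, forwarding and egress rules.
        Returns the list of (egress port, tag) pairs; tag None means untagged."""
        vid = tag if tag is not None else self.pvid[port]   # ingress rule
        if vid == "discard":
            return []
        db = self.fdb[self.fid(vid)]
        db[src] = port                                       # learning (ageing omitted)
        known = db.get(dst)
        if known == port:
            return []                                        # filter: dst on ingress segment
        ports = [known] if known is not None else [p for p in self.member[vid] if p != port]
        # egress rule: only member ports of the frame's VLAN, tagged or untagged per port
        return [(p, None if p in self.untagged[vid] else vid)
                for p in ports if p in self.member[vid]]


def duplicate_mac_case(mode):
    """Slide 'IVL Example (3)': A on port 1 (Red) and B on port 2 (Blue) share MAC X;
    a VLAN-aware server on port 3 sends a frame tagged Red to X."""
    br = VlanBridge(pvid={1: "Red", 2: "Blue", 3: "discard"},
                    member={"Red": {1, 3}, "Blue": {2, 3}},
                    untagged={"Red": {1}, "Blue": {2}}, mode=mode)
    br.receive("X", "S", 1)                     # A (MAC X) -> server, classified Red
    br.receive("X", "S", 2)                     # B (MAC X) -> server, classified Blue
    return br.receive("S", "X", 3, tag="Red")   # server -> A, explicitly tagged Red


def asymmetric_vlan_case(mode):
    """Slide 'Asymmetric VLAN': S on port 3 (PVID Purple), A on port 1 (PVID Red),
    B on port 2 (PVID Blue); A and B may talk to S but not to each other."""
    br = VlanBridge(pvid={1: "Red", 2: "Blue", 3: "Purple"},
                    member={"Purple": {1, 2}, "Red": {3}, "Blue": {3}},
                    untagged={"Purple": {1, 2}, "Red": {3}, "Blue": {3}}, mode=mode)
    br.receive("A", "S", 1)
    br.receive("B", "S", 2)
    to_a = sorted(p for p, _ in br.receive("S", "A", 3))     # S -> A
    a_to_b = sorted(p for p, _ in br.receive("A", "B", 1))   # A -> B must not reach port 2
    return to_a, a_to_b


if __name__ == "__main__":
    for mode in ("IVL", "SVL"):
        print(mode, "duplicate MAC:", duplicate_mac_case(mode),
              "asymmetric:", asymmetric_vlan_case(mode))
```

With IVL the server's Red-tagged frame goes to port 1 only, and the asymmetric case floods S -> A onto both ports 1 and 2; with SVL the duplicate-MAC frame is dropped (X was last learned on port 2, which is not a Red port) while the asymmetric case delivers S -> A to port 1 alone and filters A -> B entirely.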

The Filtering Database Static Filtering Entry Static VLAN Registration Entry Dynamic Filtering Entry Dynamic VLAN Registration Entry

Static Filtering Entry: fields MAC address, VLAN ID, Port Map. Example entries: MACa (VID 2), MACb (VID 3), MACc (VID 3), MACd (VID 2), MACe (VID 4), each with a per-port map. The MAC may be an individual MAC, a group MAC, all group MACs, or all unregistered group MACs. The control element for each port in the map is one of: Forward, Filter, or According to the dynamic filtering database.

Static VLAN Registration Entry: fields VLAN ID and Port Map; example VIDs 2, 3, 4, 5, 6. The control element per port holds the GVRP registrar administrative control (Registration Fixed, Forbidden, or Normal) and whether the port transmits the VLAN Tagged or Untagged.

Dynamic Filtering Entry (created by the learning process): fields MAC address, FID, Port (map) and Time. Example rows: MACa, FID 2, time 200; MACa, FID 3, time 120; MACb, FID 3, time 100; MACb, FID 2, time 250; MACc, FID 4, time 60 (the same MAC appears under two FIDs because learning is independent per FID). Only individual MAC addresses are learned dynamically.

Dynamic VLAN Registration Entry: fields VLAN ID and Port Map; example VIDs 2, 3, 4, 5, 6. The control element per port records whether the VID is registered on that port (learned through GVRP).

VLAN Tag Structure: Tag Protocol Identifier (TPID) followed by Tag Control Information (TCI). The TPID is 2 bytes when Ethernet-encoded or 8 bytes when SNAP-encoded; the TCI is 2 bytes: User Priority (3 bits), Canonical Format Indicator (1 bit), VLAN Identifier VID (12 bits).

Tag Format (Ethernet-encoded): TPID = 81-00 (2 bytes), TCI (2 bytes: User Priority 0-7 in 3 bits, CFI in 1 bit, VID in 12 bits), then LEN (2 bytes) and the RIF (2-30 bytes, present when CFI is set).

Tag Format (Ethernet-encoded), the embedded RIF: Route Control RC (2 bytes) followed by 0-28 bytes of Route Descriptors. RC fields: RT (Routing Type, 3 bits: transparent bridges or source-routing bridges), LTH (Length, 5 bits: 2 when there are no route descriptors), D (Direction, 1 bit), LF (Largest Frame, 6 bits: <= 1470 bytes), NCFI (Non-canonical Format Indicator, 1 bit).

Tag Format (SNAP-encoded): 8-byte TPID = SNAP header AA-AA-03 (3 bytes) + SNAP PID 00-00-00 (3 bytes) + Tag Type 81-00 (2 bytes), followed by the 2-byte TCI.

VLAN Hopping Attack: the attacker tries to receive frames from other VLANs, or to access resources meant for other VLANs. Two kinds of attack: the switch spoofing attack and the double tagging attack.

VLAN Switch Spoofing Attack. When switches run VLANs, a link between switches is needed to carry the frames of each VLAN. In the example there are two VLANs (VID 20 and 30) and two links between the switches; instead, a single trunk link is set up to carry all VLANs, and every frame of every VLAN is forwarded over the trunk with its tag. Cisco switches whose ports are left in the default dynamic mode run the Dynamic Trunking Protocol (DTP) to negotiate a trunk with the neighbour automatically. The attacker's host speaks DTP to the switch, its access port is negotiated into a trunk, and the attacker can then send and receive frames for every VLAN carried on that trunk. The fix is to configure end-station ports as access ports with DTP negotiation disabled (on Cisco IOS: switchport mode access and switchport nonegotiate) and to trunk only on ports that need it.

Switch Spoofing Attack

VLAN Double Tagging Attack. Frames of different VLANs are isolated at layer 2 and should only cross through a router, where the administrator can set rules so that some resources are reachable from some VLANs only. The attacker sends frames carrying two VLAN headers (802.1Q tags). The first switch strips the outer tag and, because that VLAN is the native VLAN of the trunk, puts the frame on the trunk untagged; the inner tag is now the first thing the next switch sees, and it forwards the frame into that VLAN. Switches look at only one VLAN header at a time, so neither switch nor the router ever sees both tags. The attack needs the attacker's access VLAN to be the trunk's native VLAN and only works one way, since replies do not come back.

Double Tagging Attack. In the example, the attacker in VLAN 20 (also the trunk's native VLAN) sends a frame with an outer tag VID = 20 and an inner tag VID = 30. The first switch removes the outer tag and forwards the frame on the trunk untagged, so it still carries the inner header with VID = 30. The second switch reads VID = 30 and forwards the frame into VLAN 30. A frame sent from VLAN 20 has thus reached VLAN 30 without passing the router. Mitigation: use a dedicated, otherwise unused native VLAN on trunks and never put end stations in it, or tag the native VLAN on the trunk as well.

VLAN Double Tagging
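The tag layout from the VLAN Tag Structure slides and the double-tagging hop just described can be checked byte by byte. The following is an added example written for this page, not code from the slides: it encodes and decodes 802.1Q tags and models only the two switch behaviours the attack depends on (the native VLAN leaves a trunk untagged, and an access port accepts a frame tagged with its own VLAN, which many switches do; both are assumptions stated in the code). The MAC addresses, VLAN numbers and payload are constructed.

```python
"""802.1Q tag encoding/decoding and the double-tagging hop (constructed example).

Frame layout used here: DA(6) SA(6) [TPID(2) TCI(2)]... EtherType(2) payload.
TCI = User Priority (3 bits) | CFI (1 bit) | VID (12 bits); TPID = 0x8100.
The two 'switches' below are minimal models of the ingress/egress rules that
matter for the attack: the trunk's native VLAN is sent untagged.
"""
import struct

TPID = 0x8100


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_tag(vid, priority=0, cfi=0):
    assert 0 <= vid < 4096 and 0 <= priority < 8 and cfi in (0, 1)
    return struct.pack("!HH", TPID, (priority << 13) | (cfi << 12) | vid)


def build_frame(dst, src, vids, ethertype=0x0800, payload=b""):
    """vids lists the tags outermost first; an empty list builds an untagged frame."""
    tags = b"".join(build_tag(v) for v in vids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], ethertype, payload)."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return dst, src, vids, struct.unpack("!H", frame[off:off + 2])[0], frame[off + 2:]


def pop_tag(frame):
    """Strip the outermost tag; returns (vid or None, remaining frame)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF, frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + build_tag(vid) + frame[12:]


def switch1_access_to_trunk(frame, access_vlan, native_vlan, tag_native=False):
    """Access port in access_vlan receives the frame and sends it out the trunk.
    Assumption (true of many switches): a frame tagged with the port's own
    access VLAN is accepted and the tag removed; any other tag is dropped."""
    vid, frame = pop_tag(frame)
    if vid is not None and vid != access_vlan:
        return None
    if access_vlan == native_vlan and not tag_native:
        return frame                  # native VLAN goes out untagged: inner tag now exposed
    return push_tag(frame, access_vlan)


def switch2_trunk_classify(frame, native_vlan):
    """Trunk ingress on the second switch: VLAN = outermost tag, else native."""
    vid, _ = pop_tag(frame)
    return native_vlan if vid is None else vid


def double_tagging(native_vlan=20, tag_native=False):
    """Attacker in VLAN 20 sends outer VID 20 / inner VID 30; returns the VLAN
    the second switch delivers the frame into."""
    crafted = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:aa", [20, 30],
                          payload=b"constructed payload")
    on_trunk = switch1_access_to_trunk(crafted, access_vlan=20, native_vlan=native_vlan,
                                       tag_native=tag_native)
    return switch2_trunk_classify(on_trunk, native_vlan)


if __name__ == "__main__":
    print("native VLAN 20, untagged:", double_tagging())             # 30: hopped
    print("native VLAN 999:", double_tagging(native_vlan=999))        # 20: contained
    print("native VLAN 20, tagged:", double_tagging(tag_native=True))  # 20: contained
```

The two mitigations from the slide map to the two parameters: moving the trunk's native VLAN to an unused ID (999) or tagging the native VLAN both make the first switch re-tag the frame with VID 20, so the second switch never reaches the inner tag.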

Spanning Tree Algorithm Bridges and Spanning Tree Algorithm (IEEE 802.1D)

Functions of a Bridge: a MAC-layer device which relays frames among physically separated LANs and makes the physical LANs appear as one logical LAN to the end stations. MAC frame: Preamble (7 bytes), SFD (1), DA (6), SA (6), LEN (2), LLC data, PAD, FCS (4).

Functions of a Bridge. Basic functions: frame forwarding; learning and filtering; resolving possible loops in the topology. Additional functions: congestion control (enough buffering); static filtering (security); translation (multi-bridge); routing (multi-bridge); segmentation.

A Simple Bridge Example (figure): stations 1-4 on LAN A and stations 5-7 on LAN B, joined by a single bridge.

Design Considerations: no modifications to the content or format of the frames; enough buffer space to meet peak demands; addressing and routing intelligence; a bridge may connect more than two networks. Why Bridged LANs (BLAN)? Reliability, performance, security, geography.

Bridge Routing: bridges must be equipped with a routing (path selection) capability. The routing decision is not always simple when the topology contains loops, and topology changes have to be considered. A bridge learns the station addresses it sees and keeps them in its filtering database.

BLAN Example without loop (figure): Bridge 1 (ID 10), Bridge 2 (ID 20), Bridge 3 (ID 30) and Bridge 4 (ID 40) interconnect LAN 1 to LAN 6; stations A-F sit on the leaf LANs, and there is exactly one path between any two LANs.

Bridged LAN (BLAN) Example with loop (figure): LAN 1 to LAN 6 joined by Bridges 1-7; some pairs of LANs are connected by more than one bridge, so there is more than one path between them, i.e. a loop.

Bridge Protocol Architecture (figure): Station A (user, LLC, MAC, PHY) on LAN 1, Station D on LAN 2, and a bridge with a MAC and PHY on each LAN in between. At t1 and t8 the unit is user data; at t2 and t7 it is LLC-H + user data; at t3, t4, t5 and t6 it is a complete MAC frame (MAC-H, LLC-H, user data, MAC-T). The bridge relays at the MAC layer; LLC and above are end to end.

Frame Forwarding and Filtering, Address Learning (spanning tree routing). Forwarding uses the destination MAC address (DMAC) field of each MAC frame; a bridge maintains a filtering database with entries [Address, Port, Time]. Address learning uses the source MAC address (SMAC) field of each MAC frame: if the address is already in the database, the entry is updated and its timer reset; if not, a new entry is created with its own timer. MAC frame: Preamble (7 bytes), SFD (1), DMAC (6), SMAC (6), LEN (2), LLC, PAD, FCS (4).

Filtering Database Examples. Bridge 1 has port 1 on LAN 1 and port 2 on LAN 2; Bridge 2 has port 1 on LAN 2, port 2 on LAN 3 and port 3 on LAN 4. As the entries imply, stations E and F are on LAN 1, A and B on LAN 2, C on LAN 3 and D on LAN 4.
Filtering Database (Bridge 1):
  MAC Addr  Port  Time (s)
  A         2     20
  B         2     18
  C         2     25
  D         2     4
  E         1     5
  F         1     12
Filtering Database (Bridge 2):
  MAC Addr  Port  Time (s)
  A         1     19
  B         1     17
  C         2     24
  D         3     3
  E         1     6
  F         1     13

Forwarding and Address Learning Algorithm, for a frame received on port x. Frame forwarding: is the DMAC in the FDB? If not, forward the frame to all ports except port x. If it is and it belongs to port x, filter (discard) the frame; otherwise forward it to the port it belongs to. Address learning: is the SMAC in the FDB? If so, change its port to x and reset its timer; if not, add SMAC, port x and a fresh timer (0) to the FDB. End.

Address Learning Example (figure): Bridges X, Y and Z join LAN 1 to LAN 5; stations A to E sit on these LANs, and each bridge starts with an empty FDB (MAC, Port). Frames are sent in the order 1. A -> E, 2. B -> D, 3. C -> B, 4. D -> A, 5. E -> C.

A -> E (figure): E is unknown to every bridge, so the frame is flooded onto every LAN; Bridge X learns A on port 1, Bridge Y learns A on port 2, Bridge Z learns A on port 1.

B -> D (figure): D is still unknown, so the frame is flooded again; Bridge X learns B on port 2, Bridge Y learns B on port 2, Bridge Z learns B on port 1.

C -> B (figure): Bridge Y learns C on port 1 and forwards the frame only towards B (LAN 2); Bridge X learns C on port 2 and filters the frame, since B already belongs to its port 2; Bridge Z never sees it.

D -> A (figure): every bridge on the path learns D on the port facing D's LAN and forwards the frame only along the learned path to A.

E -> C (figure): the bridges that see the frame learn E and forward it only along the learned path to C; the final FDBs hold A, B, C, D and E with the port on which each was learned.

Loop Problems and Resolution. Loops provide reliability (redundant paths), but loops cause frame duplication and wrong address learning. Figure: station A on LAN 2 sends a frame to B at t0; Bridge X and Bridge Y both relay it onto LAN 1 (t1, t2), so LAN 1 sees the frame twice, and each bridge then receives the other's copy on its LAN 1 port, re-learns A on the wrong port, and relays the copy back onto LAN 2, where it circulates.

Spanning Tree Example 1 (figure): a bridged LAN of LAN 1 to LAN 5 with redundant bridges (Bridge 2 among them) forming loops.

Graph Representation of a BLAN (figure): LANs 1-5 drawn as nodes and bridges as edges; the spanning tree is the loop-free subset of those edges that still reaches every LAN.

Spanning Tree Example 1, continued (figure): Bridge 1 (ID 10) is the root bridge; Bridges 3 (ID 30), 4 (ID 40), 2 (ID 20) and 5 (ID 50) join LAN 1 to LAN 5, with the redundant ports blocked so that each LAN has exactly one path to the root.

Spanning Tree Algorithm (requirements). Each bridge is assigned a unique identifier of 8 octets: a programmable priority part (two octets) and an address part (six octets, the bridge MAC address). A special group MAC address is reserved for all bridges: 01-80-C2-00-00-00 (multicast; transmitted LSB first as 10000000-00000001-01000011-...). Each port of a bridge has a unique port identifier.

Spanning Tree Algorithm (definitions). Root Bridge: the bridge with the lowest value of bridge identifier. Path Cost: for each port, the cost of transmitting a frame onto its LAN. Root Port: for each bridge, the port on the minimum-cost path to the root bridge. Root Path Cost: for each bridge, the cost of its minimum-cost path to the root bridge. Designated Bridge: for each LAN, the bridge that provides the minimum-cost path to the root bridge; the only bridge allowed to forward frames to and from that LAN. Designated Port: the port of the designated bridge that attaches it to the LAN; all traffic between the LAN and the rest of the bridged network passes through the designated port.

Spanning Tree Example 2 (figure): Bridges 1-5 (IDs 10-50) join LAN 1 to LAN 5; each port is labelled with its transmission cost (TC) of 5 or 10.

Spanning Tree Example 2, continued (figure): Bridge 1 (ID 10) is the root with RPC 0, and both its ports (TC 10 each) are designated ports. Bridge 3 (ID 30) and Bridge 4 (ID 40) reach the root at RPC 5 over their TC 5 ports; Bridge 2 (ID 20) and Bridge 5 (ID 50) have RPC 10. Legend: RPC = root path cost, TC = transmission cost, D = designated port, R = root port.

Spanning Tree Algorithm, three steps: 1. Determine the root bridge (the lowest bridge identifier). 2. Determine the root port on every other bridge: the port with the minimum root path cost (ties broken by the lowest designated bridge ID on the attached LAN, then the lowest designated port ID, then the lowest own port ID). 3. Determine the designated port on each LAN: the port offering the minimum root path cost onto that LAN; if two or more bridges have the same root path cost, the highest-priority (lowest ID) bridge is selected; if the designated bridge has two or more ports attached to the LAN, the port with the lowest identifier is selected.

Bridge Port State Diagram: Blocking -> (selected as a designated or root port) -> Listening -> (after a forward delay) -> Learning -> (after a forward delay) -> Forwarding. If the selection is cancelled at any stage, the port returns to Blocking.

Bridge Protocol Data Unit (BPDU). (a) Configuration BPDU: Protocol ID (2 bytes), Version ID (1), BPDU Type (1), Flags (1), Root Bridge ID (8), Root Path Cost RPC (4), Bridge ID (8), Port ID (2, the transmitting port), Message Age (2), Max Age (2, shown as Time Limit on the slide), Hello Time (2), Forward Delay (2). (b) Topology Change Notification BPDU: Protocol ID (2 bytes), Version ID (1), BPDU Type (1).
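The BPDU layout above is what a detector for the outline's STP manipulation attack has to parse, and the bridge ID from the requirements slide (2-octet priority, 6-octet MAC) is what it compares. The following is an added example written for this page, not code from the slides or any vendor: it packs and unpacks the two BPDU types in the 802.1D field order and flags a Configuration BPDU whose root ID is lower than the root the network is supposed to have. The field sizes and 1/256-second time units are from the standard; the MAC addresses and priorities are constructed, and the LLC/Ethernet encapsulation is left out.

```python
"""IEEE 802.1D Configuration/TCN BPDU encoding and decoding (constructed example),
with the bridge-ID comparison a detector needs to spot a better-than-expected root.
Times are carried in units of 1/256 second. BPDUs travel in LLC (DSAP/SSAP 0x42)
frames addressed to 01-80-C2-00-00-00; only the BPDU body is handled here."""
import struct

CONFIG_FMT = "!HBBBQIQHHHHH"     # 35 bytes, fields in 802.1D order
BPDU_TYPE_CONFIG, BPDU_TYPE_TCN = 0x00, 0x80
FLAG_TOPOLOGY_CHANGE, FLAG_TC_ACK = 0x01, 0x80


def bridge_id(priority, mac):
    """8-octet bridge identifier: 2-octet priority followed by the 6-octet MAC."""
    return (priority << 48) | int(mac.replace(":", "").replace("-", ""), 16)


def _ticks(seconds):
    return int(round(seconds * 256))


def build_config_bpdu(root, root_path_cost, bridge, port_id, flags=0,
                      message_age=0.0, max_age=20.0, hello_time=2.0, forward_delay=15.0):
    return struct.pack(CONFIG_FMT, 0x0000, 0x00, BPDU_TYPE_CONFIG, flags, root,
                       root_path_cost, bridge, port_id, _ticks(message_age),
                       _ticks(max_age), _ticks(hello_time), _ticks(forward_delay))


def build_tcn_bpdu():
    return struct.pack("!HBB", 0x0000, 0x00, BPDU_TYPE_TCN)


def parse_bpdu(data):
    proto, version, btype = struct.unpack("!HBB", data[:4])
    if proto != 0:
        raise ValueError("not an 802.1D BPDU")
    if btype == BPDU_TYPE_TCN:
        return {"type": "tcn"}
    f = struct.unpack(CONFIG_FMT, data[:struct.calcsize(CONFIG_FMT)])
    return {"type": "config", "flags": f[3], "root": f[4], "root_path_cost": f[5],
            "bridge": f[6], "port_id": f[7], "message_age": f[8] / 256,
            "max_age": f[9] / 256, "hello_time": f[10] / 256, "forward_delay": f[11] / 256,
            "root_priority": f[4] >> 48, "root_mac": "%012x" % (f[4] & 0xFFFFFFFFFFFF)}


def claims_better_root(data, expected_root):
    """True when a Configuration BPDU advertises a root ID lower than the one the
    network is supposed to have: a candidate for alerting on access ports."""
    b = parse_bpdu(data)
    return b["type"] == "config" and b["root"] < expected_root


if __name__ == "__main__":
    legit_root = bridge_id(4096, "00:11:22:33:44:55")
    hello = build_config_bpdu(legit_root, 0, legit_root, 0x8001)
    rogue_id = bridge_id(0, "02:00:00:00:00:aa")
    rogue = build_config_bpdu(rogue_id, 0, rogue_id, 0x8001)
    print(parse_bpdu(hello)["root_priority"], claims_better_root(hello, legit_root))
    print(parse_bpdu(rogue)["root_priority"], claims_better_root(rogue, legit_root))
```

Because the whole 8-octet identifier is compared as one unsigned integer, a priority of 0 beats any legitimately configured root regardless of MAC address; that is why the check keys on the full root ID rather than on the MAC alone.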

Spanning Tree Algorithm Example (figure): Bridges X, Y and Z attach to LAN W through ports i, j, k, l, m and n, with transmission costs of 5, 10 and 15 on their ports. The numbered steps 1-12 show the RPC each bridge announces as configuration BPDUs arrive, its chosen root port (R) and its claim to be the designated port of LAN W, D(W). Bridge X settles at RPC 30 with root port l and D(W) = k; Bridge Y settles at RPC 35 with root port i and Bridge Z at RPC 48 with root port n, and both withdraw their claims on LAN W (D(W) = j, D(W) = m).

Spanning Tree Algorithm Example, continued (figure): the final state on LAN W, with port k of Bridge X as the designated port (D) and the LAN W port of one of the other bridges as its root port (R). Legend: D = designated port, R = root port.

Spanning Tree Features. The spanning tree constructed by the IEEE 802.1D algorithm includes, for each bridge, the shortest path (minimum root path cost, RPC) to the root bridge, and for each LAN, the shortest path to the root bridge via its designated bridge. It is therefore a shortest-path tree rooted at the root bridge, usually not a minimum-cost spanning tree. The spanning tree of a BLAN (or switched network) is predictable and deterministic: given the topology (loops included) and the configuration parameters, it can be calculated by hand. The same determinism means that anyone who can inject BPDUs carrying a lower bridge ID can reshape the tree in their favour.
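Since the tree is deterministic, the three steps of the algorithm can be run centrally on a topology description, which is also the quickest way to see what the STP manipulation attack from the outline changes. The following is an added example written for this page, not code from the slides: it computes the root, the root path costs, the designated port of every LAN and the resulting port states for a four-bridge topology constructed for the example, then adds a rogue bridge with ID 0 on two LANs and recomputes. Tie-breaking follows the order given on the three-steps slide; the bridge IDs are plain integers so that "lower wins" is visible.

```python
"""Centralised 802.1D spanning-tree computation following the slides' three
steps, on a constructed four-bridge topology, plus what a rogue bridge with a
lower ID does to the tree (the 'STP manipulation' attack from the outline).

bridges: {bridge_id: {port_id: (lan, port_path_cost)}}. Bridge IDs compare as
integers (priority in the high 16 bits, MAC below); lower wins."""
INF = float("inf")


def spanning_tree(bridges):
    root = min(bridges)                                   # step 1: lowest bridge ID
    # best[b] = (root path cost, designated bridge, designated port, own root port)
    best = {b: (INF, None, None, None) for b in bridges}
    best[root] = (0, None, None, None)
    lans = {lan for ports in bridges.values() for lan, _ in ports.values()}

    def offers(lan, exclude=None):
        """(RPC, bridge, port) of every bridge that could be designated on the LAN."""
        return sorted((best[b][0], b, p) for b, ports in bridges.items()
                      if b != exclude for p, (l, _) in ports.items() if l == lan)

    # step 2: relax root path costs until stable (Bellman-Ford over the LANs);
    # a bridge's RPC is the best offer on a LAN plus the cost of its port there
    for _ in range(len(bridges)):
        for b, ports in bridges.items():
            if b == root:
                continue
            for p, (lan, cost) in ports.items():
                cands = [o for o in offers(lan, exclude=b) if o[0] < INF]
                if cands:
                    rpc, dbridge, dport = cands[0]
                    best[b] = min(best[b], (rpc + cost, dbridge, dport, p))

    # step 3: designated bridge/port per LAN = lowest (RPC, bridge ID, port ID)
    designated = {lan: offers(lan)[0] for lan in lans}
    state = {}
    for b, ports in bridges.items():
        for p, (lan, _) in ports.items():
            if b != root and p == best[b][3]:
                state[(b, p)] = "root"
            elif designated[lan][1:] == (b, p):
                state[(b, p)] = "designated"
            else:
                state[(b, p)] = "blocking"
    return root, {b: v[0] for b, v in best.items()}, designated, state


TOPOLOGY = {   # constructed: bridge ID -> {port: (LAN, port path cost)}
    10: {1: ("LAN1", 10), 2: ("LAN2", 10)},
    20: {1: ("LAN1", 10), 2: ("LAN3", 10)},
    30: {1: ("LAN2", 5), 2: ("LAN3", 5)},
    40: {1: ("LAN3", 10), 2: ("LAN4", 10)},
}


def rogue_root(topology=TOPOLOGY, attacker_id=0):
    """An attacker on LAN4 and LAN1 announces bridge ID 0 (priority 0): it becomes
    root, LAN3's designated bridge changes, and all of LAN4's traffic to the rest
    of the network now crosses the attacker."""
    rigged = dict(topology)
    rigged[attacker_id] = {1: ("LAN4", 5), 2: ("LAN1", 5)}
    return spanning_tree(rigged)


if __name__ == "__main__":
    for name, result in (("normal", spanning_tree(TOPOLOGY)), ("rogue", rogue_root())):
        root, rpc, designated, state = result
        print(name, "root", root, "rpc", rpc)
        print("  designated:", {lan: d[1:] for lan, d in designated.items()})
        print("  blocking:", sorted(k for k, v in state.items() if v == "blocking"))
```

In the normal run Bridge 10 is root, Bridge 30 is designated on LAN3 (cost 5 beats Bridge 20's 10) and Bridge 20's LAN3 port blocks. With the rogue bridge present the root moves to ID 0, Bridge 40 reaches the root through LAN4 and the attacker, and Bridge 40's LAN3 port is the one that blocks. Vendor features such as root guard (on ports that must never lead to the root) and BPDU guard (on access ports, where no BPDU should ever arrive) exist precisely to refuse such announcements.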

Spanning Tree Example 3 (figure): Bridge 1 (ID 10) is the root (RPC 0) on LAN 3 and LAN 6 (DPC 0). Bridge 7 (ID 70, RPC 5) is designated for LAN 7 (DPC 5); Bridge 6 (ID 60, RPC 10) for LAN 2 (DPC 10); Bridge 2 (ID 20, RPC 20) for LAN 1 (DPC 20); Bridge 5 (ID 50, RPC 5) and Bridge 8 (ID 80, RPC 5) for LAN 4 and LAN 5 (DPC 5). Bridge 3 (ID 30) and Bridge 4 (ID 40) both have RPC 15 and each blocks one of its upstream ports. Port transmission costs are 5, 10 or 15; legend as before (RPC, DPC, D, R).

Spanning Tree Maintenance. Transmission of configuration BPDUs is triggered by the root: it periodically (once every Hello Time) issues a configuration BPDU on every LAN it is attached to. A bridge that receives a configuration BPDU on what it decides is its root port passes the information on to all LANs for which it believes itself to be the designated bridge, so configuration BPDUs cascade throughout the spanning tree. When a bridge changes the spanning tree topology, a TCN BPDU is reliably relayed up the tree to the root, bridge by bridge, and the root sets the Topology Change flag in all configuration messages it transmits for some time, so that bridges age out their filtering databases quickly.

Spanning Tree Maintenance Example 1 [figure: the tree of Spanning Tree Example 3 before Bridge 60 fails, with the same bridge IDs, RPCs and LAN DPCs; the values 25 (LAN 1) and 15 (LAN 2) are marked next to the DPCs that will change]

Spanning Tree Maintenance Example 1 Assume Bridge 60 fails. Then the Hello BPDUs sent from the root bridge through Bridge 60 are no longer forwarded to LAN 2. Bridges 30 and 40 on LAN 2 each time out individually, which tells them that the designated bridge of LAN 2 (Bridge 60) is gone. They then try to become the designated bridge of LAN 2 by sending a configuration BPDU. Assume bridge 40 sends its BPDU first with RPC = 15. Bridge 30 then replies with its own BPDU with RPC = 15, since its priority is higher than bridge 40's (same RPC, smaller ID). After two forward delays, bridge 30 becomes the new designated bridge of LAN 2 and the DPC becomes 15.

Spanning Tree Maintenance Example 1 The DPC of LAN 1 also changes, from 15 to 25. Bridge 30 then sends a Topology Change Notification (TCN) BPDU to the root bridge, and the root sets the Topology Change flag in all configuration messages it transmits for some time.
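The slides state that the 802.1D tree is deterministic and can be calculated by hand, and the two maintenance examples walk through what changes when a bridge or a LAN disappears. The following is an added example (not code from the slides) that performs that calculation on a constructed four-bridge topology: it picks the root (lowest ID), iterates root path costs and designated bridges until they stop changing, and labels every port root, designated or blocked. It then repeats the calculation with one bridge removed (the pattern of Maintenance Example 1, where a blocked port becomes designated) and with one LAN removed (the pattern of Maintenance Example 2, where the network splits into two separate trees, each with its own lowest-ID root). The bridge IDs, LAN names, port numbers and costs are assumptions for the demonstration, not the slides' topology.

```python
"""Deterministic IEEE 802.1D spanning tree calculation on a bridged LAN.

Added example, not code from the slides. The topology below is constructed:
bridges = {bridge_id: {port_no: (lan_name, port_cost)}}   (port_cost = TC in the slides)
live_lans = set of LAN names that currently carry BPDUs
"""
from collections import defaultdict

INF = float("inf")


def components(bridges, live_lans):
    """Groups of bridges that can still exchange BPDUs over live LANs."""
    on_lan = defaultdict(set)
    for b, ports in bridges.items():
        for lan, _ in ports.values():
            if lan in live_lans:
                on_lan[lan].add(b)
    comps, seen = [], set()
    for start in sorted(bridges):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            b = stack.pop()
            if b in comp:
                continue
            comp.add(b)
            for lan, _ in bridges[b].values():
                stack.extend(on_lan[lan] - comp)      # dead LANs have no members
        seen |= comp
        comps.append(comp)
    return comps


def spanning_tree(bridges, live_lans):
    """Return (bridge_info, lan_info, port_state).

    bridge_info[b]      = (root_id, rpc, root_port)
    lan_info[lan]       = (designated_bridge, designated_port, dpc)
    port_state[(b, p)]  in {"root", "designated", "blocked", "down"}
    """
    bridge_info, lan_info, port_state = {}, {}, {}
    for comp in components(bridges, live_lans):
        root = min(comp)                              # lowest bridge ID becomes root
        rpc = {b: (0 if b == root else INF) for b in comp}
        root_port = {b: None for b in comp}
        while True:
            # Designated bridge of each LAN: lowest RPC, ties by lowest ID, then port.
            des = {}
            for b in comp:
                for port, (lan, _) in bridges[b].items():
                    if lan in live_lans:
                        cand = (rpc[b], b, port)
                        if lan not in des or cand < des[lan]:
                            des[lan] = cand
            # Root port of every other bridge: the port minimising DPC + port cost.
            changed = False
            for b in comp:
                if b == root:
                    continue
                best = min(((des[lan][0] + cost, des[lan][1], port)
                            for port, (lan, cost) in bridges[b].items() if lan in live_lans),
                           default=(INF, None, None))
                new = (best[0], best[2] if best[0] < INF else None)
                if new != (rpc[b], root_port[b]):
                    rpc[b], root_port[b] = new
                    changed = True
            if not changed:                           # costs only decrease, so this terminates
                break
        for b in comp:
            bridge_info[b] = (root, rpc[b], root_port[b])
            for port, (lan, _) in bridges[b].items():
                if lan not in live_lans:
                    port_state[(b, port)] = "down"
                elif port == root_port[b]:
                    port_state[(b, port)] = "root"
                elif des[lan][1:] == (b, port):
                    port_state[(b, port)] = "designated"
                else:
                    port_state[(b, port)] = "blocked"
        for lan, (dpc, b, port) in des.items():
            lan_info[lan] = (b, port, dpc)
    return bridge_info, lan_info, port_state


# Constructed topology (assumption, not the slides' example): four bridges, three LANs.
TOPOLOGY = {
    10: {1: ("A", 5)},
    20: {1: ("A", 10), 2: ("B", 5)},
    30: {1: ("A", 5), 2: ("B", 10), 3: ("C", 5)},
    40: {1: ("B", 5), 2: ("C", 10)},
}
ALL_LANS = {"A", "B", "C"}


def without_bridge(bridges, failed):
    """Topology after a bridge stops sending BPDUs (Maintenance Example 1 pattern)."""
    return {b: p for b, p in bridges.items() if b != failed}


if __name__ == "__main__":
    for title, topo, lans in [("intact", TOPOLOGY, ALL_LANS),
                              ("bridge 30 failed", without_bridge(TOPOLOGY, 30), ALL_LANS),
                              ("LAN A failed", TOPOLOGY, ALL_LANS - {"A"})]:
        b_info, l_info, p_state = spanning_tree(topo, lans)
        print(f"--- {title} ---")
        for b, (root, cost, rp) in sorted(b_info.items()):
            print(f"bridge {b}: root={root} RPC={cost} root_port={rp}")
        for lan, (db, dp, dpc) in sorted(l_info.items()):
            print(f"LAN {lan}: designated bridge {db} port {dp}, DPC={dpc}")
        print("non-forwarding ports:", {k: v for k, v in sorted(p_state.items()) if v != "root" and v != "designated"})
```

Intact, bridge 30 (RPC 5) is designated for LANs B and C and ports 20/2 and 40/2 are blocked; after bridge 30 fails, bridge 20 takes over LAN B (DPC 10) and the previously blocked port 20/2 starts forwarding, exactly the kind of DPC change the slides describe; after LAN A fails, bridge 10 is left alone and bridge 20, the lowest surviving ID, becomes root of the second tree.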

Final configuration of example 1 [figure: the tree of Example 3 with Bridge 60 (ID=60) no longer part of the tree; LAN 1 DPC=25, LAN 2 DPC=15, the other LAN DPCs unchanged; root ports R and designated ports D re-marked]

Spanning Tree Maintenance Example 2 [figure: the tree of Spanning Tree Example 3 before LAN 3 fails; Bridge 5 is marked as the future root bridge and the value 25 is marked next to Bridges 30 and 40 as their future RPC]

Spanning Tree Maintenance Example 2 Assume LAN 3 fails. Then all the Hello BPDUs sent from the root bridge onto LAN 3 are lost. All the ports connected to LAN 3 (port 2 of bridge 30, port 2 of bridge 40, port 1 of bridge 50 and port 1 of bridge 80) move from the "forwarding" state to the "blocked" state. These bridges now have no root port ("R" port), so each tries to become a root bridge. Bridges 30 and 40 still receive the Hello BPDU on port 1, so they change their root port to port 1.

Spanning Tree Maintenance Example 2 Bridges 50 and 80 exchange BPDUs to compete for the new root, following the STP protocol. Assume bridge 80 sends its BPDU first with RPC = 0. Bridge 50 then replies with its own BPDU with RPC = 0, since its priority is higher than bridge 80's (smaller ID). After two forward delays, bridge 50 becomes the new root bridge and port 1 of bridge 80 becomes a root port. Finally, we have two separate (disconnected) spanning trees.

Final configuration of example 2 [figure: the tree of Example 3 with LAN 3 failed (no DPC); Bridge 3 ID=30 RPC=25 and Bridge 4 ID=40 RPC=25 with port 1 as root port; in the separated segment Bridge 5 ID=50 RPC=0 is the new root, LAN 4 DPC=0 and Bridge 8 ID=80 RPC=5; all other values as in Example 3]

STP Manipulation Attack The attacker poses as the root bridge in order to receive frames and mount a man-in-the-middle attack. Alternatively, the attacker continuously sends STP Configuration or Topology Change Notification (TCN) BPDUs, forcing all bridges on the STP to recalculate the STP paths; each recalculation may take 30-45 seconds, so this is a kind of DoS (Denial of Service) attack. In the example, switch A is the root bridge, and switches A and B exchange frames directly.

STP Manipulation Attack The attacker broadcasts STP topology change BPDUs claiming to have the highest priority. All switches treat the attacker as the new root bridge and recalculate the STP paths, so that the frames between switches A and B are forwarded through the attacker, who is now able to read them or execute the man-in-the-middle attack.
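The two STP manipulation slides describe a rogue device that either claims the root role or floods TCN BPDUs. The following added example (not code from the slides) shows the checks a switch-side guard applies to received BPDUs to defeat both: a BPDU on a station-facing edge port disables that port (the BPDU Guard behaviour), a BPDU advertising a better root than the configured one on any other port is refused (the Root Guard behaviour), and a port that sources more topology-change BPDUs than a threshold within the batch is flagged as a TCN storm. The port names, the BPDU record layout, the bridge IDs and the sample BPDU list are constructed assumptions for the demonstration.

```python
"""BPDU guard checks on a constructed batch of received BPDUs.

Added example, not code from the slides. Bridge IDs are (priority, MAC) tuples:
the lower the tuple, the better the bridge, as in 802.1D root election.
"""

CURRENT_ROOT = (32768, "00:11:22:33:44:01")    # constructed: switch A is the legitimate root
EDGE_PORTS = {"Gi1/0/10", "Gi1/0/11"}          # constructed: station-facing (edge) ports


def evaluate_bpdu(port, root_id, sender_id, edge_ports=EDGE_PORTS, current_root=CURRENT_ROOT):
    """Return (action, reason) for one received BPDU."""
    if port in edge_ports:
        # Stations never send BPDUs; any BPDU here is a rogue bridge or attack tool.
        return "errdisable", f"BPDU from {sender_id} on edge port {port}"
    if root_id < current_root:
        # A "better" root than the one we configured must not take over the tree.
        return "root-inconsistent", f"{sender_id} claims better root {root_id} on {port}"
    return "accept", "normal BPDU"


def audit(bpdus, tcn_limit=5, **kw):
    """Summarise a batch of BPDU records as {port: [(action, reason), ...]}.

    A record is {"port", "root_id", "sender_id", "tc"}; tc marks a topology-change BPDU.
    Only problems are reported; accepted, non-TC BPDUs leave no finding.
    """
    findings, tcn_count = {}, {}
    for b in bpdus:
        action, reason = evaluate_bpdu(b["port"], b["root_id"], b["sender_id"], **kw)
        if b["tc"]:
            tcn_count[b["port"]] = tcn_count.get(b["port"], 0) + 1
        if action != "accept":
            findings.setdefault(b["port"], []).append((action, reason))
    for port, n in tcn_count.items():
        if n > tcn_limit:
            findings.setdefault(port, []).append(("tcn-storm", f"{n} topology-change BPDUs on {port}"))
    return findings


# Constructed sample: one normal BPDU from switch B on an uplink, eight TC BPDUs from a
# device on an edge port claiming priority 0, and one superior BPDU on a second uplink.
SWITCH_B = (32768, "00:11:22:33:44:02")
ROGUE = (0, "00:00:00:00:00:aa")
SWITCH_C = (4096, "00:11:22:33:44:03")
SAMPLE_BPDUS = (
    [{"port": "Gi1/0/1", "root_id": CURRENT_ROOT, "sender_id": SWITCH_B, "tc": False}]
    + [{"port": "Gi1/0/10", "root_id": ROGUE, "sender_id": ROGUE, "tc": True} for _ in range(8)]
    + [{"port": "Gi1/0/2", "root_id": SWITCH_C, "sender_id": SWITCH_C, "tc": False}]
)

if __name__ == "__main__":
    for port, items in sorted(audit(SAMPLE_BPDUS).items()):
        for action, reason in items:
            print(f"{port}: {action}: {reason}")
```

The edge-port check is the one that matters most against the attack on these slides: an attacker on an access port never gets to take part in the root election at all, so the "better priority" claim is never compared.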

CAM Table Overflow Attack Each switch has a table (the forwarding table) that records all the learned MAC addresses of the broadcast domain in which the switch is located. For fast MAC address lookup, the table is built from CAM (Content Addressable Memory), which compares the MAC address in the received frame with all MAC addresses in the table in parallel. In an L2 switch the CAM is a binary CAM, which provides exact matching: each bit in the table is either 0 or 1. In an L3 switch the CAM is a ternary CAM (TCAM), which provides longest-prefix matching: each bit in the table can be 0, 1 or x (don't care). The CAM table of an L2 switch is usually sized at 4k or 8k entries, according to the size of a broadcast domain. Initially the CAM table is empty; each time a frame is received, the source MAC (SMAC) address of the frame is learned into the table together with the incoming port.

CAM Table Overflow Attack When a frame is received on port x, the destination MAC (DMAC) address of the frame is looked up in the CAM table. If the DMAC is found with port x, the frame is filtered. If the DMAC is found with port y, the frame is forwarded to port y. Otherwise, the frame is forwarded to all the other ports that belong to the spanning tree (except port x). The CAM table attack fills the whole CAM table with random (or bogus) MAC addresses so that every incoming frame is broadcast (lookup failure). To achieve this, the attacker periodically sends frames (say 4K or 8K of them) with random source MAC addresses, so the CAM table is permanently overflowed and the attacker receives all the frames sent through the attacked switch.

CAM Table Overflow Attack

MAC Table Overflow (MTO) vulnerability Any host connected to the LAN segment can easily launch an MTO attack by sending frames with a non-existent destination MAC address and randomly generated source MAC addresses. The MAC table of the switch to which the attacking host connects is then overwritten by the random source MAC addresses, i.e. the MAC table overflows. Since the destination MAC address of the attacking frames does not exist, the attacking frames are forwarded to all the switches of the LAN segment, so the MAC table overflow propagates to all the switches in a very short period. When this happens, all the frames in the LAN segment are broadcast to all switch ports, and the switch-based LAN is degraded to a bus-based LAN. This exposes two serious problems: lower effective bandwidth (broadcast model) and information leakage (packets broadcast).

MAC Table Overflow (MTO) vulnerability With the MTO attack, the LAN speed can be slowed down dramatically and the attacker can easily eavesdrop on all the packets transmitted within the LAN segment. Even worse, an end user might feel that the network is just slower, without knowing that his/her critical information is being stolen by an unauthorized attacker. To see how fast the MTO attack propagates within a LAN segment, an experimental test with three Cisco 2950 switches was designed. The MAC table of each switch has 8k entries. There are two FTP server/client pairs: one pair (with client B) connects to switch 3 and the other (with client A) connects to switch 1, where the MTO attacker also connects.

MAC Table Overflow (MTO) vulnerability Test environment of MTO attack with three switches

MAC Table Overflow (MTO) vulnerability The download speeds of clients A and B are impacted by the MTO attacks. Initially, both clients A and B receive the files at a 70 Mbps data rate. The 1st MTO attack, with 1000 frames, was launched at around the 21st second: the download speed of client A was reduced and began to oscillate, while that of client B was not affected at all. The 2nd MTO attack, with 3000 frames, was launched at around the 105th second: the download speed of client A was impacted more seriously (larger oscillation), and that of client B was impacted slightly. Last, an MTO attack with 10000 frames was generated at around the 273rd second, and both clients A and B were seriously impacted. Even after the attack stopped, the oscillation persisted for a few minutes.

MAC Table Overflow (MTO) vulnerability (a) Bandwidth impact of client A

MAC Table Overflow (MTO) vulnerability The learning-caching rate (LCR) of a switch is the upper limit on the speed at which source addresses can be learned (packets per second, pps). For a switch with LCR = N, the switch is unable to learn all the source addresses if the packet input rate is larger than N. The MTO attacker can use this property to achieve the attack with only a small amount of bandwidth: it only needs to generate N packets per second to overflow the MAC table. For example, most switches have N = 8k (the MAC table size). The attacker can then generate 8K pps of short 64-byte packets with randomized source addresses (a total bandwidth of 8192 x 64 x 8 = 4 Mbps) to achieve the MTO attack.

MAC Table Overflow (MTO) vulnerability To see how this attack impacts the amount of leaked traffic, an experiment was conducted. Four switches S1, S2, S3 and S4 are connected, and each switch connects 20 clients. Each client downloads files from an FTP server at a rate of 2 Mbps. The 20 clients of S1 download from the left FTP server and the other 60 clients download from the other FTP server. The MTO attacker connects to S1, generates the attack packets at 4 Mbps and also receives the packets arriving on its port. Five attacks are launched by the MTO attacker, one per second. Before the attack, the MTO attacker cannot receive any FTP download packets, as none are destined to it. The first attack was launched at the 1st second, and the 4 Mbps (N = 8192) of attack packets just overflows the MAC table of S1. The attacker now starts to receive the leaked "broadcast" packets of S1.

MAC Table Overflow (MTO) vulnerability Information Leakage test environment with four switches

MAC Table Overflow (MTO) vulnerability At the 2nd second, the attacker launched the 2nd attack, having already received 30 Mbits of packets. This attack overflows the MAC tables of both S1 and S2, which means the packets downloaded by the clients of S2 are now forwarded to, and received by, the attacker. At the 3rd second, the attacker had received an additional 50 Mbits of packets during the preceding second and, at the same time, generated the 3rd attack. This overflows the MAC tables of S1 through S3, so the packets downloaded by the clients of S3 are forwarded to S2 and S1 and finally received by the attacker. The attacker fired the 4th and 5th attacks at the 4th and 5th second respectively, and at the 5th second the attacker receives leaked traffic at a rate of 100 Mbps, the upper bound of Fast Ethernet.

MAC Table Overflow (MTO) vulnerability This experiment shows that, using only a small bandwidth (which is not easy to detect), the attacker is able to spread the MTO attack to the entire network in a very short period and, most importantly, to easily steal a large amount of traffic.

MAC address Spoofing Attack The MAC address spoofing attack tries to intercept the frames sent to a target station (say MACy). The attacker sends a frame (on port x) whose source MAC address is spoofed to that of the target station (MACy). This forces the switch to learn that MACy belongs to port x, so all frames sent to MACy are forwarded to port x, where the attacker is connected. The interception fails as soon as the target station sends a frame again, so the attacker needs to send the spoofed frame periodically.
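The CAM table overflow / MTO slides and the MAC address spoofing slide above both come down to the same learn-and-lookup rules of the forwarding table, so one added example (not code from the slides) serves both. It models a switch with a fixed-size table exactly as the slides describe (learn SMAC with the ingress port; filter, forward or send to all other ports on DMAC lookup), shows a server-to-client frame leaking to a third port once the table has been overwritten, shows the spoofed-SMAC frame redirecting the client's traffic until the real client transmits again, and includes the two defender-side hooks a practitioner would want: a per-port limit on learned addresses (the port-security style mitigation, which keeps the overflow from succeeding) and counters for new source MACs per port and for MAC moves between ports, which are what a detection rule would alert on. The table size, port numbers and MAC addresses are constructed, and the flood's source MACs are sequential rather than random so the run is reproducible.

```python
"""Switch forwarding-table (CAM table) model: learning, lookup, overflow, MAC spoofing,
and a per-port learned-address limit as mitigation.

Added example, not the slides' code. All ports, addresses and sizes are constructed.
"""
from collections import OrderedDict


class Switch:
    def __init__(self, table_size, max_macs_per_port=None):
        self.table_size = table_size
        self.max_per_port = max_macs_per_port        # None = no port-security limit
        self.cam = OrderedDict()                     # mac -> port, oldest entry first
        self.new_macs = {}                           # port -> count of first-seen SMACs
        self.violations = {}                         # port -> learns refused by the limit
        self.moves = []                              # (mac, old_port, new_port) events

    def _learn(self, smac, port):
        """Slides: the SMAC of every received frame is learned with its incoming port."""
        if smac in self.cam:
            if self.cam[smac] != port:               # address "moved": spoofing leaves this trace
                self.moves.append((smac, self.cam[smac], port))
            self.cam[smac] = port
            self.cam.move_to_end(smac)
            return
        self.new_macs[port] = self.new_macs.get(port, 0) + 1
        if self.max_per_port is not None and \
                sum(1 for p in self.cam.values() if p == port) >= self.max_per_port:
            self.violations[port] = self.violations.get(port, 0) + 1
            return                                   # refuse to learn beyond the per-port limit
        if len(self.cam) >= self.table_size:
            self.cam.popitem(last=False)             # table full: oldest entry is overwritten
        self.cam[smac] = port

    def receive(self, port, smac, dmac, all_ports):
        """Return the set of egress ports for a frame, per the slides' lookup rules."""
        self._learn(smac, port)
        out = self.cam.get(dmac)
        if out == port:
            return set()                             # DMAC is behind the ingress port: filtered
        if out is not None:
            return {out}                             # DMAC known: forwarded to one port
        return set(all_ports) - {port}               # DMAC unknown: sent to all other ports

    def suspicious_ports(self, threshold):
        """Ports that introduced more new source MACs than a station plausibly would."""
        return {p for p, n in self.new_macs.items() if n > threshold}


PORTS = {1, 2, 3}
SERVER, CLIENT = "00:00:00:00:00:01", "00:00:00:00:00:02"   # constructed stations
UNKNOWN_DST = "00:00:00:00:ff:ff"                           # a DMAC nobody owns


def fresh_switch(table_size, limit=None):
    """Switch that has learned the server on port 1 and the client on port 2."""
    sw = Switch(table_size, limit)
    sw.receive(1, SERVER, CLIENT, PORTS)
    sw.receive(2, CLIENT, SERVER, PORTS)
    return sw


def run_overflow(table_size, flood_frames, limit=None):
    """Flood port 3 with distinct SMACs; report whether server->client traffic then leaks to port 3."""
    sw = fresh_switch(table_size, limit)
    for i in range(flood_frames):
        fake = f"02:00:00:{i >> 16 & 0xff:02x}:{i >> 8 & 0xff:02x}:{i & 0xff:02x}"
        sw.receive(3, fake, UNKNOWN_DST, PORTS)
    leaked = 3 in sw.receive(1, SERVER, CLIENT, PORTS)
    return leaked, sw.violations.get(3, 0), sw.suspicious_ports(threshold=10)


def run_spoof(table_size):
    """Port 3 sends a frame with CLIENT's SMAC; show the hijack, the recovery and the MAC-move trace."""
    sw = fresh_switch(table_size)
    sw.receive(3, CLIENT, UNKNOWN_DST, PORTS)          # spoofed source address
    hijacked = sw.receive(1, SERVER, CLIENT, PORTS)    # server's frame now goes to port 3
    sw.receive(2, CLIENT, SERVER, PORTS)               # real client transmits again
    restored = sw.receive(1, SERVER, CLIENT, PORTS)    # entry points back to port 2
    return hijacked, restored, sw.moves


if __name__ == "__main__":
    print("overflow, no limit:   leaked=%s violations=%d suspicious=%s" % run_overflow(16, 100))
    print("overflow, limit 2/port: leaked=%s violations=%d suspicious=%s" % run_overflow(16, 100, limit=2))
    print("spoof: hijacked=%s restored=%s moves=%s" % run_spoof(16))
```

With a 16-entry table and 100 flood frames the server-to-client frame is sent out of port 3 as well; with a limit of two learned addresses per port the table keeps its legitimate entries, the frame still goes only to port 2, and the 98 refused learns plus the new-MAC counter on port 3 are the signal to alert on. The spoofing run shows why the slides say the attacker must resend periodically: the first frame from the real client moves the entry back.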

MAC address Spoofing Attack

DHCP Starvation Attack In the DHCP starvation attack the attacker ends up acting as the DHCP server that allocates IP addresses and tells all stations that it is the default gateway. The attacker first sends a large number of DHCP requests (with spoofed source MAC addresses) to the DHCP server in order to obtain all available IP addresses. The real DHCP server can then provide no further service, as it has no IP addresses left. The attacker then acts as a new DHCP server, allocates the IP addresses and announces itself as the default gateway, so all frames sent to other LANs are forwarded to the attacker first, and the attacker can mount a man-in-the-middle attack.
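The attack on this slide has two stages that leave two distinct traces at the switch: a burst of client messages with many different source MACs on one port (the pool being drained), and server messages (OFFER/ACK) arriving on a port where no DHCP server should be (the rogue server). The following added example (not code from the slides) implements both checks in the style of DHCP snooping over a constructed log of DHCP messages: only ports marked trusted may carry server messages, and a port that shows more than a set number of distinct client MACs within a time window is flagged once. The log format, port names, addresses and thresholds are assumptions for the demonstration.

```python
"""DHCP snooping style checks on a constructed DHCP message log.

Added example, not code from the slides. Log line format (assumed):
<seconds> <port> <DISCOVER|REQUEST|OFFER|ACK> <frame source MAC>
"""
import re
from collections import defaultdict

TRUSTED_PORTS = {"Gi1/0/24"}          # constructed: uplink toward the real DHCP server
LOG_RE = re.compile(r"^(?P<t>\d+\.\d+) (?P<port>\S+) (?P<type>DISCOVER|REQUEST|OFFER|ACK) "
                    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$")


def parse(lines):
    """Parse log lines into (time, port, type, mac); lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            records.append((float(m["t"]), m["port"], m["type"], m["mac"]))
    return records


def detect(records, trusted_ports=TRUSTED_PORTS, window=1.0, max_clients=10):
    """Return alerts as (kind, port, detail) tuples.

    rogue-server: OFFER/ACK seen on a port that is not trusted.
    starvation:   more than max_clients distinct client MACs on one port within `window` seconds
                  (reported once per port).
    """
    alerts, history, flagged = [], defaultdict(list), set()
    for t, port, typ, mac in records:
        if typ in ("OFFER", "ACK"):
            if port not in trusted_ports:
                alerts.append(("rogue-server", port, mac))
        else:                                           # DISCOVER / REQUEST from a client
            hist = history[port]
            hist.append((t, mac))
            recent = {m for ts, m in hist if t - ts <= window}
            if len(recent) > max_clients and port not in flagged:
                flagged.add(port)
                alerts.append(("starvation", port, len(recent)))
    return alerts


# Constructed sample: one normal exchange, then 12 DISCOVERs with different MACs from one
# port inside 12 ms, then an OFFER from that same (untrusted) port.
SAMPLE_LOG = (
    ["0.000 Gi1/0/5 DISCOVER 00:11:22:33:44:55",
     "0.020 Gi1/0/24 OFFER 00:aa:bb:cc:dd:ee"]
    + [f"1.{i:03d} Gi1/0/7 DISCOVER 02:00:00:00:00:{i:02x}" for i in range(12)]
    + ["2.000 Gi1/0/7 OFFER 02:00:00:00:00:ee",
       "this line is not a DHCP record and is ignored"]
)

if __name__ == "__main__":
    for kind, port, detail in detect(parse(SAMPLE_LOG)):
        print(f"{kind}: port {port}: {detail}")
```

The normal exchange on Gi1/0/5 and the trusted uplink produce no alert; the eleventh distinct MAC on Gi1/0/7 trips the starvation rule, and the OFFER from the same port is reported as a rogue server. In a real deployment the starvation alert would normally be accompanied by rate-limiting the port, which is what stops the pool from being drained.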

DHCP Starvation Attack

Spanning Tree Example 2 [figure: Bridges 1-5 (ID=10, 20, 30, 40, 50) interconnecting LANs 1-5, with port numbers and transmission costs TC=5, TC=10 and TC=20 on the links. TC: Transmission Cost]

Spanning Tree Example 2 [figure: Bridges 1-4 (ID=10, 20, 30, 40) interconnecting LANs 1-3, with port numbers and transmission costs TC=5, TC=10 and TC=20 on the links. TC: Transmission Cost]

Spanning Tree Example 3 [figure: physical topology of Bridges 1-8 (ID=10, 20, 30, 40, 50, 60, 70, 80) interconnecting LANs 1-7, with port numbers and transmission costs TC=5, TC=10 and TC=15 on the links]

VLAN-aware bridging [figure: VLAN aware bridges (VAB) joined by access links, trunk links and a hybrid link (H), carrying VLAN A, VLAN B and VLAN C over a common spanning tree. VAB: VLAN Aware Bridge]