Attack of the 802.1Q Tag Stack
Nothing in the 802.1Q specification forbids multiple additional tags from being chained,
thereby forming an 802.1Q tag stack. Figure 4-3 represents a two-level 802.1Q tag stack.
Figure 4-3 Multiple 802.1Q Tags
There are accepted use cases for stacking multiple 802.1Q tags. One of them is Cisco
QinQ, where up to 4096 VLANs can be multiplexed inside a single VLAN ID. The first tag
from left to right (outer tag) remains the same, while the second tag (inner tag) takes any
value ranging from 1 to 4096.
QinQ offers a way to scale well beyond the 12 bits allotted to VLAN IDs by offering up to 4096
* 4096 possible combinations. As it turns out, this interesting tag-stacking property lays the
groundwork for an often talked-about VLAN hopping attack called the double-nested
VLAN attack. Figure 4-4 shows the principle behind the attack.
[Figure 4-3 layout, Ethernet Frame with Two 802.1Q Tags (not to scale): Destination MAC | Source MAC | First 802.1Q Tag (4 bytes: 0x8100, Pri, CFI, VID#1) | Second 802.1Q Tag (4 bytes: 0x8100, Pri, CFI, VID#2) | EtherType | Data. The two tags together form the double 802.1Q stack.]
72 Chapter 4: Are VLANS Safe?
Figure 4-4 Nested VLAN Hopping Attack
The premises of this attack are
• The attacker’s port is in VLAN 5.
• The native VLAN of the trunk is VLAN 5.
Generally speaking, for the attack to succeed, a trunk on the switch must have the same
native VLAN as a VLAN assigned to an access port. With this exploit, what an attacker tries
to achieve is to inject traffic from VLAN X into VLAN Y with no router involved. The fact
that no router is involved implies that the attack is unidirectional: The victim won’t be able
to reply to the attacker’s packet. In this case, this is no concern to the attacker because,
chances are, you are dealing with a denial-of-service (DoS) attack (where a “killer packet”
might be sent to the victim, for example).
Here is how the attacker proceeds:
1 The attacker crafts a frame with two 802.1Q tags: 5 and 96.
2 The first (outer) tag matches the attacker’s access port’s VLAN (5).
3 The second (inner) tag matches the victim’s access port’s VLAN (96).
4 The attacker sends the frame (which likely contains a killer packet).
5 The frame enters switch 1; here, it gets classified into VLAN 5.
6 The frame is destined to a MAC address located off the trunk.
7 Because the native VLAN of the trunk to switch 2 is 5, the first tag is stripped off.
(Remember that frames on the native VLAN travel untagged.)
[Figure 4-4 layout, Nested VLAN Hopping Attack: the attacker’s port on Switch 1 is in VLAN 5; the frame carries two 802.1Q tags (1st tag: 8100 5; 2nd tag: 8100 96) ahead of EtherType 0800 and the data. Switch 1 strips off the 1st tag on the trunk, so the frame reaches Switch 2 with tag 96 and is delivered to the victim in VLAN 96. Note: Only works if the trunk has the same native VLAN as the attacker’s port.]
IEEE 802.1Q Overview 73
8 The frame carries a second tag (96) followed by data. This is how it leaves the trunk
on switch 1.
9 The frame arrives on switch 2 with tag 96. As such, it is classified by switch 2 as
belonging to VLAN 96.
10 The frame is delivered to the victim in VLAN 96. VLAN hopping just happened!
The attack might seem convoluted. After all, it involves manually crafting an Ethernet
frame so that it contains two tags and some data. This is difficult to pull off—definitely not
something in the realm of a script kiddie. That statement might have been true a few years
ago—before Yersinia entered the scene.
NOTE The Yersinia Layer 2 attack tool was introduced in Chapter 3, “Attacking the Spanning Tree
Protocol.” If you are not familiar with this tool, see Chapter 3 for a summary of this Layer
2 hacker’s Swiss-army knife.
Yersinia makes it possible to inject double-tagged frames into the network, as Figure 4-5 and
Figure 4-6 show.
Figure 4-5 Yersinia’s 802.1Q Attack Screen
Figure 4-6 Yersinia’s Nested VLAN Attack Screen
The attack is entirely menu-driven. Using Yersinia, it is possible to modify the frame’s
contents and specify its outer and inner 802.1Q tags, as the lower portion of Figure 4-6
shows. After the frame is constructed, a simple mouse click sends it out on the port. It
doesn’t get much easier than that.
This attack is particularly difficult to trace. From a protocol’s standpoint, no foul play
occurs—chaining 802.1Q headers is not illegal, and the switch won’t complain when it sees
such frames. You can thwart this attack in three ways:
• Ensure that the native VLAN is not assigned to any access port.
• Clear the native VLAN from the trunk (not recommended).
• Force all traffic on the trunk to always carry a tag (preferred).
Option 1 is available on switches from all vendors. It is just a matter of configuring the
switch in a way that ensures access ports aren’t placed in a VLAN that is used as the native
VLAN of a trunk on the same switch. For example, if you have a trunk whose native VLAN
is 10, make sure that no access port is a member of VLAN 10.
On the other hand, options 2 and 3 might not be available on all LAN switches. Option 2
consists of manually clearing (or pruning) the native VLAN off the trunk. For example, to
achieve this, the Cisco IOS configuration would look like what’s shown in Example 4-1.
Example 4-1 removes VLAN 10 from the trunk, thereby clearing the native VLAN. Various
reasons exist for why you should not opt for this choice. Several “system” protocols rely on
the presence of the native VLAN to function properly, and protocol-level compatibility
between switches might no longer be guaranteed with the native VLAN gone. Option 3 is
the preferred method. Its operation is straightforward: It ensures that all traffic leaving a
trunk always carries a tag. In a way, it gets rid of the native VLAN concept, but it does not
disrupt traffic sent to or from the native VLAN. It just tags it.
WARNING Be careful when interoperating with a switch that does not support this option; it breaks
communication on the native VLAN.
Within the family of Cisco switches, certain discrepancies exist regarding the specifics of
the feature. For example, with the option enabled, a Catalyst 6500 switch ensures that both
outgoing and incoming frames are always tagged. Frames arriving on a trunk without a tag
are dropped. On the other hand, the Catalyst 3750 tags all outgoing traffic, but it is lenient
toward incoming traffic that arrives untagged.
NOTE Regardless of platform-specific idiosyncrasies, the option to tag all trunk traffic is available
on most Cisco switches.
Depending on the software version, the command is available either globally or on a per-port
basis. Example 4-2 lists the global and per-port configurations:
Example 4-1 Cisco IOS Trunk Port Configuration to Clear the Native VLAN
CiscoSwitch(config)#interface GigabitEthernet2/1
CiscoSwitch(config-if)#switchport
CiscoSwitch(config-if)#switchport trunk encapsulation dot1q
CiscoSwitch(config-if)#switchport trunk native vlan 10
CiscoSwitch(config-if)#switchport trunk allowed vlan 1-500
CiscoSwitch(config-if)#switchport trunk allowed vlan remove 10
CiscoSwitch(config-if)#
dot1q tag native prevents double-encapsulation/nested VLAN attacks by never stripping
off the outer tag in the presence of a double-tagged frame. That way, both tags remain intact
throughout the transit of the frame across the trunk, leaving the attacker empty-handed in
terms of VLAN hopping.
Example 4-2 Cisco IOS Configuration for Unconditional Tagging of Frames
CiscoSwitch(config)#vlan dot1q tag native
or
CiscoSwitch(config)#interface GigabitEthernet2/1
CiscoSwitch(config-if)#switchport trunk native vlan tag
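To make the ten-step walkthrough and the effect of native-VLAN tagging concrete from the defender’s side, here is an added Python model (example code written for this edit, not from the book, Yersinia or Cisco): it walks the tag stack of a raw Ethernet frame, models what a trunk’s egress does to the outer tag with and without the tag-native option, and flags frames that meet the attack’s precondition (two stacked tags with the outer one equal to the trunk’s native VLAN). It assumes the caller supplies the frame bytes and the trunk’s native VLAN; the sample frame is constructed, and recognising the 802.1ad 0x88A8 S-tag is a generalisation beyond the 0x8100 tags the chapter shows.

```python
import struct

# 802.1Q C-tag (0x8100, as in the chapter) and 802.1ad S-tag (0x88A8, generalisation)
TAG_ETHERTYPES = {0x8100, 0x88A8}

def parse_tags(frame):
    """Walk the 802.1Q tag stack of a raw Ethernet frame.
    Returns (list of VIDs outer-to-inner, EtherType of the payload)."""
    off = 12                                   # skip destination + source MAC
    etype = struct.unpack_from("!H", frame, off)[0]
    vids = []
    while etype in TAG_ETHERTYPES:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)              # low 12 bits of the TCI are the VID
        off += 4                               # each tag is TPID (2) + TCI (2)
        etype = struct.unpack_from("!H", frame, off)[0]
    return vids, etype

def trunk_egress(frame, native_vlan, tag_native=False):
    """Model of the sending side of a trunk: a frame whose outer VID is the
    native VLAN leaves untagged (outer tag stripped) unless the
    'tag native' option is on, in which case every tag is kept intact."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]         # drop the 4-byte outer tag
    return frame

def is_hopping_candidate(frame, native_vlan):
    """Detection rule: at least two stacked tags and the outer one equal to the
    trunk's native VLAN, the precondition the nested VLAN attack depends on."""
    vids, _ = parse_tags(frame)
    return len(vids) >= 2 and vids[0] == native_vlan

def sample_frame(vids, payload=b"\x00" * 46):
    """Constructed test input (not a capture): broadcast dst, dummy src, the given
    VIDs as 0x8100 tags, an IPv4 EtherType and a zero payload."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", 0x8100, v & 0x0FFF) for v in vids)
    return hdr + tags + struct.pack("!H", 0x0800) + payload

if __name__ == "__main__":
    frame = sample_frame([5, 96])              # the chapter's tags: outer 5, inner 96
    print("tags:", parse_tags(frame)[0])
    print("hopping candidate on native VLAN 5:", is_hopping_candidate(frame, 5))
    print("after trunk (default):", parse_tags(trunk_egress(frame, 5))[0])
    print("after trunk (tag native):", parse_tags(trunk_egress(frame, 5, True))[0])
```

With the default trunk behaviour the outer tag 5 is gone and only tag 96 remains, which is exactly step 8 of the walkthrough; with tag_native=True both tags survive the trunk, which is what Example 4-2 enforces.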