Chapter 3: Attacking the Spanning Tree Protocol
Radia Perlman, a distinguished engineer at Sun Microsystems, named as one of the 20 most
influential people in the industry in the 25th anniversary issue of Data Communications
magazine and the original inventor of the 802.1D spanning-tree specification, recently had
a few words to say about the protocol: “It’s time to redo (one of the Internet’s most widely
used technologies) in a way that is more robust and gives more efficient paths.”1
Introducing Spanning Tree Protocol
Chapter 2, “Defeating a Learning Bridge’s Forwarding Process,” explained how Ethernet
switches build their forwarding tables by learning source MAC addresses from data traffic.
When an Ethernet frame arrives on a switch port in VLAN X with a destination MAC
address for which there is no entry in the forwarding table, the switch floods the frame. That
is, it sends a copy of the frame to every single port in VLAN X (except the port that
originally received the frame). Although this is perfectly fine in a single-switch
environment, interesting side effects are observed in multiswitch topologies, as Figure 3-1
shows. The figure represents a simple network composed of two LAN switches
interconnected by two Ethernet links.
Figure 3-1 Basic Network Setup
In the next steps, MAC addresses are conveniently shortened to a single-letter format for
clarity. A regular Ethernet MAC address is actually made up of 6 bytes. The following
sequence of events occurs when an application on the top PC (MAC address A)
communicates with the bottom PC (MAC address B):
1 The top PC sends a frame to the bottom PC (destination MAC address B).
2 Switch 1 learns that MAC address A is off port 0/1.
3 Switch 1 looks up MAC address B; no match is found.
4 Switch 1 sends out the frame on links X and Y (a process known as flooding).
5 Switch 2 receives the frame from A to B on link X and updates its forwarding table.
(A is on link X.)
An instant later, switch 2 receives the exact same frame on link Y; this time, it
causes a new update to the forwarding table. This is known as a race condition:
whichever MAC address arrives first wins the race and gets installed in the forwarding
table.
6 Switch 2 looks up MAC address B; no match is found. (B hasn’t talked yet.)
7 Switch 2 sends out the frame on port 0/2 and link Y (or X, depending on the outcome
of the race condition described in Step 5).
[Figure 3-1 labels: PC A (MAC address 0000.0000.000A) on switch 1 port 0/1; PC B (MAC address 0000.0000.000B) on switch 2 port 0/2; switch 1 and switch 2 interconnected by link X and link Y; all interfaces are in VLAN 5.]
8 Switch 1 and PC B both receive the frame; however, this frame causes switch 1 to
again update its forwarding table. (MAC address A is now off link Y or X.)
9 Return to Step 3 and loop forever. Even if B talks, nothing changes because both
switches continuously update their forwarding tables with incorrect information
(because of the endless packet loop).
There is no such thing as a Time to Live (TTL) field in Ethernet headers. No routing
protocol distributes information related to MAC addresses and their whereabouts. Simply
put, short of a power or link failure, nothing can stop the packets from looping endlessly
between switch 1 and 2. There’s no need for a broadcast or multicast frame; a simple unicast
frame does fine.
The problem is hardly new. After Radia Perlman’s work in the early 1990s, the IEEE
ratified her protocol work into a standard known as 802.1D. 802.1D defines the original
Spanning Tree Protocol (STP), whose job is to disable redundant paths from one end of
the Layer 2 network to another, thereby accomplishing two goals: no packet duplication or loops
while still providing automatic traffic rerouting in case of failure. If switch 1 or switch 2 (or
both) were running the STP, the topology represented in Figure 3-1 would logically appear
as what’s shown in Figure 3-2.
Figure 3-2 Loop-Free Topology Calculated by STP
With link Y disabled by the spanning-tree algorithm running on switch 2, packets from the
top PC to the bottom PC can no longer loop forever.
[Figure 3-2 labels: PC A on switch 1 port 0/1; PC B on switch 2 port 0/2; link X forwarding; link Y: Blocking.]
STP is an extremely common protocol; it keeps virtually every single existing Ethernet-based
LAN network loop free.
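The nine-step loop above and the blocking state of Figure 3-2 can both be reproduced with a small simulation of two learning bridges. The following Python is an added example, not code from the book; it assumes the port names of the figures (0/1, 0/2, links X and Y), represents hosts A and B as plain strings, and uses an event cap as a stand-in for "forever" (a real switch has no such cap, which is the whole point of the text). Running it shows the forwarding tables thrashing between links X and Y without STP, and a single clean flood followed by learned unicast forwarding once switch 2 puts its link-Y port in blocking state.

```python
"""Two learning bridges joined by two parallel links (X and Y), as in
Figure 3-1, simulated first without STP and then with switch 2's link-Y
port in the STP blocking state (Figure 3-2).  Constructed example: hosts
are plain strings, inter-switch links are (neighbour switch, remote port)
tuples, and the port names are the ones used in the figures."""
from collections import deque


class Switch:
    """A transparent (learning) bridge with an optional set of STP-blocked ports."""

    def __init__(self, name, blocked=()):
        self.name = name
        self.ports = {}            # port -> host name or (Switch, remote port)
        self.table = {}            # forwarding table: MAC -> port
        self.blocked = set(blocked)
        self.updates = 0           # how many times the table was (re)written

    def attach(self, port, neighbour):
        self.ports[port] = neighbour

    def receive(self, in_port, src, dst):
        """Learn src on in_port, then forward (known dst) or flood (unknown dst).
        Returns the list of (out_port, neighbour) pairs the frame is sent to."""
        if in_port in self.blocked:
            return []              # STP blocking: discard the data frame, learn nothing
        if self.table.get(src) != in_port:
            self.table[src] = in_port
            self.updates += 1      # new entry, or an entry that just moved ports
        if dst in self.table:
            outs = [self.table[dst]]
        else:
            outs = [p for p in self.ports if p != in_port]   # flooding
        return [(p, self.ports[p]) for p in outs if p not in self.blocked]


class Network:
    """Switch 1 (port 0/1 -> A) and switch 2 (port 0/2 -> B), joined by links X and Y."""

    def __init__(self, blocked_on_switch2=()):
        self.sw1 = Switch("switch 1")
        self.sw2 = Switch("switch 2", blocked=blocked_on_switch2)
        self.sw1.attach("0/1", "A")
        self.sw2.attach("0/2", "B")
        for link in ("X", "Y"):
            self.sw1.attach(link, (self.sw2, link))
            self.sw2.attach(link, (self.sw1, link))
        self.delivered = {"A": 0, "B": 0}   # copies handed to each host
        self.pending = deque()

    def send(self, switch, port, src, dst, max_events=1000):
        """Inject one frame on `port` of `switch` and run the switches until the
        queue drains or max_events frame receptions have happened.
        Returns (events, still_pending): still_pending is True when the cap
        stopped a loop that would otherwise have continued."""
        self.pending.append((switch, port, src, dst))
        events = 0
        while self.pending and events < max_events:
            sw, in_port, s, d = self.pending.popleft()
            events += 1
            for _, neighbour in sw.receive(in_port, s, d):
                if isinstance(neighbour, tuple):          # onto the other switch
                    nsw, nport = neighbour
                    self.pending.append((nsw, nport, s, d))
                else:                                     # handed to a host
                    self.delivered[neighbour] += 1
        return events, bool(self.pending)


def no_stp_scenario(max_events=1000):
    """Steps 1-9 of the text: A sends one unicast frame to B and nothing stops it."""
    net = Network()
    events, looping = net.send(net.sw1, "0/1", "A", "B", max_events)
    return {"events": events, "looping": looping,
            "copies_to_B": net.delivered["B"],
            "sw1_updates": net.sw1.updates, "sw2_updates": net.sw2.updates,
            "sw1_table": dict(net.sw1.table)}


def stp_scenario():
    """Figure 3-2: switch 2 has put its link-Y port in blocking state."""
    net = Network(blocked_on_switch2={"Y"})
    e1, l1 = net.send(net.sw1, "0/1", "A", "B")   # A -> B: flooded once, then it stops
    e2, l2 = net.send(net.sw2, "0/2", "B", "A")   # B -> A: unicast along the learned path
    return {"events": e1 + e2, "looping": l1 or l2, "delivered": dict(net.delivered),
            "sw1_table": dict(net.sw1.table), "sw2_table": dict(net.sw2.table)}


if __name__ == "__main__":
    print("without STP:", no_stp_scenario())
    print("with STP   :", stp_scenario())
```

In the no-STP run the queue never empties: each copy that reaches a switch over one inter-switch link is flooded back over the other, B receives a fresh duplicate on every pass, and both switches keep rewriting their entry for A between X and Y, exactly the race of Step 5. With switch 2's Y port blocking, the copy switch 1 still floods onto link Y is simply discarded, the first frame is delivered once, and B's reply is forwarded without any flooding because both tables now hold correct entries.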