Information Leaks with
Cisco Ancillary Protocols
In a Cisco switched environment, there are many ancillary protocols: some proprietary,
such as Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol (VTP); some
standard, such as Institute of Electrical and Electronic Engineers (IEEE) Link Layer
Discovery Protocol (LLDP) and Link Aggregation Control Protocol (LACP). This chapter
describes these protocols, which are sometimes not well known, and the associated risks, which are
mainly information leaks, such as giving out information to a potential attacker.
Cisco Discovery Protocol
Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol that allows layer-adjacent
devices to discover each other. It requires little to no configuration. It is useful for
a network management system (NMS) to discover a complete network hop by hop from a
seed device. CDP works over several data link layers, including Ethernet.
The protocol itself is simple: Each network entity broadcasts a CDP packet once per
minute. It is up to the other network entities on the same Layer 2 network to listen to those
packets and store the information.
Diving Deep into CDP
CDP does not run over IP; it runs directly over the data link layer. When Ethernet is
used, the IEEE 802.3 and IEEE 802.1 encapsulation are used rather than the usual Ethernet
II direct encapsulation (which IPv4 uses). The Subnetwork Access Protocol (SNAP) is
used. SNAP consists of 3 bytes of Logical Link Layer header (typically AA-AA-03),
followed by the Cisco Organizational Unique Identifier (OUI) 00-00-0C, and the CDP
identifier 20-00.
Figure 11-1 displays the CDP packet format.
166 Chapter 11: Information Leaks with Cisco Ancillary Protocols
Figure 11-1 CDP Packet Format
The Version field is either 1 or 2. The Time to Live (TTL) field indicates the amount of time
(in seconds) that a receiver should retain the information contained in this packet.
The actual information is conveyed by several combinations of Type, Length, and Value
fields. The Length field is simply the length (in bytes) of the corresponding Value field.
Table 11-1 shows the list of the published CDP types associated with different information
elements.
Table 11-1 CDP Information
Type       Information
1          Hostname of the device or hardware serial number as an ASCII character string
2          Layer 3 address of the interface that sent the update
3          Port on which the CDP update has been sent
4          Functional capabilities of the device (router, switch, and so on)
5          Character string containing the software version (same as show version)
6          Hardware platform
7          List of IP directly attached network prefixes
9          VTP domain
10         In IEEE 802.1Q, the untagged VLAN (that is, the native VLAN)
11         Contains the duplex setting of the sending port
14 and 15  Negotiation of the auxiliary VLAN for IP phones
16         Amount of power a VoIP phone consumes (in milliwatts)
[Figure 11-1 (packet diagram, 32 bits wide): Version, TTL, Checksum, followed by Type 1 / Length 1 / Value 1, Type 2 / Length 2 / Value 2, ..., Type n / Length n / Value n]
CDP's default behavior is to send this frame every 60 seconds or when the content of the data
from Table 11-1 changes. The CDP packets are sent to Ethernet multicast
0100.0CCC.CCCC. Upon receiving a CDP packet, a node should keep the information in
its CDP neighbor cache for the duration of the TTL field.
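To make the packet format concrete, here is an added decoder (not code from the book) that parses a CDP frame exactly as a passive listener such as a sniffer or an IDS sensor would: it checks the 802.3 length field, the LLC/SNAP header with the Cisco OUI and the 20-00 protocol identifier, verifies the checksum, and walks the Type/Length/Value list using the type numbers from Table 11-1. The frame itself, the MAC address, and every TLV value (device name, address, platform, VTP domain, and so on) are constructed for illustration.

```python
"""Decode a CDP frame the way a passive listener (sniffer or IDS sensor) sees it.

Added example; this is not code from the book. The frame is constructed here
for illustration. Encapsulation (802.3 length field, LLC/SNAP AA-AA-03, Cisco
OUI 00-00-0C, protocol ID 20-00), the Version/TTL/Checksum header and the TLV
type numbers follow the chapter text and Table 11-1; the sample values are made up.
"""
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")          # 0100.0CCC.CCCC
SNAP_HEADER = bytes.fromhex("aaaa03" "00000c" "2000")  # LLC + Cisco OUI + CDP id

TLV_NAMES = {
    1: "device_id", 2: "addresses", 3: "port_id", 4: "capabilities",
    5: "software_version", 6: "platform", 7: "ip_prefixes", 9: "vtp_domain",
    10: "native_vlan", 11: "duplex", 14: "aux_vlan_reply", 15: "aux_vlan_query",
    16: "power_mw",
}
CAPABILITY_BITS = {0x01: "router", 0x02: "tb-bridge", 0x04: "sr-bridge",
                   0x08: "switch", 0x10: "host", 0x20: "igmp", 0x40: "repeater"}


def internet_checksum(data: bytes) -> int:
    """Standard 16-bit ones' complement sum. Odd lengths are zero-padded here;
    Cisco's own odd-length handling is not modelled, so the sample stays even-length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tlv(type_: int, value: bytes) -> bytes:
    # The Length field covers the 4-byte Type/Length header plus the Value.
    return struct.pack("!HH", type_, 4 + len(value)) + value


def build_cdp_frame(src_mac: bytes, version: int, ttl: int, tlvs: list) -> bytes:
    body = b"".join(tlvs)
    checksum = internet_checksum(struct.pack("!BBH", version, ttl, 0) + body)
    payload = struct.pack("!BBH", version, ttl, checksum) + body
    length = len(SNAP_HEADER) + len(payload)  # 802.3 length, not an EtherType
    return CDP_MULTICAST + src_mac + struct.pack("!H", length) + SNAP_HEADER + payload


def decode_value(type_: int, value: bytes):
    if type_ in (1, 3, 5, 6, 9):
        return value.decode("ascii", errors="replace")
    if type_ == 4:
        bits = struct.unpack("!I", value)[0]
        return [name for bit, name in CAPABILITY_BITS.items() if bits & bit]
    if type_ == 2:
        # count, then per address: proto type, proto len, protocol (0xCC = IP), addr len, addr
        count = struct.unpack("!I", value[:4])[0]
        addrs, off = [], 4
        for _ in range(count):
            ptype, plen = value[off], value[off + 1]
            proto = value[off + 2:off + 2 + plen]
            alen = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])[0]
            addr = value[off + 4 + plen:off + 4 + plen + alen]
            if ptype == 1 and proto == b"\xcc" and alen == 4:
                addrs.append(".".join(str(b) for b in addr))
            else:
                addrs.append(addr.hex())
            off += 4 + plen + alen
        return addrs
    if type_ in (10, 16):
        return struct.unpack("!H", value)[0]
    if type_ == 11:
        return "full" if value == b"\x01" else "half"
    return value.hex()


def parse_cdp_frame(frame: bytes) -> dict:
    dst, src = frame[:6], frame[6:12]
    length = struct.unpack("!H", frame[12:14])[0]
    if dst != CDP_MULTICAST or length > 1500 or frame[14:22] != SNAP_HEADER:
        raise ValueError("not an 802.3/SNAP CDP frame")
    payload = frame[22:14 + length]
    if len(payload) < 4 or internet_checksum(payload) != 0:
        raise ValueError("bad CDP checksum or truncated payload")
    version, ttl, _ = struct.unpack("!BBH", payload[:4])
    fields, off = {}, 4
    while off < len(payload):
        type_, tlv_len = struct.unpack("!HH", payload[off:off + 4])
        if tlv_len < 4 or off + tlv_len > len(payload):
            raise ValueError("malformed TLV at offset %d" % off)
        name = TLV_NAMES.get(type_, "type_%d" % type_)
        fields[name] = decode_value(type_, payload[off + 4:off + tlv_len])
        off += tlv_len
    return {"src_mac": src.hex(":"), "version": version, "ttl": ttl, "tlvs": fields}


# Constructed sample announcement from an imaginary access switch.
SAMPLE_FRAME = build_cdp_frame(
    bytes.fromhex("001122334455"), version=2, ttl=180,
    tlvs=[
        tlv(1, b"edge-sw-01"),
        tlv(2, struct.pack("!I", 1) + b"\x01\x01\xcc" + struct.pack("!H", 4) + bytes([192, 0, 2, 10])),
        tlv(3, b"FastEthernet0/1"),
        tlv(4, struct.pack("!I", 0x08)),          # switch
        tlv(5, b"Sample IOS version"),
        tlv(6, b"cisco WS-C3524-XL"),
        tlv(9, b"labs"),
        tlv(10, struct.pack("!H", 1)),            # native VLAN 1
        tlv(11, b"\x01"),                         # full duplex
        tlv(16, struct.pack("!H", 6300)),         # 6.3 W
    ],
)

if __name__ == "__main__":
    import pprint
    pprint.pprint(parse_cdp_frame(SAMPLE_FRAME))
```

Everything the decoder prints is what any host on the same Layer 2 segment obtains for free, which is the point of the risk analysis that follows: the parser needs no credentials and sends nothing.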
CDP Risk Analysis
The most obvious risk associated with CDP is the information leak; that is, an attacker
learns a lot by listening to CDP. This attack is completely passive: there is no way to detect this
information leak, and it causes no damage to the network. Many sniffing tools have the
ability to decode CDP, such as Yersinia[1] (shown in Figure 11-2), but there are also generic
sniffers, such as Ethereal.
Figure 11-2 CDP Packet Decode by Yersinia
After a maximum of 60 seconds, the attacker discovered four Cisco devices, including a
Catalyst 3524, as well as information about VTP and native VLAN. The exact Cisco IOS
version is not displayed in the figure, but it appears on another Yersinia screen.
NOTE For more information on Yersinia, see Chapter 5, “Leveraging DHCP Weaknesses.”
This information leak matters mostly for the following:
• Software version and hardware platform. An attacker can potentially identify a
specific release with a well-known bug that is easy to exploit.
• Auxiliary VLAN. An attacker can learn which VLAN is used by IP telephony.
NOTE A common misconception of IP telephony security is the belief that using a separate VLAN
for voice and data is the best way to achieve security. CDP completely kills this
misconception. As soon as an attacker learns the voice VLAN by CDP, it is trivial for him
to send and receive IEEE 802.1Q tagged frames with the correct VLAN ID. IP telephony
security can be achieved by using secure (that is, cryptographically protected) voice and
Layer 2 security features (which this book describes). Using a separate VLAN for voice and
data makes network operations much easier (addressing, quality of service [QoS], firewall
rules, and so on) and is generally worthwhile.
The other risk associated with CDP occurs when an attacker sends forged CDP packets.
This leads to several denial of service (DoS) attacks:
• CDP cache overflow. In some Cisco IOS and CatOS releases (see the exact releases
in the Cisco Security Notice[2]), a software bug can reset the switch when it receives too
many CDP packets. This issue is now fixed.
• CDP cache pollution. With recent Cisco IOS and CatOS releases, the switches will
not reboot anymore; however, the CDP table becomes useless because it contains a
lot of spurious and fake information.
• Power exhaustion. By claiming to be a phone, an attacker can reserve some electrical
power, preventing other legitimate devices from getting power from the switch. It also
requires some hardware on the attacker's side to fake the electrical signaling, which
is discussed in Chapter 8, “What About Power over Ethernet?”
Example 11-1 shows a CatOS cache polluted by Yersinia. It makes the operator's job more
complex, and it could be used to hide some new devices among forged ones.
Example 11-1 CDP Cache Polluted by Yersinia
Switch> sh cdp neighbors
Port     Device-ID        Port-ID              Platform
-------- ---------------- -------------------- ------------
2/16     2651e            FastEthernet0/1      cisco 2651
2/21     inet3            FastEthernet0/0      cisco 2651
2/36     r2-7206          Ethernet2/0.1        cisco 7206VXR
2/47     00M55I1          Ethernet0            yersinia
2/47     00N55I1          Ethernet0            yersinia
2/47     00N66I1          Ethernet0            yersinia
NOTE The attack in Example 11-1 can be carried out because no authentication is built into CDP.
Although this lack of authentication opens the door to some attacks, it would be difficult to
get a proper authentication mechanism into CDP because CDP is used even by bootstrapping
devices, such as an IP phone. Also, as long as a device is not part of the network, it is mostly
impossible to check for authentication. (For example, no accurate time information is
available.) As the next section shows, IEEE made the same decision when specifying IEEE
802.1AB.
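Because the leak itself cannot be detected, the defender's signal is the switch side: a polluted neighbor cache like the one in Example 11-1 is visible in `show cdp neighbors` output. The following added script (not code from the book) parses that output and flags the symptoms of pollution: several neighbors on a port that is not a known uplink, a platform string that is not part of the operator's fleet, and a burst of new entries between two polls. The two snapshots are constructed (the first mirrors the layout of Example 11-1), and the thresholds and the `cisco` platform prefix are assumptions to be tuned per network.

```python
"""Spot CDP cache pollution in 'show cdp neighbors' output.

Added example, not from the book. The snapshots below are constructed (the
first mirrors the layout of Example 11-1). The rule set is an assumption: a
port that is not a known uplink should see at most one neighbor, a platform
string the operator does not recognise is suspicious, and a burst of new
neighbors between two polls is the signature of a flood.
"""
import re
from collections import defaultdict

# Columns: Port  Device-ID  Port-ID  Platform (the platform may contain spaces)
ROW = re.compile(r"^(?P<port>\S+)\s+(?P<device>\S+)\s+(?P<port_id>\S+)\s+(?P<platform>.+?)\s*$")


def parse_show_cdp_neighbors(text: str) -> list:
    """Return one dict per neighbor row, skipping prompt, header and rule lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Port") or line.startswith("---") or "sh cdp" in line:
            continue
        m = ROW.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def audit_neighbors(rows, known_platform_prefixes=("cisco",), max_per_port=1, uplinks=()):
    """Return (port, reason) findings for ports that look polluted."""
    by_port = defaultdict(list)
    for r in rows:
        by_port[r["port"]].append(r)
    findings = []
    for port, entries in sorted(by_port.items()):
        if port not in uplinks and len(entries) > max_per_port:
            findings.append((port, "%d neighbors on a non-uplink port" % len(entries)))
        for r in entries:
            if not r["platform"].lower().startswith(tuple(known_platform_prefixes)):
                findings.append((port, "unrecognised platform %r from %s" % (r["platform"], r["device"])))
    return findings


def neighbor_churn(previous, current):
    """Compare two polls; return (added, removed) neighbor keys."""
    key = lambda r: (r["port"], r["device"], r["port_id"])
    old, new = {key(r) for r in previous}, {key(r) for r in current}
    return sorted(new - old), sorted(old - new)


# Constructed poll before the flood (layout mirrors Example 11-1).
BASELINE = """\
Switch> sh cdp neighbors
Port     Device-ID        Port-ID              Platform
-------- ---------------- -------------------- ------------
2/16     2651e            FastEthernet0/1      cisco 2651
2/21     inet3            FastEthernet0/0      cisco 2651
2/36     r2-7206          Ethernet2/0.1        cisco 7206VXR
"""

# Constructed poll a minute later, with forged entries on an access port.
POLLUTED = BASELINE + """\
2/47     00M55I1          Ethernet0            yersinia
2/47     00N55I1          Ethernet0            yersinia
2/47     00N66I1          Ethernet0            yersinia
"""

if __name__ == "__main__":
    before, after = parse_show_cdp_neighbors(BASELINE), parse_show_cdp_neighbors(POLLUTED)
    for port, reason in audit_neighbors(after):
        print("ALERT %s: %s" % (port, reason))
    added, removed = neighbor_churn(before, after)
    print("new neighbors since last poll:", len(added), "vanished:", len(removed))
```

Run periodically against the output of each access switch and alert on any finding; on CatOS, as in Example 11-1, the same three columns are present, so the parser applies to both command dialects.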
CDP Risk Mitigation
Because CDP is mainly interesting to use between network devices and not toward end-user
hosts, the best way to prevent both the DoS attacks and information leaks is to only enable
CDP on ports to other network devices and uplinks while disabling it on access ports.
Because Cisco IP phones rely on CDP to discover the auxiliary VLAN and to signal their
exact power consumption, CDP must remain enabled on ports to IP phones. (For more
information on how to mitigate attacks on the Power over Ethernet ports, see Chapter 8.)
It is possible to turn off CDP either globally or on a per-interface basis:
CatOS> (enable) set cdp disable
IOS(config)#no cdp run
IOS(config-if)#no cdp enable
Because of the low level of risk and the benefits of CDP in IP phone deployment, as well
as for network operation and troubleshooting, it is better to leave CDP enabled on all ports.
Of course, the best option is to only configure CDP on ports where it is required (such as
those with an IP phone) to reduce risk exposure.
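The placement rule above (CDP on for uplinks and phone ports, off on plain access ports) is easy to state and easy to drift from. As an added example, not code from the book, the script below audits an IOS-style configuration for that rule. The configuration text is constructed, and the classification is an assumption: `switchport mode trunk` marks an uplink to another network device, `switchport voice vlan` marks a phone port, and `cdp run` is taken as the default when `no cdp run` is absent.

```python
"""Audit an IOS-style configuration against the CDP placement advice:
keep CDP on trunks/uplinks and IP phone ports, disable it on plain access ports.

Added example, not from the book. The configuration is constructed, and the
interface classification rules are assumptions ('switchport mode trunk' =>
uplink, 'switchport voice vlan' => phone port, global 'cdp run' is the default).
"""
import re


def parse_interfaces(config: str):
    """Return (global_cdp_enabled, {interface name: [indented config lines]})."""
    global_cdp = "no cdp run" not in config
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        elif line == "!":
            current = None
    return global_cdp, interfaces


def audit_cdp(config: str):
    """Return (interface, reason) findings where CDP is on or off in the wrong place."""
    global_cdp, interfaces = parse_interfaces(config)
    findings = []
    for name, lines in interfaces.items():
        is_trunk = "switchport mode trunk" in lines
        is_phone = any(l.startswith("switchport voice vlan") for l in lines)
        cdp_on = global_cdp and "no cdp enable" not in lines
        if cdp_on and not (is_trunk or is_phone):
            findings.append((name, "CDP enabled on an access port without a voice VLAN; add 'no cdp enable'"))
        if not cdp_on and is_phone:
            findings.append((name, "CDP disabled on a phone port; the phone cannot learn its auxiliary VLAN"))
    return findings


# Constructed configuration with one correct phone port, one correctly disabled
# access port, one exposed access port, one phone port wrongly disabled, one uplink.
SAMPLE_CONFIG = """\
hostname edge-sw-01
cdp run
!
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 200
!
interface FastEthernet0/2
 switchport mode access
 no cdp enable
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 switchport mode access
 switchport voice vlan 200
 no cdp enable
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

if __name__ == "__main__":
    for interface, reason in audit_cdp(SAMPLE_CONFIG):
        print("%s: %s" % (interface, reason))
```

The audit deliberately reports both directions: an access port that still announces the switch's platform and IOS version, and a phone port where an over-eager `no cdp enable` would break the auxiliary VLAN and power negotiation described above.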