Risk Analysis
Because no security is built into either link aggregation protocol (PAgP or LACP), an attacker can send a
forged control packet to a switch. The switch acts on this packet and adds the link on which
the attacker is located to the aggregated port, as shown in Figure 11-8 (where switch B was
the target of the attack).
Figure 11-8 Traffic Hijacking with Aggregation
As soon as an attacker becomes part of the aggregated link, switch B starts to load balance
the traffic to switch A among all four physical ports. Hence, the attacker receives one-fourth
of the traffic. This can have two adverse consequences:
• DoS. If an attacker simply drops the received frames, a quarter of the traffic is
lost. Because the load balancing is based on the source and destination
MAC addresses, the loss is not spread evenly: every frame of a given conversation hashes to
the same physical port, so all packets of a single connection are lost.
• Lack of confidentiality and integrity. Because the attacker receives frames destined for
another recipient, it is possible to sniff them and even forward them to the expected
recipient after altering the packet's content. (The attacker must change the source
MAC address of the frame, or the frame would loop forever between the attacker and
the attacked switch; for most protocols, notably IP, this change of source MAC
address won't be detected.)
(Figure 11-8: Switch A and Switch B, ports 1 through 6 on each, joined by an aggregated link; the diagram itself is not reproduced here.)
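To make the two consequences above concrete, here is an added example (written for this page, not code from the book) that models the source/destination-MAC load balancing the text describes. The hash it uses, the XOR of the low-order byte of the two addresses reduced to the number of member links, is a simplified stand-in for a real switch's algorithm; the bundle size of four, the attacker's member index and the sample conversations are all constructed assumptions. What it shows is the property the attack relies on: the member link is a deterministic function of the MAC pair, so a conversation is either fully delivered to the attacker or not at all, and over many conversations the attacker sees about one-fourth of them.

```python
import random

NUM_LINKS = 4       # the four physical links of the bundle in Figure 11-8
ATTACKER_LINK = 3   # assumption: the attacker's forged link became member 3


def mac_to_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into six bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def select_link(src_mac: str, dst_mac: str, num_links: int = NUM_LINKS) -> int:
    """Choose the member link for one frame from its MAC pair.

    Simplified hash (assumption): XOR the low-order byte of each address and
    reduce modulo the bundle size. A real switch hashes differently in detail,
    but, like this one, deterministically from the addresses.
    """
    s = mac_to_bytes(src_mac)[-1]
    d = mac_to_bytes(dst_mac)[-1]
    return (s ^ d) % num_links


def conversation_hijacked(src_mac: str, dst_mac: str,
                          attacker_link: int = ATTACKER_LINK) -> bool:
    """True when every frame between the pair is handed to the attacker.

    XOR is symmetric, so the reply direction lands on the same member link
    as the forward direction: the whole conversation is exposed, or none of it.
    """
    return select_link(src_mac, dst_mac) == attacker_link


def hijacked_flows(flows, attacker_link: int = ATTACKER_LINK):
    """Return the (src, dst) pairs whose frames are delivered to the attacker."""
    return [f for f in flows if conversation_hijacked(f[0], f[1], attacker_link)]


def attacker_share(num_flows: int = 4000, seed: int = 1,
                   attacker_link: int = ATTACKER_LINK) -> float:
    """Estimate the fraction of random conversations that reach the attacker."""
    rng = random.Random(seed)

    def rand_mac() -> str:
        return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))

    hits = sum(conversation_hijacked(rand_mac(), rand_mac(), attacker_link)
               for _ in range(num_flows))
    return hits / num_flows


# Constructed sample: eight conversations between hosts behind switch A and B.
SAMPLE_FLOWS = [
    ("00:11:22:33:44:01", "00:aa:bb:cc:dd:10"),
    ("00:11:22:33:44:02", "00:aa:bb:cc:dd:10"),
    ("00:11:22:33:44:03", "00:aa:bb:cc:dd:10"),
    ("00:11:22:33:44:04", "00:aa:bb:cc:dd:10"),
    ("00:11:22:33:44:07", "00:aa:bb:cc:dd:10"),
    ("00:11:22:33:44:08", "00:aa:bb:cc:dd:11"),
    ("00:11:22:33:44:0b", "00:aa:bb:cc:dd:11"),
    ("00:11:22:33:44:0f", "00:aa:bb:cc:dd:11"),
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        link = select_link(src, dst)
        flag = "  <- attacker" if conversation_hijacked(src, dst) else ""
        print(f"{src} -> {dst}: member link {link}{flag}")
    print(f"share of random conversations seen by attacker: {attacker_share():.3f}")
```

Run it as a script to see which of the sample conversations land on the attacker's member link; the share estimate converges on 0.25 for a four-link bundle, matching the one-fourth figure in the text.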
At the time of this writing, the authors were not aware of any attack tool trying to exploit
the absence of security in aggregation protocols. This attack also requires some knowledge
about the MAC addresses of both switches, so it is not easy to launch, but "security
by obscurity" is always a bad policy decision. No one should ever rely on the level of
difficulty for an attacker. The attack also requires that the attacker has access to a trunk port.
This hijacking is just an efficient variation of the learning bridge attack discussed in
Chapter 2, "Defeating a Learning Bridge's Forwarding Process." Even without exploiting link
aggregation protocols, an attacker can send multiple frames with the source MAC addresses
of the hosts to be attacked; then, the upstream switch starts forwarding the frames to the
attacker instead of to the victim's machine. The major difference between sending MAC
spoofed frames and becoming part of an aggregated link is that, for the MAC spoofed
attack, several frames need to be sent (that is, more knowledge about the victims is needed and more
traffic has to be generated).
In the end, the risk is low, but real. Because mitigation techniques are easy to deploy, there
is no reason to accept this risk.
Risk Mitigation
The main issue with link aggregation is that the default setting for trunk ports in Cisco
switches is on; that is, a switch willingly accepts PAgP or LACP packets. The mitigation is
obviously to change the default behavior of all ports in the switch, which is easy to do on
CatOS and in Cisco IOS.
On CatOS:
Console> (enable) set port channel all mode off
Port(s) 1/1-2,2/1-48 channel mode set to off.
In Cisco IOS:
IOS(config)#interface FastEthernet 0/0
IOS(config-if)#no channel-group
NOTE Link aggregation runs only on trunk ports. This is another reason why trunking needs to be
disabled toward nontrusted hosts. In fact, disabling trunking prevents attacks against link
aggregation because the switch rejects all link aggregation control packets received on a
nontrunking port.
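Disabling negotiation on the switch is the fix; verifying that no host is trying it is the operational check a practitioner would also want. The following is an added example, not code from the book or from any Cisco product, of the detection side: it parses an IEEE 802.3ad LACPDU (Slow Protocols destination MAC 01:80:c2:00:00:02, Ethertype 0x8809, subtype 1) from raw frame bytes, walks its TLVs, and raises an alert when such a PDU arrives on a port that is not one of the known channel members. It handles LACP only; PAgP is Cisco proprietary and is not decoded here. The interface names, the trusted-port set and the sample frame are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

SLOW_PROTOCOLS_MAC = bytes.fromhex("0180c2000002")   # 802.3 Slow Protocols multicast
SLOW_PROTOCOLS_ETHERTYPE = 0x8809
LACP_SUBTYPE = 0x01                                  # 2 = Marker, 3 = Link OAM
TERMINATOR, ACTOR_INFO, PARTNER_INFO, COLLECTOR_INFO = 0, 1, 2, 3

# Assumption: only the four uplinks bundled toward switch A may carry LACPDUs.
TRUSTED_PORTS = {"Gi1/0/1", "Gi1/0/2", "Gi1/0/3", "Gi1/0/4"}


@dataclass
class LacpActor:
    system_priority: int
    system_id: str
    key: int
    port_priority: int
    port: int
    state: int

    def active(self) -> bool:
        return bool(self.state & 0x01)       # LACP_Activity bit: active negotiation


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_lacpdu(frame: bytes) -> Optional[LacpActor]:
    """Return the Actor Information of an LACPDU, or None if the frame is not one."""
    if len(frame) < 14:
        return None
    dst, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if dst != SLOW_PROTOCOLS_MAC or ethertype != SLOW_PROTOCOLS_ETHERTYPE:
        return None
    payload = frame[14:]
    if len(payload) < 2 or payload[0] != LACP_SUBTYPE:
        return None
    actor = None
    offset = 2                                # skip subtype and version
    while offset + 2 <= len(payload):         # TLV: type(1) length(1) value
        tlv_type, tlv_len = payload[offset], payload[offset + 1]
        if tlv_type == TERMINATOR:
            break
        if tlv_len < 2 or offset + tlv_len > len(payload):
            return None                       # malformed or truncated TLV
        value = payload[offset + 2: offset + tlv_len]
        if tlv_type == ACTOR_INFO and tlv_len == 20:
            prio, sys_id, key, pprio, port, state = struct.unpack("!H6sHHHB", value[:15])
            actor = LacpActor(prio, fmt_mac(sys_id), key, pprio, port, state)
        offset += tlv_len
    return actor


def check_ingress(ingress_port: str, frame: bytes) -> Optional[str]:
    """Alert text when an LACPDU shows up on a port that is not a channel member."""
    actor = parse_lacpdu(frame)
    if actor is None or ingress_port in TRUSTED_PORTS:
        return None
    mode = "active" if actor.active() else "passive"
    return (f"LACPDU on non-channel port {ingress_port}: actor system "
            f"{actor.system_id} key {actor.key} port {actor.port} ({mode})")


# Constructed sample LACPDU (not a capture): 14-byte Ethernet header + 110-byte LACPDU.
SAMPLE_LACPDU = (
    SLOW_PROTOCOLS_MAC + bytes.fromhex("000c29aabbcc") + bytes.fromhex("8809")
    + bytes.fromhex("0101")                                   # subtype LACP, version 1
    + bytes.fromhex("0114" "8000" "000c29aabbcc" "0001"       # actor TLV: prio, system
                    "8000" "0003" "3d" "000000")              # port prio, port, state, rsvd
    + bytes.fromhex("0214" "ffff" "000000000000" "0000"       # partner TLV (defaults)
                    "ffff" "0000" "00" "000000")
    + bytes.fromhex("0310" "0000") + bytes(12)                # collector TLV, max delay 0
    + bytes.fromhex("0000")                                   # terminator TLV
    + bytes(50)                                               # reserved
)

if __name__ == "__main__":
    for port in ("Gi1/0/1", "Gi1/0/24"):
        print(port, "->", check_ingress(port, SAMPLE_LACPDU) or "ok")
```

Feed it frames from a SPAN session or a capture file together with the ingress interface; any alert on an access port means a host is negotiating a channel, which after the configuration above should never happen.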
Summary
Several ancillary protocols are used in an Ethernet environment, such as CDP and VTP or
LLDP and LACP.
Automatic discovery protocols, such as CDP or LLDP, allow an NMS to discover the
complete network and also enable automatic configuration of some devices, such as IP phones.
Both of them present some risks (mainly an information leak, which an attacker could
leverage); therefore, they should be disabled on all ports except the uplinks and ports to other
network devices (including IP phones).
VTP is designed to deliver the VLAN configuration from a central location. Because
spanning a VLAN across multiple switches is considered an inefficient practice (too much
broadcast and multicast traffic), VTP should normally not be enabled. If it is required, version 3
provides authentication, integrity, and antireplay protection. (At the time of this writing, Cisco IOS does not
support VTP version 3.) To avoid replay attacks, which could lead to an attacker adding and
removing VLANs, VTP should never be enabled on a switch running Cisco IOS.
Link aggregation protocols, such as Cisco PAgP or LACP, bind several parallel links into
an aggregated one. The control protocols have no built-in security mechanism. The risk is
mainly traffic hijacking if an attacker becomes a member of the aggregated link. This is the
same risk as injecting fake MAC information into the content-addressable memory (CAM)
table, but it is more efficient for the attacker. Mitigation consists of changing the port setting from the
default (which allows link aggregation) to the off setting.
Disabling automatic trunking toward nontrusted hosts is another way to mitigate attacks on VTP
and link aggregation because a switch ignores all VTP and link aggregation control packets
on a nontrunking port.