Re: STP mitm attack idea

[Jean-Christophe Baptiste <jc () phocean net>]

> Portfast modifies STP, it does not disable it. 
Well, right, the interface configured with it goes straight from
blocking to forwarding. You got the idea.

> This does make a good argument for pvst and similar technologies running at the vlan level for enterprise networking. 
I don't see the point. Having one instance of STP per vlan or one for
all, there is no point with the security issue here.

> But it is probably best to assume someone with access to a segment can see everything on that segment, pretend to be 
> anyone else on that subnet, and inject anything onto that subnet. In other words, it is nearly impossible to protect 
> reliability and somewhat privacy on a shared link. 
Of course. It is like an attacker having physical access to a machine.
But it does not mean we shouldn't activate some security features to
make the job harder (and increase the noise in case of an attack).

> On Apr 29, 2010, at 12:19 AM, news <news () phocean net> wrote:
>
> > Le mercredi 28 avril 2010 à 18:20 +0200, Jann Horn a écrit :
> > > Am Dienstag, den 27.04.2010, 19:55 +0200 schrieb Przemyslaw Borkowski:
> > > > Second scenario:
> > > > 1. Station C and station D starts to send frames to break link beetween switch 1 and switch 2, and announce non 
> > > > existing connection and switch from C port on switch 1 to D port on switch 2
> > > >
> > > > A ---- switch 1 --X-- switch 2 ----- B
> > > >          |              |
> > > >          |              |
> > > >          C  --no conn-- D
> > > > 2. Station A sends frame to B
> > > > 3. Frame is forwarded to C station
> > > > 4. Station C stores frame in memory
> > > > 5. After equal timing station C and station D repair link beetween switch 1 and 2
> > > > 6. station C resends stored packet to station D (ie in tunnel or encapsulated in ip packet)
> > > > 7. stations C and D break link beetween switches 1 and 2
> > > > 8. station D sends transmitted packet to station B
> > >
> > > If you had a WLAN-link, you could simplify that a lot - as far as I
> > > understand, you are able to make the switches redirect the traffic to
> > > your machines.
> > > Anyway, this attack sounds like something a good switch can easily
> > > prevent by having a list of "STP trusted ports" or something like that.
> > > Doesn't that exist?
> >
> > I think I have heard about this attack before.
> >
> > Yes, a good admin should set all the port used by machine as portfast
> > (no STP), keeping only the STP on the port attached to network devices.
> > Then the attack would be really too noisy to be successful.
> >
> > It is also highly recommended to lock down the ports at L2 (port
> > security). Well I hope every one here is doing it, as it can make such
> > attacks really hard.

Attachment: signature.asc
Description: Ceci est une partie de message numériquement signée