Vulnerability Development mailing list archives
Re: Vlans
From: "Aaron D. Turner" <aturner () ONESECURE COM>
Date: Fri, 19 Jan 2001 09:50:56 -0800
John,

This is not necessarily true for all switches. It depends on the algorithm used to determine which port receives/sends packets. There are a few options (not all are addressed here, but it should give you something to go on):

1) A frame that comes in on any port gets copied to the buffer of all ports. Then a central authority (main CPU) tells which port should drop which frame.
Advantages: fast and cheap (centralized intelligence)
Disadvantage: if CPU becomes overloaded the switch becomes a bridge

2) A frame that comes in on any port gets copied to the buffer of only those ports that need it.
Advantage: fast and more secure (each port has its own CPU and you can design the CPU to be fast enough to handle the full line speed)
Disad: more expensive (distributed intelligence)

The basic difference is fail-safe vs. fail-open. When 'bad things happen' like the switch gets hammered with more packets than it can deal with, how does it respond? There's no industry standard to specify how switches or other devices should deal with these kinds of situations.

-- 
Aaron D. Turner
Security Architect, OneSecure http://www.onesecure.com/
aturner () onesecure com
work: 408-992-8045 cell: 408-314-9874
pub 1024D/1B57EB4D 2000-09-27 Aaron D. Turner <aturner () onesecure com>
Key fingerprint = F90C BFB4 4404 5504 295D 4435 578B 1DD5 1B57 EB4D
All emails by me are PGP signed; an invalid signature indicates a forgery.

On Thu, 18 Jan 2001, John Kinsella wrote:
> Tim -
>
> In theory it's possible to "flatten" VLANs on a switch by slamming the switch's CPU with enough traffic that it stops tagging packets for the appropriate VLANs. From what I understand, at this point instead of the switch dropping the packet, it sends the packet out destined for all VLANs. There was some discussion on this topic on bugtraq last year.
>
> I've been meaning to test out the theory myself in the lab over the last few weeks but haven't had a chance yet... I will say that unless money is a serious constraint that a client has, I always try to keep internal and external network traffic on physically separate switches.
>
> Some peace of mind may come, though, from considering that the amount of traffic needed to jump a switch's VLANs *should* be more than easily generated by a remote user... I'd guess at least 80% of a switch's backplane capacity would need to be forced through the switch.
>
> John
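A toy model of the fail-safe vs. fail-open distinction Aaron draws above, added here as an example and not code from the original thread. The port/VLAN layout, the per-interval forwarding capacity and the traffic burst are all constructed; the model only shows how the two designs diverge once load exceeds what the forwarding logic can rule on.

```python
"""Two switch designs under overload (constructed model, not from the thread).

centralized: every frame lands in every port's buffer and a single CPU must
             rule 'drop' per port; frames it never gets to are transmitted
             unfiltered (fail-open, 'the switch becomes a bridge').
distributed: each port filters for itself; a frame the logic cannot rule on
             in time is simply never transmitted (fail-safe).
"""


def forward_tick(port_vlan, mode, capacity, frames):
    """Model one forwarding interval.

    port_vlan: {port: vlan}; frames: list of (ingress_port, vlan_tag);
    capacity: number of frames the forwarding logic can rule on this interval.
    Returns (egress, leaked, dropped): egress maps port -> transmitted frames,
    leaked counts frames sent to a port in another VLAN, dropped counts
    frames discarded without transmission.
    """
    egress = {p: [] for p in port_vlan}
    leaked = dropped = 0
    for i, (ingress, vlan) in enumerate(frames):
        ruled = i < capacity  # did the logic reach this frame in time?
        if not ruled and mode == "distributed":
            dropped += 1      # fail-safe: no decision means no transmission
            continue
        for port, pvlan in port_vlan.items():
            if port == ingress:
                continue
            if ruled and pvlan != vlan:
                continue      # normal VLAN filtering
            egress[port].append((ingress, vlan))
            if pvlan != vlan:
                leaked += 1   # fail-open: unfiltered frame crosses VLANs
    return egress, leaked, dropped


def run_demo(load=10, capacity=4):
    """Throw the same burst at both designs; return leak/drop figures."""
    port_vlan = {1: 10, 2: 10, 3: 20, 4: 20}   # ports 1-2 VLAN 10, 3-4 VLAN 20
    frames = [(1, 10)] * load                  # constructed burst from port 1
    results = {}
    for mode in ("centralized", "distributed"):
        egress, leaked, dropped = forward_tick(port_vlan, mode, capacity, frames)
        results[mode] = {"leaked": leaked, "dropped": dropped,
                         "vlan20_saw": len(egress[3]) + len(egress[4])}
    return results


if __name__ == "__main__":
    for mode, r in run_demo().items():
        print(f"{mode:12s} leaked={r['leaked']:2d} dropped={r['dropped']:2d} "
              f"frames reaching VLAN 20 ports={r['vlan20_saw']}")
```

With the burst held below capacity both designs leak nothing; the `vlan20_saw` figure is what a monitor on an access port in the other VLAN would observe, and is zero only in the fail-safe design.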