Vulnerability Development mailing list archives

Re: Vlans


From: "Aaron D. Turner" <aturner () ONESECURE COM>
Date: Fri, 19 Jan 2001 09:50:56 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


John,

This is not necessarily true for all switches.  It depends on the
algorithm used to determine which port receives/sends packets.  There are
a few options (not all are addressed here, but it should give you
something to go on):

1) A frame that comes in on any port gets copied to the buffer of all
ports.  Then a central authority (main CPU) tells which port should drop
which frame.  Advantages: fast and cheap (centralized intelligence)
Disadvantage: if CPU becomes overloaded the switch becomes a bridge

2) A frame that comes in on any port gets copied to the buffer of only
those ports that need it.  Advantage: fast and more secure (each port has
its own CPU and you can design the CPU to be fast enough to handle the
full line speed)  Disadvantage: more expensive (distributed intelligence)

The basic difference is fail-safe vs. fail-open.  When 'bad things happen'
like the switch gets hammered with more packets than it can deal with, how
does it respond?  There's no industry standard to specify how switches or
other devices should deal with these kinds of situations.

- --
Aaron D. Turner  Security Architect, OneSecure  http://www.onesecure.com/
aturner () onesecure com  work: 408-992-8045  cell: 408-314-9874
pub  1024D/1B57EB4D 2000-09-27 Aaron D. Turner <aturner () onesecure com>
     Key fingerprint = F90C BFB4 4404 5504 295D  4435 578B 1DD5 1B57 EB4D
All emails by me are PGP signed; an invalid signature indicates a forgery.

On Thu, 18 Jan 2001, John Kinsella wrote:

Tim - In theory it's possible to "flatten" VLANs on a switch by slamming
the switch's CPU with enough traffic that it stops tagging packets for
the appropriate VLANs.  From what I understand, at this point instead of
the switch dropping the packet, it sends the packet out destined for all
VLANs.  There was some discussion on this topic on bugtraq last year.

I've been meaning to test out the theory myself in the lab over the last
few weeks but haven't had a chance yet...I will say that unless money is
a serious constraint that a client has, I always try to keep internal
and external network traffic on physically separate switches.  Some
peace of mind may come, though, from considering that the amount of
traffic needed to jump a switch's VLANs *should* be more than easily
generated by a remote user...I'd guess at least 80% of a switch's
backplane capacity would need to be forced through the switch.

John
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Public key 0x1B57EB4D at: http://www.keyserver.net/en/
Filter: gpg4pine 4.1 (http://azzie.robotics.net)

iEYEARECAAYFAjpofoEACgkQV4sd1RtX603UogCgj+WBCOKAFldc1ZFT2ed2a553
38EAnjkoKRlssUxe1UC/jxQpD8Ts+WEU
=geVo
-----END PGP SIGNATURE-----


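A toy model of the two switch designs Aaron describes at the top of this message, added here as an illustration and not part of the thread: the same constructed frame stream goes through a centralized forwarder that floods once its CPU falls behind and a per-port forwarder that drops instead, and a check counts frames delivered to ports outside their VLAN. Port membership, CPU budgets and the frame stream are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed port-to-VLAN membership: ports 1-2 are in VLAN 10, ports 3-4 in VLAN 20.
PORT_VLAN = {1: 10, 2: 10, 3: 20, 4: 20}

@dataclass(frozen=True)
class Frame:
    vlan: int          # 802.1Q tag carried by the frame
    ingress_port: int  # port the frame arrived on

def forward_centralized(frames, cpu_budget):
    """Design 1: every frame is copied to every port buffer and a central CPU
    tells non-member ports to drop their copy. After `cpu_budget` frames the CPU
    falls behind, nobody drops anything, and the switch degrades to a bridge."""
    delivered = []
    for i, f in enumerate(frames):
        for port, vlan in PORT_VLAN.items():
            if port == f.ingress_port:
                continue
            if i < cpu_budget and vlan != f.vlan:
                continue  # CPU keeping up: non-member port drops its copy
            delivered.append((port, f))
    return delivered

def forward_distributed(frames, per_port_budget):
    """Design 2: a frame is copied only to member ports, each with its own CPU;
    a port that has accepted `per_port_budget` frames drops the rest (fail-safe)."""
    delivered, load = [], Counter()
    for f in frames:
        for port, vlan in PORT_VLAN.items():
            if port == f.ingress_port or vlan != f.vlan:
                continue
            if load[port] < per_port_budget:
                load[port] += 1
                delivered.append((port, f))
    return delivered

def count_leaks(delivered):
    """Frames handed to a port that is not a member of the frame's VLAN."""
    return sum(1 for port, f in delivered if PORT_VLAN[port] != f.vlan)

# Constructed stream: 100 frames from port 1 (VLAN 10), then 10 from port 3 (VLAN 20).
SAMPLE_STREAM = [Frame(10, 1)] * 100 + [Frame(20, 3)] * 10

def run(forwarder, budget):
    """Return (frames delivered, cross-VLAN leaks) for one design and one budget."""
    out = forwarder(SAMPLE_STREAM, budget)
    return len(out), count_leaks(out)
```

With the CPU keeping up both designs deliver 110 frames with no leaks; once the centralized CPU's budget is exceeded, frames are flooded across VLAN boundaries, while the per-port design only ever drops.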