Topic: Double tagging attack
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
posted December 07, 2011 07:23 AM
Hi all
With double tagging, in which mode should the port that is connected to the attacker be configured? Should it be trunk mode or access mode?
Attacker ----------- sw1 ------------------ sw2 ----------- Victim
With regards, Kings
Posts: 887 | From: India | Registered: Jun 2010
theevilmuffin
I need a life
Member # 23191
posted December 07, 2011 02:18 PM
It needs to be a trunk containing the vlan that is the native for the vlan between sw1 and sw2.
Posts: 1065 | From: UK | Registered: Sep 2007
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
posted December 07, 2011 08:39 PM
So the native vlan used in the trunk port connected to the attacker should be the same as the native vlan used in the port connected to the other switch. This has been my understanding till today. Am I right?
But why should native vlans match?
With “vlan dot1q tag native” configured, the first switch will not strip the outer tag and hence the 2nd switch will only see the outer tag, and thus the packet will never reach the victim. Please let me know your thoughts on this.
Based on my investigations, the following are the various methods to prevent this attack:
1) The native vlan of all trunk ports should not be used on any access ports.
2) Don’t use default vlan 1 as the native vlan. Use a dedicated vlan for native vlans.
3) Configure allowed vlans range on trunk ports.
4) Configure “vlan dot1q tag native” globally that tags native vlan traffic.
With regards, Kings
Posts: 887 | From: India | Registered: Jun 2010
theevilmuffin
I need a life
Member # 23191
posted December 08, 2011 04:08 AM
So the native vlan used in the trunk port connected to the attacker should be same as the native vlan used in the port connected to the other switch. This has been my understanding till today. Am I right?
>> In some examples I have seen, it gives an attacker with an access port that is the same as the native vlan on the trunk (between SW1 and SW2); however, I believe that if the attacker can enable his port to be a trunk he could also perform this attack using a trunk. I always thought that if the switch received DOT1Q traffic on an access port it would either drop or ignore it (can't remember off the top of my head), but these are the examples given by Cisco. I am sure when I tested this I used the attacker port as a trunk; this makes more logical sense to me, as I can't see why a switch would strip the DOT1Q tag from an access port...
But why should native vlans match?
>> Because when SW1 forwards the packet onto the native vlan it strips the outer tag off; if it tagged the native vlan it wouldn't strip the DOT1Q tag off.
Your examples to mitigate this are all correct, just a word of warning - I'm sure I've encountered issues with tagging the native vlan on a 65k; from memory it will only tag VLAN 1 (might be getting this wrong, it was a few years ago). Also, if you are running any trunks to ESX hosts, these normally require the native un-tagged, so be warned!!!
I'm sure you're well aware that this is uni-directional.
cheers
Posts: 1065 | From: UK | Registered: Sep 2007
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
posted December 08, 2011 04:23 AM
Exactly, I am seeing docs using access ports also. But I think both trunk and access ports should work. When using an access port, the vlan membership should be the same as the native vlan when a trunk is used.
The switch will strip off the dot1q tag only when it is trying to forward and only when the outgoing trunk interface's native matches the outer dot1q's vlan ID.
So my question is, will the tag be removed when it receives the frame or when it forwards the frame?
If the stripping happens when forwarding, then why are most of the docs claiming that the receiving trunk interface should have a native vlan matching the vlan ID in the outer tag?
Based on my understanding, the vlan ID of the outer tag is required to match only the native vlan of the outgoing interface, and thus the switch strips and sends the frame.
This is where “vlan dot1q tag native” plays the role. When configured, the switch doesn't strip the outer tag and sends the frame double tagged as it came from the attacker, and thus it never reaches the victim.
Please let me know your thoughts.
With regards, Kings
Posts: 887 | From: India | Registered: Jun 2010
murali_uda
Jr Member
Member # 32401
posted May 24, 2012 06:21 AM
hi
Till now I don't understand why the switch will accept a tagged frame from an access port...
And after receiving the frame it strips off the outer tag as it is the same as the native vlan of the trunk... Why does the switch strip off the outer tag?
I know it's because the native vlan doesn't require a tag, but why does the switch remove it explicitly?
Waiting for your reply.
Thanks!!
Posts: 12 | From: bangalore | Registered: May 2012
theevilmuffin
I need a life
Member # 23191
posted May 24, 2012 07:17 AM
The attacker port needs to be a trunk, not access.
Posts: 1065 | From: UK | Registered: Sep 2007
murali_uda
Jr Member
Member # 32401
posted May 26, 2012 04:04 AM
Thank you for the reply, but I still don't understand why the switch strips off the outer tag.
Yes, it is the native vlan, but I need to know how the switch actually processes the vlan tags.
Are there any resources available? I searched but no luck.
Thanks !
Posts: 12 | From: bangalore | Registered: May 2012
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
posted May 26, 2012 07:53 AM
Native vlan traffic is always untagged unless you configure “vlan dot1q tag native”. Thus the switch removes the outer tag as it matches the native vlan.
With regards, Kings
Posts: 887 | From: India | Registered: Jun 2010
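Added example (not from anyone in this thread): a small Python model of how a switch processes 802.1Q tags, which is what the last two posts boil down to. A switch classifies a frame by its outer tag only, treats anything after that tag as payload, and on trunk egress either re-tags the frame or, for the native vlan, sends it untagged unless "vlan dot1q tag native" is set. The attacker port is assumed to be a trunk as theevilmuffin says, both trunks are assumed to share the same native vlan, and the frame bytes and vlan numbers are constructed; deliver() returns the vlan sw2 ends up assigning the frame to, so the four mitigations listed earlier can each be checked.

```python
import struct

TPID = 0x8100      # 802.1Q tag protocol identifier
MAC_HDR = 12       # destination + source MAC

def pop_tag(frame):
    """Return (vid, frame_without_outer_tag); vid is None when untagged.
    A tag is TPID 0x8100 plus a 2-byte TCI whose low 12 bits are the VID."""
    tpid, tci = struct.unpack("!HH", frame[MAC_HDR:MAC_HDR + 4])
    if tpid != TPID:
        return None, frame
    return tci & 0x0FFF, frame[:MAC_HDR] + frame[MAC_HDR + 4:]

def push_tag(frame, vid):
    return frame[:MAC_HDR] + struct.pack("!HH", TPID, vid) + frame[MAC_HDR:]

def build_frame(vids):
    """Constructed sample frame: dummy MACs, IPv4 ethertype, tag stack outer-first."""
    f = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800) + b"\x00" * 4
    for vid in reversed(vids):
        f = push_tag(f, vid)
    return f

def trunk_ingress(frame, native):
    """A switch classifies by the OUTER tag only; untagged means the native vlan.
    Whatever follows (an inner tag included) is just payload to this switch."""
    vid, rest = pop_tag(frame)
    return (native if vid is None else vid), rest

def trunk_egress(vlan, frame, native, tag_native=False, allowed=None):
    """Frame as put on the trunk, or None if the vlan is not in the allowed list.
    The native vlan leaves untagged unless 'vlan dot1q tag native' is configured."""
    if allowed is not None and vlan not in allowed:
        return None
    if vlan == native and not tag_native:
        return frame                  # no tag added: the inner tag is now the outer tag
    return push_tag(frame, vlan)

def deliver(attacker_vids, native, tag_native=False, allowed=None):
    """Attacker -- sw1 == trunk == sw2. Returns the vlan sw2 assigns the frame to
    (None if sw1 dropped it). Both trunks use the same native vlan (assumption)."""
    vlan, f = trunk_ingress(build_frame(attacker_vids), native)   # sw1: attacker's trunk port
    wire = trunk_egress(vlan, f, native, tag_native, allowed)      # sw1 -> sw2 trunk
    if wire is None:
        return None
    vlan2, _ = trunk_ingress(wire, native)                          # sw2 classifies the frame
    return vlan2
```

With the outer tag equal to the native vlan, deliver([1, 20], native=1) returns 20, i.e. the frame lands in the victim's vlan; with tag_native=True or native=999 it returns 1, and with allowed={10, 20} it returns None.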
murali_uda
Jr Member
Member # 32401
posted May 26, 2012 11:16 AM
Got it, thank you so much...
Posts: 12 | From: bangalore | Registered: May 2012