Security Internetworking Experts
CCIE Security Lab Forum

Topic: Double tagging attack
Kingsley Charles (CCSP, CCNP, CCIP) posted December 07, 2011 07:23 AM:
Hi all

With double tagging, in which mode should the port that is connected to the attacker be configured? Should it be trunk mode or access mode?

Attacker ----------- sw1 ------------------ sw2 ----------- Victim

With regards
Kings

theevilmuffin posted December 07, 2011 02:18 PM:
It needs to be a trunk carrying the VLAN that is the native VLAN of the trunk between sw1 and sw2.
Kingsley Charles (CCSP, CCNP, CCIP) posted December 07, 2011 08:39 PM:
So the native VLAN used on the trunk port connected to the attacker should be the same as the native VLAN used on the port connected to the other switch. This has been my understanding till today. Am I right?

But why should the native VLANs match?

With "vlan dot1q tag native" configured, the first switch will not strip the outer tag, and hence the 2nd switch will only see the outer tag and thus the packet will never reach the victim. Please let me know your thoughts on this.

Based on my investigations, the following are the various methods to prevent this attack:

1) The native VLAN of all trunk ports should not be used on any access ports.

2) Don't use the default VLAN 1 as the native VLAN. Use a dedicated VLAN for native VLANs.

3) Configure an allowed VLAN range on trunk ports.

4) Configure "vlan dot1q tag native" globally, which tags native VLAN traffic.

With regards
Kings

theevilmuffin posted December 08, 2011 04:08 AM:
So the native VLAN used on the trunk port connected to the attacker should be the same as the native VLAN used on the port connected to the other switch. This has been my understanding till today. Am I right?

>> In some examples I have seen, it gives an attacker with an access port that is in the same VLAN as the native VLAN on the trunk (between SW1 and SW2); however, I believe that if the attacker can enable his port to be a trunk he could also perform this attack using a trunk. I always thought that if the switch received dot1q traffic on an access port it would either drop or ignore it (can't remember off the top of my head), but this is the example given by Cisco. I am sure when I tested this I used the attacker port as a trunk; this makes more logical sense to me, as I can't see why a switch would strip the dot1q tag from an access port...

But why should the native VLANs match?

>> Because SW1 strips the outer tag off the packet when it goes onto the native VLAN; if it tagged the native VLAN it wouldn't strip the dot1q tag off.

Your examples to mitigate this are all correct, just a word of warning: I'm sure I've encountered issues with tagging the native VLAN on a 65k; from memory it will only tag VLAN 1 (I might be getting this wrong, it was a few years ago). Also, if you are running any trunks to ESX hosts, these normally require the native VLAN untagged, so be warned!!!

I'm sure you're well aware that this is uni-directional.

cheers

Kingsley Charles (CCSP, CCNP, CCIP) posted December 08, 2011 04:23 AM:
Exactly, I am seeing docs using access ports also. But I think both of them, trunk or access port, should work. When using an access port, the VLAN membership should be the same as the native VLAN used when a trunk is used.

The switch will strip off the dot1q tag only when it is trying to forward, and only when the outgoing trunk interface's native VLAN matches the outer dot1q tag's VLAN ID.

So my question is, will the tag be removed when it receives the frame or when it forwards the frame?

If the stripping happens when forwarding, then why are most of the docs claiming that the receiving trunk interface should have a native VLAN matching the VLAN ID in the outer tag?

Based on my understanding, the VLAN ID of the outer tag is required to match only the native VLAN of the outgoing interface, and thus the switch strips it and sends the frame.

This is where "vlan dot1q tag native" plays its role. When configured, the switch doesn't strip the outer tag and sends the frame double tagged as it came from the attacker, and thus it never reaches the victim.

Please let me know your thoughts.

With regards
Kings

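The mitigation list in the December 07 post and the question just above about whether the outer tag is removed on receipt or on forwarding are both exercised by the following added example. It is not code from the thread or from any participant; it is a small Python model of 802.1Q tag handling written for this page. ATTACKER_MAC, VICTIM_MAC, VICTIM_VLAN, the Port class and run_attack() are assumptions made for the example, the frames are constructed, and the port semantics are a simplification of the Cisco IOS behaviour the thread describes (an access port accepting a frame tagged with its own VLAN, a trunk sending its native VLAN untagged unless "vlan dot1q tag native" is set).

```python
"""Double tagging (802.1Q-in-802.1Q) VLAN hopping, simulated at the frame level.

Added example for this thread, not code from the original posts. Only the tag handling
that decides the attack is modelled: ingress classification consumes the outer tag, and
trunk egress re-tags the frame except for the native VLAN (unless 'vlan dot1q tag native'
is set). A simplification of the Cisco IOS behaviour discussed; MACs, VLAN numbers and
payload are constructed.
"""
import struct

TPID_8021Q, ETHERTYPE_IP = 0x8100, 0x0800
ATTACKER_MAC = bytes.fromhex("0200000000aa")   # constructed
VICTIM_MAC = bytes.fromhex("0200000000bb")     # constructed
VICTIM_VLAN = 20                               # constructed: the victim's access VLAN


def build_frame(dst, src, vids, payload=b""):
    """Ethernet frame with stacked 802.1Q tags, outermost VID first."""
    frame = dst + src
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # TCI: PCP=0, DEI=0
    return frame + struct.pack("!H", ETHERTYPE_IP) + payload


def tags(frame):
    """VIDs in the frame's tag stack, outermost first."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame):          # drop the outermost tag (4 bytes after the two MACs)
    return frame[:12] + frame[16:]


def push_tag(frame, vid):    # add a new outermost tag
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


class Port:
    def __init__(self, mode, vlan=1, native=1, allowed=None, tag_native=False):
        self.mode = mode                # "access" or "trunk"
        self.vlan = vlan                # access VLAN
        self.native = native            # trunk native VLAN
        self.allowed = allowed          # VIDs a trunk carries; None = all
        self.tag_native = tag_native    # 'vlan dot1q tag native' in effect

    def ingress(self, frame):
        """Classify an arriving frame: (vlan, frame minus its outer tag), or None if dropped."""
        vids = tags(frame)
        if self.mode == "access":
            if not vids:
                return self.vlan, frame
            # Catalyst access ports accept a frame tagged with their own access VLAN and drop
            # other tagged frames, hence the Cisco examples with the attacker on an access port.
            return (self.vlan, pop_tag(frame)) if vids[0] == self.vlan else None
        if not vids:
            return self.native, frame   # untagged on a trunk belongs to the native VLAN
        if self.allowed is not None and vids[0] not in self.allowed:
            return None
        return vids[0], pop_tag(frame)

    def egress(self, vlan, frame):
        """Frame as it leaves this port for `vlan`, or None if the port does not carry it."""
        if self.mode == "access":
            return frame if vlan == self.vlan else None
        if self.allowed is not None and vlan not in self.allowed:
            return None
        if vlan == self.native and not self.tag_native:
            return frame                # native leaves untagged: the inner tag is now outermost
        return push_tag(frame, vlan)


def run_attack(native, attacker_vlan, outer_vid, attacker_mode="access",
               tag_native=False, allowed=None):
    """Attacker -- sw1 -- sw2 -- victim (VLAN 20). Returns (VIDs on the sw1-sw2 wire,
    VLAN in which sw2 delivers the frame to the victim port); None where it was dropped."""
    attacker_port = Port(attacker_mode, vlan=attacker_vlan, native=attacker_vlan, allowed=allowed)
    sw1_trunk = Port("trunk", native=native, allowed=allowed, tag_native=tag_native)
    sw2_trunk = Port("trunk", native=native, allowed=allowed, tag_native=tag_native)
    victim_port = Port("access", vlan=VICTIM_VLAN)

    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [outer_vid, VICTIM_VLAN], b"hop")
    hop = attacker_port.ingress(frame)
    if hop is None:
        return None, None
    on_wire = sw1_trunk.egress(*hop)
    if on_wire is None:
        return None, None
    hop = sw2_trunk.ingress(on_wire)    # sw2 classifies on whatever tag is outermost now
    if hop is None:
        return tags(on_wire), None
    vlan, frame = hop
    return tags(on_wire), (vlan if victim_port.egress(vlan, frame) is not None else None)


if __name__ == "__main__":
    print("native 1, attacker access port in VLAN 1:", run_attack(1, 1, 1))
    print("same, attacker port is a trunk:          ", run_attack(1, 1, 1, "trunk"))
    print("vlan dot1q tag native:                   ", run_attack(1, 1, 1, tag_native=True))
    print("dedicated native VLAN 999:               ", run_attack(999, 1, 1))
    print("native pruned from the allowed list:     ", run_attack(1, 1, 1, allowed={10, 20}))
```

Run it and compare the cases: with native VLAN 1 on the sw1-sw2 trunk, the outer tag is consumed at sw1 (on the attacker's access port or trunk) and not re-added on egress because the VLAN is native, so the attacker's inner tag 20 is what sw2 classifies on and the frame lands in the victim's VLAN. Each mitigation from the thread either keeps a tag in front of the inner one on the wire (tag native, a dedicated native VLAN the attacker's access port is not in) or drops the frame outright (native VLAN pruned from the allowed list, or an attacker guessing the unused native VLAN from an access port). The model has no return path because nothing double tags the victim's replies, which is the uni-directional property the thread mentions.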
murali_uda posted May 24, 2012 06:21 AM:
Hi

Till now I don't understand why the switch will accept a tagged frame from an access port...

And after receiving the frame it strips off the outer tag as it is the same as the native VLAN of the trunk.
Why does the switch strip off the outer tag?

I know it's because the native VLAN doesn't require a tag, but why does the switch remove it explicitly?

Waiting for your reply

Thanks!!

theevilmuffin posted May 24, 2012 07:17 AM:
The attacker port needs to be a trunk, not access.
murali_uda posted May 26, 2012 04:04 AM:
Thank you for the reply, but I still don't understand why the switch strips off the outer tag.

Yes, it is the native VLAN, but I need to know how the switch actually processes the VLAN tags.

Are there any resources available? I searched but no luck.

Thanks!

Kingsley Charles (CCSP, CCNP, CCIP) posted May 26, 2012 07:53 AM:
Native VLAN traffic is always untagged unless you configure "vlan dot1q tag native". Thus the switch removes the outer tag as it matches the native VLAN.

With regards
Kings

murali_uda posted May 26, 2012 11:16 AM:
Got it, thank you so much...
All times are Eastern Time