> Portfast modifies STP, it does not disable it.

Well, right, the interface configured with it goes straight from blocking to
forwarding. You got the idea.

> This does make a good argument for pvst and similar technologies running at
> the vlan level for enterprise networking.

I don't see the point. Having one instance of STP per vlan or one for all,
there is no point with the security issue here.

> But it is probably best to assume someone with access to a segment can see
> everything on that segment, pretend to be anyone else on that subnet, and
> inject anything onto that subnet. In other words, it is nearly impossible to
> protect reliability and somewhat privacy on a shared link.

Of course. It is like an attacker having physical access to a machine. But it
does not mean we shouldn't activate some security features to make the job
harder (and increase the noise in case of an attack).

> On Apr 29, 2010, at 12:19 AM, news <news@xxxxxxxxxxx> wrote:
>
> > On Wednesday, 28 April 2010 at 18:20 +0200, Jann Horn wrote:
> > > On Tuesday, 27.04.2010, 19:55 +0200, Przemyslaw Borkowski wrote:
> > > > Second scenario:
> > > > 1. Station C and station D start to send frames to break the link between
> > > > switch 1 and switch 2, and announce a non-existing connection and switch
> > > > from C port on switch 1 to D port on switch 2
> > > >
> > > > A ---- switch 1 --X-- switch 2 ----- B
> > > >           |               |
> > > >           |               |
> > > >           C ---no conn--- D
> > > >
> > > > 2. Station A sends frame to B
> > > > 3. Frame is forwarded to C station
> > > > 4. Station C stores frame in memory
> > > > 5. After equal timing station C and station D repair the link between
> > > > switch 1 and 2
> > > > 6. Station C resends stored packet to station D (i.e. in tunnel or
> > > > encapsulated in IP packet)
> > > > 7. Stations C and D break the link between switches 1 and 2
> > > > 8. Station D sends transmitted packet to station B
> > >
> > > If you had a WLAN-link, you could simplify that a lot - as far as I
> > > understand, you are able to make the switches redirect the traffic to
> > > your machines.
> > > Anyway, this attack sounds like something a good switch can easily
> > > prevent by having a list of "STP trusted ports" or something like that.
> > > Doesn't that exist?
> >
> > I think I have heard about this attack before.
> >
> > Yes, a good admin should set all the ports used by machines as portfast
> > (no STP), keeping only the STP on the ports attached to network devices.
> > Then the attack would be really too noisy to be successful.
> >
> > It is also highly recommended to lock down the ports at L2 (port
> > security). Well, I hope everyone here is doing it, as it can make such
> > attacks really hard.
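As an added example (not part of this thread or any poster's code), a small Python audit that reads a constructed Cisco-IOS-style running config and flags host-facing access ports missing the hardening discussed above: portfast and port security as recommended in the thread, plus BPDU guard, which is the per-port control that actually drops STP frames arriving from a host (the "STP trusted ports" idea). The IOS command syntax and the sample config are assumptions for illustration, not taken from the thread.

```python
import re
# Constructed Cisco-IOS-style running-config excerpt (sample input, not a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
!
"""

# Hardening expected on every access port: the thread's portfast and port security,
# plus BPDU guard, which err-disables the port if a BPDU ever arrives from a host.
REQUIRED = {
    "portfast": "spanning-tree portfast",
    "bpduguard": "spanning-tree bpduguard enable",
    "port-security": "switchport port-security",
}

def parse_interfaces(config):
    """Return {interface name: [its indented config lines]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the stanza
    return stanzas

def audit_access_ports(config):
    """Return {access port: [missing hardening]}; trunk/uplink ports are skipped."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # uplinks between switches legitimately exchange BPDUs
        missing = [k for k, cmd in REQUIRED.items() if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings
```

Running `audit_access_ports(SAMPLE_CONFIG)` on the sample reports only GigabitEthernet0/2, which has portfast but neither BPDU guard nor port security.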