> Portfast modifies STP, it does not disable it.
Well, right, the interface configured with it goes straight from
blocking to forwarding. You got the idea.
>
> This does make a good argument for pvst and similar technologies running at the vlan level for enterprise networking.
I don't see the point. Having one instance of STP per vlan or one for
all, there is no point with the security issue here.
>
> But it is probably best to assume someone with access to a segment can see everything on that segment, pretend to be anyone else on that subnet, and inject anything onto that subnet. In other words, it is nearly impossible to protect reliability and somewhat privacy on a shared link.
Of course. It is like an attacker having physical access to a machine.
But it does not mean we shouldn't activate some security features to
make the job harder (and increase the noise in case of an attack).
>
> On Apr 29, 2010, at 12:19 AM, news <news@phocean.net> wrote:
>
> > On Wednesday 28 April 2010 at 18:20 +0200, Jann Horn wrote:
> >> On Tuesday, 27.04.2010 at 19:55 +0200, Przemyslaw Borkowski wrote:
> >>> Second scenario:
> >>> 1. Station C and station D start to send frames to break the link between switch 1 and switch 2, and announce a non-existing connection from the C port on switch 1 to the D port on switch 2
> >>>
> >>> A ---- switch 1 --X-- switch 2 ----- B
> >>>           |               |
> >>>           |               |
> >>>           C --no conn--   D
> >>> 2. Station A sends frame to B
> >>> 3. Frame is forwarded to C station
> >>> 4. Station C stores frame in memory
> >>> 5. After equal timing station C and station D repair the link between switch 1 and 2
> >>> 6. station C resends the stored packet to station D (i.e. in a tunnel or encapsulated in an IP packet)
> >>> 7. stations C and D break the link between switches 1 and 2
> >>> 8. station D sends the transmitted packet to station B
> >>
> >> If you had a WLAN-link, you could simplify that a lot - as far as I
> >> understand, you are able to make the switches redirect the traffic to
> >> your machines.
> >> Anyway, this attack sounds like something a good switch can easily
> >> prevent by having a list of "STP trusted ports" or something like that.
> >> Doesn't that exist?
> >
> > I think I have heard about this attack before.
> >
> > Yes, a good admin should set all the ports used by machines as portfast
> > (no STP), keeping only STP on the ports attached to network devices.
> > Then the attack would be really too noisy to be successful.
> >
> > It is also highly recommended to lock down the ports at L2 (port
> > security). Well, I hope everyone here is doing it, as it can make such
> > attacks really hard.
> >
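The two defensive recommendations in this thread, portfast on end-station ports and STP only on inter-switch ports, correspond to what switches enforce as BPDU guard (shut an edge port that ever receives a BPDU) and root guard (refuse a superior root claim on a port that should never lead to the root). The script below is an added example, not code from any participant in the thread: it parses raw 802.1D BPDU frames and applies both checks in software over constructed traffic, so a reader can see what a switch, or an IDS sensor fed from a SPAN port, would flag in the scenario Przemyslaw describes. Port names, MAC addresses and the legitimate root Bridge ID are made-up assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

STP_MCAST = bytes.fromhex("0180c2000000")   # 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                    # DSAP/SSAP 0x42, UI control field
BPDU_TCN = 0x80                              # Topology Change Notification type

# Constructed policy (assumption): "edge" ports face end stations and are what
# the thread calls portfast ports; a BPDU there is never legitimate.  The
# "uplink" carries the real spanning tree.
PORT_ROLE = {"Gi1/0/5": "edge", "Gi1/0/6": "edge", "Gi1/0/48": "uplink"}

# Constructed identity of the legitimate root bridge: priority 4096 + MAC.
LEGIT_ROOT = bytes.fromhex("1000" "001122334455")


@dataclass
class Bpdu:
    version: int
    bpdu_type: int
    root_id: Optional[bytes]    # 8-byte Bridge ID of the claimed root (None for TCN)
    bridge_id: Optional[bytes]  # 8-byte Bridge ID of the sender (None for TCN)
    root_cost: Optional[int]


def fmt_id(bid: bytes) -> str:
    """Render an 8-byte Bridge ID as 'priority/mac'."""
    return f"{struct.unpack('!H', bid[:2])[0]}/{bid[2:].hex(':')}"


def parse_bpdu(frame: bytes) -> Optional[Bpdu]:
    """Return the BPDU carried by an Ethernet frame, or None if it is not one."""
    if len(frame) < 21 or frame[:6] != STP_MCAST or frame[14:17] != LLC_STP:
        return None
    body = frame[17:]
    proto, version, btype = struct.unpack("!HBB", body[:4])
    if proto != 0:                       # protocol identifier is always 0
        return None
    if btype == BPDU_TCN:                # a TCN carries no further fields
        return Bpdu(version, btype, None, None, None)
    if len(body) < 35:                   # configuration BPDU is 35 bytes
        return None
    _flags, root_id, cost, bridge_id = struct.unpack("!B8sI8s", body[4:25])
    return Bpdu(version, btype, root_id, bridge_id, cost)


def check_frame(port: str, frame: bytes) -> Optional[str]:
    """Apply BPDU guard (edge ports) and root guard (uplinks) to one frame."""
    bpdu = parse_bpdu(frame)
    if bpdu is None:
        return None                      # ordinary traffic, nothing to do
    src = frame[6:12].hex(":")
    if PORT_ROLE.get(port) == "edge":
        # BPDU guard: something speaking STP is attached to a station port.
        return f"BPDU-GUARD {port}: BPDU from {src}, port err-disabled"
    if bpdu.root_id is not None and bpdu.root_id < LEGIT_ROOT:
        # Root guard: a lower Bridge ID would win the election and reshape the
        # tree, which is how the relayed-frame attack reroutes A->B traffic.
        return (f"ROOT-GUARD {port}: superior root {fmt_id(bpdu.root_id)} "
                f"from {src}, port set to root-inconsistent")
    return None


def scan(frames: List[tuple]) -> List[str]:
    """Run check_frame over (port, frame) pairs and collect the alerts."""
    return [a for a in (check_frame(p, f) for p, f in frames) if a]


def make_config_bpdu(src: bytes, root_id: bytes, bridge_id: bytes, cost: int = 0) -> bytes:
    """Build a constructed 802.1D configuration BPDU inside an Ethernet frame."""
    body = struct.pack("!HBBB8sI8sHHHHH", 0, 0, 0, 0, root_id, cost, bridge_id,
                       0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    return STP_MCAST + src + struct.pack("!H", len(LLC_STP) + len(body)) + LLC_STP + body


def make_tcn(src: bytes) -> bytes:
    """Build a constructed Topology Change Notification frame."""
    body = struct.pack("!HBB", 0, 0, BPDU_TCN)
    return STP_MCAST + src + struct.pack("!H", len(LLC_STP) + len(body)) + LLC_STP + body


def sample_frames() -> List[tuple]:
    """Constructed traffic: a legitimate hello, rogue BPDUs from C and D, a TCN, plain data."""
    uplink_sw = bytes.fromhex("00aabbccdd01")
    station_c = bytes.fromhex("00deadbeef0c")
    station_d = bytes.fromhex("00deadbeef0d")
    rogue_root = bytes.fromhex("0000" "00deadbeef0c")   # priority 0 beats any real root
    neighbour = bytes.fromhex("2000" "00aabbccdd01")    # priority 8192, a non-root switch
    return [
        ("Gi1/0/48", make_config_bpdu(uplink_sw, LEGIT_ROOT, neighbour, 4)),
        ("Gi1/0/5", make_config_bpdu(station_c, rogue_root, rogue_root)),
        ("Gi1/0/48", make_config_bpdu(station_d, rogue_root, rogue_root)),
        ("Gi1/0/6", make_tcn(station_d)),
        ("Gi1/0/5", bytes.fromhex("00aabbccdd02") + station_c + b"\x08\x00" + b"\x45" + b"\x00" * 19),
    ]


if __name__ == "__main__":
    for alert in scan(sample_frames()):
        print(alert)
```

Running it produces three alerts: the rogue configuration BPDU and the TCN arriving on edge ports trip BPDU guard, and the priority-0 root claim seen on the uplink trips root guard, while the legitimate hello and the plain data frame pass. Tuple-free byte comparison of the 8-byte Bridge IDs is deliberate: the priority field is big-endian and comes first, so `bytes.__lt__` reproduces the election order the standard defines.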