Date: Wed, 28 Jul 1999 15:43:17 -0400 (EDT)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: "Jordan K. Hubbard" <jkh@zippy.cdrom.com>
Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, net@FreeBSD.ORG
Subject: Re: cvs commit: src/release/sysinstall tcpip.c
Message-ID: <199907281943.PAA10505@khavrinen.lcs.mit.edu>
In-Reply-To: <6624.933189650@zippy.cdrom.com>
References: <199907281544.LAA09659@khavrinen.lcs.mit.edu> <6624.933189650@zippy.cdrom.com>
<<On Wed, 28 Jul 1999 12:20:50 -0700, "Jordan K. Hubbard" <jkh@zippy.cdrom.com> said:

> Gah. Is there any functionality reason why a switch would *need* to
> behave like that? I'm not going to argue the point that this
> constitutes a current vulnerability for switches, but I am wondering
> why it could be considered anything short of brain-damaged for a
> switch's learning algorithm to behave that way.

Well, there are only two possibilities, each implemented by some set of vendors:

1) Learn the ``new'' location of each station immediately.

2) Learn the ``new'' location of each station when its old entry times out of a cache somewhere.

The first is generally preferred by network managers such as myself because otherwise our users would be constantly bothering us to flush caches whenever they moved from one location to another -- and this would wreak havoc with wireless roaming.

The second is implemented by vendors who didn't have the hardware skills to implement a wire-speed MAC forwarding table.

The way this works out under attack conditions is that switches which implement (1) will send packets to whichever port they last heard that address on, and switches which implement (2) have some level of damping such that the old port has to be quiet (or disconnected) for some time before a new location can be learned. (Actually, the new location is learned immediately, but isn't used until the old location times out from the lower-layer cache.)

The end result, in any event, is that an attacker can cause packets intended for one station to be diverted to another for some period of time that depends on the strategy implemented by the switch and the frequency of transmissions by the station under attack.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick
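The two learning strategies Wollman contrasts, modelled as an added example (this is not code from the thread or from FreeBSD). It is a toy forwarding table: "immediate" is strategy (1), where a frame from a new port replaces the entry at once; "damped" is strategy (2), where the new port is remembered but not used until the old port has been quiet for an ageing interval. The ageing interval, the timeline of frames and the MAC address are all constructed assumptions. The simulation returns which port the switch would choose for traffic to the station at each tick, so the diversion window under each strategy can be compared, and `flapping_macs` shows the defender's side: the repeated port moves that a switch's MAC-move log exposes.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

AGE_TIMEOUT = 5  # constructed ageing interval, in abstract time units


@dataclass
class Entry:
    port: int                                   # port frames for this MAC are sent to
    last_seen: int                              # last frame from `port` carrying the MAC
    pending: Optional[tuple[int, int]] = None   # strategy (2) candidate: (port, time seen)


@dataclass
class Switch:
    strategy: str                                     # "immediate" (1) or "damped" (2)
    table: dict[str, Entry] = field(default_factory=dict)
    moves: list[tuple[int, str, int, int]] = field(default_factory=list)  # (time, mac, old, new)

    def _age(self, now: int, mac: str) -> None:
        """Ageing: once the current port has been quiet for AGE_TIMEOUT, promote a
        pending candidate if there is one, otherwise drop the entry (traffic floods)."""
        e = self.table.get(mac)
        if e is None or now - e.last_seen < AGE_TIMEOUT:
            return
        if e.pending is None:
            del self.table[mac]
        else:
            new_port, seen = e.pending
            self.moves.append((now, mac, e.port, new_port))
            self.table[mac] = Entry(new_port, seen)

    def learn(self, now: int, src_mac: str, in_port: int) -> None:
        """Source learning on frame arrival."""
        self._age(now, src_mac)
        e = self.table.get(src_mac)
        if e is None:
            self.table[src_mac] = Entry(in_port, now)
        elif in_port == e.port:
            e.last_seen = now
            e.pending = None                 # old location is still alive; drop candidate
        elif self.strategy == "immediate":
            self.moves.append((now, src_mac, e.port, in_port))
            self.table[src_mac] = Entry(in_port, now)   # strategy (1): switch at once
        else:
            e.pending = (in_port, now)       # strategy (2): learned, but not used yet

    def lookup(self, now: int, dst_mac: str) -> Optional[int]:
        """Port a frame for dst_mac is forwarded to; None means flood to all ports."""
        self._age(now, dst_mac)
        e = self.table.get(dst_mac)
        return None if e is None else e.port


def run(strategy: str) -> tuple[list[Optional[int]], Switch]:
    """Constructed timeline: the station on port 1 transmits at t=0 and t=10;
    frames carrying its source MAC arrive from port 2 at t=1, 4 and 7.
    Returns the port chosen for traffic to the station at each t in 0..12."""
    sw = Switch(strategy)
    station = "00:00:5e:00:53:01"            # constructed MAC (documentation range)
    frames = {0: 1, 1: 2, 4: 2, 7: 2, 10: 1}  # time -> ingress port of the frame
    path = []
    for t in range(13):
        if t in frames:
            sw.learn(t, station, frames[t])
        path.append(sw.lookup(t, station))
    return path, sw


def flapping_macs(sw: Switch, window: int, min_moves: int) -> set[str]:
    """Defender's view: MACs whose recorded port moves within any `window`
    time units reach `min_moves`, the pattern a MAC-move log makes visible."""
    by_mac: dict[str, list[int]] = {}
    for t, mac, _old, _new in sw.moves:
        by_mac.setdefault(mac, []).append(t)
    flagged = set()
    for mac, times in by_mac.items():
        times.sort()
        for start in times:
            if sum(1 for t in times if start <= t <= start + window) >= min_moves:
                flagged.add(mac)
                break
    return flagged


if __name__ == "__main__":
    for strategy in ("immediate", "damped"):
        path, sw = run(strategy)
        print(strategy, path, "moves:", [(t, old, new) for t, _m, old, new in sw.moves])
        print("  flapping:", flapping_macs(sw, window=10, min_moves=2))
```

With strategy (1) the station's traffic goes to port 2 from the first spoofed frame until the station next transmits at t=10, which is the dependence on the victim's transmission frequency the message describes. With strategy (2) the table keeps port 1 until it has been quiet for the ageing interval, so the diversion starts later (t=5) but, for the same reason, the recovery after the station transmits again is also delayed (t=12). In both cases the forwarding table records two moves for one address within a short window, which is what a monitor looking for MAC flapping should alert on.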