Bugtraq mailing list archives

Re: Infosec.19990305.macof.a


From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Sat, 8 May 1999 03:17:47 +0100


> IEEE 802.1d isn't much use in deciding which option
> is best.

IEEE 802.1d is of questionable value anyway. Grep the
standard for the word security. Spanning tree used maliciously
is spectacularly effective when you decide to elect yourself
the root of the tree.

> Fixes are to activate "port security", which deactivates
> a port if its MAC address changes.  This limits the
> DoS to one machine, which may still be worthwhile
> if the machine runs an attractive service.  It is
> costly to administer in a large network.

Your security is still totally illusionary. Treat a switch
as a network accelerator, that's all. Any security consultant who talks
about switches as a security feature you should offer to
sell a bridge too (London Bridge, that is).

The only time the switch helps is if it has IP level filters.

> Networks with trees of switches will see multiple traps
> as MAC addresses change, so this option is usually
> only enabled on switches at the edge.

Be careful the bridge handles this right. You can trash some
with trap bombs too - it's often loading the on board CPU down
to handle an SNMP trap and that in many bridges clobbers some
of the hardware assisted performance badly.

> access areas (computing labs, etc) on their own IP subnets.
> These areas usually require significant IP filtering
> in any case.  The effect is to limit link-level DoS attacks
> initiated from a public keyboard to a single physical area.

Sort of.

Given nodes A and B talking IP away from the public lab. Ping A, ping
B. Note their mac addresses. Send A a regular stream of ARPs claiming B
has moved to your address. Send B a stream of frames claiming A has
moved to your address. Sit in the middle rewriting destination headers.
Enjoy.

You are using strong crypto on your network aren't you 8)

Alan
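The ARP rebinding Alan describes, seen from the monitoring side. This is an added example, not code from the post or the thread: a passive arpwatch-style monitor that learns the first MAC seen for each IP and flags replies that move it, then singles out a MAC that has "claimed" two hosts at once, which is what the A and B pairing looks like on the wire. The reply sequence and addresses are constructed.

```python
"""Passive ARP monitor (arpwatch-style): learn the first MAC seen for each
sender IP and flag replies that move a known IP to a different MAC, which is
what a forged "B has moved to my address" stream looks like on the wire."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # IP the reply claims to speak for
    sender_mac: str  # MAC it claims that IP now lives at

@dataclass
class ArpMonitor:
    bindings: dict = field(default_factory=dict)  # ip -> first MAC seen
    rebinds: dict = field(default_factory=dict)   # ip -> {other MACs seen}

    def observe(self, reply):
        """Return an alert string when the reply rebinds a known IP, else None."""
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = reply.sender_mac  # learn binding
            return None
        if known == reply.sender_mac:
            return None  # consistent with what we learned
        self.rebinds.setdefault(reply.sender_ip, set()).add(reply.sender_mac)
        return f"ARP rebind: {reply.sender_ip} was {known}, now claimed by {reply.sender_mac}"

    def poisoned_pairs(self):
        """One foreign MAC claiming two or more IPs is the A<->B pattern
        (a genuine NIC swap on one host would rebind only one IP)."""
        by_mac = {}
        for ip, macs in self.rebinds.items():
            for mac in macs:
                by_mac.setdefault(mac, set()).add(ip)
        return {mac: ips for mac, ips in by_mac.items() if len(ips) >= 2}

def scan(replies):
    """Run the monitor over a reply sequence; return (alerts, suspect MACs)."""
    mon = ArpMonitor()
    alerts = [a for a in (mon.observe(r) for r in replies) if a]
    return alerts, mon.poisoned_pairs()

# Constructed sample: A and B answer normally, then a third MAC claims both.
SAMPLE = [
    ArpReply("10.0.0.1", "aa:aa:aa:aa:aa:01"),  # A, genuine
    ArpReply("10.0.0.2", "bb:bb:bb:bb:bb:02"),  # B, genuine
    ArpReply("10.0.0.2", "cc:cc:cc:cc:cc:03"),  # forged "B moved", aimed at A
    ArpReply("10.0.0.1", "cc:cc:cc:cc:cc:03"),  # forged "A moved", aimed at B
    ArpReply("10.0.0.2", "cc:cc:cc:cc:cc:03"),  # the stream repeats
]
```

Run `scan(SAMPLE)` to get three rebind alerts plus the single MAC that now claims both 10.0.0.1 and 10.0.0.2; on a real segment, feed it ARP replies from a capture and treat a MAC in `poisoned_pairs()` as the place to start looking.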


