Have a question or want to start a discussion? Post it! No Registration Necessary. Now with pictures!
August 7, 2005, 7:46 am
rate this thread
Hello, i have read many doc about this exploit but there are any
I hnow that this exploit exist in 3 ways :
1) Basic=> The attacker spoof a switch and gains the trunked states of
the switch's port. Rely on auto-negotiate feature turned ON. This ways
is simple to understand and to block
2) Complex 1 => This attack is described on
http://www.sans.org/resources/idfaq/vlan.php and to work need that the
attacker and the trunk share same native vlan ( ex. VLAN 10 ). In this
doc. the attacker send on the access port ( VLAN 10 ) a tagged frame
with a VLAN-ID of target VLAN ( ex. VLAN 20 ) . The switch takes frame
and forward it on trunk port without native tag (10). The other switch
(connected via-trunk) read VLAN-ID(20) and forward frame on the access
In this scenario my doubts is :
- Why the first SW accepts tagged frame ?
Is this behavior an anomaly of work ?
- Why the last switch that receives native frame on trunk port reads
the VLAN-ID ? Is this normal or anomaly ? I think that sw does'nt read
VLAN-ID because the frame on trunk is native .
2)Complex 2 => In other docs per ex:
there is an attack called " Double-Encapsulated 802.1Q ". In this
exploit the conditions are similar to the
precedent but the attacker need to insert two VLAN-ID ( outer,inner ).
If this case work then the first switch read VLAN-ID on access port and
forward frame on trunk ( strip off first VLAN-ID ) . This behavior is
precedent case . Why the switch forward this frame according to VLAN-ID
on the access-port ? Is this behavior another anomalies ?
Sorry about lenght of post but i want to understand if this
vulnerability were resolved or not .
- » Digital Printing Malaysia | Printing Company Malaysia| Dot2Dot
- — Newest thread in » Cisco Certification
- » You probably don't know the answer but what allows WiFi scanning anyway?
- — The site's Newest Thread. Posted in » Wireless Networking