ian.vitekat_private wrote:

> Problem: Due to limitation with ARP/MAC-tables;
> switches could start sending packages to all ports,
> other network devices could hang, crash or reboot
> if they receive lots of MAC-addresses.

This problem is well-known. We see it occasionally.

The bridge designer faces two choices:

1. To flood packets when the filtering database fills. Thus the bridge
   can cope with larger bridged networks than it was originally designed
   for.

2. To refuse service to addresses not already in the filtering database
   when the database fills.

IEEE 802.1d isn't much use in deciding which option is best.

Fixes are to activate "port security", which deactivates a port if its
MAC address changes. This limits the DoS to one machine, which may still
be worthwhile if the machine runs an attractive service. It is costly to
administer in a large network.

Some switches have a "trap on port MAC address change" option. The port
running the exploit will generate a huge number of traps, and suitable
administrative action taken. Networks with trees of switches will see
multiple traps as MAC addresses change, so this option is usually only
enabled on switches at the edge. However, we run this option on all our
switches and just deal with the extra traps.

Switch vendors do need to improve security. Most vendors' plans involve
obtaining user authentication before granting significant link-level
access. At present, these plans are somewhat proprietary.

Network design is also important. We place all public access areas
(computing labs, etc) on their own IP subnets. These areas usually
require significant IP filtering in any case. The effect is to limit
link-level DoS attacks initiated from a public keyboard to a single
physical area.

-- 
Glen Turner                                  Network Specialist
Tel: (08) 8303 3936           Information Technology Services
Fax: (08) 8303 4400           The University of Adelaide 5005
Email: glen.turnerat_private                 South Australia
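The two mitigations Glen describes, "port security" (disable a port whose learned MAC changes) and "trap on port MAC address change", can be modelled as detection logic over a switch's MAC-learn events. The following is an added illustration, not code from the thread or from any switch vendor: a small Python detector that consumes constructed "MAC learned" log lines (the `<seconds> <port> <mac>` format, the port names and the MAC addresses are all invented for this example), keeps a sliding window of distinct source MACs per port, raises a trap on every MAC change and errdisables a port once it learns more distinct MACs than the configured limit. With `max_macs=1` it behaves like strict port security, and the sample shows the administrative cost Glen mentions: a legitimate host swap on a port also takes the port down.

```python
"""Toy MAC-flood detector: sliding window of distinct MACs per port.

Models two switch features discussed in the thread:
  * "trap on port MAC address change": every learned MAC that differs
    from the port's first (sticky) MAC generates a trap;
  * "port security": once more than max_macs distinct MACs are seen on
    a port within window_s seconds, the port is errdisabled and all
    further frames on it are dropped.
"""
from collections import defaultdict, deque

# Constructed sample log, "<seconds> <port> <mac>" per line.  Not the
# output of any real switch.  Gi0/3 is a normal host (with one genuine
# MAC change at t=9); Gi0/7 is a host flooding random source MACs.
SAMPLE_LOG = """\
0 Gi0/3 00:11:22:33:44:55
1 Gi0/7 00:aa:bb:cc:dd:01
2 Gi0/7 00:aa:bb:cc:dd:02
2 Gi0/3 00:11:22:33:44:55
3 Gi0/7 00:aa:bb:cc:dd:03
3 Gi0/7 00:aa:bb:cc:dd:04
4 Gi0/7 00:aa:bb:cc:dd:05
4 Gi0/7 00:aa:bb:cc:dd:06
5 Gi0/3 00:11:22:33:44:55
9 Gi0/3 00:11:22:33:44:56
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, port, mac)."""
    ts, port, mac = line.split()
    return int(ts), port, mac.lower()


class PortSecurity:
    def __init__(self, max_macs=1, window_s=10):
        self.max_macs = max_macs          # distinct MACs allowed per port
        self.window_s = window_s          # sliding window in seconds
        self.seen = defaultdict(deque)    # port -> deque of (ts, mac)
        self.sticky = {}                  # port -> first learned MAC
        self.disabled = set()             # errdisabled ports
        self.traps = []                   # (ts, port, kind, mac)

    def observe(self, ts, port, mac):
        """Feed one MAC-learn event; return the action the switch took."""
        if port in self.disabled:
            return "dropped"              # port is shut down, frame ignored
        q = self.seen[port]
        q.append((ts, mac))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()                   # expire entries outside the window
        action = "ok"
        if port not in self.sticky:
            self.sticky[port] = mac       # first MAC on the port is "sticky"
        elif mac != self.sticky[port]:
            self.traps.append((ts, port, "mac-change", mac))
            action = "trap"               # "trap on port MAC address change"
        distinct = {m for _, m in q}
        if len(distinct) > self.max_macs:
            self.disabled.add(port)       # port security: errdisable the port
            self.traps.append((ts, port, "errdisable", mac))
            action = "shutdown"
        return action


def run(log_text, max_macs=1, window_s=10):
    """Replay a log through the detector; return (detector, actions per port)."""
    ps = PortSecurity(max_macs, window_s)
    actions = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, port, mac = parse_line(line)
            actions[port].append(ps.observe(ts, port, mac))
    return ps, dict(actions)


def trap_counts(ps):
    """Number of traps raised per port (the operator-visible noise)."""
    counts = defaultdict(int)
    for _, port, _, _ in ps.traps:
        counts[port] += 1
    return dict(counts)


if __name__ == "__main__":
    ps, actions = run(SAMPLE_LOG, max_macs=3)
    for port, acts in actions.items():
        print(port, acts)
    print("errdisabled:", sorted(ps.disabled), "traps:", trap_counts(ps))
```

With `max_macs=3` the flooding port Gi0/7 produces a trap on each new MAC and is errdisabled on the fourth, while Gi0/3's single MAC change yields one trap and stays up; with `max_macs=1` (strict port security) both ports end up errdisabled, which is the per-port administrative burden the post warns about.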
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:17 PDT