As was once said by the wise Ryan Russell, on Tue, Jun 12, 2001 at 08:28:28AM -0600:

> The problem does exist with just one switch in at least one instance. On
> the Catalyst 5xxx family, a researcher found that they could force 802.1q
> frames onto the switch, and some of them would leak through to the VLAN
> designated in the frames. Cisco couldn't fix it. The VLAN tags come at
> the end of the frame,

For 802.1q, to my understanding (without looking it up ;), 802.1q inserts the VLAN identifier right after the source MAC address.

> and under load, the switch would have already
> started forwarding the frame before it knew what VLAN it was designated
> for.

To my best understanding, that is only possible if the switch has trunking going on. The only way we found to exploit it was with multiple switches which are configured to do 802.1q VLAN trunking. If it can be done with just one switch with NO VLAN trunking, that would be news to me. I am unfortunately not in a place to be able to test (yea, I wish I had a coupla Cat 5xxx's at home ;). I would have to see more info to believe that it happens without VLAN trunking, because I thought the way the exploit worked was via having the switch on the other side of a VLAN trunk think the 802.1q header on the frame was from the peer switch...

Got a url?

Damieon Stark
Unix/Network Security Engineer
<plug> currently seeking employment </plug>
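The reply's point is where the 802.1Q tag actually sits in the frame: immediately after the source MAC, not at the end. The following is an added example, not code from the thread or from Cisco, that parses raw Ethernet frames at that layout, walks any stacked tags, and classifies what a defender would want to flag: a tagged frame arriving on a port that is not a trunk, or a frame carrying two tags (the stacked-tag pattern the thread discusses). The sample frames are constructed inline; `classify()` and the port-is-trunk flag are assumptions for the example, not a real switch API.

```python
"""Parse IEEE 802.1Q tags from raw Ethernet frames (added example).

Layout: dst MAC (6) | src MAC (6) | [TPID 0x8100 (2) | TCI (2)]* | EtherType (2) | payload
The tag block is inserted right after the source MAC address. A frame may
carry more than one tag in a row (stacked tags); each tag is 4 bytes.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as a colon-separated MAC string."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, list of tags (pcp/dei/vid), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    tags = []
    # Walk every stacked tag: each is TPID (2 bytes) followed by TCI (2 bytes).
    while len(frame) >= offset + 4 and \
            struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({
            "pcp": tci >> 13,          # 3-bit priority code point
            "dei": (tci >> 12) & 1,    # drop eligible indicator
            "vid": tci & 0x0FFF,       # 12-bit VLAN identifier
        })
        offset += 4
    if len(frame) < offset + 2:
        raise ValueError("frame truncated after VLAN tag")
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "tags": tags,
        "ethertype": ethertype,
        "payload": frame[offset + 2:],
    }


def classify(frame: bytes, port_is_trunk: bool) -> str:
    """Hypothetical port-policy check: what should a switch port have seen?

    Returns "double-tagged" for stacked tags, "tagged-on-access-port" for a
    single tag on a non-trunk port, otherwise "ok".
    """
    tags = parse_frame(frame)["tags"]
    if len(tags) >= 2:
        return "double-tagged"
    if tags and not port_is_trunk:
        return "tagged-on-access-port"
    return "ok"


# Constructed sample frames (not captured traffic).
_DST = bytes.fromhex("ffffffffffff")
_SRC = bytes.fromhex("001122334455")
_IPV4 = b"\x08\x00"
_PAYLOAD = b"\x45" + b"\x00" * 19  # minimal IPv4-looking filler

UNTAGGED = _DST + _SRC + _IPV4 + _PAYLOAD
TAGGED_VID10 = _DST + _SRC + b"\x81\x00\x00\x0a" + _IPV4 + _PAYLOAD
DOUBLE_TAGGED = _DST + _SRC + b"\x81\x00\x00\x01" + b"\x81\x00\x00\x64" + _IPV4 + _PAYLOAD


if __name__ == "__main__":
    for name, frame in [("untagged", UNTAGGED), ("vid10", TAGGED_VID10),
                        ("double", DOUBLE_TAGGED)]:
        info = parse_frame(frame)
        print(name, [t["vid"] for t in info["tags"]],
              hex(info["ethertype"]), classify(frame, port_is_trunk=False))
```

Run against the constructed frames, the parser reports VIDs `[]`, `[10]` and `[1, 100]` with EtherType `0x800` in each case; the double-tagged frame is flagged regardless of port type, and the single-tagged one only when the receiving port is configured as an access port.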
This archive was generated by hypermail 2b30 : Tue Jun 12 2001 - 09:49:20 PDT