Nothing in the 802.1Q specification forbids chaining multiple consecutive tags, thereby producing an 802.1Q tag stack. Figure 4-3 represents a two-level 802.1Q tag stack.
Figure 4-3 Multiple 802.1Q Tags
There are legitimate use cases for stacking multiple 802.1Q tags. One of them is Cisco QinQ, where up to 4096 VLANs can be multiplexed inside a single VLAN ID. The first tag from left to right (outer tag) remains the same, while the second tag (inner tag) takes any value ranging from 1 to 4096.
QinQ offers a way to scale well past the 12 bits allotted to VLAN IDs by offering up to 4096 * 4096 possible combinations. As it turns out, this interesting tag-stacking property lays the groundwork for an often talked-about VLAN hopping attack called the double-nested VLAN attack. Figure 4-4 shows the principles in action behind the attack.
[Figure 4-3 layout: Ethernet frame with two 802.1Q tags (not to scale): Destination MAC | first 802.1Q tag (4 bytes: 0x8100, Pri, CFI, VID#1) | second 802.1Q tag (4 bytes: 0x8100, Pri, CFI, VID#2); together they form a double 802.1Q stack.]
Figure 4-4 Nested VLAN Hopping Attack
The premises of this attack are
• The attacker’s port is in VLAN 5.
• The native VLAN of the trunk is VLAN 5.
Generally speaking, for the attack to succeed, a trunk on the switch must have the same native VLAN as a VLAN assigned to an access port. With this exploit, what an attacker tries to achieve is to inject traffic from VLAN X into VLAN Y with no router involved. The fact that no router is involved implies that the attack is unidirectional: The victim won’t be able to respond to the attacker’s packet. In this case, this is no concern to the attacker because, chances are, you are dealing with a denial-of-service (DoS) attack (where a “killer packet” might be sent to the victim, for example).
Here is how the attacker proceeds:
1 The attacker crafts a frame with two 802.1Q tags: 5 and 96.
2 The first (outer) tag matches the attacker’s access port’s VLAN (5).
3 The second (inner) tag matches the victim’s access port’s VLAN (96).
4 The attacker sends the frame (which likely contains a killer packet).
5 The frame enters switch 1; here, it gets classified into VLAN 5.
6 The frame is destined to a MAC address located off the trunk.
7 Because the native VLAN of the trunk to switch 2 is 5, the first tag is stripped off. (Remember that frames on the native VLAN travel untagged.)
[Figure 4-4 layout: the attacker’s port is in VLAN 5. The frame sent is Destination MAC | Source MAC | 1st tag (8100 5) | 2nd tag (8100 96) | 0800 | Data. Switch 1 strips off the 1st tag as the frame leaves the trunk; the frame reaches the victim in VLAN 96. Note: only works if the trunk has the same native VLAN as the attacker’s port.]
8 The frame carries a second tag (96) followed by data. This is how it leaves the trunk on switch 1.
9 The frame arrives on switch 2 with tag 96. As such, it is classified by switch 2 as belonging to VLAN 96.
10 The frame is delivered to the victim in VLAN 96. VLAN hopping just happened!
The attack might seem convoluted. After all, it involves manually crafting an Ethernet frame so that it contains two tags and some data. This is difficult to pull off—definitely not something in the realm of a script kiddie. That statement might have been true a few years ago—before Yersinia entered the scene.
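The tag handling in steps 1 through 10 comes down to three rules: an access port classifies everything into its VLAN, a trunk sends native-VLAN frames untagged, and the receiving trunk classifies on the outermost tag it sees. The following Python is an added example, not code from the book or from Yersinia: it parses an 802.1Q tag stack, models those three rules plus the "tag all trunk traffic" option discussed later in this chapter, and reports which VLAN the second switch delivers the frame into. The MAC addresses, the function names (hop_outcome, trunk_egress and so on) and every VLAN number other than 5 and 96 are constructed for the example.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_tag_stack(frame: bytes):
    """Split a frame into (dst, src, [VID, ...], payload ethertype, payload).
    Every 0x8100 ethertype introduces a 4-byte tag (2-byte TPID + 2-byte TCI);
    the loop consumes as many as are stacked, since 802.1Q does not limit chaining."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset, vids = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated ethertype")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype != ETHERTYPE_8021Q:
            return dst, src, vids, ethertype, frame[offset:]
        if offset + 2 > len(frame):
            raise ValueError("truncated 802.1Q TCI")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)  # low 12 bits are the VID; PCP and CFI sit above


def build_frame(dst, src, vids, ethertype, payload):
    """Assemble a frame with the given tag stack (outermost VID first), priority 0, CFI 0."""
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def access_ingress(frame, access_vlan):
    """An access port classifies everything into its own VLAN. The switch then carries
    the frame as (vlan, frame minus the outer tag); a tag that does not match the
    port's VLAN is dropped (None). This is the premise in steps 2 and 5."""
    dst, src, vids, ethertype, payload = parse_tag_stack(frame)
    if vids and vids[0] != access_vlan:
        return None
    inner = build_frame(dst, src, vids[1:], ethertype, payload) if vids else frame
    return access_vlan, inner


def trunk_egress(vlan, inner, native_vlan, tag_native=False):
    """What leaves the trunk (step 7): native-VLAN frames go out untagged unless the
    trunk is forced to tag everything; any other VLAN is re-tagged on the way out."""
    if vlan == native_vlan and not tag_native:
        return inner  # untagged on the wire, so the inner tag now reads as the outer one
    dst, src, vids, ethertype, payload = parse_tag_stack(inner)
    return build_frame(dst, src, [vlan] + vids, ethertype, payload)


def trunk_ingress(wire, native_vlan, drop_untagged=False):
    """The receiving trunk (step 9) classifies on the outermost tag; an untagged frame
    lands in the native VLAN, or is dropped on platforms that insist on a tag."""
    _, _, vids, _, _ = parse_tag_stack(wire)
    if vids:
        return vids[0]
    return None if drop_untagged else native_vlan


def hop_outcome(outer_vid, inner_vid, access_vlan, native_vlan, tag_native=False):
    """Run a double-tagged frame from an access port across one trunk and return the
    VLAN the second switch delivers it into (None if it is dropped along the way).
    MAC addresses below are constructed sample values."""
    frame = build_frame(b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee",
                        [outer_vid, inner_vid], ETHERTYPE_IPV4, b"sample payload")
    classified = access_ingress(frame, access_vlan)
    if classified is None:
        return None
    vlan, inner = classified
    wire = trunk_egress(vlan, inner, native_vlan, tag_native)
    return trunk_ingress(wire, native_vlan, drop_untagged=tag_native)


if __name__ == "__main__":
    print("native VLAN 5, no tag-native:", hop_outcome(5, 96, 5, 5))        # 96: hop succeeds
    print("native VLAN 10, no tag-native:", hop_outcome(5, 96, 5, 10))      # 5: stays in VLAN 5
    print("native VLAN 5, tag-native on:", hop_outcome(5, 96, 5, 5, True))  # 5: stays in VLAN 5
```

The book's scenario (access and native VLAN both 5) yields 96. Moving the native VLAN away from the access VLAN, or forcing the trunk to tag all traffic, makes the frame leave with both tags in place, so switch 2 classifies on the outer tag, 5, and the inner tag never becomes visible.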
NOTE The Yersinia Layer 2 attack tool was introduced in Chapter 3, “Attacking the Spanning Tree Protocol.” If you are not familiar with this tool, see Chapter 3 for a summary of this Layer 2 hacker’s Swiss-army knife.
Yersinia makes it easy to inject double-tagged frames into the network, as Figure 4-5 and Figure 4-6 show.
Figure 4-6 Yersinia’s Nested VLAN Attack Screen
The attack is entirely menu-driven. Using Yersinia, it is possible to modify the frame’s contents and specify its outer and inner 802.1Q tags, as the lower portion of Figure 4-6 shows. After the frame is constructed, a simple mouse click sends it out on the port. It doesn’t get much easier than that.
This attack is particularly difficult to trace. From a protocol’s standpoint, no foul play occurs—chaining 802.1Q headers is not illegal, and the switch won’t complain when it sees such frames. You can thwart this attack in three ways:
• Ensure that the native VLAN is not assigned to any access port.
• Clear the native VLAN from the trunk (not recommended).
• Force all traffic on the trunk to always carry a tag (preferred).
Option 1 is available on switches from all vendors. It is just a matter of configuring the switch in a way that ensures access ports aren’t placed in a VLAN that is used as the native VLAN of a trunk on the same switch. For example, if you have a trunk whose native VLAN is 10, make sure that no access port is a member of VLAN 10.
On the other hand, options 2 and 3 might not be available on all LAN switches. Option 2 consists of manually clearing (or pruning) the native VLAN off the trunk. For example, to achieve this, the Cisco IOS configuration would look like what’s shown in Example 4-1.
Example 4-1 removes VLAN 10 from the trunk, thereby clearing the native VLAN. Various reasons exist for why you should not opt for this choice. Several “system” protocols rely on the presence of the native VLAN to function properly, and protocol-level compatibility between switches might no longer be guaranteed with the native VLAN gone. Option 3 is the preferred method. Its operation is straightforward: It ensures that all traffic leaving a trunk always carries a tag. In a way, it gets rid of the native VLAN concept, but it does not disrupt traffic sent to or from the native VLAN. It just tags it.
WARNING Be careful when interoperating with a switch that does not provide this option; it breaks communication on the native VLAN.
Within the family of Cisco switches, certain discrepancies exist regarding the specifics of the feature. For example, with the option enabled, a Catalyst 6500 switch ensures that both outgoing and incoming frames are always tagged. Frames arriving on a trunk without a tag are dropped. On the other hand, the Catalyst 3750 tags all outgoing traffic, but it is lenient toward incoming traffic that arrives untagged.
NOTE Regardless of platform-specific idiosyncrasies, the option to tag all trunk traffic is available on most Cisco switches.
Depending on the software version, the command is available either globally or on a per-port basis. Example 4-2 lists the global and per-port configurations:
Example 4-1 Cisco IOS Trunk Port Configuration to Clear Native VLAN
CiscoSwitch(config)#interface GigabitEthernet2/1
CiscoSwitch(config-if)#switchport
CiscoSwitch(config-if)#switchport trunk encapsulation dot1q
CiscoSwitch(config-if)#switchport trunk native vlan 10
CiscoSwitch(config-if)#switchport trunk allowed vlan 1-500
CiscoSwitch(config-if)#switchport trunk allowed vlan remove 10
The dot1q tag native setting prevents double-encapsulation (nested VLAN) attacks by never stripping off the outer tag of a double-tagged frame. Both tags remain intact throughout the transit of the frame across the trunk, leaving the attacker empty-handed in terms of VLAN hopping.
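Option 1 is easy to state but easy to violate by accident, because an access port with no explicit VLAN and a trunk with no explicit native VLAN both default to VLAN 1 on Cisco IOS. The Python below is an added example, not from the book: it parses the handful of IOS commands used on this page plus switchport mode and switchport access vlan, applies those VLAN 1 defaults, and reports every trunk whose native VLAN is also the VLAN of an access port on the same switch. When the global vlan dot1q tag native command is present (option 3) the overlap is reported as harmless, since native-VLAN frames then leave the trunk tagged. The interface names and VLAN numbers in SAMPLE_CONFIG are constructed.

```python
import re
from dataclasses import dataclass

DEFAULT_VLAN = 1  # IOS default for both an unconfigured access VLAN and an unconfigured native VLAN


@dataclass
class Port:
    name: str
    mode: str = "access"            # "access" or "trunk"
    access_vlan: int = DEFAULT_VLAN
    native_vlan: int = DEFAULT_VLAN


# Constructed running-config excerpt: two trunks, three access ports, no tag-native.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 96
!
interface GigabitEthernet1/3
 switchport mode access
!
interface GigabitEthernet2/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1-500
 switchport mode trunk
!
interface GigabitEthernet2/2
 switchport mode trunk
!
"""


def parse_config(text: str):
    """Minimal parser for the IOS lines this check needs; returns (global_tag_native, ports).
    Lines it does not recognise (encapsulation, allowed vlan, bare 'switchport') are ignored."""
    global_tag_native = False
    ports, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line == "vlan dot1q tag native":
            global_tag_native = True
        elif line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports.append(current)
        elif current is not None:
            if m := re.fullmatch(r"switchport mode (access|trunk)", line):
                current.mode = m.group(1)
            elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
                current.access_vlan = int(m.group(1))
            elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
                current.native_vlan = int(m.group(1))
    return global_tag_native, ports


def audit(text: str):
    """Return one finding per trunk whose native VLAN is also an access VLAN on this switch.
    With the global tag-native command present the list is empty: option 3 covers the overlap."""
    tag_native, ports = parse_config(text)
    if tag_native:
        return []
    access = [p for p in ports if p.mode == "access"]
    findings = []
    for trunk in (p for p in ports if p.mode == "trunk"):
        overlap = [a.name for a in access if a.access_vlan == trunk.native_vlan]
        if overlap:
            findings.append(
                f"{trunk.name}: native VLAN {trunk.native_vlan} also used by access ports "
                + ", ".join(overlap)
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("with vlan dot1q tag native:", audit("vlan dot1q tag native\n" + SAMPLE_CONFIG))
```

On the sample, GigabitEthernet2/1 is flagged because its native VLAN 10 is the access VLAN of GigabitEthernet1/1, and GigabitEthernet2/2 is flagged through the defaults alone: it never names a native VLAN and GigabitEthernet1/3 never names an access VLAN, so both sit in VLAN 1. The second pitfall is the one a manual review tends to miss.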