
Link Aggregation Protocols

For performance reasons, it is sometimes required to bind several parallel links into a single aggregated bundle. The intent is to have a link with more bandwidth. Figure 11-5 shows such a bundling where two links are used between switch A and switch B. If the links were 1 Gbps links, the aggregated bandwidth would be 2 Gbps. In Cisco switches, this mechanism is called EtherChannel.

Figure 11-5 Aggregating Multiple Links

The EtherChannel (aggregated link) behaves like a link per itself. Spanning Tree Protocol (STP) runs on the aggregated link and not on the physical ports themselves. The aggregated link also has its own MAC address (which is typically identical to one of the physical ports). The switches use specific load-balancing mechanisms to spread the traffic load among all physical ports.

Two protocols exist to achieve such an aggregation:

Port Aggregation Protocol (PAgP). Cisco proprietary protocol

Link Aggregation Control Protocol (LACP). Standardized by the IEEE as 802.3ad

Figure 11-6 shows the packet structure for Cisco PAgP. The packets are sent to the Cisco Ethernet multicast address 0100.0CCC.CCCC (the same one used by CDP and VTP) with SNAP encapsulation and the protocol identifier 01-04. The packet contains information about the local port and the partner port (MAC address and port identifier; Cisco devices use the SNMP ifindex as the port identifier). Additional information about the system name and port name is added. There is neither an authentication mechanism nor an integrity one.

[Figure 11-5: Switch A and Switch B connected by an aggregated link; switch ports labeled Port 1 through Port 5]

Figure 11-6 Content of PAgP Packet

Figure 11-7 shows the IEEE 802.3ad LACP protocol data unit (PDU). LACP is part of the IEEE slow protocols—that is, protocols with a low throughput. The packets are sent to the Ethernet multicast address 0180.C200.0002 using the Ethertype of 88-09. It is merely a series of TLV-encoded fields about the actor (the local switch) and the partner. Just like PAgP, no security mechanism is built into LACP.

Figure 11-7 Link Aggregation Control PDU Format

Field            Content
Header           Version, Flags
Local Device     Device ID, Learn Capability, Hot Standby Priority, Port Ifindex, Group Capability, Group Ifindex
Partner Device   Device ID, Learn Capability, Hot Standby Priority, Port Ifindex, Group Capability, Group Ifindex, Count
TLV              Device Name, Port Name, Reserved

[Figure 11-7: 32-bit-wide layout of Subtype, Version, Actor Information TLV, Partner Information TLV, Collector Information TLV, and Terminator TLV]
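As an added example (not code from the book or from any vendor), the following Python dissector walks the LACPDU layout just described and pairs it with the only audit a defender can run on a protocol that carries no authentication: comparing what the frame claims against local configuration. It assumes the standard 802.3ad TLV sizes (Actor and Partner Information TLVs of 20 bytes, Collector Information TLV of 16 bytes, a Terminator TLV, then padding); the sample frame, the port names, and the inventory of known system IDs are constructed placeholders.

```python
import struct

LACP_MULTICAST_MAC = bytes.fromhex("0180c2000002")   # 0180.C200.0002, as in the text
SLOW_PROTOCOLS_ETHERTYPE = 0x8809                    # Ethertype 88-09, as in the text
LACP_SUBTYPE = 0x01                                  # slow-protocol subtype for LACP

# Meaning of the eight bits of the actor/partner State octet (IEEE 802.3ad), bit 0 first.
STATE_BITS = ["activity", "timeout", "aggregation", "synchronization",
              "collecting", "distributing", "defaulted", "expired"]


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _parse_info_tlv(value: bytes) -> dict:
    # Actor and Partner Information TLVs share one 18-byte value layout:
    # system priority(2) system(6) key(2) port priority(2) port(2) state(1) reserved(3)
    sys_prio, system, key, port_prio, port, state = struct.unpack("!H6sHHHB", value[:15])
    return {
        "system_priority": sys_prio,
        "system": mac_str(system),
        "key": key,
        "port_priority": port_prio,
        "port": port,
        "state": {name: bool(state >> i & 1) for i, name in enumerate(STATE_BITS)},
    }


def parse_lacpdu(frame: bytes) -> dict:
    """Dissect an Ethernet frame carrying an LACPDU; raise ValueError if it is not one."""
    if len(frame) < 16:
        raise ValueError("frame too short")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if dst != LACP_MULTICAST_MAC or ethertype != SLOW_PROTOCOLS_ETHERTYPE:
        raise ValueError("not a slow-protocols frame to the LACP multicast address")
    subtype, version = frame[14], frame[15]
    if subtype != LACP_SUBTYPE:
        raise ValueError(f"slow-protocol subtype {subtype} is not LACP")
    pdu = {"source_mac": mac_str(src), "version": version, "tlvs": []}
    offset = 16
    while offset + 2 <= len(frame):
        tlv_type, tlv_len = frame[offset], frame[offset + 1]
        if tlv_type == 0:        # Terminator TLV ends the list; what follows is padding
            break
        if tlv_len < 2:          # malformed length would loop forever; stop instead
            raise ValueError("malformed TLV length")
        value = frame[offset + 2:offset + tlv_len]   # length covers type+length bytes
        if tlv_type in (1, 2):   # 1 = Actor Information, 2 = Partner Information
            pdu["actor" if tlv_type == 1 else "partner"] = _parse_info_tlv(value)
        elif tlv_type == 3:      # Collector Information: max delay(2) + reserved(12)
            pdu["collector_max_delay"] = struct.unpack("!H", value[:2])[0]
        pdu["tlvs"].append(tlv_type)
        offset += tlv_len
    return pdu


def audit_lacpdu(frame: bytes, ingress_port: str, lacp_ports: set, known_systems: set) -> list:
    """Findings worth alerting on. lacp_ports (ports with a channel configured) and
    known_systems (system IDs of inventoried switches) are local policy, not protocol data."""
    pdu = parse_lacpdu(frame)
    findings = []
    if ingress_port not in lacp_ports:
        findings.append(f"LACPDU received on {ingress_port}, where no channel is configured")
    if pdu["actor"]["system"] not in known_systems:
        findings.append(f"LACPDU from unknown system ID {pdu['actor']['system']}")
    return findings


# Constructed sample capture: one LACPDU from a switch with system ID 00:11:22:33:44:55.
SAMPLE_LACPDU = bytes.fromhex("".join([
    "0180c2000002", "001122334455", "8809",          # dst, src (constructed), Ethertype
    "01", "01",                                      # subtype LACP, version 1
    "0114", "8000", "001122334455", "0001", "8000", "0001", "05", "000000",   # Actor TLV
    "0214", "8000", "00aabbccddee", "0001", "8000", "0002", "05", "000000",   # Partner TLV
    "0310", "8000", "00" * 12,                       # Collector TLV
    "0000", "00" * 50,                               # Terminator TLV + padding
]))

if __name__ == "__main__":
    pdu = parse_lacpdu(SAMPLE_LACPDU)
    print("actor", pdu["actor"]["system"], "port", pdu["actor"]["port"], "state", pdu["actor"]["state"])
    print(audit_lacpdu(SAMPLE_LACPDU, "Gi1/0/7", {"Gi1/0/1"}, {"00:11:22:33:44:55"}))
```

Because the PDU carries no authentication or integrity field, the parser can only report what the frame claims about the actor; the useful signal is the mismatch between that claim and the switch's own configuration, above all an LACPDU arriving on a port where no channel is supposed to exist.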

Because there is little difference between PAgP and LACP from a security perspective, the next sections describe the risk analysis and the risk mitigation for both protocols. Both protocols are typically enabled by default on all trunk ports. Chapter 4, “Are VLANs Safe?,” describes how an attacker might enable trunking on a port with the help of Dynamic Trunking Protocol (DTP).

Risk Analysis

Because no security is built into the two link aggregation protocols, an attacker can send a forged control packet to a switch. The switch acts on this packet and adds the link on which the attacker is located to the aggregated port, as shown in Figure 11-8 (where switch B was the target of the attack).

Figure 11-8 Traffic Hijacking with Aggregation

As soon as an attacker becomes part of the aggregated link, switch B starts to load balance the traffic to switch A among all four physical ports. Hence, the attacker receives one-fourth of the traffic. This can have two unfortunate consequences:

DoS. If an attacker simply drops the received frames, one-fourth of the traffic is lost, and because the load balancing is based on the source and destination MAC addresses, all packets from a single connection are lost.

Lack of confidentiality and integrity. Because the attacker receives frames for another recipient, it is easy to sniff them and even forward them to the expected recipient after changing the packet’s content. (The attacker must change the source MAC address of the packet or the frame would loop forever between the attacker and the attacked switch; for most protocols, notably IP, this change of source MAC address won’t be detected.)

[Figure 11-8: Switch A and Switch B with the aggregated link; switch ports labeled Port 1 through Port 6]
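To make the "one-fourth of the traffic" and "all packets from a single connection" points concrete, here is an added Python model (not from the book, and not any vendor's algorithm) of MAC-address-based load balancing across channel members. The eight-bucket XOR hash and round-robin bucket assignment are an assumption standing in for whatever a given switch implements; the flows and port names are constructed.

```python
from collections import defaultdict


def member_for_flow(src_mac: bytes, dst_mac: bytes, members: list) -> str:
    """Pick the channel member that carries frames between src_mac and dst_mac.
    Assumed model: XOR of the three low-order bits of the two addresses selects one
    of eight hash buckets, and buckets are dealt round-robin to the member ports.
    Real switches differ in the details, but the property the text relies on holds
    for every MAC-based scheme: the choice depends only on the addresses, so all
    frames of one conversation take the same member."""
    bucket = (src_mac[-1] ^ dst_mac[-1]) & 0x7
    return members[bucket % len(members)]


def traffic_share(members: list, port: str, flows: list) -> float:
    """Fraction of the flows (src, dst pairs) whose frames land on the given member."""
    on_port = sum(1 for s, d in flows if member_for_flow(s, d, members) == port)
    return on_port / len(flows)


def flows_are_pinned(members: list, flows: list, frames_per_flow: int = 5) -> bool:
    """True if every frame of every flow maps to the same member: losing one member
    then loses whole conversations rather than a random quarter of each one."""
    seen = defaultdict(set)
    for _ in range(frames_per_flow):
        for s, d in flows:
            seen[(s, d)].add(member_for_flow(s, d, members))
    return all(len(ports) == 1 for ports in seen.values())


# Constructed sample: 256 conversations between hosts whose MACs differ in the last byte.
SAMPLE_FLOWS = [(bytes([0x00, 0x11, 0x22, 0x33, 0x44, s]),
                 bytes([0x00, 0xaa, 0xbb, 0xcc, 0xdd, d]))
                for s in range(16) for d in range(16)]

LEGIT_MEMBERS = ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3"]   # placeholder names for the real members
ROGUE_PORT = "Gi1/0/4"                              # placeholder name for the port the forged PDU added

if __name__ == "__main__":
    before = traffic_share(LEGIT_MEMBERS, ROGUE_PORT, SAMPLE_FLOWS)
    after = traffic_share(LEGIT_MEMBERS + [ROGUE_PORT], ROGUE_PORT, SAMPLE_FLOWS)
    print(f"share of flows on rogue port: before {before:.2f}, after {after:.2f}")
    print("flows pinned to one member:", flows_are_pinned(LEGIT_MEMBERS + [ROGUE_PORT], SAMPLE_FLOWS))
```

With three legitimate members plus the added port, the model hands exactly two of the eight buckets to the new member, hence a quarter of the flows; the pinning check is what turns "a quarter of the frames" into "all frames of a quarter of the connections", which is why the text describes the DoS as whole connections being lost.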

At the time of this writing, the authors were not aware of any attack tool trying to exploit the absence of security in aggregation protocols. This attack also requires some knowledge about the MAC addresses of both switches, so it is not easy to launch, but “security by obscurity” is always a bad policy decision. No one should ever rely on the level of difficulty for an attacker. The attack also requires that the attacker has access to a trunk port. This hijacking is just an efficient variation of the learning bridge attack discussed in Chapter 2, “Defeating a Learning Bridge’s Forwarding Process.” Even without forging link aggregation protocol packets, an attacker can send multiple frames with the source MAC addresses of the hosts to be attacked; the upstream switch then starts forwarding the frames to the attacker instead of to the victim’s machine. The major difference between sending MAC-spoofed frames and becoming part of an aggregated link is that the MAC-spoofing attack requires several frames to be sent (that is, more knowledge about the victims and more traffic to be generated).

In the end, the risk is low, but real. Because mitigation techniques are easy to deploy, there is no reason to take this risk.