Cisco uplinkfast Dummy frame (Mac address spoofing)

I bought up this topic in #Cisco on Freenode and no one has ever heard of
this being done nor can i find any documentation whatsoever regarding the
uplinkfast dummy frame.

So I was reviewing some bridging and switching topics and noticed an
interesting abnormality in the uplinkfast dummy frame. This frame is sent
out the new root port of a switch during an uplinkfast reconvergence with
the destination mac 0100.0ccd.cdcd and sourced from each dynamic mac address
in cam table entry of the originating switch. This is used to ensure
reconvergence time of the cam table on the upstream switches during the
event of a uplinkfast failover. Otherwise uplinkfast is useless right? Why
transition to the next available root port immediately if upstream cam
tables are not going to be updated immediately to reflect the l2 topology
change(s)?

None the less. After reading about this frame, Cisco documents it as a frame
that is forwarded throughout the entire l2 domain, in which case this frame
is processed by the SP then forwarded out all forwarding ports. (I'm
assuming)

The dilemma i run into is; can this frame be crafted in a way to cause a L2
denial of service attack or even the ability to sniff traffic destined to a
server on a network by poisoning the CAM table on all switches on the
network simultaneously.

If indeed the frame is spammed across the entire l2 domain and forces Cisco
switches (only cisco) to update their cam tables to the new spammed MAC
address then this would cause l2 traffic to traverse the network in a
different path.

I've attempted to craft the packet but I've been successful as I'm not for
sure what all fields are required/associated with the uplinkfast dummy frame
as I've not had the ability to capture a uplinkfast dummy frame in the act.
(I'll have to put wireshark to work)

Ultimately the question is; Is there a security mechanism in place on the
Cisco SP to prevent such attacks using spoofed uplinkfast frames?

If no security exist to prevent such spoofing someone would easily be able
to craft frames spammed to a switch with lets say the source mac address of
the DNS servers on a network and the destination mac address of the packet
as the uplinkfast multi-cast destination (0100.0ccd.cdcd) in which case it
would be spammed throughout the l2 domain forcing updates of the cam tables
on every cisco switch thus changing the l2 transit path for traffic destined
to that MAC. After all, in modern networks DNS is practically a critical
role. A Network without DNS could a nasty outage as many app's and services
such as email rely on DNS.

-Matthew George

Blogs and organic groups at http://www.ccie.net
Received on Wed Oct 20 2010 - 21:41:40 ART