Unicast flood

In computer networking, a unicast flood (also called unknown-unicast flooding) occurs when a switch receives a unicast frame whose destination MAC address is not in its forwarding table, so the switch does not know which port, if any, the addressee can be reached through. Lacking that information, it forwards the frame out of every other port in the same broadcast domain (VLAN) except the one on which the frame arrived.

Background

Unicast refers to a one-to-one transmission from one node in a network to another. This diagram illustrates the unicast transmission of a frame from one network node to another:

[Figure: unicast transmission of a frame from one network node to another]

When a switch receives a unicast frame with a destination address not in the switch’s forwarding table, the frame is treated like a broadcast frame and sent to all network segments to which it is attached except the one from which it received the frame:

[Figure: the frame flooded to every attached segment except the one it arrived on]

Causes

The learning process of transparent bridging requires that the switch receive a frame from a device before unicast frames can be forwarded to it selectively. Until such a frame arrives, unicast flooding is what ensures transmissions still reach their intended destination. This is normally a short-lived condition, because the flooded frame typically provokes a response, and that response completes the learning process. It occurs when a device is first connected to a network segment, or after its address and port association has been purged from the forwarding information base (FIB). An entry is purged when the link goes down on the port where it was learned or when it expires due to inactivity (five minutes is the default on many switches). A time limit is necessary because a switch does not necessarily see any indication when a node is moved or disconnected.

When a bridge or switch has no room left in its forwarding information base and so cannot add an entry for a new node, it must forward every frame addressed to that node through all ports except the one on which the frame was received, for as long as the table stays full. This is a common problem on networks with more hosts than the table can hold. [1] Less common, but deliberate, is the artificial filling of the address table in a MAC flooding attack, whose purpose is precisely to provoke this flooding so that the attacker's port receives traffic meant for other hosts.

Another common cause is a host whose ARP cache timeout is longer than the timeout of the forwarding information base (FIB) in the switch: the switch forgets which port leads to the target before the host forgets the target's MAC address, so the host keeps sending unicast frames that the switch can only flood. [2] This can be prevented by configuring the switch with a FIB timeout longer than the ARP cache timeouts of the nodes on its network. A node whose ARP cache entry has expired must first send an ARP request, a broadcast frame that the switch forwards through all ports anyway, to discover the (current) MAC address of the host; the host's unicast reply re-teaches the switch where that MAC is before any data traffic follows.

Misconfigured or asymmetric network paths may lead to unicast flooding as well. If there are two layer-2 paths between Host A and Host B, and Host A uses path 1 to talk to Host B while Host B uses path 2 to respond, then the intermediate switches on path 1 never see a frame sourced from Host B and so never learn its MAC address, and the switches on path 2 likewise never learn Host A's. Every frame in each direction is then flooded along its path. [3]

A final cause of unicast floods is topology change. When the link state changes on a port that participates in Rapid Spanning Tree, the resulting topology change notification causes the switch, and the other switches that receive it, to flush their address caches, so all subsequent frames are flooded out of all ports until the addresses are relearned. [4]
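The mechanics described in this section, as an added example that is not part of the original article or of any cited source: a toy learning switch in Python. It reproduces the two causes that matter most in practice, an ARP cache that outlives the switch's FIB ageing time, and a FIB filled by an attacker so that a new host can never be learned. All hosts, MAC addresses (the 02:... and 02:bb:bb:bb:... prefixes), timers and the table size are constructed for illustration.

```python
"""Toy learning switch that shows when unknown-unicast flooding happens.

Added example for this article; it is not code from any real switch or from
the cited sources.  Hosts, MAC addresses, timers and the table size below are
constructed for illustration.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    ports: int
    ageing: float        # seconds an idle FIB entry survives (300 s is a common default)
    capacity: int        # FIB/CAM size; real tables hold thousands of entries
    fib: dict = field(default_factory=dict)   # src MAC -> (port, time last seen)
    unicast_floods: int = 0
    forwarded: int = 0

    def _expire(self, now):
        for mac in [m for m, (_, seen) in self.fib.items() if now - seen > self.ageing]:
            del self.fib[mac]

    def _learn(self, src, port, now):
        # A source is learned only if it is already present or the table has room;
        # a full table (MAC flooding) silently drops the new association.
        if src in self.fib or len(self.fib) < self.capacity:
            self.fib[src] = (port, now)

    def forward(self, src, dst, in_port, now):
        """Switch one frame; return the set of egress ports."""
        self._expire(now)
        self._learn(src, in_port, now)
        everywhere_else = {p for p in range(self.ports) if p != in_port}
        if dst == BROADCAST:
            return everywhere_else
        if dst not in self.fib:              # unknown unicast: flood it
            self.unicast_floods += 1
            return everywhere_else
        self.forwarded += 1
        return {self.fib[dst][0]}


@dataclass
class Host:
    mac: str
    port: int
    arp_timeout: float                       # seconds an ARP cache entry is trusted
    arp: dict = field(default_factory=dict)  # peer MAC -> time learned


def send(sw, src, dst, now):
    """src sends one data frame to dst, ARPing first if its cache entry is missing or expired."""
    if now - src.arp.get(dst.mac, float("-inf")) > src.arp_timeout:
        sw.forward(src.mac, BROADCAST, src.port, now)   # ARP request: a broadcast
        sw.forward(dst.mac, src.mac, dst.port, now)     # ARP reply: lets the switch learn dst
        src.arp[dst.mac] = now
        dst.arp[src.mac] = now                          # the target caches the requester too
    sw.forward(src.mac, dst.mac, src.port, now)


def arp_vs_ageing(arp_timeout):
    """Two hosts talk, fall silent for longer than the switch ageing time, then talk
    again.  Returns how many unicast frames were flooded."""
    sw = Switch(ports=4, ageing=300, capacity=1024)
    a = Host("02:00:00:00:00:0a", 0, arp_timeout)
    b = Host("02:00:00:00:00:0b", 1, arp_timeout)
    send(sw, a, b, 0)
    send(sw, b, a, 1)
    send(sw, a, b, 400)      # both FIB entries aged out; only a fresh ARP would re-teach the switch
    send(sw, b, a, 401)
    return sw.unicast_floods


def table_exhaustion(capacity):
    """An attacker sprays frames from bogus source MACs; once the table is full a new
    host cannot be learned and everything addressed to it is flooded.  Returns the
    number of legitimate unicast frames that were flooded."""
    sw = Switch(ports=4, ageing=300, capacity=capacity)
    a = Host("02:00:00:00:00:0a", 0, 60)
    c = Host("02:00:00:00:00:0c", 2, 60)
    send(sw, a, c, 0)
    send(sw, c, a, 1)                        # normal operation: nothing is flooded
    for i in range(50):                      # attacker on port 3 (constructed MAC prefix 02:bb:bb:bb)
        sw.forward(f"02:bb:bb:bb:{i >> 8:02x}:{i & 0xff:02x}", BROADCAST, 3, 2)
    d = Host("02:00:00:00:00:0d", 1, 60)     # a new host appears after the table filled up
    send(sw, d, a, 3)                        # with a full table, a's ARP reply to d is flooded
    send(sw, a, d, 4)                        # and so is every later frame addressed to d
    return sw.unicast_floods


if __name__ == "__main__":
    print("ARP 4 h vs ageing 5 min:", arp_vs_ageing(14400), "flooded frame(s)")
    print("ARP 60 s vs ageing 5 min:", arp_vs_ageing(60), "flooded frame(s)")
    print("FIB of 8 entries under MAC flooding:", table_exhaustion(8), "flooded frame(s)")
    print("FIB of 1024 entries under the same attack:", table_exhaustion(1024), "flooded frame(s)")
```

With a four-hour ARP cache (a common router default) and five-minute ageing, the second conversation is flooded because the host never re-ARPs; with a 60-second ARP cache the broadcast ARP request re-teaches the switch and nothing is flooded. In the exhaustion case the switch forwards the attacker's frames happily; it is the legitimate new host whose traffic leaks to every port.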

Remedies

Blocking unicast floods on a Cisco switch is straightforward, but it is not enabled by default. The command below stops unknown-unicast frames from being flooded out of an access port. A host behind such a port then receives nothing until the switch has learned its MAC address from a frame the host itself sent, so first ensure that the MAC ageing timeout, and/or security features such as port security, keep table entries on client access ports longer than typical host ARP cache timeouts: [5]

Switch(config-if)# switchport block unicast

Other techniques isolate hosts at layer 2, blocking intra-LAN communication that is not destined to specific nodes providing a shared service (e.g. a router). A handy tool for this is the protected port, available even on lower-end switches: protected ports on the same switch are forbidden to exchange traffic with each other, so a frame flooded in from one protected port is not delivered to the others. Traffic to unprotected ports, and to ports on other switches, is unaffected: [6]

Switch(config-if)# switchport protected

A more robust, cross-switch solution than 'switchport protected' is the use of Private VLANs. [7]

To block flooding on a Linux machine modern enough to have iproute2 installed, unknown-unicast flooding can be disabled per bridge port with the bridge tool (phy6 is an example port name; the setting is per port, so repeat it for each port that should not receive floods):

bridge link set dev phy6 flood off

As with switchport block unicast, a host behind such a port receives nothing addressed to its MAC until the bridge has learned that MAC from a frame the host sent, so the bridge's ageing time must outlive the hosts' ARP caches. To set the MAC ageing time (here 330 s) larger than the ARP timeout (here 300 s), these commands can be issued:

brctl setageing br0 330; echo 300 > /proc/sys/net/ipv4/neigh/br0/gc_stale_time

The learned entries can be inspected with bridge fdb show br br0, and the per-port flood flag with bridge -d link show.

Most modern switches, high and low end, support flooding protection.

Effects on Networks

When a network is experiencing unicast flooding, network performance is degraded. Here is a graph of a bridge before and after adjusting the size of the bridge address cache: [1]

[Figure: traffic through the bridge before and after enlarging its address cache]

About 80% of the frames were flooded out, never to be received by any host with the destination address, while 20% were legitimate traffic. In high-volume networks the flooded traffic may saturate ports and cause packet loss and high latency.

Another side effect of exhausted address tables is the exposure of data. Switched Ethernet is often assumed to deliver a unicast frame only to its addressee, but a flooded frame reaches every port in the broadcast domain, so any end user running a packet sniffer in promiscuous mode can capture and read it. The security implications are discussed under MAC flooding, which is one of several causes of unicast floods.
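How a host can tell that it is on the receiving end of a unicast flood, as an added example that is not part of the original article or of any cited source: frames are classified by their destination MAC, and any unicast frame addressed to someone else is evidence of flooding (or of a hub or mirror port). The frames below are constructed byte strings, not a real capture, and MY_MAC is an assumed address for the sniffing host; the sample is built to reproduce the 80/20 split reported above.

```python
"""Classify frames seen by one host to detect unicast flooding.

Added example for this article, not from the cited sources.  The sample frames
are constructed byte strings, not a real capture; MY_MAC is an assumed address
for the host running the sniffer (which must be in promiscuous mode to see
frames addressed to others at all).
"""
from collections import Counter

MY_MAC = bytes.fromhex("020000000001")   # constructed: the sniffing host's own MAC
BROADCAST = b"\xff" * 6


def classify(frame, my_mac=MY_MAC):
    """Return the destination class of one raw Ethernet frame (bytes)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                    # I/G bit set: a group (multicast) address
        return "multicast"
    if dst == my_mac:
        return "unicast-to-me"
    # A switched network should never deliver this to us; seeing it means the
    # switch flooded the frame (or we sit on a hub or a mirror port).
    return "unicast-to-other"


def flood_report(frames, my_mac=MY_MAC):
    """Return (counts per class, share of unicast frames that were not for us)."""
    counts = Counter(classify(f, my_mac) for f in frames)
    unicast = counts["unicast-to-me"] + counts["unicast-to-other"]
    share = counts["unicast-to-other"] / unicast if unicast else 0.0
    return dict(counts), share


def make_frame(dst_hex, src_hex, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a minimal Ethernet II frame from hex MAC strings (constructed test data)."""
    return bytes.fromhex(dst_hex) + bytes.fromhex(src_hex) + ethertype.to_bytes(2, "big") + payload


# Constructed capture: what a host on a flooding segment might see.
SAMPLE = (
    [make_frame("020000000001", "0200000000aa")] * 2                                   # unicast for us
    + [make_frame("ffffffffffff", "0200000000aa", 0x0806)]                              # ARP request, broadcast
    + [make_frame("01005e000001", "0200000000bb")]                                      # IPv4 multicast
    + [make_frame(f"0200000000{n:02x}", "0200000000aa") for n in range(0x10, 0x18)]    # 8 frames for other hosts
)

if __name__ == "__main__":
    counts, share = flood_report(SAMPLE)
    print(counts)
    print(f"{share:.0%} of the unicast traffic seen was flooded")
```

A steady non-zero share of unicast-to-other frames on an ordinary access port is the symptom to look for; on a healthy switched segment that class should be empty apart from the occasional frame flooded during learning. Broadcast and multicast are excluded from the ratio because a switch is supposed to deliver those to every port.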

References

  1. Rudy Rucker (2012-01-27). "Fix for unicast flooding". Retrieved 2021-03-08.
  2. Steven King (2009-06-17). "Unicast Flooding". Retrieved 2012-01-27.
  3. "Elimination of Asymmetric Forwarding and Unicast Flooding". Cisco Systems Inc. Retrieved 2012-01-27.
  4. Balaji Sivasubramanian (2004-09-10). "Troubleshooting Unicast Flooding Due to Topology". Cisco Press. Retrieved 2012-01-27.
  5. Jeremy Stretch (2010-06-04). "Blocking Unknown Unicast Flooding". PacketLife.net. Retrieved 2012-01-27.
  6. Petr Lapukhov (2008-07-14). "Private VLANs Revisited". Retrieved 2012-04-07.
  7. "Configuring Private VLANs". Cisco. Retrieved 2012-04-07.