
Re: [Xen-users] Secure VLANs

On 05/01/11 22:00, Fajar A. Nugraha wrote:
> On Thu, Jan 6, 2011 at 4:49 AM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
>> On 05/01/11 21:40, Javier Guerra Giraldez wrote:
>>> On Tue, Jan 4, 2011 at 5:58 AM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
>>> Don't present the physical interface to the DomUs
>>
>> I had this method in my head however I wasn't sure if it is "secure". Using
>> the above simple method, is there *no way* that a customer could "VLAN Hop"
>> by double tagging or anything else?
> It's common networking stuff, same situation with physical servers and
> switches, nothing xen-specific about it. Your network guys will have
> more info.
>
> IIRC it's safe as long as you do NOT assign the switch's native vlan
> (usually vlan1) to domU.
Hi Fajar,

While I agree it's nothing xen-specific, I've never done any VLAN stuff with Linux bridges before (which is where my confusion lies). All the VLAN stuff I've done involved physical switches and servers and no, I would never allow a switch port connected to a server to have a native VLAN ID the same as the native VLAN ID of a trunk port (as I believe that this is how double tagging exploits work).

So in the context of Xen, given that a trunk port on the switch would connect to Dom0, all I have to make sure is that the DomUs aren't connected to a bridge in the Dom0 with a VLAN ID the same as the native VLAN ID of the switch trunk port? (In any case, I would have native VLAN disabled on the trunk port on my HP Procurve switch, forcing all traffic to be tagged.)

If someone were to try and tag a frame exiting their DomU, what would happen?
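An added example, not from anyone in this thread: a small Python parser that walks the 802.1Q tag stack of an Ethernet frame as it would be seen leaving a DomU's vif (before Dom0's eth0.X interface adds the customer's tag) and flags the two cases discussed above, a guest-supplied tag equal to the trunk's native VLAN ID and a double-tagged frame. The sample frames, MAC addresses and native VID of 1 are constructed assumptions.

```python
import struct

# TPIDs that mark a VLAN tag; 0x8100 is plain 802.1Q, 0x88A8 is 802.1ad (QinQ).
TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad"}

def parse_tags(frame):
    """Return ([(tpid, vid), ...], inner_ethertype) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tags, off = [], 12                      # ethertype field follows dst+src MACs
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            return tags, etype              # first non-TPID value is the real ethertype
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))  # low 12 bits of the TCI are the VID
        off += 4

def classify(frame, native_vid=1):
    """Verdict for a frame exiting a DomU: in this design the guest should send
    untagged frames only, so any tag is worth logging; a tag equal to the
    trunk's native VID, or a second tag, is the double-tagging pattern."""
    tags, _ = parse_tags(frame)
    if not tags:
        return "untagged"
    if len(tags) > 1:
        return "double-tagged"
    if tags[0][1] == native_vid:
        return "tagged-native"
    return "tagged"

def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed test frame: optional stacked 802.1Q tags, then IPv4 ethertype."""
    hdr = dst + src + b"".join(struct.pack("!HH", 0x8100, v & 0x0FFF) for v in vids)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed samples (00:16:3e is the Xen guest OUI, the rest is made up).
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("00163e000001")
SAMPLES = {
    "plain": build_frame(DST, SRC, []),
    "guest_tag_native": build_frame(DST, SRC, [1]),
    "guest_tag_other": build_frame(DST, SRC, [20]),
    "double": build_frame(DST, SRC, [1, 20]),
}

def audit(frames=SAMPLES, native_vid=1):
    return {name: classify(f, native_vid) for name, f in frames.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:18s} {verdict}")
```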


Xen-users mailing list