Re: [Xen-users] Secure VLANs
On 05/01/11 22:00, Fajar A. Nugraha wrote:
> On Thu, Jan 6, 2011 at 4:49 AM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
>> On 05/01/11 21:40, Javier Guerra Giraldez wrote:
>>> On Tue, Jan 4, 2011 at 5:58 AM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
>>>
>>> Don't present the physical interface to the DomUs
>>
>> I had this method in my head; however, I wasn't sure if it is "secure".
>> Using the above simple method, is there *no way* that a customer could
>> "VLAN Hop" by double tagging or anything else?
>
> It's common networking stuff, same situation with physical servers and
> switches, nothing xen-specific about it. Your network guys will have more
> info. IIRC it's safe as long as you do NOT assign the switch's native vlan
> (usually vlan1) to domU.

Hi Fajar,

While I agree it's nothing xen-specific, I've never done any VLAN stuff with
Linux bridges before (which is where my confusion lies). All the VLAN stuff
I've done involved physical switches and servers, and no, I would never allow
a switch port connected to a server to have a native VLAN ID the same as the
native VLAN ID of a trunk port (as I believe that this is how double tagging
exploits work).

So in the context of Xen, given that a trunk port on the switch would connect
to Dom0, all I have to make sure is that the DomUs aren't connected to a
bridge in the Dom0 with a VLAN ID the same as the native VLAN ID of the switch
trunk port? (In any case, I would have native VLAN disabled on the trunk port
on my HP Procurve switch, forcing all traffic to be tagged.)

If someone were to try and tag a frame exiting their DomU, what would happen?

Thanks

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
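The layout the thread converges on (one tagged sub-interface per customer VLAN on the dom0 trunk NIC, a bridge on top of each, and only the bridge handed to the domU's vif) can be expressed as a small dom0 helper. The script below is an added example, not code from the thread or from the Xen project. It prints the `ip`/`brctl`/`ebtables` commands rather than executing them, so it runs without root, and it carries the pre-flight check the posters describe: refuse to bridge domU traffic onto the trunk port's native VLAN. The interface name `eth0`, native VLAN 1, the `xenbrNNN` bridge naming and the `vif+` wildcard are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): per-VLAN bridges on a Xen dom0 plus a
# check that no domU bridge sits on the trunk's native VLAN.

TRUNK_IF="eth0"     # assumed: dom0 NIC cabled to the switch trunk port
NATIVE_VLAN="1"     # assumed: native (untagged) VLAN of that trunk port

# Print the dom0 commands for one customer VLAN: a tagged sub-interface
# eth0.<vid> and a bridge xenbr<vid> containing only that sub-interface.
# The physical trunk interface itself is never added to any domU bridge.
vlan_bridge_cmds() {
    vid="$1"
    echo "ip link add link $TRUNK_IF name $TRUNK_IF.$vid type vlan id $vid"
    echo "ip link set $TRUNK_IF.$vid up"
    echo "brctl addbr xenbr$vid"
    echo "brctl addif xenbr$vid $TRUNK_IF.$vid"
    echo "ip link set xenbr$vid up"
}

# Print a bridge-level filter dropping any frame that arrives from a domU
# vif already carrying an 802.1Q tag, so a guest cannot supply its own tag
# in front of the one the eth0.<vid> sub-interface adds on egress.
# "vif+" is an assumed wildcard for the dom0 vif interface names.
drop_tagged_from_vifs_cmd() {
    echo "ebtables -A FORWARD -i vif+ -p 802_1Q -j DROP"
}

# Return 0 when every requested customer VLAN is usable; return 1 if any
# id is malformed, out of the 1..4094 range, or equal to the native VLAN.
check_customer_vlans() {
    for vid in "$@"; do
        case "$vid" in
            ''|*[!0-9]*) echo "invalid VLAN id: '$vid'" >&2; return 1 ;;
        esac
        if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
            echo "VLAN id out of range: $vid" >&2
            return 1
        fi
        if [ "$vid" -eq "$NATIVE_VLAN" ]; then
            echo "refusing to bridge domU traffic onto native VLAN $vid" >&2
            return 1
        fi
    done
    return 0
}

# Usage: emit the full dom0 setup for two constructed customer VLANs.
if check_customer_vlans 100 200; then
    drop_tagged_from_vifs_cmd
    for v in 100 200; do
        vlan_bridge_cmds "$v"
    done
fi
```

Pipe the output into `sh` on the dom0 once it reads correctly; in a domU config the guest's vif then references `bridge=xenbr100` (or the bridge for its VLAN) and never `eth0` or `xenbr1`.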