
Re: [Xen-users] Secure VLANs

On Wed, Jan 5, 2011 at 6:45 PM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
> Thank you for the info. I think this has cleared up my confusion.

One is glad to be of help  :-)

> So, it is the linux vconfig utility that strips all vlan tags coming into
> the Dom0 and conversely, tags traffic coming out?

More exactly, vconfig sets up the virtual interfaces. Once they're
set up, the kernel will do the right thing. (Oh, be sure that eth0's
MTU is 4 bytes bigger than usual, to let the tag pass through.)

> And provided that on my trunk lines (i.e. switch to Dom0, switch to switch
> and VLAN-aware firewall to switch) I either disable native VLAN (PVID) *or*
> make sure that the native VLAN ID on the trunk ports are not the same as any
> customer VLAN ID, then VLAN hopping can't occur?

Never say never... but I would be _very_ surprised if such a thing were
possible without more direct exploits (like buffer overflows that
let you plant code to be executed... but Linux network code is under
constant scrutiny for this kind of thing. The VLAN code in the
kernel is very simple and easy to read.)
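The two concrete points in the reply (the 4-byte 802.1Q tag behind the MTU advice, and the native VLAN ID not colliding with a customer VLAN ID) as an added Python example; it is not code from the thread. The frames, MAC addresses and VLAN IDs are constructed for the demonstration.

```python
import struct

TPID_8021Q = 0x8100
VLAN_TAG_LEN = 4      # TPID (2 bytes) + TCI (2 bytes): the 4 bytes eth0's MTU must absorb
ETH_HDR_LEN = 14      # dst MAC + src MAC + ethertype
STD_MTU = 1500

def parse_frame(frame: bytes) -> dict:
    """Unwrap every stacked 802.1Q tag, the way the kernel's VLAN code sees it.
    Returns the VIDs outermost-first, the inner ethertype and the payload."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short")
    dst, src = frame[0:6], frame[6:12]
    offset, vids = 12, []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype == TPID_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VLAN ID
        offset += VLAN_TAG_LEN
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {"dst": dst, "src": src, "vids": vids,
            "ethertype": ethertype, "payload": frame[offset + 2:]}

def build_frame(dst: bytes, src: bytes, vids, ethertype: int, payload: bytes) -> bytes:
    """Constructed sample-frame builder (hypothetical helper) with 0..n stacked tags."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def required_mtu(tag_count: int, std_mtu: int = STD_MTU) -> int:
    """MTU the physical interface needs so a full-size payload still fits with its tag(s)."""
    return std_mtu + VLAN_TAG_LEN * tag_count

def audit_trunk(frame: bytes, pvid, customer_vids: set) -> list:
    """Defensive checks for one frame seen on a trunk port.
    pvid is the port's native VLAN ID, or None when native VLAN is disabled."""
    findings = []
    parsed = parse_frame(frame)
    if len(parsed["vids"]) > 1:
        findings.append("stacked 802.1Q tags seen: %s" % parsed["vids"])
    if pvid is not None and pvid in customer_vids:
        findings.append("native VLAN %d is also a customer VLAN" % pvid)
    return findings
```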
