[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Secure VLANs

  • To: Xen User-List <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Fajar A. Nugraha" <list@xxxxxxxxx>
  • Date: Thu, 6 Jan 2011 09:32:03 +0700
  • Delivery-date: Wed, 05 Jan 2011 18:33:03 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

On Thu, Jan 6, 2011 at 9:13 AM, Javier Guerra Giraldez
<javier@xxxxxxxxxxx> wrote:
> On Wed, Jan 5, 2011 at 6:45 PM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
>> So, it is the linux vconfig utility that strips all vlan tags coming into
>> the Dom0 and conversely, tags traffic coming out?
> more exactly, vconfig sets up the virtual interfaces.  once they're
> set up, the kernel will do the right thing.

... assuming vlan support is built into the kernel, which is the
default for most distros.

> (oh, be sure that eth0's
> MTU is 4 bytes bigger than usual, to let the tag pass through).

Modern distros (I tested RHEL and Ubuntu) works just fine without any
need to manually adjust MTU whatsoever.

>> And provided that on my trunk lines (i.e. switch to Dom0, switch to switch
>> and VLAN-aware firewall to switch) I either disable native VLAN (PVID) *or*
>> make sure that the native VLAN ID on the trunk ports are not the same as any
>> customer VLAN ID, then VLAN hopping can't occur?
> never say never... but i would be _very_ surprised if such thing would
> be possible without more direct exploits (like buffer overflows that
> let you plant code to be executed... but Linux network code is under
> constant scrutiny for these kind of things.  the VLAN code in the
> kernel is very simple and easy to read.)

When dom0 is configured correctly, assigning a specific vlan to domU
is as secure as assigning a configuring the switch to assign specific
vlan to a physical server.


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.