Re: [Xen-users] Secure VLANs
On Thu, Jan 6, 2011 at 9:13 AM, Javier Guerra Giraldez <javier@xxxxxxxxxxx> wrote:
> On Wed, Jan 5, 2011 at 6:45 PM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
>> So, it is the linux vconfig utility that strips all vlan tags coming into
>> the Dom0 and conversely, tags traffic coming out?
>
> more exactly, vconfig sets up the virtual interfaces. once they're
> set up, the kernel will do the right thing.

... assuming vlan support is built into the kernel, which is the default for most distros.

> (oh, be sure that eth0's
> MTU is 4 bytes bigger than usual, to let the tag pass through).

Modern distros (I tested RHEL and Ubuntu) work just fine without any need to manually adjust MTU whatsoever.

>> And provided that on my trunk lines (i.e. switch to Dom0, switch to switch
>> and VLAN-aware firewall to switch) I either disable native VLAN (PVID) *or*
>> make sure that the native VLAN ID on the trunk ports is not the same as any
>> customer VLAN ID, then VLAN hopping can't occur?
>
> never say never... but i would be _very_ surprised if such a thing would
> be possible without more direct exploits (like buffer overflows that
> let you plant code to be executed... but Linux network code is under
> constant scrutiny for these kinds of things. the VLAN code in the
> kernel is very simple and easy to read.)

When dom0 is configured correctly, assigning a specific vlan to domU is as secure as configuring the switch to assign a specific vlan to a physical server.

--
Fajar
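The check the thread settles on (no customer VLAN ID may equal a trunk port's native VLAN / PVID) can be audited from the dom0 side. The script below is an added example, not code from the list or from Xen: it parses the 802.1Q sub-interfaces out of `ip -d link show` output and compares their IDs against a table of trunk-port PVIDs. Both the `ip` output and the `TRUNK_PVIDS` table are constructed samples, and the switch port names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ip -d link show` on a dom0 with two customer
# VLAN sub-interfaces on eth0 (not captured from a real host).
SAMPLE_IP_LINK = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff promiscuity 1
3: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff promiscuity 0
    vlan protocol 802.1Q id 100 <REORDER_HDR>
4: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff promiscuity 0
    vlan protocol 802.1Q id 1 <REORDER_HDR>
"""

# Constructed table of native VLANs (PVIDs) on the trunk ports facing this
# dom0; port names are assumed, not taken from any real switch.
TRUNK_PVIDS = {"switch1/Gi0/1": 1, "switch1/Gi0/24": 999}

IFACE_RE = re.compile(r"^\d+: (?P<name>[^:@\s]+)(?:@(?P<parent>[^:\s]+))?:", re.M)
VLAN_RE = re.compile(r"vlan protocol 802\.1Q id (?P<id>\d+)")


def parse_vlan_ifaces(ip_link_output: str) -> Dict[str, Tuple[str, int]]:
    """Map each 802.1Q sub-interface name to (parent device, VLAN id)."""
    result: Dict[str, Tuple[str, int]] = {}
    # Each interface block starts at column 0 with "<index>: ".
    for block in re.split(r"(?m)^(?=\d+: )", ip_link_output):
        head = IFACE_RE.match(block)
        tag = VLAN_RE.search(block)
        if head and tag and head.group("parent"):
            result[head.group("name")] = (head.group("parent"), int(tag.group("id")))
    return result


def native_vlan_collisions(customer_vlans: Dict[str, Tuple[str, int]],
                           trunk_pvids: Dict[str, int]) -> List[Tuple[str, str, int]]:
    """Return (trunk_port, sub_interface, vlan_id) where a trunk's native VLAN
    equals a VLAN handed to a domU, i.e. untagged frames on that trunk would
    be delivered into a customer's VLAN."""
    return [(port, iface, vid)
            for port, pvid in trunk_pvids.items()
            for iface, (_parent, vid) in customer_vlans.items()
            if vid == pvid]


if __name__ == "__main__":
    for port, iface, vid in native_vlan_collisions(parse_vlan_ifaces(SAMPLE_IP_LINK), TRUNK_PVIDS):
        print(f"WARNING: {iface} carries VLAN {vid}, which is the native VLAN on {port}")
```

On a real host, feed it the output of `ip -d link show` and the PVIDs reported by the switch; an empty result means the condition the thread asks about holds for that trunk.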