Re: [Xen-users] Secure VLANs
On Wed, Jan 5, 2011 at 6:45 PM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
> Thank you for the info. I think this has cleared up my confusion.

One is glad to be of help :-)

> So, it is the linux vconfig utility that strips all vlan tags coming into
> the Dom0 and conversely, tags traffic coming out?

More exactly, vconfig sets up the virtual interfaces. Once they're set up, the kernel will do the right thing. (Oh, be sure that eth0's MTU is 4 bytes bigger than usual, to let the tag pass through.)

> And provided that on my trunk lines (i.e. switch to Dom0, switch to switch
> and VLAN-aware firewall to switch) I either disable native VLAN (PVID) *or*
> make sure that the native VLAN ID on the trunk ports is not the same as any
> customer VLAN ID, then VLAN hopping can't occur?

Never say never... but I would be _very_ surprised if such a thing were possible without more direct exploits (like buffer overflows that let you plant code to be executed... but Linux network code is under constant scrutiny for this kind of thing. The VLAN code in the kernel is very simple and easy to read.)

--
Javier

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
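The two points in the reply above, the 4-byte 802.1Q tag that eth0's MTU must leave room for and the native-VLAN overlap that would drop untagged trunk traffic into a customer VLAN, shown in an added Python example that is not from the thread or from Xen. It builds and parses tagged frames and applies the trunk policy the question describes; MAC addresses, VLAN IDs and payloads are constructed sample values.

```python
import struct

ETHERTYPE_8021Q = 0x8100
TAG_LEN = 4  # size of the 802.1Q tag: the extra bytes eth0's MTU must allow


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vid, inner_ethertype, payload); vid is None when untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]


def check_trunk_policy(trunk_pvid, customer_vlans):
    """Static check from the thread: native VLAN disabled or not a customer VLAN."""
    return trunk_pvid is None or trunk_pvid not in customer_vlans


def classify_ingress(frame, trunk_pvid, customer_vlans):
    """Decide where a frame arriving on a trunk port lands. Untagged frames
    take the port's native VLAN (PVID); if that PVID is also a customer VLAN,
    untagged traffic reaches a customer network, which is the overlap to avoid."""
    vid, _, _ = parse_frame(frame)
    if vid is None:
        if trunk_pvid is None:
            return None, "drop: untagged frame on trunk with native VLAN disabled"
        if trunk_pvid in customer_vlans:
            return trunk_pvid, "alert: native VLAN overlaps a customer VLAN"
        return trunk_pvid, "accept: untagged frame stays in the native VLAN"
    if vid not in customer_vlans:
        return vid, "drop: VID not provisioned on this trunk"
    return vid, "accept: tagged frame delivered to customer VLAN"


if __name__ == "__main__":
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000a01")  # constructed
    tagged = build_frame(dst, src, 0x0800, b"\x00" * 10, vid=100)
    untagged = build_frame(dst, src, 0x0800, b"\x00" * 10)
    print(len(tagged) - len(untagged), "extra bytes per tagged frame")
    print(classify_ingress(untagged, trunk_pvid=100, customer_vlans={100, 200}))
```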