WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Secure VLANs

On Wed, Jan 5, 2011 at 6:45 PM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
> Thank you for the info. I think this has cleared up my confusion.

One is glad to be of help  :-)

> So, it is the linux vconfig utility that strips all vlan tags coming into
> the Dom0 and conversely, tags traffic coming out?

More exactly, vconfig sets up the virtual interfaces.  Once they're
set up, the kernel will do the right thing. (Oh, be sure that eth0's
MTU is 4 bytes bigger than usual, to let the tag pass through.)


> And provided that on my trunk lines (i.e. switch to Dom0, switch to switch
> and VLAN-aware firewall to switch) I either disable native VLAN (PVID) *or*
> make sure that the native VLAN ID on the trunk ports is not the same as any
> customer VLAN ID, then VLAN hopping can't occur?

Never say never... but I would be _very_ surprised if such a thing were
possible without more direct exploits (like buffer overflows that
let you plant code to be executed... but Linux network code is under
constant scrutiny for these kinds of things.  The VLAN code in the
kernel is very simple and easy to read.)

-- 
Javier

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
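The reply above describes three things: the kernel adds a 4-byte 802.1Q tag on egress through each vconfig sub-interface and strips it on ingress (hence the bigger MTU on eth0), and the trunk's native VLAN must be disabled or kept distinct from any customer VLAN. The following is an added example, not code from the thread or from Xen, that models that tagging and demux behaviour and runs the two defender's checks; the frame bytes, interface names and MTU values are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100   # EtherType announcing an 802.1Q tag
TAG_LEN = 4           # TPID (2 bytes) + TCI (2 bytes): why eth0's MTU needs +4


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Egress via eth0.<vid>: insert the tag after the 12-byte dst/src MAC header."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | vid          # priority bits + 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Ingress on the trunk: return (vid, frame without tag); vid is None if untagged."""
    if len(frame) >= 12 + TAG_LEN and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, frame[:12] + frame[12 + TAG_LEN:]
    return None, frame


def ingress(frame: bytes, vlan_ifaces: set, parent: str = "eth0"):
    """Which interface receives the frame? A tagged frame whose VID has a
    sub-interface goes to parent.<vid>; an unknown VID is dropped (None);
    an untagged frame stays on the parent (the native-VLAN case)."""
    vid, payload = untag_frame(frame)
    if vid is None:
        return parent, payload
    return (f"{parent}.{vid}", payload) if vid in vlan_ifaces else (None, payload)


def audit_trunk(native_vid, customer_vids, parent_mtu, vlan_mtu=1500):
    """The two checks from the thread: native VLAN off or not a customer VLAN,
    and the trunk MTU leaving TAG_LEN bytes of headroom for the tag."""
    findings = []
    if native_vid is not None and native_vid in customer_vids:
        findings.append(f"native VLAN {native_vid} collides with a customer VLAN")
    if parent_mtu < vlan_mtu + TAG_LEN:
        findings.append(f"parent MTU {parent_mtu} leaves no room for the "
                        f"{TAG_LEN}-byte tag on {vlan_mtu}-byte VLAN frames")
    return findings


if __name__ == "__main__":
    # Constructed sample: dst MAC, src MAC, EtherType IPv4, short payload.
    frame = bytes.fromhex("001122334455 66778899aabb 0800") + b"payload"
    print(ingress(tag_frame(frame, 100), {100, 200}))   # ('eth0.100', <untagged frame>)
    print(audit_trunk(100, {100, 200}, 1500))           # two findings
```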
