xen-users
Re: [Xen-users] Secure VLANs
On 05/01/11 22:00, Fajar A. Nugraha wrote:
On Thu, Jan 6, 2011 at 4:49 AM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
On 05/01/11 21:40, Javier Guerra Giraldez wrote:
On Tue, Jan 4, 2011 at 5:58 AM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
Don't present the physical interface to the DomUs
I had this method in my head however I wasn't sure if it is "secure". Using
the above simple method, is there *no way* that a customer could "VLAN Hop"
by double tagging or anything else?
It's common networking stuff, same situation with physical servers and
switches, nothing xen-specific about it. Your network guys will have
more info.
IIRC it's safe as long as you do NOT assign the switch's native vlan
(usually vlan1) to domU.
Hi Fajar,
While I agree it's nothing xen-specific, I've never done any VLAN stuff
with Linux bridges before (which is where my confusion lies). All the
VLAN stuff I've done involved physical switches and servers and no, I
would never allow a switch port connected to a server to have a native
VLAN ID the same as the native VLAN ID of a trunk port (as I believe
that this is how double tagging exploits work).
So in the context of Xen, given that a trunk port on the switch would
connect to Dom0, all I have to make sure is that the DomUs aren't
connected to a bridge in the Dom0 with a VLAN ID the same as the native
VLAN ID of the switch trunk port? (In any case, I would have native VLAN
disabled on the trunk port on my HP ProCurve switch, forcing all traffic
to be tagged).
If someone were to try and tag a frame exiting their DomU, what would
happen?
Thanks
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
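The question at the end of the thread (what happens when a DomU emits an already-tagged frame) is answered by walking the frame through each hop. The following is an added example, not code from the thread or from Xen: it models the 802.1Q tag handling of a Linux VLAN subinterface on egress (push the subinterface's tag outside whatever the frame already carries) and of a switch trunk port (classify by the outer tag, send the native VLAN untagged toward the next switch), then runs the four configurations discussed above through it. Interface names such as eth0.100 / xenbr100, the MAC addresses and payloads are constructed for the example; the switch model is a generic one, not a description of any particular ProCurve firmware.

```python
import struct

ETH_P_8021Q = 0x8100  # 802.1Q TPID
ETH_P_IP = 0x0800

# Constructed sample addresses/payload (not real hosts).
DOMU_MAC = bytes.fromhex("00163e0a0b0c")
GW_MAC = bytes.fromhex("001b2c3d4e5f")
PAYLOAD = b"\x45\x00" + b"\x00" * 18  # stand-in for an IP header


def build_frame(dst, src, payload, vlan_ids=(), ethertype=ETH_P_IP):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    hdr = dst + src
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP/DEI left 0
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_tags(frame):
    """Return (list of VLAN IDs outermost first, inner ethertype)."""
    off, tags = 12, []
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags, struct.unpack_from("!H", frame, off)[0]


def vlan_subinterface_egress(frame, vid):
    """Linux 8021q subinterface (e.g. eth0.100) on transmit: it inserts its own
    tag right after the MACs, so a frame the DomU already tagged becomes
    double-tagged (outer = bridge VLAN, inner = whatever the DomU chose)."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def classify(frame, native_vid):
    """VLAN a trunk port assigns to an incoming frame: the outer tag if present,
    else the native VLAN. native_vid=None models 'no untagged VLAN on this
    trunk' (all traffic must be tagged), so untagged frames are dropped."""
    tags, _ = parse_tags(frame)
    return tags[0] if tags else native_vid


def trunk_egress(frame, vlan, native_vid):
    """Frame leaving a trunk port toward the next switch: the native VLAN
    travels untagged (outer tag popped), every other VLAN keeps its tag."""
    tags, _ = parse_tags(frame)
    if vlan == native_vid and tags and tags[0] == vlan:
        return frame[:12] + frame[16:]
    return frame


def vlan_reached_downstream(domu_frame, bridge_vid, native_vid):
    """DomU -> xenbr<bridge_vid> -> eth0.<bridge_vid> -> switch A trunk -> switch B.
    bridge_vid=None models a DomU bridged straight onto the physical trunk NIC.
    Returns the VLAN switch B puts the frame in, or None if it was dropped."""
    wire = domu_frame if bridge_vid is None else vlan_subinterface_egress(domu_frame, bridge_vid)
    vlan_a = classify(wire, native_vid)
    if vlan_a is None:
        return None
    return classify(trunk_egress(wire, vlan_a, native_vid), native_vid)


# Constructed test frames: a normal untagged frame and a hop attempt aimed at VLAN 200.
PLAIN = build_frame(GW_MAC, DOMU_MAC, PAYLOAD)
ATTEMPT_200 = build_frame(GW_MAC, DOMU_MAC, PAYLOAD, vlan_ids=(200,))

if __name__ == "__main__":
    cases = [
        ("DomU on xenbr100, switch native VLAN 1, tags 200", ATTEMPT_200, 100, 1),
        ("DomU on xenbr1 (the native VLAN), tags 200", ATTEMPT_200, 1, 1),
        ("DomU on xenbr1, trunk has no native VLAN, tags 200", ATTEMPT_200, 1, None),
        ("DomU bridged onto raw eth0, tags 200", ATTEMPT_200, None, 1),
        ("DomU on xenbr100 sends an ordinary untagged frame", PLAIN, 100, 1),
    ]
    for name, frame, bridge_vid, native_vid in cases:
        print(f"{name}: lands in VLAN {vlan_reached_downstream(frame, bridge_vid, native_vid)}")
```

Reading the results: with the DomU on xenbr100 its self-applied tag 200 ends up encapsulated inside tag 100 and never becomes visible to the downstream switch, which is why the plain per-VLAN-bridge design holds. The hop only works when the DomU sits in the trunk's native VLAN (switch A pops the native tag, exposing tag 200 to switch B), which is exactly Fajar's caveat; configuring the trunk with no untagged VLAN removes that case as well. A DomU bridged onto the raw physical interface simply picks its VLAN. This assumes a plain Linux bridge that forwards the DomU's tagged frame unchanged into the VLAN subinterface, which is the behaviour of the bridge without VLAN filtering.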