This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Secure VLANs

To: "Fajar A. Nugraha" <list@xxxxxxxxx>
Subject: Re: [Xen-users] Secure VLANs
From: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
Date: Wed, 05 Jan 2011 22:21:26 +0000
Cc: Xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 05 Jan 2011 14:23:11 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <AANLkTi==xYKQGJvEef4vJudsxEsJpnDdhCdzQeX-RrKe@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4D22FD70.4030307@xxxxxxxxxxx> <AANLkTinS28-aiPCVnP2909ai7veu_eT1hS8o8EJ6QC29@xxxxxxxxxxxxxx> <4D24E773.6060209@xxxxxxxxxxx> <AANLkTi==xYKQGJvEef4vJudsxEsJpnDdhCdzQeX-RrKe@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20101027 Thunderbird/3.1.6

On 05/01/11 22:00, Fajar A. Nugraha wrote:
> On Thu, Jan 6, 2011 at 4:49 AM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
>> On 05/01/11 21:40, Javier Guerra Giraldez wrote:
>>> On Tue, Jan 4, 2011 at 5:58 AM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
>>> Don't present the physical interface to the DomUs
>>
>> I had this method in my head however I wasn't sure if it is "secure". Using
>> the above simple method, is there *no way* that a customer could "VLAN Hop"
>> by double tagging or anything else?
> It's common networking stuff, same situation with physical servers and
> switches, nothing xen-specific about it. Your network guys will have
> more info.
>
> IIRC it's safe as long as you do NOT assign the switch's native vlan
> (usually vlan1) to domU.
Hi Fajar,

While I agree it's nothing xen-specific, I've never done any VLAN stuff with Linux bridges before (which is where my confusion lies). All the VLAN stuff I've done involved physical switches and servers and no, I would never allow a switch port connected to a server to have a native VLAN ID the same as the native VLAN ID of a trunk port (as I believe that this is how double tagging exploits work).

So in the context of Xen, given that a trunk port on the switch would connect to Dom0, all I have to make sure is that the DomUs aren't connected to a bridge in the Dom0 with a VLAN ID the same as the native VLAN ID of the switch trunk port? (In any case, I would have native VLAN disabled on the trunk port on my HP Procurve switch, forcing all traffic to be tagged.)

If someone were to try and tag a frame exiting their DomU, what would happen?
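As an added example (not code from this thread or from the Xen project), a small Python checker for the two points discussed above: Fajar's rule that no guest bridge should sit on the trunk's native VLAN, and Jonathan's question about a guest pushing tagged frames out of its DomU. It assumes the Dom0-side layout in which a VLAN subinterface such as eth0.10 is bridged into a per-VLAN bridge (xenbr10) and the guest vif is attached to that bridge untagged, so any 802.1Q/802.1ad tag arriving from the vif side is guest-supplied and worth flagging. The MAC addresses, frame bytes and bridge names are constructed sample data, not taken from the page.

```python
import struct

# 802.1Q customer tag and 802.1ad service (QinQ outer) tag EtherTypes.
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD}


def parse_vlan_tags(frame: bytes):
    """Walk the 802.1Q/802.1ad tag stack of an Ethernet frame.

    Returns (vids, ethertype): the VLAN IDs found, outermost first, and the
    EtherType of the payload that follows the last tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC
    vids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside the tag stack")
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in VLAN_TPIDS:
            return vids, tpid
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        offset += 4


def inspect_guest_frame(frame: bytes, native_vlan: int):
    """Classify a frame seen on a guest-facing vif.

    Assumed layout: Dom0 applies the tag on a per-VLAN subinterface (e.g.
    eth0.10 bridged into xenbr10), so the vif side of the bridge should only
    ever carry untagged frames. Any tag supplied by the guest is reported.
    """
    vids, ethertype = parse_vlan_tags(frame)
    findings = []
    if vids:
        findings.append("guest-supplied VLAN tag on an access-style port")
    if len(vids) > 1:
        findings.append("stacked (double) VLAN tags")
    if vids and vids[0] == native_vlan:
        findings.append(f"outer tag equals trunk native VLAN {native_vlan}")
    return {"vids": vids, "ethertype": ethertype, "findings": findings}


def audit_bridge_vlans(bridge_vlans: dict, native_vlan: int):
    """Return the guest bridges whose VLAN ID equals the trunk's native VLAN,
    i.e. the configuration the thread says not to hand to a DomU."""
    return sorted(name for name, vid in bridge_vlans.items() if vid == native_vlan)


# Constructed sample frames (hypothetical MACs 00:16:3e:00:00:01 / 02).
FRAME_UNTAGGED = bytes.fromhex(
    "00163e000001" "00163e000002"  # dst, src
    "0806"                         # EtherType: ARP
    "0001080006040001"             # start of an ARP request
)
FRAME_SINGLE = bytes.fromhex(
    "00163e000001" "00163e000002"
    "8100" "000a"                  # 802.1Q tag, VID 10
    "0800" "4500001400000000"      # IPv4 header fragment
)
FRAME_DOUBLE = bytes.fromhex(
    "00163e000001" "00163e000002"
    "8100" "0001"                  # outer tag, VID 1
    "8100" "000a"                  # inner tag, VID 10
    "0800" "4500001400000000"
)

if __name__ == "__main__":
    samples = [("untagged", FRAME_UNTAGGED), ("single", FRAME_SINGLE), ("double", FRAME_DOUBLE)]
    for name, frame in samples:
        print(name, inspect_guest_frame(frame, native_vlan=1))
    # Hypothetical bridge map: xenbr1 would be a DomU bridge on the native VLAN.
    print("bridges on native VLAN:", audit_bridge_vlans({"xenbr1": 1, "xenbr10": 10}, 1))
```

In practice the frames would come from a capture on the vif interface rather than from literals; the point of the check is that, with tagging done in Dom0, a tagged frame on the guest side is never expected, so its presence is itself the signal, and the same condition can be enforced at the bridge (for example by dropping the 802.1Q EtherType on vif ports) rather than only monitored.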


Xen-users mailing list
