On Thu, Jan 6, 2011 at 9:13 AM, Javier Guerra Giraldez
> On Wed, Jan 5, 2011 at 6:45 PM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
>> So, it is the linux vconfig utility that strips all vlan tags coming into
>> the Dom0 and conversely, tags traffic coming out?
> more exactly, vconfig sets up the virtual interfaces. once they're
> set up, the kernel will do the right thing.
... assuming vlan support is built into the kernel, which is the
default for most distros.
> (oh, be sure that eth0's
> MTU is 4 bytes bigger than usual, to let the tag pass through).
Modern distros (I tested RHEL and Ubuntu) works just fine without any
need to manually adjust MTU whatsoever.
>> And provided that on my trunk lines (i.e. switch to Dom0, switch to switch
>> and VLAN-aware firewall to switch) I either disable native VLAN (PVID) *or*
>> make sure that the native VLAN ID on the trunk ports are not the same as any
>> customer VLAN ID, then VLAN hopping can't occur?
> never say never... but i would be _very_ surprised if such thing would
> be possible without more direct exploits (like buffer overflows that
> let you plant code to be executed... but Linux network code is under
> constant scrutiny for these kind of things. the VLAN code in the
> kernel is very simple and easy to read.)
When dom0 is configured correctly, assigning a specific vlan to domU
is as secure as assigning a configuring the switch to assign specific
vlan to a physical server.
Xen-users mailing list