This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Secure VLANs

On Thu, Jan 6, 2011 at 9:13 AM, Javier Guerra Giraldez
<javier@xxxxxxxxxxx> wrote:
> On Wed, Jan 5, 2011 at 6:45 PM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
>> So, it is the linux vconfig utility that strips all vlan tags coming into
>> the Dom0 and conversely, tags traffic coming out?
> more exactly, vconfig sets up the virtual interfaces.  once they're
> set up, the kernel will do the right thing.

... assuming vlan support is built into the kernel, which is the
default for most distros.

> (oh, be sure that eth0's
> MTU is 4 bytes bigger than usual, to let the tag pass through).

Modern distros (I tested RHEL and Ubuntu) work just fine without any
need to manually adjust MTU whatsoever.

>> And provided that on my trunk lines (i.e. switch to Dom0, switch to switch
>> and VLAN-aware firewall to switch) I either disable native VLAN (PVID) *or*
>> make sure that the native VLAN ID on the trunk ports are not the same as any
>> customer VLAN ID, then VLAN hopping can't occur?
> never say never... but i would be _very_ surprised if such a thing would
> be possible without more direct exploits (like buffer overflows that
> let you plant code to be executed... but Linux network code is under
> constant scrutiny for these kinds of things.  the VLAN code in the
> kernel is very simple and easy to read.)

When dom0 is configured correctly, assigning a specific vlan to domU
is as secure as configuring the switch to assign a specific
vlan to a physical server.
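
One way to check the "configured correctly" condition discussed in the message above, as an added example that is not part of the original thread: it audits a dom0's VLAN devices and bridge membership for guests sharing a bridge with an untagged interface, bridges that join two VLANs, and guests placed on the trunk's native VLAN. The three rules, the bridge and interface names, the `vif`/`tap` naming convention and the `NATIVE_VLAN` value are assumptions for illustration, and the sample data is constructed.

```python
import re

# Constructed sample in the layout of /proc/net/vlan/config on a dom0.
VLAN_CONFIG = """\
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth0.1         | 1  | eth0
eth0.100       | 100  | eth0
eth0.200       | 200  | eth0
"""

# Constructed bridge membership, as listed in /sys/class/net/<bridge>/brif/.
BRIDGES = {
    "xenbr100": ["eth0.100", "vif1.0"],
    "xenbr200": ["eth0.200", "vif2.0", "vif3.0"],
    "xenbr-bad": ["eth0", "vif4.0"],                  # untagged trunk + guest
    "xenbr-mix": ["eth0.100", "eth0.200", "vif5.0"],  # two VLANs joined
    "xenbr1": ["eth0.1", "vif6.0"],                   # guest on the native VLAN
}
NATIVE_VLAN = 1  # assumption: PVID configured on the switch trunk port

def parse_vlan_config(text):
    """Return {vlan_device: (vlan_id, parent_device)}; header lines are skipped."""
    vlans = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s*\|\s*(\d+)\s*\|\s*(\S+)\s*$", line)
        if m:
            vlans[m.group(1)] = (int(m.group(2)), m.group(3))
    return vlans

def audit(bridges, vlans, native_vlan):
    """Return (bridge, problem) pairs for every bridge that carries guest vifs."""
    findings = []
    for bridge, ports in sorted(bridges.items()):
        uplinks = [p for p in ports if not p.startswith(("vif", "tap"))]
        if len(uplinks) == len(ports):
            continue  # no guest interface attached, nothing to isolate
        tagged = [p for p in uplinks if p in vlans]
        for p in uplinks:
            if p not in vlans:
                findings.append((bridge, f"untagged interface {p} bridged to guests"))
        if len(tagged) > 1:
            findings.append((bridge, "joins VLANs " + ", ".join(str(vlans[p][0]) for p in tagged)))
        for p in tagged:
            if vlans[p][0] == native_vlan:
                findings.append((bridge, f"guest VLAN {native_vlan} is the trunk's native VLAN"))
    return findings

if __name__ == "__main__":
    for bridge, problem in audit(BRIDGES, parse_vlan_config(VLAN_CONFIG), NATIVE_VLAN):
        print(f"{bridge}: {problem}")
```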

