Current-Users archive


Re: Crash related to VLANs in Oct 18th -current



On Mon, Oct 23, 2017 at 12:18:32PM +0100, Roy Marples wrote:
> 
> I don't know anything about 802.1q trunks.
> How can I tell that it is one, and why shouldn't it have a local address?

Generally speaking, configurations that run tagged ("trunk") and
untagged ("native") traffic on the same interface are poor practice.

One reason in particular (there are others) is that this kind of
configuration is notorious for facilitating attacks in which
double-VLAN-encapsulated packets are fed to an unsuspecting link
partner which then obligingly processes them as if they came in from
a VLAN to which the malicious sender actually had no configured access.
Not good.

Adding addresses by default to physical interfaces that have virtual
interfaces stacked on top of them also breaks important virtual
interface types such as agr, which then can't attach.

I think it is safe to say that an interface which is participating
in an interface stack such as vlan or agr should never be given an
address unless the user has explicitly configured the system to do
so.  The sane default is to give addresses to the leaf interfaces
only (e.g. vlan) not the root nor intermediate nodes (wm, agr, etc --
noting of course that any of these interfaces _could_ be the leaf,
but in fact are not).

Surely if the user has configured the system such that only certain
interfaces should be given addresses, that should be respected.  Even
listening on other interfaces could cause unexpected security exposure
if the client software has bugs.

Thor
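An audit of the addressing rule Thor describes (leaf interfaces only), as an added example that is not part of this thread: it parses constructed ifconfig-style output and reports any port that both has a vlan or agr stacked on it and carries a non-link-local address. The "vlan: N parent: X" and "agrport: X" line formats and the sample topology are assumptions, not taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the style of NetBSD ifconfig(8) output; the exact
# "vlan: N parent: X" and "agrport: X" line formats are an assumption.
SAMPLE = """\
wm0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.0.2.10/24 broadcast 192.0.2.255 flags 0x0
    inet6 fe80::200:5eff:fe00:5301%wm0/64 flags 0x0 scopeid 0x1
vlan0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    vlan: 10 parent: wm0
    inet 192.0.2.130/25 broadcast 192.0.2.255 flags 0x0
wm1: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::200:5eff:fe00:5302%wm1/64 flags 0x0 scopeid 0x3
agr0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    agrport: wm1, flags=0x3<COLLECTING,DISTRIBUTING>
    inet 198.51.100.7/24 broadcast 198.51.100.255 flags 0x0
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
VLAN_RE = re.compile(r"^\s+vlan: \d+ parent: (\S+)")
AGR_RE = re.compile(r"^\s+agrport: ([^,\s]+)")
ADDR_RE = re.compile(r"^\s+inet6? (\S+)")

def parse_ifconfig(text):
    """Map each stacked interface (vlan/agr) to its parent ports, and each
    interface to its configured addresses (kernel link-local fe80:: skipped)."""
    parents, addrs = defaultdict(set), defaultdict(list)
    cur = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            continue
        m = VLAN_RE.match(line) or AGR_RE.match(line)
        if m and cur:
            parents[cur].add(m.group(1))
            continue
        m = ADDR_RE.match(line)
        if m and cur and not m.group(1).lower().startswith("fe80:"):
            addrs[cur].append(m.group(1))
    return parents, addrs

def audit(text):
    """Return (interface, address) pairs for every root or intermediate node
    of a vlan/agr stack that carries an address: the case argued against above."""
    parents, addrs = parse_ifconfig(text)
    non_leaf = {p for ports in parents.values() for p in ports}
    return sorted((ifn, a) for ifn in non_leaf for a in addrs.get(ifn, []))
```

Running audit(SAMPLE) flags only wm0, which is the parent of vlan0 yet carries 192.0.2.10/24; wm1 is an agr port with nothing but its kernel link-local address and passes.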

