tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: bridges, vlans, and xen, oh my!

On Sat, Jun 21, 2008 at 01:30:43AM +0200, Quentin Garnier wrote:
> On Fri, Jun 20, 2008 at 06:18:16PM -0400, der Mouse wrote:
> > Conceptually, what I want is a vlan interface that selects for untagged
> > packets on input and does not add any tag on output (what my own 802.1q
> > implementation calls VLAN_NONE, if that means anything to anyone).
> I've been bugged by that in the past, too.  I wanted to allow the user
> to do this:
> ifconfig vlan0 vlan native vlan-if fxp0

As much as sometimes you need to do this (because other people's
networks are set up like this) and that it's a good capability for
NetBSD to possess, I need to add a strong word here against the
practice of mixing tagged and untagged/"native" vlans on the same

Amongst other messes, it can help facilitate vlan-hopping attacks
using double-tagged packets.  An attacker can send a packet with a
vlan tag the same as your native vlan (which the switch will strip
off) followed by a second vlan header (which will be processed at your
next hop, probably your vlan(4) at the host).  Depending on the
implementation and devices, other permutations may be possible.  A
quick ref:

Even if you don't care about this in your circumstances now, you might
later, and there other reasons to avoid this too, especially if you're
using .1p QoS.  Appearance of untagged packets can then be a good
indicator of a configuration error or other problem.

So, if you're setting up the network and have the freedom to choose
otherwise, please do.

Just a comment about practices, not about the ability of the tools to
be used flexibly (which I support).


Attachment: pgpUCvX5mxTys.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index