[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: bridges, vlans, and xen, oh my!
> Amongst other messes, [mixing tagged and untagged on tha same trunk]
> can help facilitate vlan-hopping attacks using double-tagged packets.
> An attacker can send a packet with a vlan tag the same as your native
> vlan (which the switch will strip off)
This is something that's always bothered me with vlan tagging: that
tagging switches still pay attention to tags even on
supposedly-untagged ports. ISTM that an untagged port should
completely ignore tags on incoming packets, in the sense of treating
frame type 0x8100 the same as any other.
> Even if you don't care about this in your circumstances now,
I don't, no. This is a bench test setup, where I'm conflating data and
management on the same interface because it's easier than finding a way
to put yet another Ethernet in that box (or find another box). If and
when it goes into production, data and management will be on different
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Main Index |
Thread Index |