tech-net archive


Re: bridges, vlans, and xen, oh my!



> Amongst other messes, [mixing tagged and untagged on the same trunk]
> can help facilitate vlan-hopping attacks using double-tagged packets.
> An attacker can send a packet with a vlan tag the same as your native
> vlan (which the switch will strip off)

This is something that's always bothered me with vlan tagging: that
tagging switches still pay attention to tags even on
supposedly-untagged ports.  ISTM that an untagged port should
completely ignore tags on incoming packets, in the sense of treating
frame type 0x8100 the same as any other.

> Even if you don't care about this in your circumstances now,

I don't, no.  This is a bench test setup, where I'm conflating data and
management on the same interface because it's easier than finding a way
to put yet another Ethernet in that box (or find another box).  If and
when it goes into production, data and management will be on different
physical interfaces.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
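As an added illustration of the two behaviours discussed in this exchange (not code from the original thread or from NetBSD): the following Python models a switch port that strips a tag matching its native VLAN and then honours the tag left underneath, which is what lets a double-tagged frame land in a VLAN the sender is not on, beside the alternative der Mouse proposes, where an untagged port treats ethertype 0x8100 as opaque and ignores any tag. It also includes the check a defender would log on: a tagged frame arriving on a port that is supposed to be untagged. The frame bytes, VLAN IDs and MAC addresses are constructed for the example; the function names are my own.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag, the frame type mentioned in the thread
ETHERTYPE_IPV4 = 0x0800


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    tags: List[int]       # VLAN IDs, outermost first
    ethertype: int        # ethertype found after all stacked tags
    payload: bytes


def parse_frame(frame: bytes) -> ParsedFrame:
    """Parse an Ethernet II frame, peeling off every stacked 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated header")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if ethertype != ETHERTYPE_VLAN:
            break
        if off + 2 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        tags.append(tci & 0x0FFF)      # low 12 bits of the TCI are the VID
    return ParsedFrame(dst, src, tags, ethertype, frame[off:])


def build_frame(dst: bytes, src: bytes, vids: List[int],
                ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame with zero or more stacked 802.1Q tags (outermost first)."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def tag_stripping_port(frame: bytes, native_vid: int) -> Tuple[int, bytes]:
    """Model the behaviour the quoted text describes: a tag equal to the
    native VLAN is stripped, and whatever tag remains underneath is then
    honoured. Returns (VLAN the frame is placed in, frame as forwarded)."""
    p = parse_frame(frame)
    remaining = p.tags[1:] if p.tags and p.tags[0] == native_vid else p.tags
    vlan = remaining[0] if remaining else native_vid
    return vlan, build_frame(p.dst, p.src, remaining, p.ethertype, p.payload)


def opaque_untagged_port(frame: bytes, port_vid: int) -> Tuple[int, bytes]:
    """Model der Mouse's proposal: an untagged port ignores 0x8100 entirely,
    so the frame goes into the port's own VLAN no matter what it carries."""
    return port_vid, frame


def tagged_frame_on_untagged_port(frame: bytes) -> bool:
    """Detection check: any 802.1Q tag seen on a supposedly untagged port
    is worth logging, whether or not it matches the native VLAN."""
    return bool(parse_frame(frame).tags)


def demo() -> dict:
    """Constructed double-tagged frame: outer tag = native VLAN 1, inner tag = VLAN 20."""
    dst = b"\xff" * 6                         # constructed broadcast destination
    src = bytes.fromhex("020000000001")       # constructed locally-administered MAC
    payload = b"\x45" + b"\x00" * 19          # constructed stand-in for an IPv4 header
    double = build_frame(dst, src, [1, 20], ETHERTYPE_IPV4, payload)
    plain = build_frame(dst, src, [], ETHERTYPE_IPV4, payload)

    strip_vlan, forwarded = tag_stripping_port(double, native_vid=1)
    opaque_vlan, _ = opaque_untagged_port(double, port_vid=1)
    return {
        "stripping_port_vlan": strip_vlan,                  # 20: crossed into VLAN 20
        "forwarded_tags": parse_frame(forwarded).tags,      # [20]: inner tag survives
        "opaque_port_vlan": opaque_vlan,                    # 1: stays in the port's VLAN
        "double_flagged": tagged_frame_on_untagged_port(double),
        "plain_flagged": tagged_frame_on_untagged_port(plain),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The contrast in `demo()` is the whole point of the thread: with the tag-stripping behaviour the inner tag is still there after the native tag is removed, so the frame ends up in VLAN 20; with the opaque behaviour the same bytes never leave VLAN 1. The `tagged_frame_on_untagged_port` check is what you would wire into a capture on an access port to notice this traffic in the first place.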

