On Sat, Jun 21, 2008 at 01:30:43AM +0200, Quentin Garnier wrote: > On Fri, Jun 20, 2008 at 06:18:16PM -0400, der Mouse wrote: > > Conceptually, what I want is a vlan interface that selects for untagged > > packets on input and does not add any tag on output (what my own 802.1q > > implementation calls VLAN_NONE, if that means anything to anyone). > > I've been bugged by that in the past, too. I wanted to allow the user > to do this: > > ifconfig vlan0 vlan native vlan-if fxp0 As much as sometimes you need to do this (because other people's networks are set up like this) and that it's a good capability for NetBSD to possess, I need to add a strong word here against the practice of mixing tagged and untagged/"native" vlans on the same interface. Amongst other messes, it can help facilitate vlan-hopping attacks using double-tagged packets. An attacker can send a packet with a vlan tag the same as your native vlan (which the switch will strip off) followed by a second vlan header (which will be processed at your next hop, probably your vlan(4) at the host). Depending on the implementation and devices, other permutations may be possible. A quick ref: https://www2.sans.org/reading_room/whitepapers/networkdevs/1090.php Even if you don't care about this in your circumstances now, you might later, and there other reasons to avoid this too, especially if you're using .1p QoS. Appearance of untagged packets can then be a good indicator of a configuration error or other problem. So, if you're setting up the network and have the freedom to choose otherwise, please do. Just a comment about practices, not about the ability of the tools to be used flexibly (which I support). -- Dan.
Attachment:
pgpUCvX5mxTys.pgp
Description: PGP signature