tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: bridges, vlans, and xen, oh my!

> Amongst other messes, [mixing tagged and untagged on tha same trunk]
> can help facilitate vlan-hopping attacks using double-tagged packets.
> An attacker can send a packet with a vlan tag the same as your native
> vlan (which the switch will strip off)

This is something that's always bothered me with vlan tagging: that
tagging switches still pay attention to tags even on
supposedly-untagged ports.  ISTM that an untagged port should
completely ignore tags on incoming packets, in the sense of treating
frame type 0x8100 the same as any other.

> Even if you don't care about this in your circumstances now,

I don't, no.  This is a bench test setup, where I'm conflating data and
management on the same interface because it's easier than finding a way
to put yet another Ethernet in that box (or find another box).  If and
when it goes into production, data and management will be on different
physical interfaces.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML      
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Home | Main Index | Thread Index | Old Index