From: Jonathan Tripathy <jonnyt@abpni.co.uk>
To: John Haxby <john.haxby@oracle.com>, netfilter@vger.kernel.org
Subject: Re: VLANs
Date: Tue, 11 Jan 2011 12:24:51 +0000	[thread overview]
Message-ID: <4D2C4C13.3020107@abpni.co.uk> (raw)
In-Reply-To: <4D2C47DB.10702@oracle.com>

> On 11/01/11 10:57, Jonathan Tripathy wrote:
>>> On 10/01/11 22:15, Jonathan Tripathy wrote:
>>>> If a guest maliciously added a vlan tag, wouldn’t it still remain 
>>>> in the frame, however be "double-tagged" by the outgoing physical 
>>>> port? Even still though, this probably isn't an issue, provided 
>>>> that all upstream switches are configured correctly. 
>>>
>>> I don't believe that this is an issue.  An 802.1ad double tag won't 
>>> be recognised so it will either be dropped by the switch or dropped 
>>> by the outgoing NIC on the bridge.   Short of constructing frames by 
>>> hand, though, I'm not sure how you would go about adding an 802.1ad 
>>> vlan tag on top of an 802.1q vlan tag.
>>>
>> I wish it wasn't an issue. Many switches allow hosts to vlan hop if 
>> the native vlan of a trunk port is the same as the native vlan of the 
>> host. It's easily prevented though with proper switch configuration.
>>
>
> One of us is missing something.  A VLAN tag is 802.1q; a double tag is 
> 802.1ad and, so far as I know, linux doesn't do 802.1ad.   If a guest 
> applies an 802.1q VLAN tag to a frame then that tag will either be 
> replaced by the outgoing 802.1q vlan-tagging interface or it will be 
> dropped.  (At least I believe this to be the case, you'd have to test 
> and/or check the code to see what happens, as I'm relying on memory 
> here.)  vconfig (on Linux) does not do 802.1ad double tagging, it's 
> only 802.1q.
I think I'll go on the assumption that the guest will double-tag the 
packet themselves.
>
> I'm not sure what you mean by vlan hopping.  You have several vlans on 
> the same port so you can't use trunking (where the port is responsible 
> for tagging the frames) so you have to say which vlan tags are 
> permitted on the port and, of course, any frame with a permitted tag 
> will be passed but incoming frames will only go to the right vlan 
> interface.  (eg if the host has vlans 100, 101 and 102 then the switch 
> will have to be configured to allow those vlan tags on the port that 
> the host is connected to.  A frame destined for the host with vlan tag 
> 101 will show up on eth0.101 (or whatever) and that is connected to a 
> bridge that guests who are supposed to be using vlan 101 are using.  
> So even if a guest could send a frame with tag 100, it wouldn't get a 
> response from any other host on vlan 100.)
>
>> What ebtable command would I use to prevent *any* tagged frames 
>> coming from a host?
>>
>>
>
> I don't remember exactly off-hand, but you can check the particular 
> bytes in the frame for the vlan tag identifier and if it's present, 
> drop the frame.  (The 802.1q tag normally appears immediately after 
> the source and destination mac addresses, although it is allowed to be 
> in a different place.  The 802.1ad tag normally appears after the 
> source and destination mac addresses as well, immediately before the 
> 802.1a tag.)
>
>
> Have you actually tried this to see what happens?  Or are you 
> surmising that guests can have a double tag applied to an already 
> tagged frame?  Or that a vlan tagged frame is allowed through a vlan 
> interface with its vlan tag intact?  As I recall, the frame will be 
> re-tagged but it might be dropped, but I'd try it to see what happens 
> if I really wanted to know.  And then I'd check the code as well :-)
>
>
> jch

For seeing what I mean about VLAN hopping:

http://en.wikipedia.org/wiki/VLAN_hopping
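As an added illustration of the check John describes above (look at the bytes right after the destination and source MAC addresses for a VLAN tag identifier and drop the frame if one is there), here is a small Python parser that walks an 802.1Q/802.1ad tag stack on constructed frames and returns a DROP verdict for any tagged frame arriving from a guest. This is example code written for this thread, not code from the netfilter project or either poster; the MAC addresses, the `build_frame` helper and the function names are assumptions.

```python
import struct

# Tag Protocol Identifiers: 802.1Q customer tag and 802.1ad service tag.
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8

def parse_vlan_tags(frame: bytes):
    """Return (tags, payload_ethertype) for a raw Ethernet frame.

    tags is a list of (tpid, vid) tuples in the order they appear starting
    at offset 12, immediately after the destination and source MACs, which
    is where an 802.1Q or 802.1ad tag normally sits.  A QinQ frame yields
    two entries (outer 802.1ad, inner 802.1Q); an untagged frame yields none.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return tags, ethertype          # first non-TPID value is the payload type
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci & 0x0FFF))  # VID is the low 12 bits of the TCI
        offset += 4                              # skip TPID + TCI, look again

def guest_frame_verdict(frame: bytes) -> str:
    """Policy for frames coming from a guest: drop *any* tagged frame."""
    tags, _ = parse_vlan_tags(frame)
    return "DROP" if tags else "ACCEPT"

def build_frame(tags, payload_ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Construct a sample frame (constructed test data, not a capture)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("525400000001")          # locally administered, made up
    hdr = dst + src
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", payload_ethertype) + payload

if __name__ == "__main__":
    samples = {
        "untagged":          build_frame([]),
        "802.1Q vid 101":    build_frame([(TPID_8021Q, 101)]),
        "QinQ 100 over 101": build_frame([(TPID_8021AD, 100), (TPID_8021Q, 101)]),
    }
    for name, frame in samples.items():
        print(f"{name:20s} tags={parse_vlan_tags(frame)[0]} -> {guest_frame_verdict(frame)}")
```

The same decision an ebtables rule matching the 802.1Q ethertype on a guest's bridge port would make; the code only shows what such a match is looking at in the frame.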
