Re: VLANs

On 11/01/11 10:57, Jonathan Tripathy wrote:
On 10/01/11 22:15, Jonathan Tripathy wrote:
If a guest maliciously added a vlan tag, wouldn’t it still remain in the frame, however be "double-tagged" by the outgoing physical port? Even still though, this probably isn't an issue, provided that all upstream switches are configured correctly.

I don't believe that this is an issue. An 802.1ad double tag won't be recognised so it will either be dropped by the switch or dropped by the outgoing NIC on the bridge. Short of constructing frames by hand, though, I'm not sure how you would go about adding an 802.1ad vlan tag on top of an 802.1q vlan tag.

I wish it wasn't an issue. Many switches allow hosts to vlan hop if the native vlan of a trunk port is the same as the native vlan of the host. It's easily prevented though with proper switch configuration.


One of us is missing something. A VLAN tag is 802.1q; a double tag is 802.1ad and, so far as I know, linux doesn't do 802.1ad. If a guest applies an 802.1q VLAN tag to a frame then that tag will either be replaced by the outgoing 802.1q vlan-tagging interface or it will be dropped. (At least I believe this to be the case, you'd have to test and/or check the code to see what happens, as I'm relying on memory here.) vconfig (on Linux) does not do 802.1ad double tagging, it's only 802.1q.
I think I'm going on the assumption that the guest will double-tag the packet themselves.

I'm not sure what you mean by vlan hopping. You have several vlans on the same port so you can't use trunking (where the port is responsible for tagging the frames) so you have to say which vlan tags are permitted on the port and, of course, any frame with a permitted tag will be passed but incoming frames will only go to the right vlan interface. (eg if the host has vlans 100, 101 and 102 then the switch will have to be configured to allow those vlan tags on the port that the host is connected to. A frame destined for the host with vlan tag 101 will show up on eth0.101 (or whatever) and that is connected to a bridge that guests who are supposed to be using vlan 101 are using. So even if a guest could send a frame with tag 100, it wouldn't get a response from any other host on vlan 100.)

What ebtable command would I use to prevent *any* tagged frames coming from a host?



I don't remember exactly off-hand, but you can check the particular bytes in the frame for the vlan tag identifier and if it's present, drop the frame. (The 802.1q tag normally appears immediately after the source and destination mac addresses, although it is allowed to be in a different place. The 802.1ad tag normally appears after the source and destination mac addresses as well, immediately before the 802.1q tag.)


Have you actually tried this to see what happens? Or are you surmising that guests can have a double tag applied to an already tagged frame? Or that a vlan tagged frame is allowed through a vlan interface with its vlan tag intact? As I recall, the frame will be re-tagged but it might be dropped, but I'd try it to see what happens if I really wanted to know. And then I'd check the code as well :-)


jch

To see what I mean about VLAN hopping:

http://en.wikipedia.org/wiki/VLAN_hopping
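The byte check described in the thread, as an added example that is not part of the original mails: it reads VLAN tags from offset 12 (immediately after the destination and source MACs, where both 802.1q and 802.1ad put them), returns the outer-to-inner tag list, and applies the policy "drop any tagged frame coming from a guest". The sample frames, MAC addresses and the legacy 0x9100 QinQ TPID are constructed for illustration.

```python
import struct

# VLAN tag protocol identifiers (TPIDs): the ethertype values that mark a tag.
TPID_8021Q = 0x8100          # 802.1Q tag (C-TAG)
TPID_8021AD = 0x88A8         # 802.1ad tag (S-TAG): the outer tag of a "double tag"
TPID_QINQ_LEGACY = 0x9100    # pre-standard QinQ outer TPID still accepted by some gear
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD, TPID_QINQ_LEGACY}

def parse_vlan_tags(frame):
    """Return (tags, ethertype): tags is a list of (tpid, vid), outer to inner.

    Tags start at offset 12, right after the destination and source MACs; an
    802.1ad S-TAG, if present, sits immediately before the 802.1Q C-TAG."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TPIDS:
            return tags, ethertype          # first non-TPID value is the payload ethertype
        if len(frame) < offset + 6:         # TPID + TCI + at least the next ethertype
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci & 0x0FFF))   # low 12 bits of the TCI are the VID
        offset += 4

def guest_frame_should_drop(frame):
    """Policy asked about in the thread: drop a guest's frame if it carries ANY VLAN tag."""
    tags, _ = parse_vlan_tags(frame)
    return bool(tags)

def build_frame(dst_mac, src_mac, tags, ethertype, payload):
    """Assemble a constructed test frame; tags is a list of (tpid, vid)."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample frames (IPv4 ethertype 0x0800, dummy payload, made-up MACs).
_DST, _SRC, _IPV4, _PAYLOAD = "ffffffffffff", "525400aabbcc", 0x0800, bytes(46)
UNTAGGED = build_frame(_DST, _SRC, [], _IPV4, _PAYLOAD)
TAGGED_101 = build_frame(_DST, _SRC, [(TPID_8021Q, 101)], _IPV4, _PAYLOAD)
DOUBLE_TAGGED = build_frame(_DST, _SRC, [(TPID_8021AD, 100), (TPID_8021Q, 101)], _IPV4, _PAYLOAD)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("802.1Q", TAGGED_101),
                        ("802.1ad+802.1Q", DOUBLE_TAGGED)):
        print(name, parse_vlan_tags(frame), "DROP" if guest_frame_should_drop(frame) else "ACCEPT")
```

The equivalent ebtables match on the guest's bridge port is `-p 802_1Q` (ethertype 0x8100, a name from /etc/ethertypes); a second rule with `-p 0x88A8` covers an 802.1ad outer tag.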
