> On 11/01/11 12:24, Jonathan Tripathy wrote:
>> For seeing what I mean about VLAN hopping:
>> http://en.wikipedia.org/wiki/VLAN_hopping
> Ahh. That's interesting, but not nearly so interesting (or useful)
> as the Cisco document that it cites:
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39054
> Basically the hopping only works if the trunk has the same native vlan
> as the attacker. This, the cisco article goes on to say, is
> considered to be a misconfiguration. You can read it yourself, but
> there are two ways of avoiding this.
> It's still not clear to me how you would get a reply from the attack
> -- you'd need something on the receiving end that can also do the
> double tagging (which is not 802.1ad, it's a second 802.1a tag, to be
> clear).
> jch
Yes I actually read that document. It's a very good document indeed,
however I took it "with a pinch of salt" as it's also got marketing
behind it.
Indeed, I have no idea how a double tagging attack would work in regards
to getting a reply, as Ethernet traffic is of course stateless.
I'm still trying to see what I can do to make my Xen network structure
as secure as possible. I would indeed like to make some ebtables rules
that just make sure that there are no tags at all.
But maybe this is going too far?
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
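The two technical points in this exchange, why the double-tagging hop only works when the outer tag matches the trunk's native VLAN, and what a bridge rule that allows "no tags at all" would actually drop, can be shown with a small model. The following is an added example, not code from the thread or from the Cisco paper: it parses the 802.1Q tag stack of raw Ethernet frames and simulates one access-port -> trunk -> next-switch hop. The switch behaviour (access port accepts a frame tagged with its own VLAN, trunk sends the native VLAN untagged, far side classifies untagged frames into the native VLAN) is the textbook model the Cisco paper describes, simplified; the MAC addresses and ARP payload are constructed, not captured.

```python
"""Added example: 802.1Q tag parsing and a model of the double-tagging hop.

Assumptions (not from the thread): a simplified Cisco-style switch model,
constructed sample frames, and a bridge policy that drops any tagged frame.
"""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag TPID
ETH_P_8021AD = 0x88A8  # 802.1ad service tag (QinQ); parsed so stacks are walked fully
ETH_P_ARP = 0x0806
TAG_TPIDS = {ETH_P_8021Q, ETH_P_8021AD}


def build_frame(dst, src, vlan_ids, ethertype, payload):
    """Build a raw Ethernet frame with 802.1Q tags, outermost VID first."""
    hdr = dst + src
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP/DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Walk the tag stack after the MAC addresses.

    Returns (list of VIDs outermost first, the real ethertype that follows)."""
    vids, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TAG_TPIDS:
            return vids, etype
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)  # VID is the low 12 bits of the TCI
        off += 4


def push_tag(frame, vid):
    """Insert an 802.1Q tag directly after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) + frame[12:]


def pop_tag(frame):
    """Remove the outermost tag (4 bytes after the MAC addresses)."""
    return frame[:12] + frame[16:]


def access_ingress(frame, access_vlan):
    """Access port model: untagged frames are tagged with the port VLAN; a frame
    already tagged with the port's own VLAN is accepted as-is (the behaviour the
    double-tagging trick relies on); any other tag is dropped (returns None)."""
    vids, _ = parse_tags(frame)
    if not vids:
        return push_tag(frame, access_vlan)
    return frame if vids[0] == access_vlan else None


def trunk_egress(frame, native_vlan):
    """Trunk port model: the native VLAN goes out untagged, everything else tagged."""
    vids, _ = parse_tags(frame)
    return pop_tag(frame) if vids and vids[0] == native_vlan else frame


def trunk_ingress_vlan(frame, native_vlan):
    """Far-side trunk port: classify by the outer tag, or native VLAN if untagged."""
    vids, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def hop_result(frame, access_vlan, native_vlan):
    """VLAN the frame lands in after access port -> trunk -> next switch,
    or None if the first switch drops it."""
    accepted = access_ingress(frame, access_vlan)
    if accepted is None:
        return None
    return trunk_ingress_vlan(trunk_egress(accepted, native_vlan), native_vlan)


def no_tags_verdict(frame):
    """Verdict of a bridge rule that refuses any 802.1Q-tagged frame from a guest."""
    vids, _ = parse_tags(frame)
    return "DROP" if vids else "ACCEPT"


# Constructed sample frames (assumed addresses, not captured traffic).
ATTACKER = bytes.fromhex("020000000001")
VICTIM = bytes.fromhex("020000000002")
ARP_PAYLOAD = b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20
UNTAGGED = build_frame(VICTIM, ATTACKER, [], ETH_P_ARP, ARP_PAYLOAD)
DOUBLE_TAGGED = build_frame(VICTIM, ATTACKER, [1, 20], ETH_P_ARP, ARP_PAYLOAD)

if __name__ == "__main__":
    # Attacker sits on VLAN 1; outer tag 1, inner tag 20.
    print("untagged, native 1      ->", hop_result(UNTAGGED, 1, 1))
    print("double-tagged, native 1  ->", hop_result(DOUBLE_TAGGED, 1, 1))    # reaches VLAN 20
    print("double-tagged, native 999->", hop_result(DOUBLE_TAGGED, 1, 999))  # stays in VLAN 1
    print("bridge verdict           ->", no_tags_verdict(DOUBLE_TAGGED))
```

With the native VLAN equal to the attacker's VLAN the outer tag is stripped on the trunk and the inner tag delivers the frame into VLAN 20; with an unused native VLAN the outer tag survives and the frame stays in VLAN 1, which is the misconfiguration point made in the thread. `no_tags_verdict` is the behaviour a bridge rule along the lines of `ebtables -A FORWARD -p 802_1Q -j DROP` (optionally limited to the guest interfaces with `-i vif+`) would give on the Xen bridge; it drops single-tagged as well as double-tagged frames from guests, which is the "no tags at all" policy, not a double-tag-only filter.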