Hi Everyone,

Can someone please give me some tips on how to set up a Xen system with VLANs in such a way that VLAN hopping by DomUs isn't possible?

I have tagged frames coming from my switch into my Dom0.

Thanks

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Tue, Jan 4, 2011 at 5:58 AM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> Can someone please give me some tips on how to set up a Xen system with
> VLANs in such a way that VLAN hopping by DomUs isn't possible?
>
> I have tagged frames coming from my switch into my Dom0.

Set up a soft bridge for each VLAN on Dom0 and add each DomU interface to only the respective bridge.

Don't present the physical interface to the DomUs.

-- 
Javier
On 05/01/11 21:40, Javier Guerra Giraldez wrote:
> On Tue, Jan 4, 2011 at 5:58 AM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
>> Can someone please give me some tips on how to set up a Xen system with
>> VLANs in such a way that VLAN hopping by DomUs isn't possible?
>>
>> I have tagged frames coming from my switch into my Dom0.
> set a soft bridge for each VLAN on Dom0 and add each DomU interface to
> only the respective bridge.
>
> Don't present the physical interface to the DomUs
>
I had this method in my head, however I wasn't sure if it is "secure". Using the above simple method, is there *no way* that a customer could "VLAN Hop" by double tagging or anything else?
On Thu, Jan 6, 2011 at 4:49 AM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
>
> On 05/01/11 21:40, Javier Guerra Giraldez wrote:
>> On Tue, Jan 4, 2011 at 5:58 AM, Jonathan Tripathy <jonnyt@abpni.co.uk>
>> wrote:
>> Don't present the physical interface to the DomUs
>>
> I had this method in my head however I wasn't sure if it is "secure". Using
> the above simple method, is there *no way* that a customer could "VLAN Hop"
> by double tagging or anything else?

It's common networking stuff, same situation with physical servers and switches, nothing Xen-specific about it. Your network guys will have more info.

IIRC it's safe as long as you do NOT assign the switch's native VLAN (usually VLAN 1) to a domU.

-- 
Fajar
On 05/01/11 22:00, Fajar A. Nugraha wrote:
> On Thu, Jan 6, 2011 at 4:49 AM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
>> On 05/01/11 21:40, Javier Guerra Giraldez wrote:
>>> On Tue, Jan 4, 2011 at 5:58 AM, Jonathan Tripathy <jonnyt@abpni.co.uk>
>>> wrote:
>>> Don't present the physical interface to the DomUs
>>>
>> I had this method in my head however I wasn't sure if it is "secure". Using
>> the above simple method, is there *no way* that a customer could "VLAN Hop"
>> by double tagging or anything else?
> It's common networking stuff, same situation with physical servers and
> switches, nothing xen-specific about it. Your network guys will have
> more info.
>
> IIRC it's safe as long as you do NOT assign the switch's native vlan
> (usually vlan1) to domU.

Hi Fajar,

While I agree it's nothing Xen-specific, I've never done any VLAN stuff with Linux bridges before (which is where my confusion lies). All the VLAN stuff I've done involved physical switches and servers, and no, I would never allow a switch port connected to a server to have a native VLAN ID the same as the native VLAN ID of a trunk port (as I believe that this is how double tagging exploits work).

So in the context of Xen, given that a trunk port on the switch would connect to Dom0, all I have to make sure is that the DomUs aren't connected to a bridge in the Dom0 with a VLAN ID the same as the native VLAN ID of the switch trunk port? (In any case, I would have the native VLAN disabled on the trunk port on my HP ProCurve switch, forcing all traffic to be tagged.)

If someone were to try and tag a frame exiting their DomU, what would happen?

Thanks
On Wed, Jan 5, 2011 at 5:21 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> So in the context of Xen, given that a trunk port on the switch would
> connect to Dom0, all I have to make sure is that the DomUs aren't connected
> to a bridge in the Dom0 with a VLAN ID the same as the native VLAN ID of the
> switch trunk port?

On Linux, VLAN and bridge functionalities are separate things.

Regarding VLANs:
You have your physical interface (eth0), and then add VLAN interfaces to it:

    vconfig add eth0 12

This creates a new interface that you can see with ifconfig, probably called vlan12. Traffic on this new interface will come out tagged via eth0 and (if the rest of the network is ok) will be able to communicate only with devices on VLAN 12.

So, in your startup scripts you should add all the VLAN interfaces you need; it will be just as if you had a lot of ethernet NICs.

Regarding bridges:
Linux's software bridges don't manage VLANs; it's not like physical bridges where you have one bridge and configure each port.

So, what you do is create several bridges, one for each VLAN, and then add only one VLAN interface to each bridge. For example, to prepare for VLAN 12:

    vconfig set_name_type VLAN_PLUS_VID_NO_PAD   # name the new interface vlan12 (vconfig's default naming would give eth0.12)
    vconfig add eth0 12
    brctl addbr br12
    brctl addif br12 vlan12

Now you have a bridge called br12 that is connected to your external VLAN 12 and nothing else. Then just add the DomU's interface to this bridge if it needs to connect to VLAN 12.

-- 
Javier
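The build-out Javier describes, together with Fajar's warning about never handing a domU the switch's native VLAN, as an added shell example. This is not code from the thread or from Xen; it uses iproute2's `ip link` in place of vconfig/brctl, and the interface names (eth0 as the trunk, eth0.12 / br12 per VLAN, vif1.0 for a domU's vif) and the native VLAN id of 1 are assumptions. It prints the commands instead of running them unless APPLY=1, and it includes a small audit over a bridge-membership listing of the kind you would assemble from `bridge link` or `brctl show`:

```shell
#!/bin/sh
# Added example (not from the thread): one Linux bridge per customer VLAN on
# top of a tagged trunk, never bridging the raw trunk port or the switch's
# native VLAN, plus an audit for those two mistakes. Names are assumptions.

TRUNK="${TRUNK:-eth0}"            # physical trunk port from the switch (assumed)
NATIVE_VLAN="${NATIVE_VLAN:-1}"   # switch's untagged/PVID VLAN (assumed: 1)

# A VLAN id is acceptable for a domU bridge only if it is numeric, in the
# 802.1Q range 2..4094, and not the trunk's native VLAN.
check_vid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 2 ] && [ "$1" -le 4094 ] && [ "$1" -ne "$NATIVE_VLAN" ]
}

# Print the commands that create VLAN sub-interface TRUNK.<vid> and a bridge
# br<vid> whose only uplink is that sub-interface. The physical trunk is never
# added to any bridge, so a vif attached to br<vid> can only emit frames that
# leave the trunk tagged with <vid>; any 802.1Q tag the guest adds itself
# simply becomes an inner tag underneath it.
vlan_bridge_cmds() {
    vid="$1"
    printf 'ip link add link %s name %s.%s type vlan id %s\n' "$TRUNK" "$TRUNK" "$vid" "$vid"
    printf 'ip link add name br%s type bridge\n' "$vid"
    printf 'ip link set %s.%s master br%s\n' "$TRUNK" "$vid" "$vid"
    printf 'ip link set %s.%s up\n' "$TRUNK" "$vid"
    printf 'ip link set br%s up\n' "$vid"
}

# Emit the command list for a set of customer VLANs; validate every id first
# so a bad id (e.g. the native VLAN) rejects the whole set, not half of it.
build_all() {
    for vid in "$@"; do
        check_vid "$vid" || { echo "refusing VLAN id '$vid'" >&2; return 1; }
    done
    for vid in "$@"; do
        vlan_bridge_cmds "$vid"
    done
}

# Audit bridge membership read from stdin, one bridge per line:
#   "<bridge> <member> <member> ..."
# Returns 1 if any bridge contains the raw trunk or the native VLAN
# sub-interface, the two ways a domU vif would get to see other tags.
audit_bridges() {
    rc=0
    while read -r br members; do
        [ -n "$br" ] || continue
        for m in $members; do
            if [ "$m" = "$TRUNK" ] || [ "$m" = "$TRUNK.$NATIVE_VLAN" ]; then
                echo "UNSAFE: $br contains $m" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Dry run by default; APPLY=1 executes the generated commands (needs root).
if [ "${APPLY:-0}" = 1 ]; then
    build_all "$@" | sh -e
fi
```

Usage: `./vlan-bridges.sh 12 13` prints the commands, `APPLY=1 ./vlan-bridges.sh 12 13` runs them, and a domU config then attaches to one bridge only, e.g. `vif = ['bridge=br12']`. Feeding `audit_bridges` a listing such as `br0 eth0 vif3.0` flags the case the thread warns about, where the untagged trunk (and with it the native VLAN) has been bridged to a guest.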
On Thu, Jan 6, 2011 at 5:21 AM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> While I agree it's nothing Xen-specific, I've never done any VLAN stuff with
> Linux bridges before (which is where my confusion lies). All the VLAN stuff
> I've done involved physical switches and servers

Then think of dom0 as a switch, and domUs as normal servers. It's the same thing, really.

> If someone were to try and tag a frame exiting their DomU, what would
> happen?

You'll have double tagging. All traffic from that domU will still be confined to the VLAN you assign it to.

-- 
Fajar
On 05/01/11 22:48, Javier Guerra Giraldez wrote:
> On Wed, Jan 5, 2011 at 5:21 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
>> So in the context of Xen, given that a trunk port on the switch would
>> connect to Dom0, all I have to make sure is that the DomUs aren't connected
>> to a bridge in the Dom0 with a VLAN ID the same as the native VLAN ID of the
>> switch trunk port?
> On Linux, VLAN and bridge functionalities are separate things.
>
> regarding VLANs:
> you have your physical interface (eth0), and then add VLAN interfaces to it:
>
> vconfig add eth0 12
>
> creates a new interface that you can see with ifconfig, probably
> called vlan12. traffic on this new interface will come out tagged via
> eth0, and (if the rest of the network is ok), will be able to
> communicate only with devices on VLAN 12.
>
> so, in your startup scripts you should add all the vlan interfaces you
> need, it will be just as if you had a lot of ethernet NICs
>
>
> regarding bridges:
> linux's software bridges don't manage VLANs, it's not like physical
> bridges where you have one bridge and configure each port.
>
> so, what you do is create several bridges, one for each VLAN, and then
> add only one vlan interface to each bridge. for example, to prepare
> for VLAN 12:
>
> vconfig add eth0 12
> brctl addbr br12
> brctl addif br12 vlan12
>
> now you have a bridge called br12 that is connected to your external
> VLAN 12 and nothing else. then just add the DomU's interface to this
> bridge if they need to connect to VLAN 12

Hi Javier,

Thank you for the info. I think this has cleared up my confusion.

So, it is the Linux vconfig utility that strips all VLAN tags coming into the Dom0 and, conversely, tags traffic coming out? And provided that on my trunk lines (i.e. switch to Dom0, switch to switch and VLAN-aware firewall to switch) I either disable the native VLAN (PVID) *or* make sure that the native VLAN ID on the trunk ports is not the same as any customer VLAN ID, then VLAN hopping can't occur?

Thanks
On Wed, Jan 5, 2011 at 6:45 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> Thank you for the info. I think this has cleared up my confusion.

One is glad to be of help :-)

> So, it is the linux vconfig utility that strips all vlan tags coming into
> the Dom0 and conversely, tags traffic coming out?

More exactly, vconfig sets up the virtual interfaces. Once they're set up, the kernel will do the right thing. (Oh, be sure that eth0's MTU is 4 bytes bigger than usual, to let the tag pass through.)

> And provided that on my trunk lines (i.e. switch to Dom0, switch to switch
> and VLAN-aware firewall to switch) I either disable native VLAN (PVID) *or*
> make sure that the native VLAN ID on the trunk ports are not the same as any
> customer VLAN ID, then VLAN hopping can't occur?

Never say never... but I would be _very_ surprised if such a thing were possible without more direct exploits (like buffer overflows that let you plant code to be executed... but Linux network code is under constant scrutiny for these kinds of things. The VLAN code in the kernel is very simple and easy to read.)

-- 
Javier
On Thu, Jan 6, 2011 at 9:13 AM, Javier Guerra Giraldez <javier@guerrag.com> wrote:
> On Wed, Jan 5, 2011 at 6:45 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
>> So, it is the linux vconfig utility that strips all vlan tags coming into
>> the Dom0 and conversely, tags traffic coming out?
>
> more exactly, vconfig sets up the virtual interfaces. once they're
> set up, the kernel will do the right thing.

... assuming VLAN support is built into the kernel, which is the default for most distros.

> (oh, be sure that eth0's
> MTU is 4 bytes bigger than usual, to let the tag pass through).

Modern distros (I tested RHEL and Ubuntu) work just fine without any need to manually adjust the MTU whatsoever.

>> And provided that on my trunk lines (i.e. switch to Dom0, switch to switch
>> and VLAN-aware firewall to switch) I either disable native VLAN (PVID) *or*
>> make sure that the native VLAN ID on the trunk ports are not the same as any
>> customer VLAN ID, then VLAN hopping can't occur?
>
> never say never... but i would be _very_ surprised if such thing would
> be possible without more direct exploits (like buffer overflows that
> let you plant code to be executed... but Linux network code is under
> constant scrutiny for these kind of things. the VLAN code in the
> kernel is very simple and easy to read.)

When dom0 is configured correctly, assigning a specific VLAN to a domU is as secure as configuring the switch to assign a specific VLAN to a physical server.

-- 
Fajar
On Wed, Jan 5, 2011 at 9:32 PM, Fajar A. Nugraha <list@fajar.net> wrote:
>> (oh, be sure that eth0's
>> MTU is 4 bytes bigger than usual, to let the tag pass through).
>
> Modern distros (I tested RHEL and Ubuntu) works just fine without any
> need to manually adjust MTU whatsoever.

This is more related to the ethernet driver than the distro. Some of them simply set a hardware limit to MTU+36, so the card would reject bigger frames. It's the wrong thing to do, since MTU is an IP parameter and the tag is an ethernet thing. The 'right' thing would be to set the limit to MTU+40 when using an interface for tagged frames; but no driver does that. Since you're not supposed to use the main interface for IP anymore, it doesn't harm to mess with the MTU.

Now, some (I forgot which) GbE-only drivers simply don't set any hardware-based limit. The card will accept any frame up to the size of some internal buffers (which can easily be 16 or even 64 KB), so the 'add 4 to MTU' kludge isn't necessary.

-- 
Javier
> When dom0 is configured correctly, assigning a specific vlan to domU
> is as secure as assigning a configuring the switch to assign specific
> vlan to a physical server.
>

If I were to connect my VLAN-aware firewall directly into the Dom0, what security considerations would I have to take into account? Would there even be a "native VLAN" in this case (since there is no switch)?

Thanks
Jonathan Tripathy wrote:
> If I were to connect my VLAN-aware firewall directly into the Dom0,
> what security consideration would I have to take into account? Would
> there even be a "native VLAN" in this case (since there is no
> switch)?

I don't think the lack of a switch would make any difference - you still have (on each device) a default VLAN into which any untagged packets received will be placed. That's all the 'native VLAN' is.

In many (most, all?) VLAN-capable switches, VLAN 1 is automatically created, and all ports default to being members of VLAN 1 and untagged. Similarly, the management processor is connected to VLAN 1 and this often cannot be changed. Hence the advice to avoid allowing VLAN 1 on 'insecure' ports, since that potentially gives the customer/whoever access to the management processor on the switch.

So just don't give access to VLAN 1 on your insecure ports, and set the default VLAN on these ports to something other than 1 if you have the port set to expect tagged packets.

I'm not too certain how this combines with bridges under Linux though!

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.