Brett Lymn wrote:
>
> a) VLANs are implemented by putting data into an otherwise unused part
> of the IP header. Anyone can easily craft a packet with the right
> data in the right place given the right tools and access.
Just in case this wasn't just a typo: The VLAN ID is _not_ in the IP header.
It's in the Ethernet header.

Standard "Ethernet-II" header:
- 6 bytes destination
- 6 bytes sender
- 2 bytes "contained protocol ID, e.g. IP/ARP/RARP/IPX/etc.."
(total 14 bytes)

And with VLAN extensions:
- 6 bytes destination
- 6 bytes sender
- 2 bytes "this is a VLAN packet!" identifier (0x0081)
- 2 bytes containing VLAN ID, QoS bits, etc
- 2 bytes "contained protocol ID, e.g. IP/ARP/RARP/IPX/etc.."
(total 18 bytes)

After this follows standard IP/IPX/NetBEUI/whatever headers.

The beauty of this format is that units that do not understand VLANs will see
"Ethernet packets of protocol 0x0081", which they most likely will not be
interested in.

However, other than the above: Yes, I'm a grumpy paranoid who pretty much hates
VLANs other than in very specific low-security-level (or at least
pretty-much-the-same-security-level) segmentations.

So: Go get 'em! :)

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
"Senex semper diu dormit"

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
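The tag layout described in the reply above, as an added example that is not part of the original post or thread: a small Python parser and builder for 802.1Q-tagged Ethernet frames. It walks dst / src / [tag...] / EtherType exactly as laid out above, uses the IEEE 802.1Q tag protocol identifier as it appears in network byte order (0x8100), splits the 2-byte Tag Control Information into its PCP, DEI and 12-bit VID fields, and goes a step beyond the post by also peeling stacked 802.1ad (QinQ, TPID 0x88A8) tags. The MAC addresses and payload bytes are constructed placeholders, not captured traffic, and the function names are my own.

```python
"""Parse and build IEEE 802.1Q-tagged Ethernet frames (added example)."""
import struct

# EtherType / TPID constants in network byte order, as they appear on the wire.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
TPID_8021Q = 0x8100    # 802.1Q customer tag: "this is a VLAN frame"
TPID_8021AD = 0x88A8   # 802.1ad service tag: outer tag of a stacked (QinQ) frame
VLAN_TPIDS = (TPID_8021Q, TPID_8021AD)


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _u16(frame: bytes, offset: int) -> int:
    """Read a big-endian 16-bit field, refusing to run past the frame end."""
    if offset + 2 > len(frame):
        raise ValueError(f"frame truncated at offset {offset}")
    return struct.unpack_from("!H", frame, offset)[0]


def parse_frame(frame: bytes) -> dict:
    """Walk the Ethernet header, peeling off zero or more VLAN tags.

    Each tag is 4 bytes: a 2-byte TPID followed by 2 bytes of Tag Control
    Information (3-bit PCP, 1-bit DEI, 12-bit VID). The payload's EtherType
    is the first 2-byte field that is not a TPID, so an untagged frame has a
    14-byte header, a single-tagged one 18 bytes, a QinQ frame 22 bytes.
    """
    if len(frame) < 14:
        raise ValueError("shorter than a minimal 14-byte Ethernet-II header")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        ethertype = _u16(frame, offset)
        offset += 2
        if ethertype not in VLAN_TPIDS:
            break
        tci = _u16(frame, offset)
        offset += 2
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,         # priority code point (the "QoS bits")
            "dei": (tci >> 12) & 1,   # drop eligible indicator
            "vid": tci & 0x0FFF,      # VLAN identifier, 0..4095
        })
    return {
        "dst": _mac(dst), "src": _mac(src), "tags": tags,
        "ethertype": ethertype, "header_len": offset, "payload": frame[offset:],
    }


def encode_tag(vid: int, pcp: int = 0, dei: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Encode one 4-byte VLAN tag (TPID + TCI)."""
    if not 0 <= vid <= 0x0FFF or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("tag field out of range")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", tpid, tci)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, tags: bytes = b"") -> bytes:
    """Assemble dst | src | [tags...] | EtherType | payload."""
    return dst + src + tags + struct.pack("!H", ethertype) + payload


# Constructed sample data (not captured traffic): broadcast destination, a
# made-up source MAC, and a 20-byte placeholder standing in for an IPv4 header.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = bytes([0x45]) + bytes(19)

UNTAGGED_FRAME = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD)
TAGGED_FRAME = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, encode_tag(vid=100, pcp=5))
QINQ_FRAME = build_frame(DST, SRC, ETHERTYPE_ARP, PAYLOAD,
                         encode_tag(vid=10, tpid=TPID_8021AD) + encode_tag(vid=200))

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED_FRAME), ("tagged", TAGGED_FRAME), ("qinq", QINQ_FRAME)):
        info = parse_frame(frame)
        print(f"{name}: header_len={info['header_len']} tags={info['tags']} "
              f"ethertype=0x{info['ethertype']:04x}")
```

Because the tag sits between the source MAC and the EtherType, a host or switch that does not understand 802.1Q simply sees an EtherType of 0x8100 and ignores the frame, which is the behaviour the reply describes; conversely, anyone who can put raw frames on the wire can emit `build_frame(...)` output with whatever VID they like, which is the point of the quoted objection.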
