Opened 8 years ago

Closed 8 years ago

Last modified 4 years ago

#7546 closed defect (fixed)

VLANs on rtl8366s are insecure

Reported by: anonymous Owned by: juhosg
Priority: normal Milestone: Barrier Breaker 14.07
Component: kernel Version: Trunk
Keywords: vlan rtl8366s security Cc:


The driver for the rtl8366s switch chip seems to not be secure with respect to vlans. Here's a specific test case:

I have a DIR-825, I've enabled vlan and configured a couple vlans:

config switch
        option name rtl8366s
        option reset 1
        option enable_vlan 1

config switch_vlan
        option device rtl8366s
        option vlan 2
        option ports '0 2t 3 5t'

config switch_vlan
        option device rtl8366s
        option vlan 3
        option ports '1 2t 5t'

Then two networks are configured, one on top of br-lan that contains the wireless and vlan 2, and one that just contains vlan3:

config interface lan
        option ifname   eth0.2
        option type     bridge
        option proto    static
        option ipaddr
        option netmask

config interface san
        option ifname   eth0.3
        option proto    static
        option ipaddr
        option netmask

A PC on port 0 gets a IP and a laptop on port 1 gets a IP, so the configuration is working fine.

However I go to the laptop, and configure a vlan device on vlan 2 on top of the ethernet device (that's supposed to be on vlan 3):

# vconfig add eth0 2
Added VLAN with VID == 2 to IF -:eth0:-
# ifconfig eth0.2 up

Now any packets I send on this device are in fact showing up on vlan 2, the PC on port 0 can see them. The switch is dropping any replies, so two way communication is not possible, however the laptop could send anything it wants to vlan 2, including poisoning arp caches, etc.

So unless I screwed up this configuration somehow, it doesn't seem to be secure. From looking at the rtl8366 specs, it looks like it has a vlan ingress filter that can be used to drop packets marked as belonging to a vlan a port is not on. Maybe the driver can enable this somehow?

Attachments (0)

Change History (4)

comment:1 Changed 8 years ago by juhosg

  • Owner changed from developers to juhosg
  • Status changed from new to accepted

comment:2 Changed 8 years ago by juhosg

  • Resolution set to fixed
  • Status changed from accepted to closed

Fixed with r22044. Thanks for reporting!

comment:3 Changed 8 years ago by anonymous

Confirmed fixed with r22044.

comment:4 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

Add Comment

Modify Ticket

as closed .
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.