[Oisf-devel] RFC: vlan_id in flow tracking
Eric Leblond
eric at regit.org
Mon Apr 8 12:56:54 UTC 2013
Hi,
On Mon, 2013-04-08 at 13:02 +0100, Chris Wakelin wrote:
> On 08/04/13 12:44, Eric Leblond wrote:
> > Hi,
> >
> > On Thu, 2013-04-04 at 13:10 +0200, Victor Julien wrote:
> >> (RFC: request for comments :))
> >>
> >> Suricata currently parses VLAN headers but doesn't really do anything
> >> with them. This is obviously wrong in some cases, like in flow tracking.
> >> There can be several VLANs on a network, where in each we see the same
> >> 5-tuple. These shouldn't be mixed, but right now they can be.
> >>
> >> This patch tries to deal with it:
> >> https://github.com/inliniac/suricata/commit/d755fdfdc4576057712ccdb70f1e3a17bfad901c
..
> >
> > We have to force people to upgrade their switches. It is good for the
> > economy! Seriously, VLAN tracking has to be optional even to address the
> > issue with multiple layers of VLAN.
> >
>
> Alas Extreme 10GB border switches aren't cheap, and tagging only one
> direction in a mirrored port is "by design" apparently. Presumably it's
> to mark the direction and if they tagged both directions but with a
> different VLAN tag, it would be just as awkward for us. We wouldn't get
> our border switches upgraded just to make it easier for IDS either. I
> might just about be able to persuade the network manager to go for a
> fibre tap instead though.

I was just joking but thanks for the detailed information!

BR,
--
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/
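
The trade-off discussed in this thread, as an added example (not code from Suricata or from the linked commit; the `Pkt` layout, the function names and the sample packets are assumptions made for illustration). It builds a direction-independent flow key with the VLAN id as an optional member and compares three constructed packets: the same 5-tuple in two VLANs, and the reply direction arriving untagged as on a mirror port that tags only one direction.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical packet summary; the layout is an assumption, not Suricata's. */
typedef struct {
    uint32_t src, dst;   /* IPv4 addresses */
    uint16_t sp, dp;     /* source / destination port */
    uint8_t  proto;      /* IP protocol number */
    uint16_t vlan_id;    /* 0 = untagged */
} Pkt;

/* Constructed sample packets: one TCP 5-tuple seen in VLAN 10 and VLAN 20,
 * plus the reply direction as an untagged frame. */
const Pkt C2S_VLAN10   = {0x0A000001u, 0x0A000002u, 40000, 80, 6, 10};
const Pkt C2S_VLAN20   = {0x0A000001u, 0x0A000002u, 40000, 80, 6, 20};
const Pkt S2C_UNTAGGED = {0x0A000002u, 0x0A000001u, 80, 40000, 6, 0};

/* Direction-independent key: order the endpoints so that both directions of
 * a connection map to the same key. The VLAN id takes part in the key only
 * when use_vlan is set. */
Pkt flow_key(Pkt p, bool use_vlan)
{
    if (p.src > p.dst || (p.src == p.dst && p.sp > p.dp)) {
        uint32_t a = p.src; p.src = p.dst; p.dst = a;
        uint16_t t = p.sp;  p.sp  = p.dp;  p.dp  = t;
    }
    if (!use_vlan)
        p.vlan_id = 0;
    return p;
}

bool same_flow(Pkt x, Pkt y, bool use_vlan)
{
    Pkt a = flow_key(x, use_vlan), b = flow_key(y, use_vlan);
    return a.src == b.src && a.dst == b.dst && a.sp == b.sp &&
           a.dp == b.dp && a.proto == b.proto && a.vlan_id == b.vlan_id;
}

int main(void)
{
    printf("two VLANs, vlan in key:       same flow = %d\n",
           same_flow(C2S_VLAN10, C2S_VLAN20, true));
    printf("two VLANs, vlan ignored:      same flow = %d\n",
           same_flow(C2S_VLAN10, C2S_VLAN20, false));
    printf("one-way tagging, vlan in key: same flow = %d\n",
           same_flow(C2S_VLAN10, S2C_UNTAGGED, true));
    printf("one-way tagging, vlan ignored: same flow = %d\n",
           same_flow(C2S_VLAN10, S2C_UNTAGGED, false));
    return 0;
}
```

With the VLAN id in the key the two VLANs stay separate, but the one-way-tagged connection is split into two half flows; with it left out the reverse holds, which is why the setting has to be selectable per deployment.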