lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 27 Nov 2007 14:24:13 +0100
From:	Johannes Berg <johannes@...solutions.net>
To:	Stephen Hemminger <shemminger@...ux-foundation.org>
Cc:	netdev <netdev@...r.kernel.org>,
	bridge <bridge@...ux-foundation.org>
Subject: Re: [RFC] bridging: don't forward EAPOL frames


> > +	if (unlikely(skb->protocol = htons(ETH_P_PAE)))
> > +		goto drop;
> > +
> >  	switch (p->state) {
> >  	case BR_STATE_FORWARDING:
> 
> Not needed because the bridge is already handling it:
> 
> 1) If running STP (ie true bridge), then all link local multicast is only received by
> the bridge and never forwarded.

Well, typical access point setups bridge the wireless AP interface with
wired, EAPOL frames can be unicast (and 802.11 specifies to do so) and
we want to avoid having them unicast to another host.

Also, 802.1X in C.3.3 recommends not bridging the *ethertype* rather
than depending on the link-local multicast address because otherwise
eapol frames can be unicast into the network behind the (authorized)
port which is undesirable.

johannes

Download attachment "signature.asc" of type "application/pgp-signature" (829 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ