lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Jun 2011 18:00:18 +0200 From: David Lamparter <equinox@...c24.net> To: Stephen Hemminger <shemminger@...ux-foundation.org> Cc: David Lamparter <equinox@...c24.net>, Nick Carter <ncarter100@...il.com>, netdev@...r.kernel.org, davem@...emloft.net Subject: Re: [PATCH] bridge: Forward EAPOL Kconfig option BRIDGE_PAE_FORWARD On Tue, Jun 28, 2011 at 08:10:15AM -0700, Stephen Hemminger wrote: > On Tue, 28 Jun 2011 17:02:57 +0200 > David Lamparter <equinox@...c24.net> wrote: > > > if (skb) { > > > + /* Prevent Crosstalk where a Supplicant on one Port attempts to > > > + * interfere with authentications occurring on another Port. > > > + * (IEEE Std 802.1X-2001 C.3.3) > > > + */ > > > + if (unlikely(!br->pae_forward && > > > + skb->protocol == htons(ETH_P_PAE))) > > > > No, please don't. > > > > Linux bridging has two "grand" modes: dumb and STP enabled. > > > > If we're running a dumb bridge, we behave like an ethernet hub without > > any intelligence, and in that case we should absolutely forward 802.1X > > frames. We may have (e.g. VM) client(s) that want to authenticate with a > > physical switch. > > (For the spec, this counts as "repeater", not "bridge"/"switch") > > > > If we're running with STP enabled, then 802.1X traffic should already be > > caught by the general ethernet link-local multicast drop (which applies > > to 01:80:c2:/24 and therefore catches 802.1X too.) > > The problem is that STP is not enabled by default, and most people don't > know how to enable it. Yes, the default is a dumb hub (IMHO correctly so). And a dumb hub will forward 802.1X packets (IMHO also correctly so). Why should we specifically add a knob for EAPOL? Next we're adding one for STP itself, then one for LLDP, then one for Cisco's deprecated crap (CDP, DTP, ...) etc. If you want a dumb hub that drops EAPOL, use ebtables. -David -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists