lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 28 Jun 2011 19:34:57 +0100
From:	Nick Carter <ncarter100@...il.com>
To:	David Lamparter <equinox@...c24.net>
Cc:	Stephen Hemminger <shemminger@...ux-foundation.org>,
	netdev@...r.kernel.org, davem@...emloft.net
Subject: Re: [PATCH] bridge: Forward EAPOL Kconfig option BRIDGE_PAE_FORWARD

On 28 June 2011 17:00, David Lamparter <equinox@...c24.net> wrote:
> On Tue, Jun 28, 2011 at 08:10:15AM -0700, Stephen Hemminger wrote:
>> On Tue, 28 Jun 2011 17:02:57 +0200
>> David Lamparter <equinox@...c24.net> wrote:
>> > >   if (skb) {
>> > > +         /* Prevent Crosstalk where a Supplicant on one Port attempts to
>> > > +          * interfere with authentications occurring on another Port.
>> > > +          * (IEEE Std 802.1X-2001 C.3.3)
>> > > +          */
>> > > +         if (unlikely(!br->pae_forward &&
>> > > +             skb->protocol == htons(ETH_P_PAE)))
>> >
>> > No, please don't.
>> >
>> > Linux bridging has two "grand" modes: dumb and STP enabled.
>> >
>> > If we're running a dumb bridge, we behave like an ethernet hub without
>> > any intelligence, and in that case we should absolutely forward 802.1X
>> > frames. We may have (e.g. VM) client(s) that want to authenticate with a
>> > physical switch.
>> > (For the spec, this counts as "repeater", not "bridge"/"switch")
>> >
>> > If we're running with STP enabled, then 802.1X traffic should already be
>> > caught by the general ethernet link-local multicast drop (which applies
>> > to 01:80:c2:/24 and therefore catches 802.1X too.)
>>
>> The problem is that STP is not enabled by default, and most people don't
>> know how to enable it.
>
> Yes, the default is a dumb hub (IMHO correctly so). And a dumb hub will
> forward 802.1X packets (IMHO also correctly so).
>
> Why should we specifically add a knob for EAPOL? Next we're adding one
> for STP itself, then one for LLDP, then one for Cisco's deprecated
> crap (CDP, DTP, ...) etc.
>
> If you want a dumb hub that drops EAPOL, use ebtables.
>
> -David
>
>
If we are not going to have an EAPOL knob, but we are going to act as
a repeater when STP is off then we still need these diffs to forward
the PAE group address.
(In fact we cant just act as a repeater because of the recent ethernet
bonding regression)

diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 90e985b..267f581 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -163,7 +163,8 @@ struct sk_buff *br_handle_frame(struct sk_buff *skb)
                        goto drop;

                /* If STP is turned off, then forward */
-               if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
+               if (p->br->stp_enabled == BR_NO_STP &&
+                       (dest[5] == 0 || skb->protocol == htons(ETH_P_PAE)))
                        goto forward;
Nick
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ