| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Jun 2011 22:22:53 +0100 From: Nick Carter <ncarter100@...il.com> To: David Lamparter <equinox@...c24.net> Cc: Stephen Hemminger <shemminger@...ux-foundation.org>, netdev@...r.kernel.org, davem@...emloft.net Subject: Re: [PATCH] bridge: Forward EAPOL Kconfig option BRIDGE_PAE_FORWARD On 28 June 2011 22:04, David Lamparter <equinox@...c24.net> wrote: > On Tue, Jun 28, 2011 at 09:54:01PM +0100, Nick Carter wrote: >> > 'reinject' isn't possible when it hits that code path - which is pretty >> > much why I'm saying we should be forwarding everything in the non-STP >> > case. >> I'm not sure I like this turn off STP and suddenly start forwarding >> random groups. There is no connection between wanting STP on / off >> and forwarding pae on / off. > > I beg to differ, there very much is. You never ever ever want to be > running STP with 802.1X packets passing through... some client will shut > down your upstream port, your STP will break and you will die in a fire. > > The general idea, though, is that a STP-enabled switch is an intelligent > switch. And an intelligent switch can speak all those pesky small > side-dish protocols. > > With STP disabled on the other hand, it depends on site policy. Now > policy... > >> There is no dependencies between the protocols. >> Also on reflection I think a knob per mac group would be better. > > .... policy can be done nice and good with ebtables. You can match the > groups you want, or the protocols, or the phase of the moon. > >> We are only interested in 3 and if I enable pae forwarding so I can >> connect virtual machine supplicants, i don't then want to turn on LDP >> forwarding which will needlessly hit my virtual machines. >> So how about sysfs >> ../bridge/pae_forwarding >> ../bridge/ldp_forwarding >> ../bridge/mvrp_forwarding > > It's not like either LLDP or MVRP will trash your VMs. Those protocols > send a packet once per a few seconds. > > MVRP is interesting for the STP-enabled case though. I'm not aware of > any userspace *VRP implementations, and dropping *VRP without an > userspace daemon to speak it on our behalf means we're creating a *VRP > border/break. > > I would however say that doing an userspace *VRP implementation is a > better solution than kernel hacks for this particular case. > >> > (Some quick googling reveals that hardware switch chips special-drop >> > 01:80:c2:00:00:01 [802.3x/pause] and :02 [802.3ad/lacp] and nothing >> > else - for the dumb ones anyway. It also seems like the match for pause >> > frames usually works on the address, not on the protocol field like we >> > do it...) >> 'Enterprise' switches drop :03 [802.1x] > > They also speak STP, see above about never STP+1X :) But if you turn off STP they wont start forwarding 802.1x. Also having STP on and forwarding 802.1x would be useful (but non-standard) in some cheap redundant periphery switches, connecting to a couple of 'core' switches acting as 802.1x authenticators. Nick > > -David > > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists