| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Jun 2011 23:04:34 +0200 From: David Lamparter <equinox@...c24.net> To: Nick Carter <ncarter100@...il.com> Cc: David Lamparter <equinox@...c24.net>, Stephen Hemminger <shemminger@...ux-foundation.org>, netdev@...r.kernel.org, davem@...emloft.net Subject: Re: [PATCH] bridge: Forward EAPOL Kconfig option BRIDGE_PAE_FORWARD On Tue, Jun 28, 2011 at 09:54:01PM +0100, Nick Carter wrote: > > 'reinject' isn't possible when it hits that code path - which is pretty > > much why I'm saying we should be forwarding everything in the non-STP > > case. > I'm not sure I like this turn off STP and suddenly start forwarding > random groups. There is no connection between wanting STP on / off > and forwarding pae on / off. I beg to differ, there very much is. You never ever ever want to be running STP with 802.1X packets passing through... some client will shut down your upstream port, your STP will break and you will die in a fire. The general idea, though, is that a STP-enabled switch is an intelligent switch. And an intelligent switch can speak all those pesky small side-dish protocols. With STP disabled on the other hand, it depends on site policy. Now policy... > There is no dependencies between the protocols. > Also on reflection I think a knob per mac group would be better. .... policy can be done nice and good with ebtables. You can match the groups you want, or the protocols, or the phase of the moon. > We are only interested in 3 and if I enable pae forwarding so I can > connect virtual machine supplicants, i don't then want to turn on LDP > forwarding which will needlessly hit my virtual machines. > So how about sysfs > ../bridge/pae_forwarding > ../bridge/ldp_forwarding > ../bridge/mvrp_forwarding It's not like either LLDP or MVRP will trash your VMs. Those protocols send a packet once per a few seconds. MVRP is interesting for the STP-enabled case though. I'm not aware of any userspace *VRP implementations, and dropping *VRP without an userspace daemon to speak it on our behalf means we're creating a *VRP border/break. I would however say that doing an userspace *VRP implementation is a better solution than kernel hacks for this particular case. > > (Some quick googling reveals that hardware switch chips special-drop > > 01:80:c2:00:00:01 [802.3x/pause] and :02 [802.3ad/lacp] and nothing > > else - for the dumb ones anyway. It also seems like the match for pause > > frames usually works on the address, not on the protocol field like we > > do it...) > 'Enterprise' switches drop :03 [802.1x] They also speak STP, see above about never STP+1X :) -David -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists