| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Jun 2011 23:46:03 +0100 From: Nick Carter <ncarter100@...il.com> To: David Lamparter <equinox@...c24.net> Cc: Stephen Hemminger <shemminger@...ux-foundation.org>, netdev@...r.kernel.org, davem@...emloft.net Subject: Re: [PATCH] bridge: Forward EAPOL Kconfig option BRIDGE_PAE_FORWARD On 28 June 2011 22:46, David Lamparter <equinox@...c24.net> wrote: > On Tue, Jun 28, 2011 at 10:22:53PM +0100, Nick Carter wrote: >> > I beg to differ, there very much is. You never ever ever want to be >> > running STP with 802.1X packets passing through... some client will shut >> > down your upstream port, your STP will break and you will die in a fire. >> > >> > The general idea, though, is that a STP-enabled switch is an intelligent >> > switch. And an intelligent switch can speak all those pesky small >> > side-dish protocols. > [...] >> >> > (Some quick googling reveals that hardware switch chips special-drop >> >> > 01:80:c2:00:00:01 [802.3x/pause] and :02 [802.3ad/lacp] and nothing >> >> > else - for the dumb ones anyway. It also seems like the match for pause >> >> > frames usually works on the address, not on the protocol field like we >> >> > do it...) >> >> 'Enterprise' switches drop :03 [802.1x] >> > >> > They also speak STP, see above about never STP+1X :) >> But if you turn off STP they wont start forwarding 802.1x. > > Yes, hence my suggestion to have a knob for all of the link-local > ethernet groups. (Which I'm still not actually endorsing, just placing > the idea) > >> Also having STP on and forwarding 802.1x would be useful (but >> non-standard) in some cheap redundant periphery switches, connecting >> to a couple of 'core' switches acting as 802.1x authenticators. > > That wouldn't really make much sense since those central 802.1X > authenticators wouldn't be able switch the client-facing ports on and > off. Although its non standard, it is common for authenticators to do 802.1X per source mac rather than per port. Also the central authenticator ports can be routed not bridged. So i dont think you can rule out the "STP on plus 802.1x being forwarded" requirement. > Instead, you now have to (1) disable the port switching to make > sure your upstreams stay on and (2) deal with 802.1X clients being > re"routed" by STP to different authenticators that don't know them. Well if the authenticators are pointed at a remote ACS then they will know them. And again even though non-standard, 802.1X 'mac move' functionality exists. Nick > > > -David > > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists