| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 15 Jul 2011 16:44:50 +0100
From: Nick Carter <ncarter100@...il.com>
To: David Lamparter <equinox@...c24.net>
Cc: Stephen Hemminger <shemminger@...ux-foundation.org>,
netdev@...r.kernel.org,
Michał Mirosław <mirqus@...il.com>,
davem@...emloft.net
Subject: Re: [PATCH] bridge: mask forwarding of IEEE 802 local multicast groups
On 12 July 2011 12:36, David Lamparter <equinox@...c24.net> wrote:
> On Mon, Jul 11, 2011 at 08:27:55AM -0700, Stephen Hemminger wrote:
>> On Sun, 10 Jul 2011 17:04:30 +0100
>> Nick Carter <ncarter100@...il.com> wrote:
>>
>> > Updated diffs so they apply to net-next (Original diffs were based off 2.6.38).
>> >
>> > Any chance of getting these diffs applied? The default behaviour of
>> > the bridge code is unchanged. They solve the problem of
>> > authenticating a virtual 802.1x supplicant machine against an external
>> > 802.1X authenticator. It is also a general solution that allows the
>> > forwarding of any combination of the IEEE 802 local multicast groups.
>> >
>> > Signed-off-by: Nick Carter <ncarter100@...il.com>
>> > Reviewed-by: David Lamparter <equinox@...c24.net>
>>
>> I am still undecided on this. Understand the need, but don't like idea
>> of bridge behaving in non-conforming manner. Will see if IEEE 802 committee
>> has any input.
>
> The patch doesn't make the bridge behave nonconformant. The default mask
> is 0, which just keeps the old behaviour.
Also as David points out in his review, after these diffs are applied
we will be able to remove this
@@ -166,6 +166,9 @@ struct sk_buff *br_handle_frame(struct sk_buff *skb)
if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
goto forward;
Which is non-standard.
So these diffs enable us to change the existing non-conforming
behaviour to a conforming one.
>
> If you set the lowest 3 bits, yes, you can break your network. But so
> does enabling proxy_arp in most cases. And there are reasonable use
> cases for it, both 802.1X forwarding and fully-transparent* packet
> capture bridges benefit from it. And the latter is something I wouldn't
> wish to move to userspace either.
>
> Maybe we should add a warning if the lowest 3 bits are set, like
> "you have enabled forwarding of STP/Pause/Bond frames. This can
> thoroughly break your network."
>
> * excl. pause frames, sadly - those get eaten by hw/driver...
>
>> Also, don't want to build more knobs in with sysfs that are per-bridge.
>> Eventually, the plan is to make all the setting per-port with sysctl's
>> like IPv6.
>
> This setting doesn't make sense per-port IMHO. Also, sysctl?!
I agree this setting should be per-bridge. Also not taking something
that is needed today, because it will make some possible future change
slightly harder, seems a bit conservative to me.
Nick
>
>
> -David
>
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists