lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 17 Apr 2020 11:05:47 +0200
From:   Sabrina Dubroca <sd@...asysnail.net>
To:     Igor Russkikh <irusskikh@...vell.com>
Cc:     netdev@...r.kernel.org,
        Mark Starovoytov <mstarovoitov@...vell.com>,
        Antoine Tenart <antoine.tenart@...tlin.com>,
        Dmitry Bogdanov <dbogdanov@...vell.com>
Subject: Re: [PATCH net 1/2] net: macsec: update SCI upon MAC address change.

Hello,

2020-03-10, 18:22:24 +0300, Igor Russkikh wrote:
> From: Dmitry Bogdanov <dbogdanov@...vell.com>
> 
> SCI should be updated, because it contains MAC in its first 6 octets.

Sorry for catching this so late. I don't think this change is correct.

Changing the SCI means wpa_supplicant (or whatever MKA you're using)
will disagree as to which SCI is in use. The peer probably doesn't
have an RXSC for the new SCI either, so the packets will be dropped
anyway.

Plus, if you're using "send_sci on", there's no real reason to change
the SCI, since it's also in the packet, and may or may not have any
relationship to the MAC address of the device.

I'm guessing the issue you're trying to solve is that in the "send_sci
off" case, macsec_encrypt() will use the SCI stored in the secy, but
the receiver will construct the SCI based on the source MAC
address. Can you confirm that? If that's the real problem, I have a
couple of ideas to solve it.


Thanks, and sorry again for the delay in looking at this,

-- 
Sabrina

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ