lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ef92ed7a-62aa-a5d0-3656-6a918927c239@gmail.com>
Date:   Fri, 11 Feb 2022 10:11:38 -0800
From:   Florian Fainelli <f.fainelli@...il.com>
To:     Hans Schultz <schultz.hans@...il.com>, davem@...emloft.net,
        kuba@...nel.org, Andrew Lunn <andrew@...n.ch>,
        Vladimir Oltean <olteanv@...il.com>,
        Nikolay Aleksandrov <nikolay@...dia.com>,
        Ido Schimmel <idosch@...sch.org>,
        Tobias Waldekranz <tobias@...dekranz.com>,
        DENG Qingfang <dqfext@...il.com>,
        Ansuel Smith <ansuelsmth@...il.com>,
        Microchip Linux Driver Support <UNGLinuxDriver@...rochip.com>
Cc:     netdev@...r.kernel.org,
        Hans Schultz <schultz.hans+netdev@...il.com>
Subject: Re: [PATCH net-next v2 0/5] Add support for locked bridge ports (for
 802.1X)

On 2/9/22 5:05 AM, Hans Schultz wrote:
> This series starts by adding support for SA filtering to the bridge,
> which is then allowed to be offloaded to switchdev devices. Furthermore
> an offloading implementation is supplied for the mv88e6xxx driver.
> 
> Public Local Area Networks are often deployed such that there is a
> risk of unauthorized or unattended clients getting access to the LAN.
> To prevent such access we introduce SA filtering, such that ports
> designated as secure ports are set in locked mode, so that only
> authorized source MAC addresses are given access by adding them to
> the bridges forwarding database. Incoming packets with source MAC
> addresses that are not in the forwarding database of the bridge are
> discarded. It is then the task of user space daemons to populate the
> bridge's forwarding database with static entries of authorized entities.
> 
> The most common approach is to use the IEEE 802.1X protocol to take
> care of the authorization of allowed users to gain access by opening
> for the source address of the authorized host.
> 
> With the current use of the bridge parameter in hostapd, there is
> a limitation in using this for IEEE 802.1X port authentication. It
> depends on hostapd attaching the port on which it has a successful
> authentication to the bridge, but that only allows for a single
> authentication per port. This patch set allows for the use of
> IEEE 802.1X port authentication in a more general network context with
> multiple 802.1X aware hosts behind a single port as depicted, which is
> a commonly used commercial use-case, as it is only the number of
> available entries in the forwarding database that limits the number of
> authenticated clients.
> 
>       +--------------------------------+
>       |                                |
>       |      Bridge/Authenticator      |
>       |                                |
>       +-------------+------------------+
>        802.1X port  |
>                     |
>                     |
>              +------+-------+
>              |              |
>              |  Hub/Switch  |
>              |              |
>              +-+----------+-+
>                |          |
>             +--+--+    +--+--+
>             |     |    |     |
>     Hosts   |  a  |    |  b  |   . . .
>             |     |    |     |
>             +-----+    +-----+
> 
> The 802.1X standard involves three different components, a Supplicant
> (Host), an Authenticator (Network Access Point) and an Authentication
> Server which is typically a Radius server. This patch set thus enables
> the bridge module together with an authenticator application to serve
> as an Authenticator on designated ports.
> 
> 
> For the bridge to become an IEEE 802.1X Authenticator, a solution using
> hostapd with the bridge driver can be found at
> https://github.com/westermo/hostapd/tree/bridge_driver .
> 
> 
> The relevant components work transparently in relation to if it is the
> bridge module or the offloaded switchcore case that is in use.


It would help for future submissions if you create an union of the
people to copy for *all* patches. What I typically do is:

git format-patch *.patch
./scripts/get_maintainers.pl *.patch > cclist
git send-email *.patch --cc-cmd=cclist.sh
cat cclist.sh
#!/bin/sh
cat $(dirname $0)/cclist

or any smarter way to do that. Now on the actual changes themselves.

It makes sense that we are using the bridge layer to support 802.1x but
this leaves behind the case of standalone ports which people might want
to use. Once we cover the standalone ports there is also a question of
what to do in the case of a regular Ethernet NIC, and whether it can
actually support 802.1x properly given their MAC filtering capabilities
(my guess is that most cannot without breaking communication with other
stations connecting through the same port).

Looking at what Broadcom Roboswitch support, the model you propose
should be working, it makes me wonder if we need to go a bit beyond what
can be configurable besides blocked/not-blocked and have different
levels of strictness. These switches do the following on a per-port
basis you can:

- set the EAP destination MAC address if different than 01:80:C2:00:00:03

- enable EAP frame with destination MAC address specified

- set the EAP block mode:
	0 - disabled
	1 - only the frames with the EAP reserved multicast address will be
forwarded, otherwise frames will be dropped
	3 - only the frames with the EAP reserved multicast address will be
forwarded. Forwarding verifies that each egress port is enabled for EAP
+ BLK_MODE
- set the EAP mode:
	0 - disabled
	2 - extended mode: check MAC SA, port, drop if unknown
	3 - simplified mode: check SA, port, trap to management if SA is unknown

We have a number of vectors that can be used to accept specific MAC SA
addresses.

Then we have a global register that allows us to configure whether we
want to allow ARP, DHCP, BPDU, RMC, RARP or the frames with the
specified destination IP address/masks being specified. I would assume
that the two registers allowing us to specify a destination IP/subnet
might be used to park unauthenticated stations to a "guest" VLAN maybe?

So with that said, it looks like we may not need a method beyond just
setting the port state. In your case, it sounds like you would program
the mv88e6xxx switch's ATU with the MAC addresses learned from the
bridge via the standard FDB learning notification?

In the case of Broadcom switches, I suppose the same should be done,
however instead of programming the main FDB, we would have to program
the multi-port vector when the port is in blocked state. This becomes a
switch driver detail.

I would like other maintainers of switch drivers to chime in to know
whether microchip, Qualcomm/Atheros and Mediatek have similar features
or not.

Does that make sense?

Time to dust off my freeradius settings to test this out, it's been
nearly 15 years since I last did this, time to see if EAP-TTLS or
EAP-PEAP are more streamlined on the client side :)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ