| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220211210118.tqhm7wk4lhenwjko@skbuf>
Date: Fri, 11 Feb 2022 23:01:18 +0200
From: Vladimir Oltean <olteanv@...il.com>
To: Florian Fainelli <f.fainelli@...il.com>
Cc: Hans Schultz <schultz.hans@...il.com>, davem@...emloft.net,
kuba@...nel.org, Andrew Lunn <andrew@...n.ch>,
Nikolay Aleksandrov <nikolay@...dia.com>,
Ido Schimmel <idosch@...sch.org>,
Tobias Waldekranz <tobias@...dekranz.com>,
DENG Qingfang <dqfext@...il.com>,
Ansuel Smith <ansuelsmth@...il.com>,
Microchip Linux Driver Support <UNGLinuxDriver@...rochip.com>,
netdev@...r.kernel.org,
Hans Schultz <schultz.hans+netdev@...il.com>
Subject: Re: [PATCH net-next v2 0/5] Add support for locked bridge ports (for
802.1X)
On Fri, Feb 11, 2022 at 10:11:38AM -0800, Florian Fainelli wrote:
> It makes sense that we are using the bridge layer to support 802.1x but
> this leaves behind the case of standalone ports which people might want
> to use. Once we cover the standalone ports there is also a question of
> what to do in the case of a regular Ethernet NIC, and whether it can
> actually support 802.1x properly given their MAC filtering capabilities
The hardware implementations I'm aware of heavily revolve around what is
fundamentally the bridging service. But I've downloaded the 802.1X-2010
standard and there's nothing limiting it to a bridge. It can also apply
to a router, or an end point station. Not sure where that leaves us,
though. A more generic concept would be a MAC SA filter, which is kept
in sync with the bridge FDB by a user space daemon in case the bridge is
used on a port. But in whichever way I think about it, I don't see a
unified way of modeling this MAC SA filter in a way that lends itself
easily to switchdev offloading. On a standalone NIC, it would probably
make more sense for it to be an eBPF program. But for a switch, you just
expand simple information like "drop anything that wasn't learned" into
"drop anything that isn't this, that or the other", and the switch
driver has to parse all that just to figure out "oh, so you mean drop
anything that wasn't learned? well I have a bit for that".
Either we try to find a unified solution, or we let user space do
different things depending on whether a bridge is in use or not.
> (my guess is that most cannot without breaking communication with other
> stations connecting through the same port).
If the hardware support requires dropping packets with unknown MAC SA,
then yes, probably. DSA standalone ports disable MAC SA learning and
operate with empty FDBs on them these days. So we'd cut off all traffic
on that port if we don't change something in this model. And even if we
change something, we also need to take FDB isolation into account, using
a separate FID for authenticated MACs, with no forwarding other than to
the CPU. I'm probably thinking too far ahead though.
> Looking at what Broadcom Roboswitch support, the model you propose
> should be working, it makes me wonder if we need to go a bit beyond what
> can be configurable besides blocked/not-blocked and have different
> levels of strictness. These switches do the following on a per-port
> basis you can:
>
> - set the EAP destination MAC address if different than 01:80:C2:00:00:03
>
> - enable EAP frame with destination MAC address specified
>
> - set the EAP block mode:
> 0 - disabled
> 1 - only the frames with the EAP reserved multicast address will be
> forwarded, otherwise frames will be dropped
> 3 - only the frames with the EAP reserved multicast address will be
> forwarded. Forwarding verifies that each egress port is enabled for EAP
> + BLK_MODE
What's the difference between 1 and 3? At 1, when you say that EAP
reserved multicast packets will be forwarded, do you actually mean they
will be trapped to CPU?
> - set the EAP mode:
> 0 - disabled
> 2 - extended mode: check MAC SA, port, drop if unknown
> 3 - simplified mode: check SA, port, trap to management if SA is unknown
>
> We have a number of vectors that can be used to accept specific MAC SA
> addresses.
>
> Then we have a global register that allows us to configure whether we
> want to allow ARP, DHCP, BPDU, RMC, RARP or the frames with the
> specified destination IP address/masks being specified. I would assume
> that the two registers allowing us to specify a destination IP/subnet
> might be used to park unauthenticated stations to a "guest" VLAN maybe?
>
> So with that said, it looks like we may not need a method beyond just
> setting the port state. In your case, it sounds like you would program
> the mv88e6xxx switch's ATU with the MAC addresses learned from the
> bridge via the standard FDB learning notification?
>
> In the case of Broadcom switches, I suppose the same should be done,
> however instead of programming the main FDB, we would have to program
> the multi-port vector when the port is in blocked state. This becomes a
> switch driver detail.
>
> I would like other maintainers of switch drivers to chime in to know
> whether microchip, Qualcomm/Atheros and Mediatek have similar features
> or not.
>
> Does that make sense?
>
> Time to dust off my freeradius settings to test this out, it's been
> nearly 15 years since I last did this, time to see if EAP-TTLS or
> EAP-PEAP are more streamlined on the client side :)
The Microchip Ocelot switch family (and most probably others too) has 2
kinds of support for 802.1X access control.
- Port-based, this essentially revolves around putting a port in the
BLOCKING STP state. IEEE 802.1X uses MAC address 01-80-C2-00-00-03, so
that will continue to be trapped to the CPU regardless of STP state.
- MAC-based, this essentially revolves around "learn frames" (frames
with unknown MAC SA). There are 2 sub-groups here, solution 1 is
secure CPU-based learning, where learn frames are trapped to the CPU,
and solution 2 is no-learning, where learn frames are just dropped.
In both cases, the host must program the FDB to allow that MAC SA to
be forwarded to other ports. I'm thinking that the no-learning method
is what would resemble the closest this new BR_PORT_LOCKED flag.
The secure learning procedure is probably useful when you want to
bypass the MAC authentication process for a dumb device like a printer
that doesn't speak 802.1X but you want it to be nonetheless whitelisted.
With the difference that MAC-based authentication allows you to have
more than 1 MAC SA behind an 802.1X switch port (like another switch),
and port-based authentication doesn't have that kind of flexibility.
Of course, there's also the TCAM where a custom policy could be enabled
per MAC SA.
The NXP SJA1105P/Q/R/S and SJA1110 of course have to be snowflakes here
as well. There is a "DRPNOLEARN" bit (drop frames which couldn't be
learned), but it's global, not per port, and it doesn't affect frames
which weren't learned due to learning being disabled on a port - just
due to the FDB space reserved for dynamic entries getting depleted.
I could probably hack around that by reserving zero space for dynamic
FDB entries, but again, that would be a setting per switch, not per port.
There's just something about this switch that makes my skin itch :)
This switch family also supports "port enforcement" per FDB entry, where
the switch blocks station migrations/spoofing attempts by dropping a
given MAC SA if the FDB has that address pointing towards a different
port than it was received on. Not sure whether this is something useful
in the context of 802.1X. Looking at Ocelot switches again, I see the
definition of a "learn frame" is actually expanded to cover these kind
of frames too (not just unknown MAC SA). So all that's described above
for learn frames should apply for spoofed traffic too.
Powered by blists - more mailing lists