| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 13 Feb 2022 19:44:20 +0100
From: Tobias Waldekranz <tobias@...dekranz.com>
To: Florian Fainelli <f.fainelli@...il.com>,
Hans Schultz <schultz.hans@...il.com>, davem@...emloft.net,
kuba@...nel.org, Andrew Lunn <andrew@...n.ch>,
Vladimir Oltean <olteanv@...il.com>,
Nikolay Aleksandrov <nikolay@...dia.com>,
Ido Schimmel <idosch@...sch.org>,
DENG Qingfang <dqfext@...il.com>,
Ansuel Smith <ansuelsmth@...il.com>,
Microchip Linux Driver Support <UNGLinuxDriver@...rochip.com>
Cc: netdev@...r.kernel.org,
Hans Schultz <schultz.hans+netdev@...il.com>
Subject: Re: [PATCH net-next v2 0/5] Add support for locked bridge ports
(for 802.1X)
On Fri, Feb 11, 2022 at 10:11, Florian Fainelli <f.fainelli@...il.com> wrote:
> It makes sense that we are using the bridge layer to support 802.1x but
> this leaves behind the case of standalone ports which people might want
> to use. Once we cover the standalone ports there is also a question of
> what to do in the case of a regular Ethernet NIC, and whether it can
> actually support 802.1x properly given their MAC filtering capabilities
> (my guess is that most cannot without breaking communication with other
> stations connecting through the same port).
The only interface I can think of that would be generic enough to
support all cases is TC offloading. I.e. you could program a matchall
rule drop rule, and then later insert exceptions for authenticated
clients before the drop rule.
It feels awfully cumbersome for drivers to have to figure this out
though.
> Looking at what Broadcom Roboswitch support, the model you propose
> should be working, it makes me wonder if we need to go a bit beyond what
> can be configurable besides blocked/not-blocked and have different
> levels of strictness. These switches do the following on a per-port
> basis you can:
>
> - set the EAP destination MAC address if different than 01:80:C2:00:00:03
>
> - enable EAP frame with destination MAC address specified
>
> - set the EAP block mode:
> 0 - disabled
> 1 - only the frames with the EAP reserved multicast address will be
> forwarded, otherwise frames will be dropped
> 3 - only the frames with the EAP reserved multicast address will be
> forwarded. Forwarding verifies that each egress port is enabled for EAP
> + BLK_MODE
> - set the EAP mode:
> 0 - disabled
> 2 - extended mode: check MAC SA, port, drop if unknown
> 3 - simplified mode: check SA, port, trap to management if SA is unknown
>
> We have a number of vectors that can be used to accept specific MAC SA
> addresses.
>
> Then we have a global register that allows us to configure whether we
> want to allow ARP, DHCP, BPDU, RMC, RARP or the frames with the
> specified destination IP address/masks being specified. I would assume
> that the two registers allowing us to specify a destination IP/subnet
> might be used to park unauthenticated stations to a "guest" VLAN maybe?
>
> So with that said, it looks like we may not need a method beyond just
> setting the port state. In your case, it sounds like you would program
> the mv88e6xxx switch's ATU with the MAC addresses learned from the
> bridge via the standard FDB learning notification?
The idea is that hostapd (or whatever authenticator daemon you're
running) would do the equivalent of:
bridge fdb add <sa-of-station> [vid X] dev <port> permanent
(Vladimir can correct the flags that I have undoubtedly gotten wrong,
but you get the idea :))
Would this approach not work on a Roboswitch?
In the future, we also want to support things like MAB (mac
authentication bypass), i.e. allowing for some vetting of legacy
devices. This is a bit more complicated, because it requires a
notification from the HW about which exact address that was seen.
Our idea is to add a flag to FDB entries ("locked"), that would indicate
that a dynamic entry has been learned on a locked port. The entry must
therefore never be used to forward traffic. Its addition to the FDB will
trigger an event though, which can be noticed by a daemon that can
perform the necessary verifications. If the station is allowed, the
deamon will clear the locked flag on the FDB entry, allowing forwarding.
In a software setting, this entry will be added by the bridge when a new
SA is detected on a locked port. For switchdevs, the drivers could use
the existing way of notifying the bridge of new entries that it has
learned, except that the locked flag would be set on the entry.
So on Roboswitch, for example, I imagine you could:
- Use EAP mode 3 to trap the frames to the CPU
- Add a hardware FDB entry with a null-destination to block any further
traps for that SA.
- Generate a locked FDB entry notification to the bridge (and by
extension to userspace).
This will let you enforce policies like "only allow stations with OUI
02:de:ad on swp3".
> In the case of Broadcom switches, I suppose the same should be done,
> however instead of programming the main FDB, we would have to program
> the multi-port vector when the port is in blocked state. This becomes a
> switch driver detail.
>
> I would like other maintainers of switch drivers to chime in to know
> whether microchip, Qualcomm/Atheros and Mediatek have similar features
> or not.
>
> Does that make sense?
>
> Time to dust off my freeradius settings to test this out, it's been
> nearly 15 years since I last did this, time to see if EAP-TTLS or
> EAP-PEAP are more streamlined on the client side :)
Powered by blists - more mailing lists