lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 22 Oct 2022 08:50:20 +0000
From:   Oleksandr Mazur <>
To:     Vladimir Oltean <>,
        "" <>
CC:     "" <>,
        "" <>,
        "" <>,
        Florian Fainelli <>,
        Andrew Lunn <>,
        Vivien Didelot <>,
        Eric Dumazet <>,
        Paolo Abeni <>,
        Kurt Kanzenbach <>,
        Hauke Mehrtens <>,
        Woojung Huh <>,
        "" <>,
        Sean Wang <>,
        Landen Chao <>,
        DENG Qingfang <>,
        Matthias Brugger <>,
        Claudiu Manoil <>,
        Alexandre Belloni <>,
        Jiri Pirko <>,
        Ivan Vecera <>,
        Roopa Prabhu <>,
        Nikolay Aleksandrov <>,
        Shuah Khan <>,
        Russell King <>,
        Christian Marangi <>,
        Daniel Borkmann <>,
        Yuwei Wang <>,
        Petr Machata <>,
        Ido Schimmel <>,
        Florent Fourcot <>,
        Hans Schultz <>,
        Joachim Wiberg <>,
        Amit Cohen <>,
        "" <>,
        "" <>
Subject: Re: [PATCH v8 net-next 10/12] net: dsa: mv88e6xxx: mac-auth/MAB

On Fri, Oct 21, 2022 at 07:39:34PM +0200, wrote:
>> Well, with this change, to have MAB working, the bridge would need learning on
>> of course, but how things work with the bridge according to the flags, they
>> should also work in the offloaded case if you ask me. There should be no
>> difference between the two, thus MAB in drivers would have to be with
>> learning on.

>Am I proposing for things to work differently in the offload and
>software case, and not realizing it? :-/

>The essence of my proposal was to send a bug fix now which denies
>BR_LEARNING to be set together with BR_PORT_LOCKED. The fact that
>link-local traffic is learned by the software bridge is something
>unintended as far as I understand.

>You tried to fix it here, and as far as I could search in my inbox, that
>didn't go anywhere:

>I thought only mv88e6xxx offloads BR_PORT_LOCKED, but now, after
>searching, I also see prestera has support for it, so let me add
>Oleksandr Mazur to the discussion as well. I wonder how they deal with
>this? Has somebody come to rely on learning being enabled on a locked


>The fact that
>link-local traffic is learned by the software bridge is something
>unintended as far as I understand.

In prestera driver, if port is in blocked state only the PAE frames can be trapped, so i'm not sure where other traffic might come from that you are talking. Or maybe i didn't get the issue here right, sorry?

Also, basically, prestera driver does not rely on the learning flag if the port's flag BR_PORT_LOCKED is set. What this means, is that we discard any learning changes on the port if LOCKED is still set (done inside firmware, if i recall correctly). E.g. learning is always off, if port is in BR_PORT_LOCKED state, or in a block state but also has a static fdb entry (aka mac-auth entry).

The concept we follow is basically:
  - some userspace daemon blocks the port;
  - speaks with the <auth-center> (PAE traffic);
  - the daemon itself populates the FDB with authenticated MACs (adding static FDB MACs);
  - forces learning flag disable, disables the PORT_LOCKED flag. At this point switch can basically receive only the traffic from authorized addresses (fdb still has static entries; learning disabled).

Hope that helps.

Powered by blists - more mailing lists