| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 25 Oct 2022 14:00:34 +0300
From: Nikolay Aleksandrov <razor@...ckwall.org>
To: Ido Schimmel <idosch@...dia.com>, netdev@...r.kernel.org,
bridge@...ts.linux-foundation.org
Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com,
edumazet@...gle.com, jiri@...dia.com, petrm@...dia.com,
ivecera@...hat.com, roopa@...dia.com, netdev@...io-technology.com,
vladimir.oltean@....com, mlxsw@...dia.com
Subject: Re: [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass
(MAB) support
On 25/10/2022 13:00, Ido Schimmel wrote:
> From: "Hans J. Schultz" <netdev@...io-technology.com>
>
> Hosts that support 802.1X authentication are able to authenticate
> themselves by exchanging EAPOL frames with an authenticator (Ethernet
> bridge, in this case) and an authentication server. Access to the
> network is only granted by the authenticator to successfully
> authenticated hosts.
>
> The above is implemented in the bridge using the "locked" bridge port
> option. When enabled, link-local frames (e.g., EAPOL) can be locally
> received by the bridge, but all other frames are dropped unless the host
> is authenticated. That is, unless the user space control plane installed
> an FDB entry according to which the source address of the frame is
> located behind the locked ingress port. The entry can be dynamic, in
> which case learning needs to be enabled so that the entry will be
> refreshed by incoming traffic.
>
> There are deployments in which not all the devices connected to the
> authenticator (the bridge) support 802.1X. Such devices can include
> printers and cameras. One option to support such deployments is to
> unlock the bridge ports connecting these devices, but a slightly more
> secure option is to use MAB. When MAB is enabled, the MAC address of the
> connected device is used as the user name and password for the
> authentication.
>
> For MAB to work, the user space control plane needs to be notified about
> MAC addresses that are trying to gain access so that they will be
> compared against an allow list. This can be implemented via the regular
> learning process with the following differences:
>
> 1. Learned FDB entries are installed with a new "locked" flag indicating
> that the entry cannot be used to authenticate the device. The flag
> cannot be set by user space, but user space can clear the flag by
> replacing the entry, thereby authenticating the device.
>
> 2. FDB entries cannot roam to locked ports to prevent unauthenticated
> devices from disrupting traffic destined to already authenticated
> devices.
>
> Enable this behavior using a new bridge port option called "mab". It can
> only be enabled on a bridge port that is both locked and has learning
> enabled. A new option is added because there are pure 802.1X deployments
> that are not interested in notifications about "locked" FDB entries.
>
> Signed-off-by: Hans J. Schultz <netdev@...io-technology.com>
> Signed-off-by: Ido Schimmel <idosch@...dia.com>
> ---
>
> Notes:
> Changes made by me:
>
> * Reword commit message.
> * Reword comment regarding 'NTF_EXT_LOCKED'.
> * Use extack in br_fdb_add().
> * Forbid MAB when learning is disabled.
>
> include/linux/if_bridge.h | 1 +
> include/uapi/linux/if_link.h | 1 +
> include/uapi/linux/neighbour.h | 8 +++++++-
> net/bridge/br_fdb.c | 24 ++++++++++++++++++++++++
> net/bridge/br_input.c | 15 +++++++++++++--
> net/bridge/br_netlink.c | 13 ++++++++++++-
> net/bridge/br_private.h | 3 ++-
> net/core/rtnetlink.c | 5 +++++
> 8 files changed, 65 insertions(+), 5 deletions(-)
>
Thanks for finalizing this, the patch looks good to me.
Acked-by: Nikolay Aleksandrov <razor@...ckwall.org>
Thanks,
Nik
Powered by blists - more mailing lists