Message-ID: <1a66212fdb43fb8d03fc1e4c7612ad1b@kapio-technology.com>
Date: Fri, 28 Oct 2022 09:45:52 +0200
From: netdev@...io-technology.com
To: Vladimir Oltean <vladimir.oltean@....com>
Cc: Ido Schimmel <idosch@...dia.com>, netdev@...r.kernel.org,
bridge@...ts.linux-foundation.org, davem@...emloft.net,
kuba@...nel.org, pabeni@...hat.com, edumazet@...gle.com,
jiri@...dia.com, petrm@...dia.com, ivecera@...hat.com,
roopa@...dia.com, razor@...ckwall.org, mlxsw@...dia.com
Subject: Re: [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support
On 2022-10-28 00:58, Vladimir Oltean wrote:
> I was going to ask if we should bother to add code to prohibit packets
> from being forwarded to an FDB entry that was learned as LOCKED, since
> that FDB entry is more of a "ghost" and not something fully committed?
I think that it is a security flaw if there is any forwarding to BR_FDB_LOCKED
entries. I can imagine a host behind a locked port with no credentials, that
gets a BR_FDB_LOCKED entry and has a friend on another non-locked port who can
now communicate uni-directionally to the host with the BR_FDB_LOCKED entry. It
should not be too hard to create a scheme using UDP packets or other for that.
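The check the two messages above are discussing, as an added illustration that is not part of the thread and not the Linux bridge code: a small model of a forwarding database in which an address learned on a locked port is stored as a LOCKED "ghost" entry that is never used as a forwarding destination until it has been authorised. All names below (fdb_learn, fdb_forward_port, fdb_authorize, FLAG_LOCKED, run_scenario) and the MAC addresses are constructed for the example; FLAG_LOCKED merely stands in for the BR_FDB_LOCKED flag from the patch series.

```c
/* Toy bridge FDB model (added example, not kernel code). A host behind a
 * locked port gets a LOCKED entry that exists for MAB/user space but must
 * not act as a forwarding target, closing the one-way path from an unlocked
 * port to an unauthenticated host described in the thread. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FDB_MAX     16
#define PORT_MAX    8
#define FLAG_LOCKED 0x1u   /* hypothetical stand-in for BR_FDB_LOCKED */

struct fdb_entry {
    uint8_t  mac[6];
    int      port;     /* ingress port the address was learned on */
    unsigned flags;
    bool     used;
};

struct bridge {
    struct fdb_entry fdb[FDB_MAX];
    bool             port_locked[PORT_MAX];
};

static struct fdb_entry *fdb_find(struct bridge *br, const uint8_t *mac)
{
    for (int i = 0; i < FDB_MAX; i++)
        if (br->fdb[i].used && memcmp(br->fdb[i].mac, mac, 6) == 0)
            return &br->fdb[i];
    return NULL;
}

/* Learn a source address seen on `port`. On a locked port the entry is
 * created with FLAG_LOCKED. Returns the entry's flags, or -1 if full. */
int fdb_learn(struct bridge *br, const uint8_t *mac, int port)
{
    struct fdb_entry *e = fdb_find(br, mac);
    if (!e) {
        for (int i = 0; i < FDB_MAX && !e; i++)
            if (!br->fdb[i].used)
                e = &br->fdb[i];
        if (!e)
            return -1;
        memcpy(e->mac, mac, 6);
        e->used = true;
        e->flags = 0;
    }
    e->port = port;
    if (br->port_locked[port])
        e->flags |= FLAG_LOCKED;
    return (int)e->flags;
}

/* Forwarding lookup for a destination MAC: egress port, or -1 when there is
 * no usable entry (caller falls back to its unknown-destination policy).
 * A LOCKED entry is deliberately treated as absent; this is the check. */
int fdb_forward_port(struct bridge *br, const uint8_t *mac)
{
    struct fdb_entry *e = fdb_find(br, mac);
    if (!e || (e->flags & FLAG_LOCKED))
        return -1;
    return e->port;
}

/* Once the host is authorised (e.g. MAB accepted the MAC) the LOCKED flag is
 * cleared and the entry becomes a normal one. Returns 0, or -1 if unknown. */
int fdb_authorize(struct bridge *br, const uint8_t *mac)
{
    struct fdb_entry *e = fdb_find(br, mac);
    if (!e)
        return -1;
    e->flags &= ~FLAG_LOCKED;
    return 0;
}

/* The thread's scenario with constructed addresses: host A sits behind locked
 * port 1 with no credentials, host B behind unlocked port 2.
 * stage 0: egress port for A before authorisation (-1: not forwarded)
 * stage 1: egress port for A after fdb_authorize (1)
 * stage 2: egress port for B, a normally learned host (2) */
int run_scenario(int stage)
{
    static const uint8_t mac_a[6] = {0x02, 0, 0, 0, 0, 0xaa};
    static const uint8_t mac_b[6] = {0x02, 0, 0, 0, 0, 0xbb};
    struct bridge br;
    memset(&br, 0, sizeof br);
    br.port_locked[1] = true;
    fdb_learn(&br, mac_a, 1);   /* A's frames create only a LOCKED entry */
    fdb_learn(&br, mac_b, 2);
    if (stage == 0)
        return fdb_forward_port(&br, mac_a);
    if (stage == 1) {
        fdb_authorize(&br, mac_a);
        return fdb_forward_port(&br, mac_a);
    }
    return fdb_forward_port(&br, mac_b);
}

int main(void)
{
    printf("B -> A before auth: port %d\n", run_scenario(0));
    printf("B -> A after auth:  port %d\n", run_scenario(1));
    printf("A -> B:             port %d\n", run_scenario(2));
    return 0;
}
```

With the LOCKED check in the lookup, a frame from B addressed to A is handled like any other unknown destination rather than being delivered to A's port, so the entry can still be surfaced to user space for MAB without opening a forwarding path.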