From: Hans Schultz
To: Jakub Kicinski, Hans Schultz
Cc: davem@davemloft.net, netdev@vger.kernel.org, Andrew Lunn, Vivien Didelot, Florian Fainelli, Vladimir Oltean, Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Stephen Suryaputra, David Ahern, Ido Schimmel, Petr Machata, Amit Cohen, Po-Hsu Lin, Baowen Zheng, linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH net-next v4 0/5] Add support for locked bridge ports (for 802.1X)
In-Reply-To: <20220222111523.030ab13d@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
References: <20220222132818.1180786-1-schultz.hans+netdev@gmail.com> <20220222111523.030ab13d@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
Date: Wed, 23 Feb 2022 09:40:59 +0100
Message-ID: <86y222vuuc.fsf@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 22, 2022 at 11:15, Jakub Kicinski wrote:
> On Tue, 22 Feb 2022 14:28:13 +0100 Hans Schultz wrote:
>> This series starts by adding support for SA filtering to the bridge,
>> which is then allowed to be offloaded to switchdev devices. Furthermore
>> an offloading implementation is supplied for the mv88e6xxx driver.
>>
>> Public Local Area Networks are often deployed such that there is a
>> risk of unauthorized or unattended clients getting access to the LAN.
>> To prevent such access we introduce SA filtering, such that ports
>> designated as secure ports are set in locked mode, so that only
>> authorized source MAC addresses are given access by adding them to
>> the bridge's forwarding database. Incoming packets with source MAC
>> addresses that are not in the forwarding database of the bridge are
>> discarded. It is then the task of user space daemons to populate the
>> bridge's forwarding database with static entries of authorized entities.
>>
>> The most common approach is to use the IEEE 802.1X protocol to take
>> care of the authorization of allowed users to gain access by opening
>> for the source address of the authorized host.
>>
>> With the current use of the bridge parameter in hostapd, there is
>> a limitation in using this for IEEE 802.1X port authentication. It
>> depends on hostapd attaching the port on which it has a successful
>> authentication to the bridge, but that only allows for a single
>> authentication per port. This patch set allows for the use of
>> IEEE 802.1X port authentication in a more general network context with
>> multiple 802.1X aware hosts behind a single port as depicted, which is
>> a commonly used commercial use-case, as it is only the number of
>> available entries in the forwarding database that limits the number of
>> authenticated clients.
>>
>>   +--------------------------------+
>>   |                                |
>>   |      Bridge/Authenticator      |
>>   |                                |
>>   +-------------+------------------+
>>     802.1X port |
>>                 |
>>                 |
>>          +------+-------+
>>          |              |
>>          |  Hub/Switch  |
>>          |              |
>>          +-+----------+-+
>>            |          |
>>         +--+--+    +--+--+
>>         |     |    |     |
>>   Hosts |  a  |    |  b  | . . .
>>         |     |    |     |
>>         +-----+    +-----+
>>
>> The 802.1X standard involves three different components, a Supplicant
>> (Host), an Authenticator (Network Access Point) and an Authentication
>> Server which is typically a RADIUS server. This patch set thus enables
>> the bridge module together with an authenticator application to serve
>> as an Authenticator on designated ports.
>>
>>
>> For the bridge to become an IEEE 802.1X Authenticator, a solution using
>> hostapd with the bridge driver can be found at
>> https://github.com/westermo/hostapd/tree/bridge_driver .
>>
>>
>> The relevant components work transparently in relation to whether it is
>> the bridge module or the offloaded switchcore case that is in use.
>
> You still haven't answered my question. Is the data plane clear text in
> the deployment you describe?

Sorry, I didn't understand your question in the first instance.
So as 802.1X is only about authentication/authorization, the port when
opened for a host is like any other switch port and thus communication
is in the clear.
I have not looked much into MACsec (but know IPsec), and that is a crypto
(key) based connection mechanism, but that is a totally different
ballgame, and I think it would for most practical cases require hardware
encryption.
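The forwarding decision the cover letter describes (a locked port admits a frame only when its source MAC is already an entry in the bridge's forwarding database, and user space adds those entries after a successful 802.1X exchange), as an added model for readers of this thread. It is not code from the patch series or from the hostapd bridge driver; the class and function names, the port names swp1/swp2/swp3, and the MAC addresses are all constructed here. The rule that the fdb entry must point at the ingress port is this model's own assumption, drawn from the fact that every bridge fdb entry is tied to a port.

```python
"""Toy model of a Linux bridge with locked ports (example, not kernel code).

On a locked port a frame is forwarded only if its source MAC already has an
fdb entry for that port; anything else is discarded. Unlocked ports learn
dynamic entries as usual. The 802.1X authenticator (e.g. hostapd) is the
user-space daemon that adds a static entry once a host has passed EAP.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class FdbEntry:
    """One forwarding-database entry: the port an address is reachable on."""
    port: str
    static: bool


@dataclass
class Bridge:
    """Minimal bridge: the set of locked ports, an fdb, and a log of drops."""
    locked: set[str] = field(default_factory=set)
    fdb: dict[str, FdbEntry] = field(default_factory=dict)
    dropped: list[tuple[str, str]] = field(default_factory=list)

    def set_locked(self, port: str, on: bool = True) -> None:
        """Put a port into (or take it out of) locked mode."""
        if on:
            self.locked.add(port)
        else:
            self.locked.discard(port)

    def authorize(self, mac: str, port: str) -> None:
        """Authenticator's job after EAP success: a static entry for the host."""
        self.fdb[mac.lower()] = FdbEntry(port, static=True)

    def deauthorize(self, mac: str) -> None:
        """Logoff or re-authentication failure: remove the static entry again."""
        self.fdb.pop(mac.lower(), None)

    def ingress(self, port: str, src_mac: str) -> bool:
        """SA-filtering decision for one frame: True = admitted, False = dropped."""
        mac = src_mac.lower()
        entry = self.fdb.get(mac)
        if port in self.locked:
            # Unknown source, or a source known on some other port: discard
            # (assumed port-match rule, see lead-in). No learning happens here.
            if entry is None or entry.port != port:
                self.dropped.append((port, mac))
                return False
            return True
        # Unlocked port: classic source-address learning of a dynamic entry.
        if entry is None or not entry.static:
            self.fdb[mac] = FdbEntry(port, static=False)
        return True


# Constructed sample topology: hosts a and b behind a hub on the 802.1X port.
HOST_A = "02:00:00:00:00:0a"
HOST_B = "02:00:00:00:00:0b"
HOST_C = "02:00:00:00:00:0c"
UPLINK = "swp1"


def scenario() -> dict[str, object]:
    """Walk through the diagram's situation and return every decision made."""
    br = Bridge()
    br.set_locked(UPLINK)
    out: dict[str, object] = {}
    out["a_before_auth"] = br.ingress(UPLINK, HOST_A)     # dropped: unknown SA
    br.authorize(HOST_A, UPLINK)                          # EAP success for a
    out["a_after_auth"] = br.ingress(UPLINK, HOST_A)      # admitted
    out["b_same_hub"] = br.ingress(UPLINK, HOST_B)        # b still dropped
    br.authorize(HOST_B, "swp2")                          # b authorized on another port
    out["b_wrong_port"] = br.ingress(UPLINK, HOST_B)      # dropped: entry is for swp2
    out["unlocked_learns"] = br.ingress("swp3", HOST_C)   # admitted and learned
    out["learned_c"] = br.fdb[HOST_C].port == "swp3"
    br.deauthorize(HOST_A)                                # a logs off
    out["a_after_logoff"] = br.ingress(UPLINK, HOST_A)    # dropped again
    out["drops"] = len(br.dropped)
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The model separates the two roles the cover letter keeps apart: the bridge only filters on what is in the fdb, while the authenticator decides what goes into it. Note that nothing here protects the data plane once a host is admitted, which is the point Jakub raises above; a MAC-level admission control is not confidentiality.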