Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp908977pxp; Wed, 16 Mar 2022 20:57:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxjRz0mWBmbk2zjtqq1dWDXYszUcr6ymhIvwvbaFNuJLqMI7+bZZihXUsa5Cd9/CwQ6P/nl X-Received: by 2002:a17:902:b490:b0:14c:da4a:deca with SMTP id y16-20020a170902b49000b0014cda4adecamr3119883plr.134.1647489453713; Wed, 16 Mar 2022 20:57:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1647489453; cv=none; d=google.com; s=arc-20160816; b=txI00b3Vk/yI5iClDqtnXl+WeQsC6MoVXFhGE1c5hZxEyUBU5hDgz7tOyU2Tr9zlpl sDa98MOmeAiCi4GNVdEBKD+0RhiOg8USfPSJhgXoIJkz2KIioKKZC5aAqPwV4evTnxGv mGZnhm1gD1byW363pi2fe1i9eHk+DWvhAx0HrDrBmsYZgEQ1mOX/b1+96zJEX8AUTXO6 Hp1BRdvxc0N7GtoAdv7KN1s4Bimal3flyK2wdZgjfjeao4Bjby3AENAsGJRYTv2e3/1Y EGoU5PLn5TxJsn24Ms2h3ox8AR1qV66Z/hG4Y4WLrF24m8cicsSNOdQh+54qkZt7rX6i SeJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=PFSNAaQ3b1RcaB6X84veMT1/sBRoeUjyrqfGf9I6kOg=; b=vQ51WvryMUc4N3c+3kLNtmtM8InKfRRBGEtHGpQLBkyirOsugiF6fX2jBmY6YpkzHK p2SE1v6GmewGA6LhsSDyXjaewFHNncx9ID1fgL84zxoMXCG26LYxv5EOIjn6fWj/EX0N 0QuLApE9KAsJRBh2C409IXONulPTuPt6asFidTP6iLDWgDMNsagSatJaOaUN3IV7eQBm 5zjx9h7SVv592DpECBs73rYOMYoIs0IJn1Apvv5bQTUcNLXUTsoEj8YftNBRKXV1z6NP 1buXUMr68u8ibRpOd3i+aBAnB1zLcBzdfz+KFAMFcIYcDcmTYMFZkSciO4ciZR4gEzER grHA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=bYoQ3qBU; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id mh17-20020a17090b4ad100b001bf74f9256csi7490705pjb.0.2022.03.16.20.57.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 16 Mar 2022 20:57:33 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=bYoQ3qBU; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 88ECD89CC8; Wed, 16 Mar 2022 20:43:03 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347873AbiCOLNJ (ORCPT + 99 others); Tue, 15 Mar 2022 07:13:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44778 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231292AbiCOLNI (ORCPT ); Tue, 15 Mar 2022 07:13:08 -0400 Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B06194F474; Tue, 15 Mar 2022 04:11:56 -0700 (PDT) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.west.internal (Postfix) with ESMTP id 11C663200E18; Tue, 15 Mar 2022 07:11:54 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Tue, 15 Mar 2022 07:11:56 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=PFSNAaQ3b1RcaB6X84veMT1/sBRoeUjyrqfGf9I6k Og=; b=bYoQ3qBUijQDWuiMSLzE4q+q+z0Gnv/45k26R0Y4upBMft9FoRm+QqoV1 L1tAP8N8P9Z5rlqJRm3EU+5auE2ltko4YoRFav8LqT7z3zAKZYuqTql9Ywt3kJl4 kWIxH0uZtyJSdm60O2fzzwSHjr0bp7QoxUjm8RAkWJioY9HlGFN/5Oc9YIbPTnU2 7xBEqbuWoig5fUNRaIsF+kP9+TuJARZsIsL1rYThScoqMdPfDHC9CPZuJjmG6o5i 5UJNrcakzAlg69TJU92fjvXKeFF/xLxT7Ts7FZKLdhok6brI6q0XMCShbIFCe4nB JnZNUx0Gmy6gdhu0XfF/rvUW3eVVQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrudeftddgvdefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvffukfhfgggtugfgjgesthekredttddtudenucfhrhhomhepkfguohcu ufgthhhimhhmvghluceoihguohhstghhsehiughoshgthhdrohhrgheqnecuggftrfgrth htvghrnhepvdffveekfeeiieeuieetudefkeevkeeuhfeuieduudetkeegleefvdegheej hefhnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepih guohhstghhsehiughoshgthhdrohhrgh X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 15 Mar 2022 07:11:53 -0400 (EDT) Date: Tue, 15 Mar 2022 13:11:49 +0200 From: Ido Schimmel To: Hans Schultz Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, Andrew Lunn , Vivien Didelot , Florian Fainelli , Vladimir Oltean , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Daniel Borkmann , Ido Schimmel , linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org Subject: Re: [PATCH net-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Message-ID: References: <20220310142320.611738-1-schultz.hans+netdev@gmail.com> <86ee33h9q2.fsf@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <86ee33h9q2.fsf@gmail.com> X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 15, 2022 at 09:59:49AM +0100, Hans Schultz wrote: > On m?n, mar 14, 2022 at 17:50, Ido Schimmel wrote: > > On Thu, Mar 10, 2022 at 03:23:17PM +0100, Hans Schultz wrote: > >> This patch set extends the locked port feature for devices > >> that are behind a locked port, but do not have the ability to > >> authorize themselves as a supplicant using IEEE 802.1X. > >> Such devices can be printers, meters or anything related to > >> fixed installations. Instead of 802.1X authorization, devices > >> can get access based on their MAC addresses being whitelisted. > >> > >> For an authorization daemon to detect that a device is trying > >> to get access through a locked port, the bridge will add the > >> MAC address of the device to the FDB with a locked flag to it. > >> Thus the authorization daemon can catch the FDB add event and > >> check if the MAC address is in the whitelist and if so replace > >> the FDB entry without the locked flag enabled, and thus open > >> the port for the device. > >> > >> This feature is known as MAC-Auth or MAC Authentication Bypass > >> (MAB) in Cisco terminology, where the full MAB concept involves > >> additional Cisco infrastructure for authorization. There is no > >> real authentication process, as the MAC address of the device > >> is the only input the authorization daemon, in the general > >> case, has to base the decision if to unlock the port or not. > >> > >> With this patch set, an implementation of the offloaded case is > >> supplied for the mv88e6xxx driver. When a packet ingresses on > >> a locked port, an ATU miss violation event will occur. When > > > > When do you get an ATU miss violation? In case there is no FDB entry for > > the SA or also when there is an FDB entry, but it points to a different > > port? I see that the bridge will only create a "locked" FDB entry in > > case there is no existing entry, but it will not transition an existing > > entry to "locked" state. I guess ATU miss refers to an actual miss and > > not mismatch. > > > > On a locked port, I get ATU miss violations when there is no FDB entry > for the SA, while if there is an entry but it is not assigned to the > port, then I get an ATU member violation (which I have now masked on > locked ports to limit unwanted interrupts). > > So it seems to me that my 'ATU miss' corresponds to your MISS and my > 'ATU member' corresponds to your MISMATCH. Since I inject an entry with > destination port vector (DPV) zero I get member violations after the > first miss violation. Which causes packets to be silently dropped by the device? Sounds OK, I just want to verify I understand the behavior. > > > The HW I work with doesn't have the ability to generate such > > notifications, but it can trap packets on MISS (no entry) or MISMATCH > > (exists, but with different port). I believe that in order to support > > this feature we need to inject MISS-ed packets to the Rx path so that > > eventually the bridge itself will create the "locked" entry as opposed > > to notifying the bridge about the entry as in your case. > > > > This seems to me to be the way forward in your case. What kind or family > of chips is your HW based on? Nvidia Spectrum ASICs. Some users mentioned 802.1X support, but a requirement never materialized so we didn't work on it. > > >> handling such ATU miss violation interrupts, the MAC address of > >> the device is added to the FDB with a zero destination port > >> vector (DPV) and the MAC address is communicated through the > >> switchdev layer to the bridge, so that a FDB entry with the > >> locked flag enabled can be added. > >> > >> Hans Schultz (3): > >> net: bridge: add fdb flag to extent locked port feature > >> net: switchdev: add support for offloading of fdb locked flag > >> net: dsa: mv88e6xxx: mac-auth/MAB implementation > > > > Please extend tools/testing/selftests/net/forwarding/bridge_locked_port.sh > > with new test cases for this code. > > > > Shall do. Thanks! > > >> > >> drivers/net/dsa/mv88e6xxx/Makefile | 1 + > >> drivers/net/dsa/mv88e6xxx/chip.c | 10 +-- > >> drivers/net/dsa/mv88e6xxx/chip.h | 5 ++ > >> drivers/net/dsa/mv88e6xxx/global1.h | 1 + > >> drivers/net/dsa/mv88e6xxx/global1_atu.c | 29 +++++++- > >> .../net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c | 67 +++++++++++++++++++ > >> .../net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h | 20 ++++++ > >> drivers/net/dsa/mv88e6xxx/port.c | 11 +++ > >> drivers/net/dsa/mv88e6xxx/port.h | 1 + > >> include/net/switchdev.h | 3 +- > >> include/uapi/linux/neighbour.h | 1 + > >> net/bridge/br.c | 3 +- > >> net/bridge/br_fdb.c | 13 +++- > >> net/bridge/br_input.c | 11 ++- > >> net/bridge/br_private.h | 5 +- > >> 15 files changed, 167 insertions(+), 14 deletions(-) > >> create mode 100644 drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c > >> create mode 100644 drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h > >> > >> -- > >> 2.30.2 > >>