Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp3600125ybv; Tue, 25 Feb 2020 04:09:11 -0800 (PST) X-Google-Smtp-Source: APXvYqyLhBFwbtNafm+iIII349Hjxv0Qdt4s0xiSiuFu4wCMMouNQVwxC0CwctPlfNmo+Um17NoC X-Received: by 2002:aca:e106:: with SMTP id y6mr3287059oig.131.1582632551263; Tue, 25 Feb 2020 04:09:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582632551; cv=none; d=google.com; s=arc-20160816; b=Q3tntzOw61YkKt9SBMsPzjx9gQZ/Yp2CtPSdAfCbGvP09wFvnVVBP3OexEheew1rTc xAM1/+v6MEiTelxFa5z28luOVTdstO9WQpFAcRb+lBYsy6yxltmB4Ab6EfauKvVIniWh E23iHLrwCZPaTTzdE42Apqwhednkclgz6Q2n8YJiWJ1nmGL2yh+jRHazgcpJ1V6HSfb1 tJw75v56Px7XxbySH4jXiybDdTqhNuHhANZPZJ1Bla7ao/oJsOqhkLyb44B5kcAULvBR IO3/BruizSt6gGlags3GLVM/XlEWqsa+0VNkzmec2AeaHcn0hycVhEN5xMftIYJdcrVu WVbA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=ahe7Ibq0iJ6rhT0lVb1o9RaPIqt0cELm840z23vmLyw=; b=MflReOMEDYoga7Z9uhCknRYB4kPNWk2B3UiQ4UET+Yvh+kgW/YF66QpL9rO93mTA89 842j1n80Ot8lN4ecgpoMG5YS1yRDxJDOxab/DLcSIf7xrSI+wEy7++JKOBmADpzXiI8N LQ7+8YGSFQ++4sTYgHfLGGF6xn+6JKpW6yOwE+AoYbGOLzfsNhdQsgWocoEuL5f23Hpg rRVr3qFfnfNR5u4uIxl3fPzAm8sAjNcXU/vTile4JmKp08V5ki67YbYukPJWQVUipNZK xwQHAVTsbCfBC72u99biHsMS8gxdshPrK1ErVnPz6XrZtZvzZ0ZmOqeL/3Ca6LjqGUoM HFWw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o4si7947935otp.200.2020.02.25.04.08.48; Tue, 25 Feb 2020 04:09:11 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729034AbgBYLKe (ORCPT + 99 others); Tue, 25 Feb 2020 06:10:34 -0500 Received: from mail.w1.fi ([212.71.239.96]:59712 "EHLO li674-96.members.linode.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728975AbgBYLKe (ORCPT ); Tue, 25 Feb 2020 06:10:34 -0500 X-Greylist: delayed 577 seconds by postgrey-1.27 at vger.kernel.org; Tue, 25 Feb 2020 06:10:33 EST Received: from localhost (localhost [127.0.0.1]) by li674-96.members.linode.com (Postfix) with ESMTP id 02D3E10F41; Tue, 25 Feb 2020 11:00:56 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at w1.fi Received: from li674-96.members.linode.com ([127.0.0.1]) by localhost (mail.w1.fi [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m2yBmsIMQrxJ; Tue, 25 Feb 2020 11:00:54 +0000 (UTC) Received: by jm (sSMTP sendmail emulation); Tue, 25 Feb 2020 13:00:18 +0200 Date: Tue, 25 Feb 2020 13:00:18 +0200 From: Jouni Malinen To: Denis Kenzior Cc: Johannes Berg , linux-wireless@vger.kernel.org, Markus Theil Subject: Re: [PATCH 1/2] Revert "mac80211: support NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211_MAC_ADDRS" Message-ID: <20200225110018.GA7561@w1.fi> References: <20200224101910.b87da63a3cd6.Ic94bc51a370c4aa7d19fbca9b96d90ab703257dc@changeid> <53190ece697ab7d9e83fdd667eaf9e05a4418193.camel@sipsolutions.net> <6e723a78-db68-8ffb-986a-4a3961107f72@gmail.com> <1a56c641eaa03c99dc9a90208902d8bb1ca1b0aa.camel@sipsolutions.net> <048b81db-8e92-7fe0-1f5c-3b6f9ea1a1f1@gmail.com> <366b1599374240ef194bf7eb6e1e47a8b675f474.camel@sipsolutions.net> <978dab89-343a-3fc9-dbdb-7acf87d735ca@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <978dab89-343a-3fc9-dbdb-7acf87d735ca@gmail.com> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On Mon, Feb 24, 2020 at 01:35:51PM -0600, Denis Kenzior wrote: > But it seems like the benefits outweigh the drawbacks? At least we have > been super happy with how control port works for us. If you take the > pre-auth path away, I'm really not sure there's any point in (at least for > us) keeping support for the control port path. Do you use the control port for RX only or both TX and RX? The RX side is mostly harmless _if_ something filters unprotected RSN pre-authentication frames that are received between the association and the completion of 4-way handshake. That something would either need to be the specific user space application using the interface or potentially mac80211 with some special rules that are different between EAPOL and RSN pre-authentication ethertypes. For TX, the control port path will likely result in more problematic issues. I'd expect drivers to use higher priority and/or higher reliability for delivering the frames. That is justifiable for EAPOL frames, but unnecessary for RSN pre-authentication frames. Being able to bypass the port authorization control would be undesired from security view point. The key point for me here is the concept of authorized/unauthorized port for normal Data frames based on the IEEE 802.1X standard. Only the frames critical for the authentication service (establishing protected link with the current access point) are allowed to be transmitted and received while the port used for normal data is unauthorized. For IEEE 802.11, only the EAPOL frames are such Data frames that are needed before the port can be authorized. RSN pre-authentication frames are used to establish a new security association with a different access point once the port with the current AP is authorized. As such, RSN pre-authentication frames do not need to go through any special path from the protocol view point and in fact, it would be incorrect to allow them to be transmitted or received before the main port has been authorized. The IEEE 802.11 standard describes this with "communication of all non-IEEE-802.1X MSDUs sent or received" being authorized/not-authorized. MSDU is a reference to Data frames and "non-IEEE-802.1X" in this context to any ethertype other than the one defined in IEEE 802.1X (EAPOL). As a more specific example, the EAPOL frames are expected to be transmitted unencrypted during the initial 4-way handshake (and with some old IEEE 802.1X/WEP designs and some WPA(v1) implementation, even during rekeying). On the other hand, RSN pre-authentication frames are never supposed to go out unencrypted over the air (i.e., they must not be sent or received before the encryption key has been established for the link). The IEEE 802.11 standard describes this with "A STA shall not use preauthentication except when pairwise keys are employed" and "As preauthentication frames do not use the IEEE 802.1X EAPOL EtherType field, the AP with which the STA is currently associated need not apply any special handling. The AP and the MAC in the STA shall handle these frames in the same way as other frames with arbitrary EtherType field values that require distribution via the DS." I understand that there is a different view point for this from the kernel--user space interface side and it may indeed look more convenient to use the same path for both EAPOL and RSN pre-authentication frames from that view point. If that mechanism is used, it needs to be understood that the rules for EAPOL and RSN pre-authentication frames are different, though, and it is not clear where that difference is going to be enforced if the same interface path is used. -- Jouni Malinen PGP id EFC895FA