On Wed, Oct 23, 2024 at 05:35:03PM +0100, Tim Small wrote:
> wpa_supplicant previously hard-coded the destination MAC address for
> EAPOL packets to 01:80:c2:00:00:03 (the "PAE Group Address"). The PAE
> Group Address continues to be the default value for the newly introduced
> wpa_supplicant per-network eapol_dest_addr configuration setting, but
> alternative multicast addresses (e.g. 01:80:c2:00:00:1f - the "EDE-CC
> PEP Address") can now be specified so that outgoing packets can reach
> the desired destination station(s) in a wider variety of operating
> environments.
>
> For example third party ISP switches providing layer 2 forwarding
> services to a customer should filter or terminate packets which use the
> PAE Group Address according to 802.1D ("Ethernet MAC bridges"). This
> will effectively prevent a customer creating their own secure 802.1X +
> MACsec links atop the ISP-provided layer 2 network. The same ISP
> switches should instead forward packets which use the ECE-CC PEP Address
> (or a variety of other multicast addresses which may be better suited to
> the particular usage scenario).
> ---

This needs a Signed-off-by: line (similarly to the one that was included
in patch 1/2).

>  src/ap/ap_config.h           |  1 +
>  src/ap/wpa_auth_kay.c        |  1 +
>  src/common/ieee802_1x_defs.h |  8 ++++++
>  src/pae/ieee802_1x_kay.c     | 12 ++++-----
>  src/pae/ieee802_1x_kay.h     |  5 +++-
>  wpa_supplicant/config.c      | 51 ++++++++++++++++++++++++++++++++++++
>  wpa_supplicant/config_ssid.h | 11 ++++++++
>  wpa_supplicant/wpas_kay.c    |  1 +
>  8 files changed, 83 insertions(+), 7 deletions(-)

This misses hostapd/config_file.c and hostapd/hostapd.conf changes to
match this change in src/ap/ap_config.h:

> diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
> @@ -301,6 +301,7 @@ struct hostapd_bss_config {
> + u8 eapol_dest_addr[ETH_ALEN];

I.e., this new configuration parameter needs to be actually filled in
based on hostapd configuration.
> diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
> @@ -2549,6 +2598,7 @@ static const struct parse_data ssid_fields[] = {
> + { FUNC(eapol_dest_addr) },

This covers parsing of the new wpa_supplicant network profile parameter,
but writing it to a configuration file on update needs to be covered in
wpa_supplicant/config_file.c, wpa_config_write_network().

> diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
> @@ -418,6 +418,17 @@ struct wpa_ssid {
> */
> unsigned int eap_workaround;
>
> + /**
> + * eapol_dest_addr - mac addr for EAPOL packets (802.11AE-2018+ etc.)
> + * EAPOL packets may have their destination MAC address set to any
> + * non-individual (i.g. multi-cast) address, including the ethernet
> + * broadcast address (ff:ff:ff:ff:ff:ff). Choice of destination
> + * address is dictated by which types of entity (should) filter them
> + * out vs. act on their contents vs. relay them.
> + * See 802.11X-2020 Table 11-1
> + */
> + u8 eapol_dest_addr[ETH_ALEN];
> +
> #endif /* IEEE8021X_EAPOL */

It would probably make more sense to add this configuration parameter in
the same CONFIG_MACSEC block as all the other MACsec/MKA parameters
instead of IEEE8021X_EAPOL which is shared with Wi-Fi use cases.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
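Review bot: nothing in the src/ap/ap_config.h hunk gives the new `u8 eapol_dest_addr[ETH_ALEN];` field in struct hostapd_bss_config a default, so a hostapd BSS that does not set the parameter would be left with an all-zero destination address. The commit message says the PAE Group Address remains the default; suggest filling the field with 01:80:c2:00:00:03 wherever hostapd initialises its BSS defaults, in addition to the hostapd/config_file.c and hostapd.conf parsing that is already requested above.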
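Review bot: the `{ FUNC(eapol_dest_addr) }` entry added to ssid_fields in wpa_supplicant/config.c registers a parser whose body is not in the quoted hunk, but the config_ssid.h comment restricts valid values to non-individual (group) addresses, so that parser should reject any value whose I/G bit (least significant bit of the first octet) is clear instead of accepting an arbitrary MAC address; the same check belongs in whatever hostapd-side parser is added for the field.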
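Review bot: the doc comment in the wpa_supplicant/config_ssid.h hunk has typos that will end up in the generated documentation: `i.g.` should be `e.g.`, and `802.11AE-2018` and `802.11X-2020` should read `802.1AE-2018` and `802.1X-2020` (MACsec and port-based access control are 802.1 standards, not 802.11). `mac addr`, `multi-cast` and `ethernet` would read better as `MAC address`, `multicast` and `Ethernet`.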
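The commit message quoted above turns on a single property of the chosen destination address: whether a standards-conforming 802.1D bridge relays or filters it. The following is an added example, not code from the hostap patch or project, and every function name in it is this example's own. It validates a configured eapol_dest_addr the way a config parser could (defaulting to the PAE Group Address when unset and rejecting individual addresses, whose I/G bit is clear) and reports whether frames to that address cross an 802.1D bridge, using the reserved block 01-80-C2-00-00-00 through 01-80-C2-00-00-0F from 802.1D-2004 Table 7-10 that bridges must not forward.

```c
/*
 * Added example, not part of the hostap patch under review: validate a
 * configured eapol_dest_addr value, fall back to the PAE Group Address
 * when it is unset, and report whether a conforming 802.1D bridge would
 * relay frames sent to it. All function names are this example's own.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6

/* 01:80:c2:00:00:03, the PAE Group Address: wpa_supplicant's default. */
static const uint8_t pae_group_addr[ETH_ALEN] = {
	0x01, 0x80, 0xc2, 0x00, 0x00, 0x03
};

static int hexval(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1; /* also rejects '\0', so a truncated string fails */
}

/* Parse "xx:xx:xx:xx:xx:xx" (':' or '-' separators); 0 on success, -1 on error. */
int parse_mac(const char *s, uint8_t out[ETH_ALEN])
{
	int i;

	for (i = 0; i < ETH_ALEN; i++) {
		int hi = hexval(s[0]);
		int lo;

		if (hi < 0)
			return -1;
		lo = hexval(s[1]);
		if (lo < 0)
			return -1;
		out[i] = (uint8_t) ((hi << 4) | lo);
		s += 2;
		if (i < ETH_ALEN - 1) {
			if (*s != ':' && *s != '-')
				return -1;
			s++;
		}
	}
	return *s == '\0' ? 0 : -1; /* trailing garbage is an error */
}

/* I/G bit (least significant bit of the first octet) set => group address. */
bool is_group_addr(const uint8_t a[ETH_ALEN])
{
	return (a[0] & 0x01) != 0;
}

/*
 * 802.1D-2004 Table 7-10 reserves 01-80-C2-00-00-00 .. 01-80-C2-00-00-0F;
 * a conforming MAC bridge must not relay frames sent to them. The PAE
 * Group Address is inside this range, 01:80:c2:00:00:1f is outside it.
 */
bool bridge_relays(const uint8_t a[ETH_ALEN])
{
	static const uint8_t reserved_prefix[5] = { 0x01, 0x80, 0xc2, 0x00, 0x00 };

	return !(memcmp(a, reserved_prefix, sizeof(reserved_prefix)) == 0 &&
		 a[5] <= 0x0f);
}

/*
 * Resolve a configured value into a destination address. NULL or ""
 * selects the PAE Group Address default. Returns 0 on success and -1
 * for an unparsable or individual (unicast) address.
 */
int resolve_eapol_dest_addr(const char *cfg, uint8_t out[ETH_ALEN])
{
	uint8_t tmp[ETH_ALEN];

	if (cfg == NULL || *cfg == '\0') {
		memcpy(out, pae_group_addr, ETH_ALEN);
		return 0;
	}
	if (parse_mac(cfg, tmp) < 0 || !is_group_addr(tmp))
		return -1;
	memcpy(out, tmp, ETH_ALEN);
	return 0;
}

/* -1: invalid; 0: valid but filtered by 802.1D bridges; 1: valid and relayed. */
int check_eapol_dest_addr(const char *cfg)
{
	uint8_t addr[ETH_ALEN];

	if (resolve_eapol_dest_addr(cfg, addr) < 0)
		return -1;
	return bridge_relays(addr) ? 1 : 0;
}

int main(void)
{
	/* Constructed sample values, including the two from the commit message. */
	const char *samples[] = {
		NULL, "01:80:c2:00:00:1f", "ff:ff:ff:ff:ff:ff",
		"00:11:22:33:44:55", "01:80:c2:00:00"
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int r = check_eapol_dest_addr(samples[i]);

		printf("%-20s -> %s\n", samples[i] ? samples[i] : "(unset)",
		       r < 0 ? "rejected" :
		       r == 0 ? "ok, not relayed by 802.1D bridges" :
		       "ok, relayed by 802.1D bridges");
	}
	return 0;
}
```

The relay check is the practical test behind the commit message's scenario: the default 01:80:c2:00:00:03 sits inside the range a bridge must not forward, while 01:80:c2:00:00:1f and the broadcast address lie outside it, and a unicast value such as 00:11:22:33:44:55 is refused outright because EAPOL destinations must be group addresses.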