Re: [PATCH iproute2-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 10/03/2022 15:36, Hans Schultz wrote:
This patch set extends the locked port feature for devices
that are behind a locked port, but do not have the ability to
authorize themselves as a supplicant using IEEE 802.1X.
Such devices can be printers, meters or anything related to
fixed installations. Instead of 802.1X authorization, devices
can get access based on their MAC addresses being whitelisted.

For an authorization daemon to detect that a device is trying
to get access through a locked port, the bridge will add the
MAC address of the device to the FDB with a locked flag to it.
Thus the authorization daemon can catch the FDB add event and
check if the MAC address is in the whitelist and if so replace
the FDB entry without the locked flag enabled, and thus open
the port for the device.

This feature is known as MAC-Auth or MAC Authentication Bypass
(MAB) in Cisco terminology, where the full MAB concept involves
additional Cisco infrastructure for authorization. There is no
real authentication process, as the MAC address of the device
is the only input the authorization daemon, in the general
case, has to base the decision if to unlock the port or not.

With this patch set, an implementation of the offloaded case is
supplied for the mv88e6xxx driver. When a packet ingresses on
a locked port, an ATU miss violation event will occur. When
handling such ATU miss violation interrupts, the MAC address of
the device is added to the FDB with a zero destination port
vector (DPV) and the MAC address is communicated through the
switchdev layer to the bridge, so that a FDB entry with the
locked flag enabled can be added.

Hans Schultz (3):
   net: bridge: add fdb flag to extent locked port feature
   net: switchdev: add support for offloading of fdb locked flag
   net: dsa: mv88e6xxx: mac-auth/MAB implementation

  drivers/net/dsa/mv88e6xxx/Makefile            |  1 +
  drivers/net/dsa/mv88e6xxx/chip.c              | 10 +--
  drivers/net/dsa/mv88e6xxx/chip.h              |  5 ++
  drivers/net/dsa/mv88e6xxx/global1.h           |  1 +
  drivers/net/dsa/mv88e6xxx/global1_atu.c       | 29 +++++++-
  .../net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c   | 67 +++++++++++++++++++
  .../net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h   | 20 ++++++
  drivers/net/dsa/mv88e6xxx/port.c              | 11 +++
  drivers/net/dsa/mv88e6xxx/port.h              |  1 +
  include/net/switchdev.h                       |  3 +-
  include/uapi/linux/neighbour.h                |  1 +
  net/bridge/br.c                               |  3 +-
  net/bridge/br_fdb.c                           | 13 +++-
  net/bridge/br_input.c                         | 11 ++-
  net/bridge/br_private.h                       |  5 +-
  15 files changed, 167 insertions(+), 14 deletions(-)
  create mode 100644 drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.c
  create mode 100644 drivers/net/dsa/mv88e6xxx/mv88e6xxx_switchdev.h


This doesn't look like an iproute2 patch-set. I think you've messed the target
in the subject.




[Index of Archives]     [Netdev]     [AoE Tools]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]     [Video 4 Linux]

  Powered by Linux