On Thu, 2007-09-27 at 18:39 -0700, Jouni Malinen wrote:
> On Wed, Sep 26, 2007 at 09:39:54AM +0200, Johannes Berg wrote:
>
> > So any STA can actually send EAPOL frames with an arbitrary destination
> > MAC address except our own into our 802.3 interface. Hence, it looks
> > like the first case above is only for having eapol on mgmt iface.
>
> EAPOL ethertype is not supposed to be bridged, so it would be perfectly
> fine dropping these wherever it is most convenient to do.

Not sure I understand. If it's not supposed to be bridged then I hope the
bridging code knows about this. Otherwise, we can fix it. But I don't
understand the second part of your sentence, I was actually proposing not
doing anything special to EAPOL packets at all except accepting them
unencrypted.

> > The only problem I see with not doing this is that hostapd will have to
> > listen for EAPOL frames on all VLAN interfaces but I suppose that is
> > doable.
>
> That's fine. This should be doable with just one packet socket that is
> not bound to any interface or alternatively with multiple sockets (one
> per interface).

Good point.

> I wouldn't be too concerned about the extra cost here as
> long as the other EAPOL related silliness (e.g., the difference in
> encryption of re-keying packets in 802.1X with dynamic WEP vs. WPA).

That sentence seems unfinished?

johannes
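
The single unbound packet socket mentioned in the thread above, sketched for Linux as an added example; it is not code from this message, from hostapd or from mac80211. The function names are hypothetical, and the receiver reports the ingress ifindex so that frames arriving on different VLAN interfaces can be told apart.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>   /* ETH_P_PAE (0x888E), ETH_ALEN */
#include <linux/if_packet.h>  /* struct sockaddr_ll */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* No bind(): the kernel delivers ETH_P_PAE frames from every interface.
 * SOCK_DGRAM strips the link-layer header. Requires CAP_NET_RAW. */
int eapol_open_unbound(void)
{
    return socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_PAE));
}

/* Check the 4-byte EAPOL header (version, type, 16-bit big-endian body
 * length). Returns the body length, or -1 if the frame is truncated. */
int eapol_body_len(const uint8_t *buf, size_t len)
{
    if (len < 4)
        return -1;
    size_t body = ((size_t)buf[2] << 8) | buf[3];
    return body > len - 4 ? -1 : (int)body;  /* trailing padding is allowed */
}

/* Receive one frame; *ifindex is the interface it arrived on, src the sender. */
int eapol_recv(int fd, uint8_t *buf, size_t cap, int *ifindex, uint8_t src[ETH_ALEN])
{
    struct sockaddr_ll from;
    socklen_t flen = sizeof(from);
    ssize_t n = recvfrom(fd, buf, cap, 0, (struct sockaddr *)&from, &flen);
    if (n < 0)
        return -1;
    *ifindex = from.sll_ifindex;
    memcpy(src, from.sll_addr, ETH_ALEN);
    return (int)n;
}

int main(void)
{
    uint8_t buf[2048], src[ETH_ALEN];
    int ifindex, n, fd = eapol_open_unbound();
    if (fd < 0) { perror("socket"); return 1; }
    while ((n = eapol_recv(fd, buf, sizeof(buf), &ifindex, src)) >= 0)
        if (eapol_body_len(buf, (size_t)n) >= 0)
            printf("EAPOL type %d on ifindex %d\n", buf[1], ifindex);
    close(fd);
    return 0;
}
```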