Re: [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support
From: Nikolay Aleksandrov <razor@blackwall.org>
Date: 2022-10-25 11:00:43
Also in:
bridge
On 25/10/2022 13:00, Ido Schimmel wrote:
From: "Hans J. Schultz" <redacted>
Hosts that support 802.1X authentication are able to authenticate
themselves by exchanging EAPOL frames with an authenticator (Ethernet
bridge, in this case) and an authentication server. Access to the
network is only granted by the authenticator to successfully
authenticated hosts.
The above is implemented in the bridge using the "locked" bridge port
option. When enabled, link-local frames (e.g., EAPOL) can be locally
received by the bridge, but all other frames are dropped unless the host
is authenticated. That is, unless the user space control plane installed
an FDB entry according to which the source address of the frame is
located behind the locked ingress port. The entry can be dynamic, in
which case learning needs to be enabled so that the entry will be
refreshed by incoming traffic.
There are deployments in which not all the devices connected to the
authenticator (the bridge) support 802.1X. Such devices can include
printers and cameras. One option to support such deployments is to
unlock the bridge ports connecting these devices, but a slightly more
secure option is to use MAB. When MAB is enabled, the MAC address of the
connected device is used as the user name and password for the
authentication.
For MAB to work, the user space control plane needs to be notified about
MAC addresses that are trying to gain access so that they will be
compared against an allow list. This can be implemented via the regular
learning process with the following differences:
1. Learned FDB entries are installed with a new "locked" flag indicating
that the entry cannot be used to authenticate the device. The flag
cannot be set by user space, but user space can clear the flag by
replacing the entry, thereby authenticating the device.
2. FDB entries cannot roam to locked ports to prevent unauthenticated
devices from disrupting traffic destined to already authenticated
devices.
Enable this behavior using a new bridge port option called "mab". It can
only be enabled on a bridge port that is both locked and has learning
enabled. A new option is added because there are pure 802.1X deployments
that are not interested in notifications about "locked" FDB entries.
Signed-off-by: Hans J. Schultz <redacted>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
Notes:
Changes made by me:
* Reword commit message.
* Reword comment regarding 'NTF_EXT_LOCKED'.
* Use extack in br_fdb_add().
* Forbid MAB when learning is disabled.
include/linux/if_bridge.h | 1 +
include/uapi/linux/if_link.h | 1 +
include/uapi/linux/neighbour.h | 8 +++++++-
net/bridge/br_fdb.c | 24 ++++++++++++++++++++++++
net/bridge/br_input.c | 15 +++++++++++++--
net/bridge/br_netlink.c | 13 ++++++++++++-
net/bridge/br_private.h | 3 ++-
net/core/rtnetlink.c | 5 +++++
8 files changed, 65 insertions(+), 5 deletions(-)Thanks for finalizing this, the patch looks good to me. Acked-by: Nikolay Aleksandrov <razor@blackwall.org> Thanks, Nik