Re: [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support

[RFC PATCH net-next 00/16] bridge: Add MAC Authentication Bypass (MAB) support with offload · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
[RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
Re: [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support · Nikolay Aleksandrov <razor@blackwall.org> · 2022-10-25
Re: [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support · Vladimir Oltean <vladimir.oltean@nxp.com> · 2022-10-27
Re: [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support · <hidden> · 2022-10-28
Re: [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support · Ido Schimmel <idosch@nvidia.com> · 2022-10-30
Re: [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support · Ido Schimmel <idosch@nvidia.com> · 2022-10-30
Re: [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support · <hidden> · 2022-10-30
Re: [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support · Ido Schimmel <idosch@nvidia.com> · 2022-10-31
Re: [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support · <hidden> · 2022-10-31
[RFC PATCH net-next 02/16] selftests: forwarding: Add MAC Authentication Bypass (MAB) test cases · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
[RFC PATCH net-next 03/16] bridge: switchdev: Let device drivers determine FDB offload indication · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
Re: [RFC PATCH net-next 03/16] bridge: switchdev: Let device drivers determine FDB offload indication · Vladimir Oltean <vladimir.oltean@nxp.com> · 2022-10-27
Re: [RFC PATCH net-next 03/16] bridge: switchdev: Let device drivers determine FDB offload indication · Ido Schimmel <idosch@nvidia.com> · 2022-10-30
[RFC PATCH net-next 04/16] bridge: switchdev: Allow device drivers to install locked FDB entries · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
Re: [RFC PATCH net-next 04/16] bridge: switchdev: Allow device drivers to install locked FDB entries · Nikolay Aleksandrov <razor@blackwall.org> · 2022-10-25
Re: [RFC PATCH net-next 04/16] bridge: switchdev: Allow device drivers to install locked FDB entries · Vladimir Oltean <vladimir.oltean@nxp.com> · 2022-10-27
Re: [RFC PATCH net-next 04/16] bridge: switchdev: Allow device drivers to install locked FDB entries · Ido Schimmel <idosch@nvidia.com> · 2022-10-30
[RFC PATCH net-next 05/16] devlink: Add packet traps for 802.1X operation · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
[RFC PATCH net-next 06/16] mlxsw: spectrum_trap: Register 802.1X packet traps with devlink · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
[RFC PATCH net-next 07/16] mlxsw: reg: Add Switch Port FDB Security Register · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
[RFC PATCH net-next 08/16] mlxsw: spectrum: Add an API to configure security checks · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
[RFC PATCH net-next 09/16] mlxsw: spectrum_switchdev: Prepare for locked FDB notifications · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
[RFC PATCH net-next 10/16] mlxsw: spectrum_switchdev: Add support for locked FDB notifications · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
Re: [RFC PATCH net-next 10/16] mlxsw: spectrum_switchdev: Add support for locked FDB notifications · Vladimir Oltean <vladimir.oltean@nxp.com> · 2022-10-27
Re: [RFC PATCH net-next 10/16] mlxsw: spectrum_switchdev: Add support for locked FDB notifications · Ido Schimmel <idosch@nvidia.com> · 2022-10-30
Re: [RFC PATCH net-next 10/16] mlxsw: spectrum_switchdev: Add support for locked FDB notifications · Vladimir Oltean <vladimir.oltean@nxp.com> · 2022-10-31
Re: [RFC PATCH net-next 10/16] mlxsw: spectrum_switchdev: Add support for locked FDB notifications · Vladimir Oltean <vladimir.oltean@nxp.com> · 2022-11-03
Re: [RFC PATCH net-next 10/16] mlxsw: spectrum_switchdev: Add support for locked FDB notifications · Ido Schimmel <idosch@nvidia.com> · 2022-11-03
Re: [RFC PATCH net-next 10/16] mlxsw: spectrum_switchdev: Add support for locked FDB notifications · Vladimir Oltean <vladimir.oltean@nxp.com> · 2022-11-03
[RFC PATCH net-next 11/16] mlxsw: spectrum_switchdev: Use extack in bridge port flag validation · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
[RFC PATCH net-next 12/16] mlxsw: spectrum_switchdev: Add locked bridge port support · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
[RFC PATCH net-next 13/16] selftests: devlink_lib: Split out helper · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
[RFC PATCH net-next 14/16] selftests: mlxsw: Add a test for EAPOL trap · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
[RFC PATCH net-next 15/16] selftests: mlxsw: Add a test for locked port trap · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
[RFC PATCH net-next 16/16] selftests: mlxsw: Add a test for invalid locked bridge port configurations · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
Re: [RFC PATCH net-next 00/16] bridge: Add MAC Authentication Bypass (MAB) support with offload · <hidden> · 2022-10-25
Re: [RFC PATCH net-next 00/16] bridge: Add MAC Authentication Bypass (MAB) support with offload · Ido Schimmel <idosch@nvidia.com> · 2022-10-25
Re: [RFC PATCH net-next 00/16] bridge: Add MAC Authentication Bypass (MAB) support with offload · Vladimir Oltean <vladimir.oltean@nxp.com> · 2022-10-27
Re: [RFC PATCH net-next 00/16] bridge: Add MAC Authentication Bypass (MAB) support with offload · <hidden> · 2022-11-06
Re: [RFC PATCH net-next 00/16] bridge: Add MAC Authentication Bypass (MAB) support with offload · Ido Schimmel <idosch@nvidia.com> · 2022-11-06

From: <hidden>
Date: 2022-10-28 07:46:16
Also in: bridge

On 2022-10-28 00:58, Vladimir Oltean wrote:

I was going to ask if we should bother to add code to prohibit packets
from being forwarded to an FDB entry that was learned as LOCKED, since
that FDB entry is more of a "ghost" and not something fully committed?

I think that it is a security flaw if there is any forwarding to 
BR_FDB_LOCKED
entries. I can imagine a host behind a locked port with no credentials,
that gets a BR_FDB_LOCKED entry and has a friend on another non-locked 
port
who can now communicate uni-directional to the host with the 
BR_FDB_LOCKED
entry. It should not be too hard to create a scheme using UDP packets or
other for that.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help