From: Johannes Berg <johannes@sipsolutions.net>
To: Michael Braun <michael.braun@fem.tu-ilmenau.de>
Cc: kvalo@codeaurora.org, akarwar@marvell.com, nishants@marvell.com,
Larry.Finger@lwfinger.net, Jes.Sorensen@redhat.com,
linux-wireless@vger.kernel.org, projekt-wlan@fem.tu-ilmenau.de
Subject: Re: [PATCHv3] wireless: check A-MSDU inner frame source address on AP interfaces
Date: Tue, 04 Oct 2016 10:29:19 +0200 [thread overview]
Message-ID: <1475569759.5324.22.camel@sipsolutions.net> (raw)
In-Reply-To: <f9d33317-f23f-9d5e-8e9e-1e63eff1882a@fem.tu-ilmenau.de>
> > First of all - there's nothing specific to "AP interfaces", which
> > you say in the subject, as far as I can tell? That should be
> > removed?
>
> >
> > >
> > > if (unlikely(ta &&
> > > + (iftype == NL80211_IFTYPE_AP ||
> > > + iftype == NL80211_IFTYPE_AP_VLAN)
> > > &&
> > > + !ether_addr_equal(ta, eth.h_source)
> > > + ))
> > > + goto purge;
>
> So the A-MSDU packets are only dropped if received by an interface in
> AP or AP_VLAN mode, not on client side, as my original issue was
> about arp/ip filters being circumvented on AP side.
D'oh. Not paying attention, I guess.
Nevertheless, why should this be conditional on the interface type? It
seems to me that we should apply this to any type? What if, for
example, another BSS client sends an A-MSDU encrypted with the GTK and
then fakes something inside that way? We verify today that only
multicast frames can be encrypted with the GTK, but that applies to the
outer header, so we're susceptible to a variant of the hole-196 attack,
afaict?
> > > IEEE 802.11-2012 mandates that the outer source mac address
> > > should match the inner source address (section 8.3.2.2). For the
> > > destination mac address, matching is not required (section
> > > 10.23.15).
> >
> > I think this is wrong. As we do not support DMS (yet), we should
> > adhere to 8.3.2.2 and only accept matching TA/SA and DA/RA.
>
> IEEE 802.11-2012 8.3.2.2 contains the note "NOTE—It is possible to
> have different DA and SA parameter values in A-MSDU subframe headers
> of the same A-MSDU as long as they all map to the same Address 1 and
> Address 2 parameter values."
>
> I conclude that embedding multicast in unicast A-MSDU frames is
> generally allowed, because "mapping" does not mean "be identical".
Yeah, I saw this. It's not clear to me that they intended this wording
to be about multicast though. I'm not really sure what they had in mind
here, but there's an exception for multicast for DMS, which would seem
pointless if they had intended this "mapping" to be about multicast.
Then again, I don't know of any "address mapping" service or the like
in the spec either.
johannes
next prev parent reply other threads:[~2016-10-04 8:29 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-28 15:14 [PATCHv3] wireless: check A-MSDU inner frame source address on AP interfaces Michael Braun
2016-09-28 15:19 ` Jes Sorensen
2016-09-28 15:32 ` Johannes Berg
2016-09-28 15:39 ` Jes Sorensen
2016-09-28 15:42 ` Johannes Berg
2016-09-28 17:22 ` Jes Sorensen
2016-09-28 22:10 ` Johannes Berg
2016-09-30 10:01 ` Johannes Berg
2016-10-03 10:44 ` Michael Braun
2016-10-04 8:29 ` Johannes Berg [this message]
2016-10-04 8:36 ` Johannes Berg
2016-10-04 21:12 ` M. Braun
2016-10-05 8:14 ` Johannes Berg
2016-10-04 21:57 ` M. Braun
2016-10-05 4:17 ` M. Braun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1475569759.5324.22.camel@sipsolutions.net \
--to=johannes@sipsolutions.net \
--cc=Jes.Sorensen@redhat.com \
--cc=Larry.Finger@lwfinger.net \
--cc=akarwar@marvell.com \
--cc=kvalo@codeaurora.org \
--cc=linux-wireless@vger.kernel.org \
--cc=michael.braun@fem.tu-ilmenau.de \
--cc=nishants@marvell.com \
--cc=projekt-wlan@fem.tu-ilmenau.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.