From: Hans Schultz <schultz.hans@gmail.com>
To: Florian Fainelli <f.fainelli@gmail.com>,
Hans Schultz <schultz.hans@gmail.com>,
davem@davemloft.net, kuba@kernel.org
Cc: Ivan Vecera <ivecera@redhat.com>, Andrew Lunn <andrew@lunn.ch>,
Jiri Pirko <jiri@resnulli.us>,
Daniel Borkmann <daniel@iogearbox.net>,
netdev@vger.kernel.org, Nikolay Aleksandrov <razor@blackwall.org>,
bridge@lists.linux-foundation.org, linux-kernel@vger.kernel.org,
Ido Schimmel <idosch@nvidia.com>, Roopa Prabhu <roopa@nvidia.com>,
Vladimir Oltean <olteanv@gmail.com>,
Vivien Didelot <vivien.didelot@gmail.com>
Subject: Re: [Bridge] [PATCH net-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)
Date: Thu, 17 Mar 2022 09:29:10 +0100 [thread overview]
Message-ID: <86o825htih.fsf@gmail.com> (raw)
In-Reply-To: <f9b3ecf5-c2a4-3a7a-5d19-1dbeae5acb69@gmail.com>
On ons, mar 16, 2022 at 17:18, Florian Fainelli <f.fainelli@gmail.com> wrote:
> On 3/10/2022 6:23 AM, Hans Schultz wrote:
>> This patch set extends the locked port feature for devices
>> that are behind a locked port, but do not have the ability to
>> authorize themselves as a supplicant using IEEE 802.1X.
>> Such devices can be printers, meters or anything related to
>> fixed installations. Instead of 802.1X authorization, devices
>> can get access based on their MAC addresses being whitelisted.
>>
>> For an authorization daemon to detect that a device is trying
>> to get access through a locked port, the bridge will add the
>> MAC address of the device to the FDB with a locked flag to it.
>> Thus the authorization daemon can catch the FDB add event and
>> check if the MAC address is in the whitelist and if so replace
>> the FDB entry without the locked flag enabled, and thus open
>> the port for the device.
>>
>> This feature is known as MAC-Auth or MAC Authentication Bypass
>> (MAB) in Cisco terminology, where the full MAB concept involves
>> additional Cisco infrastructure for authorization. There is no
>> real authentication process, as the MAC address of the device
>> is the only input the authorization daemon, in the general
>> case, has to base the decision if to unlock the port or not.
>>
>> With this patch set, an implementation of the offloaded case is
>> supplied for the mv88e6xxx driver. When a packet ingresses on
>> a locked port, an ATU miss violation event will occur. When
>> handling such ATU miss violation interrupts, the MAC address of
>> the device is added to the FDB with a zero destination port
>> vector (DPV) and the MAC address is communicated through the
>> switchdev layer to the bridge, so that a FDB entry with the
>> locked flag enabled can be added.
>
> FWIW, we may have about a 30% - 70% split between switches that will
> signal ATU violations over a side band interrupt, like mv88e6xxx will,
> and the rest will likely signal such events via the proprietary tag
> format.
I guess that the proprietary tag scheme a scenario where the packet can
be forwarded to the bridge module's ingress queue on the respective
port?
> --
> Florian
WARNING: multiple messages have this Message-ID (diff)
From: Hans Schultz <schultz.hans@gmail.com>
To: Florian Fainelli <f.fainelli@gmail.com>,
Hans Schultz <schultz.hans@gmail.com>,
davem@davemloft.net, kuba@kernel.org
Cc: netdev@vger.kernel.org, Andrew Lunn <andrew@lunn.ch>,
Vivien Didelot <vivien.didelot@gmail.com>,
Vladimir Oltean <olteanv@gmail.com>,
Jiri Pirko <jiri@resnulli.us>, Ivan Vecera <ivecera@redhat.com>,
Roopa Prabhu <roopa@nvidia.com>,
Nikolay Aleksandrov <razor@blackwall.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Ido Schimmel <idosch@nvidia.com>,
linux-kernel@vger.kernel.org, bridge@lists.linux-foundation.org
Subject: Re: [PATCH net-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB)
Date: Thu, 17 Mar 2022 09:29:10 +0100 [thread overview]
Message-ID: <86o825htih.fsf@gmail.com> (raw)
In-Reply-To: <f9b3ecf5-c2a4-3a7a-5d19-1dbeae5acb69@gmail.com>
On ons, mar 16, 2022 at 17:18, Florian Fainelli <f.fainelli@gmail.com> wrote:
> On 3/10/2022 6:23 AM, Hans Schultz wrote:
>> This patch set extends the locked port feature for devices
>> that are behind a locked port, but do not have the ability to
>> authorize themselves as a supplicant using IEEE 802.1X.
>> Such devices can be printers, meters or anything related to
>> fixed installations. Instead of 802.1X authorization, devices
>> can get access based on their MAC addresses being whitelisted.
>>
>> For an authorization daemon to detect that a device is trying
>> to get access through a locked port, the bridge will add the
>> MAC address of the device to the FDB with a locked flag to it.
>> Thus the authorization daemon can catch the FDB add event and
>> check if the MAC address is in the whitelist and if so replace
>> the FDB entry without the locked flag enabled, and thus open
>> the port for the device.
>>
>> This feature is known as MAC-Auth or MAC Authentication Bypass
>> (MAB) in Cisco terminology, where the full MAB concept involves
>> additional Cisco infrastructure for authorization. There is no
>> real authentication process, as the MAC address of the device
>> is the only input the authorization daemon, in the general
>> case, has to base the decision if to unlock the port or not.
>>
>> With this patch set, an implementation of the offloaded case is
>> supplied for the mv88e6xxx driver. When a packet ingresses on
>> a locked port, an ATU miss violation event will occur. When
>> handling such ATU miss violation interrupts, the MAC address of
>> the device is added to the FDB with a zero destination port
>> vector (DPV) and the MAC address is communicated through the
>> switchdev layer to the bridge, so that a FDB entry with the
>> locked flag enabled can be added.
>
> FWIW, we may have about a 30% - 70% split between switches that will
> signal ATU violations over a side band interrupt, like mv88e6xxx will,
> and the rest will likely signal such events via the proprietary tag
> format.
I guess that the proprietary tag scheme a scenario where the packet can
be forwarded to the bridge module's ingress queue on the respective
port?
> --
> Florian
next prev parent reply other threads:[~2022-03-17 8:29 UTC|newest]
Thread overview: 106+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-10 14:23 [Bridge] [PATCH net-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Hans Schultz
2022-03-10 14:23 ` Hans Schultz
2022-03-10 14:23 ` [Bridge] [PATCH net-next 1/3] net: bridge: add fdb flag to extent locked port feature Hans Schultz
2022-03-10 14:23 ` Hans Schultz
2022-03-10 14:42 ` [Bridge] " Nikolay Aleksandrov
2022-03-10 14:42 ` Nikolay Aleksandrov
2022-03-10 15:38 ` [Bridge] " Hans Schultz
2022-03-10 15:38 ` Hans Schultz
2022-03-10 15:57 ` [Bridge] " Nikolay Aleksandrov
2022-03-10 15:57 ` Nikolay Aleksandrov
2022-03-10 16:11 ` [Bridge] " Hans Schultz
2022-03-10 16:11 ` Hans Schultz
2022-03-10 16:14 ` [Bridge] " Nikolay Aleksandrov
2022-03-10 16:14 ` Nikolay Aleksandrov
2022-03-10 16:33 ` [Bridge] " Hans Schultz
2022-03-10 16:33 ` Hans Schultz
2022-03-14 15:30 ` [Bridge] " Ido Schimmel
2022-03-14 15:30 ` Ido Schimmel
2022-03-15 8:48 ` [Bridge] " Hans Schultz
2022-03-15 8:48 ` Hans Schultz
2022-03-15 11:00 ` [Bridge] " Ido Schimmel
2022-03-15 11:00 ` Ido Schimmel
2022-03-10 14:23 ` [Bridge] [PATCH net-next 2/3] net: switchdev: add support for offloading of fdb locked flag Hans Schultz
2022-03-10 14:23 ` Hans Schultz
2022-03-10 14:23 ` [Bridge] [PATCH net-next 3/3] net: dsa: mv88e6xxx: mac-auth/MAB implementation Hans Schultz
2022-03-10 14:23 ` Hans Schultz
2022-03-10 14:28 ` [Bridge] " Vladimir Oltean
2022-03-10 14:28 ` Vladimir Oltean
2022-03-10 15:00 ` [Bridge] " Hans Schultz
2022-03-10 15:00 ` Hans Schultz
2022-03-10 15:07 ` [Bridge] " Vladimir Oltean
2022-03-10 15:07 ` Vladimir Oltean
2022-03-10 15:51 ` [Bridge] " Hans Schultz
2022-03-10 15:51 ` Hans Schultz
2022-03-10 16:05 ` [Bridge] " Vladimir Oltean
2022-03-10 16:05 ` Vladimir Oltean
2022-03-10 16:40 ` [Bridge] " Hans Schultz
2022-03-10 16:40 ` Hans Schultz
2022-03-10 15:57 ` [Bridge] " Hans Schultz
2022-03-10 15:57 ` Hans Schultz
2022-03-14 10:46 ` [Bridge] " Hans Schultz
2022-03-14 10:46 ` Hans Schultz
2022-03-16 23:34 ` [Bridge] " Vladimir Oltean
2022-03-16 23:34 ` Vladimir Oltean
2022-03-17 8:52 ` [Bridge] " Hans Schultz
2022-03-17 8:52 ` Hans Schultz
2022-03-17 14:19 ` [Bridge] " Andrew Lunn
2022-03-17 14:19 ` Andrew Lunn
2022-03-17 15:36 ` [Bridge] " Vladimir Oltean
2022-03-17 15:36 ` Vladimir Oltean
2022-03-17 16:07 ` [Bridge] " Hans Schultz
2022-03-17 16:07 ` Hans Schultz
2022-03-17 16:18 ` [Bridge] " Vladimir Oltean
2022-03-17 16:18 ` Vladimir Oltean
2022-03-17 16:58 ` [Bridge] " Hans Schultz
2022-03-17 16:58 ` Hans Schultz
2022-03-17 17:20 ` [Bridge] " Vladimir Oltean
2022-03-17 17:20 ` Vladimir Oltean
2022-03-18 10:04 ` [Bridge] " Hans Schultz
2022-03-18 10:04 ` Hans Schultz
2022-03-18 12:14 ` [Bridge] " Vladimir Oltean
2022-03-18 12:14 ` Vladimir Oltean
2022-03-18 13:10 ` [Bridge] " Hans Schultz
2022-03-18 13:10 ` Hans Schultz
2022-03-18 13:19 ` [Bridge] " Vladimir Oltean
2022-03-18 13:19 ` Vladimir Oltean
2022-03-22 11:01 ` [Bridge] " Hans Schultz
2022-03-22 11:01 ` Hans Schultz
2022-03-22 11:08 ` [Bridge] " Vladimir Oltean
2022-03-22 11:08 ` Vladimir Oltean
2022-03-22 13:21 ` [Bridge] " Hans Schultz
2022-03-22 13:21 ` Hans Schultz
2022-03-22 14:47 ` [Bridge] " Hans Schultz
2022-03-22 14:47 ` Hans Schultz
2022-03-23 10:13 ` [Bridge] " Hans Schultz
2022-03-23 10:13 ` Hans Schultz
2022-03-23 10:16 ` [Bridge] " Vladimir Oltean
2022-03-23 10:16 ` Vladimir Oltean
2022-03-23 10:46 ` [Bridge] " Hans Schultz
2022-03-23 10:46 ` Hans Schultz
2022-03-23 10:57 ` [Bridge] " Hans Schultz
2022-03-23 10:57 ` Hans Schultz
2022-03-23 11:21 ` [Bridge] " Vladimir Oltean
2022-03-23 11:21 ` Vladimir Oltean
2022-03-23 11:43 ` [Bridge] " Hans Schultz
2022-03-23 11:43 ` Hans Schultz
2022-03-23 11:54 ` [Bridge] " Vladimir Oltean
2022-03-23 11:54 ` Vladimir Oltean
2022-03-21 14:51 ` [Bridge] " Hans Schultz
2022-03-21 14:51 ` Hans Schultz
2022-03-10 14:54 ` [Bridge] " Andrew Lunn
2022-03-10 14:54 ` Andrew Lunn
2022-03-11 7:59 ` [Bridge] " Hans Schultz
2022-03-11 7:59 ` Hans Schultz
2022-03-14 15:50 ` [Bridge] [PATCH net-next 0/3] Extend locked port feature with FDB locked flag (MAC-Auth/MAB) Ido Schimmel
2022-03-14 15:50 ` Ido Schimmel
2022-03-15 8:59 ` [Bridge] " Hans Schultz
2022-03-15 8:59 ` Hans Schultz
2022-03-15 11:11 ` [Bridge] " Ido Schimmel
2022-03-15 11:11 ` Ido Schimmel
2022-03-17 0:18 ` [Bridge] " Florian Fainelli
2022-03-17 0:18 ` Florian Fainelli
2022-03-17 8:29 ` Hans Schultz [this message]
2022-03-17 8:29 ` Hans Schultz
2022-03-17 18:42 ` [Bridge] " Vladimir Oltean
2022-03-17 18:42 ` Vladimir Oltean
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86o825htih.fsf@gmail.com \
--to=schultz.hans@gmail.com \
--cc=andrew@lunn.ch \
--cc=bridge@lists.linux-foundation.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=f.fainelli@gmail.com \
--cc=idosch@nvidia.com \
--cc=ivecera@redhat.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=olteanv@gmail.com \
--cc=razor@blackwall.org \
--cc=roopa@nvidia.com \
--cc=vivien.didelot@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.