From: netdev@kapio-technology.com
To: Vladimir Oltean <vladimir.oltean@nxp.com>
Cc: petrm@nvidia.com, ivecera@redhat.com,
Ido Schimmel <idosch@nvidia.com>,
razor@blackwall.org, bridge@lists.linux-foundation.org,
roopa@nvidia.com, edumazet@google.com, mlxsw@nvidia.com,
jiri@nvidia.com, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, davem@davemloft.net
Subject: Re: [Bridge] [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support
Date: Fri, 28 Oct 2022 09:45:52 +0200 [thread overview]
Message-ID: <1a66212fdb43fb8d03fc1e4c7612ad1b@kapio-technology.com> (raw)
In-Reply-To: <20221027225832.2yg4ljivjymuj353@skbuf>
On 2022-10-28 00:58, Vladimir Oltean wrote:
> I was going to ask if we should bother to add code to prohibit packets
> from being forwarded to an FDB entry that was learned as LOCKED, since
> that FDB entry is more of a "ghost" and not something fully committed?
I think that it is a security flaw if there is any forwarding to
BR_FDB_LOCKED
entries. I can imagine a host behind a locked port with no credentials,
that gets a BR_FDB_LOCKED entry and has a friend on another non-locked
port
who can now communicate uni-directional to the host with the
BR_FDB_LOCKED
entry. It should not be too hard to create a scheme using UDP packets or
other for that.
next prev parent reply other threads:[~2022-10-28 7:45 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-25 10:00 [Bridge] [RFC PATCH net-next 00/16] bridge: Add MAC Authentication Bypass (MAB) support with offload Ido Schimmel
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 01/16] bridge: Add MAC Authentication Bypass (MAB) support Ido Schimmel
2022-10-25 11:00 ` Nikolay Aleksandrov
2022-10-27 22:58 ` Vladimir Oltean
2022-10-28 7:45 ` netdev [this message]
2022-10-30 12:59 ` Ido Schimmel
2022-10-30 12:48 ` Ido Schimmel
2022-10-30 22:09 ` netdev
2022-10-31 14:43 ` Ido Schimmel
2022-10-31 16:40 ` netdev
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 02/16] selftests: forwarding: Add MAC Authentication Bypass (MAB) test cases Ido Schimmel
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 03/16] bridge: switchdev: Let device drivers determine FDB offload indication Ido Schimmel
2022-10-27 23:10 ` Vladimir Oltean
2022-10-30 9:25 ` Ido Schimmel
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 04/16] bridge: switchdev: Allow device drivers to install locked FDB entries Ido Schimmel
2022-10-25 11:03 ` Nikolay Aleksandrov
2022-10-27 23:27 ` Vladimir Oltean
2022-10-30 13:38 ` Ido Schimmel
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 05/16] devlink: Add packet traps for 802.1X operation Ido Schimmel
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 06/16] mlxsw: spectrum_trap: Register 802.1X packet traps with devlink Ido Schimmel
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 07/16] mlxsw: reg: Add Switch Port FDB Security Register Ido Schimmel
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 08/16] mlxsw: spectrum: Add an API to configure security checks Ido Schimmel
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 09/16] mlxsw: spectrum_switchdev: Prepare for locked FDB notifications Ido Schimmel
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 10/16] mlxsw: spectrum_switchdev: Add support " Ido Schimmel
2022-10-27 23:39 ` Vladimir Oltean
2022-10-30 8:23 ` Ido Schimmel
2022-10-31 8:32 ` Vladimir Oltean
2022-11-03 22:31 ` Vladimir Oltean
2022-11-03 22:54 ` Ido Schimmel
2022-11-03 23:03 ` Vladimir Oltean
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 11/16] mlxsw: spectrum_switchdev: Use extack in bridge port flag validation Ido Schimmel
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 12/16] mlxsw: spectrum_switchdev: Add locked bridge port support Ido Schimmel
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 13/16] selftests: devlink_lib: Split out helper Ido Schimmel
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 14/16] selftests: mlxsw: Add a test for EAPOL trap Ido Schimmel
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 15/16] selftests: mlxsw: Add a test for locked port trap Ido Schimmel
2022-10-25 10:00 ` [Bridge] [RFC PATCH net-next 16/16] selftests: mlxsw: Add a test for invalid locked bridge port configurations Ido Schimmel
2022-10-25 14:09 ` [Bridge] [RFC PATCH net-next 00/16] bridge: Add MAC Authentication Bypass (MAB) support with offload netdev
2022-10-25 17:43 ` Ido Schimmel
2022-10-27 23:49 ` Vladimir Oltean
2022-11-06 12:04 ` netdev
2022-11-06 13:21 ` Ido Schimmel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1a66212fdb43fb8d03fc1e4c7612ad1b@kapio-technology.com \
--to=netdev@kapio-technology.com \
--cc=bridge@lists.linux-foundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=idosch@nvidia.com \
--cc=ivecera@redhat.com \
--cc=jiri@nvidia.com \
--cc=kuba@kernel.org \
--cc=mlxsw@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=petrm@nvidia.com \
--cc=razor@blackwall.org \
--cc=roopa@nvidia.com \
--cc=vladimir.oltean@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox