Re: [PATCH v8 net-next 10/12] net: dsa: mv88e6xxx: mac-auth/MAB implementation

From: Oleksandr Mazur
Date: Sat Oct 22 2022 - 08:56:08 EST

Next message: Romain Perier: "Re: [PATCH] MAINTAINERS: git://github -> https://github.com for linux-chenxing"
Previous message: Greg Kroah-Hartman: "Re: [PATCH 1/1] usb: gadget: f_hid: Conduct proper refcounting on shared f_hidg pointer"
In reply to: Vladimir Oltean: "Re: [PATCH v8 net-next 10/12] net: dsa: mv88e6xxx: mac-auth/MAB implementation"
Next in thread: Vladimir Oltean: "Re: [PATCH v8 net-next 10/12] net: dsa: mv88e6xxx: mac-auth/MAB implementation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> I hope the following script will exemplify what I mean.
..
Oh, i get it now.

Frankly speaking we haven't stumbled across such scenario / issue before. But i can tell it does indeed seems a bit broken;

I think there are 2 options here:
1. The setup itself seems insecure, and user should be aware of such behavior / issue;
2. Bridge indeed should not learn MACs if BR_PORT_LOCKED is set. E.g. learning condition should be something like: not BR_PORT_locked and learning is on;

> I don't understand the last step. Why is the BR_PORT_LOCKED flag disabled?
> If disabled, the port will receive frames with any unknown MAC SA,
> not just the authorized ones.

Sorry for the confusion. Basically, what i described what i would expect from a daemon (e.g. daemon would disable LOCKED); So just ignore that part.

Next message: Romain Perier: "Re: [PATCH] MAINTAINERS: git://github -> https://github.com for linux-chenxing"
Previous message: Greg Kroah-Hartman: "Re: [PATCH 1/1] usb: gadget: f_hid: Conduct proper refcounting on shared f_hidg pointer"
In reply to: Vladimir Oltean: "Re: [PATCH v8 net-next 10/12] net: dsa: mv88e6xxx: mac-auth/MAB implementation"
Next in thread: Vladimir Oltean: "Re: [PATCH v8 net-next 10/12] net: dsa: mv88e6xxx: mac-auth/MAB implementation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]