On Fri, Oct 21, 2022 at 09:14:11PM +0300, Vladimir Oltean wrote:
On Fri, Oct 21, 2022 at 07:39:34PM +0200, netdev@kapio-technology.com wrote:
Well, with this change, to have MAB working, the bridge would need learning on of course, but how things work with the bridge according to the flags, they should also work in the offloaded case if you ask me. There should be no difference between the two, thus MAB in drivers would have to be with learning on.
Am I proposing for things to work differently in the offload and software case, and not realizing it? :-/
The essence of my proposal was to send a bug fix now which denies BR_LEARNING to be set together with BR_PORT_LOCKED. The fact that link-local traffic is learned by the software bridge is something unintended as far as I understand.
You tried to fix it here, and as far as I could search in my inbox, that didn't go anywhere: https://lore.kernel.org/netdev/47d8d747-54ef-df52-3b9c-acb9a77fa14a@blackwal...
I thought only mv88e6xxx offloads BR_PORT_LOCKED, but now, after searching, I also see prestera has support for it, so let me add Oleksandr Mazur to the discussion as well. I wonder how they deal with this? Has somebody come to rely on learning being enabled on a locked port?
MAB in offloading drivers will have to be with learning on (same as in software). When BR_PORT_LOCKED | BR_LEARNING will be allowed together back in net-next (to denote the MAB configuration), offloading drivers (mv88e6xxx and prestera) will be patched to reject them. They will only accept the two together when they implement MAB support.
Future drivers after this mess has been cleaned up will have to look at the BR_PORT_LOCKED and BR_LEARNING flag in combination, to see which kind of learning is desired on a port (secure, CPU based learning or autonomous learning).
Am I not making sense?
I will try to summarize what I learned from past discussions because I think it is not properly explained in the commit messages.
If you look at the hostapd fork by Westermo [1], you will see that they are authorizing hosts by adding dynamic FDB entries from user space, not static ones. Someone from Westermo will need to confirm this, but I guess the reasons are that a) They want hosts that became silent to lose their authentication after the aging time b) They want hosts to lose their authentication when the carrier of the bridge port goes down. This will cause the bridge driver to flush dynamic FDB entries, but not static ones. Otherwise, an attacker with physical access to the switch and knowledge of the MAC address of the authenticated host can connect a different (malicious) host that will be able to communicate through the bridge.
In the above scenario, learning does not need to be on for the bridge to populate its FDB, but rather for the bridge to refresh the dynamic FDB entries installed by hostapd. This seems like a valid use case and one needs a good reason to break it in future kernels.
Regarding learning from link-local frames, this can be mitigated by [2] without adding additional checks in the bridge. I don't know why this bridge option was originally added, but if it wasn't for this use case, then now it has another use case.
Regarding MAB, from the above you can see that a pure 802.1X implementation that does not involve MAB can benefit from locked bridge ports with learning enabled. It is therefore not accurate to say that one wants MAB merely by enabling learning on a locked port. Given that MAB is a proprietary extension and much less secure than 802.1X, we can assume that there will be deployments out there that do not use MAB and do not care about notifications regarding locked FDB entries. I therefore think that MAB needs to be enabled by a separate bridge port flag that is rejected unless the bridge port is locked and has learning enabled.
Regarding hardware offload, I have an idea (needs testing) on how to make mlxsw work in a similar way to mv88e6xxx. That is, does not involve injecting frames that incurred a miss to the Rx path. If you guys want, I'm willing to take a subset of the patches here, improve the commit message, do some small changes and submit them along with an mlxsw implementation. My intention is not to discredit anyone (I will keep the original authorship), but to help push this forward and give another example of hardware offload.
[1] https://github.com/westermo/hostapd/commit/10c584b875a63a9e58b0ad39835282545... [2] https://git.kernel.org/pub/scm/network/iproute2/iproute2-next.git/commit/?id...