| Message ID | 20241023163503.530897-2-tim@seoss.co.uk |
|---|---|
| State | Accepted |
| Series | [1/2] Improve MKPDU 802.1X conformance, don't require pae group dest address |
On Wed, Oct 23, 2024 at 05:35:02PM +0100, Tim Small wrote:
> 802.1X-2010 and 802.1X-2020 both specify that MKPDU packets should be
> discarded if their destination address is "an individual address".
> ieee802_1x_kay_mkpdu_validity_check() previously also rejected all
> destination addresses other than 01:80:c2:00:00:03 "Nearest non-TPMR
> Bridge group address" (in contradiction to its comments).
>
> This restriction may be a carry-over from 802.1X-2004, but is explicitly
> discouraged in the 2010 and 2020 revisions (see section 11.1.1 and its
> references).
>
> The additional restriction prevented wpa_supplicant and hostapd from
> participating in MACsec communication in environments such as
> third-party ("supplier") layer 2 networks.

Thanks, applied.
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index b0a418ef08..230c69d197 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -3125,9 +3125,9 @@ static int ieee802_1x_kay_mkpdu_validity_check(struct ieee802_1x_kay *kay, be_to_host16(eth_hdr->ethertype)); /* the destination address shall not be an individual address */ - if (!ether_addr_equal(eth_hdr->dest, pae_group_addr)) { + if (!is_multicast_ether_addr(eth_hdr->dest)) { wpa_printf(MSG_DEBUG, - "KaY: ethernet destination address is not PAE group address"); + "KaY: ethernet destination address is not a multicast adddress"); return -1; }
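Review bot: the replacement debug string in this hunk has a typo, "adddress" (three d's) should be "address". Because the check now admits every group address instead of only pae_group_addr, it would also help diagnosis to print the rejected destination in that message (hostapd's MACSTR/MAC2STR helpers are the usual way), so that an operator seeing a dropped MKPDU can tell a unicast-addressed peer apart from some other validation failure. If pae_group_addr is no longer referenced anywhere else in this file after the change, it is worth confirming the build does not now warn about an unused definition.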
802.1X-2010 and 802.1X-2020 both specify that MKPDU packets should be discarded if their destination address is "an individual address". ieee802_1x_kay_mkpdu_validity_check() previously also rejected all destination addresses other than 01:80:c2:00:00:03 "Nearest non-TPMR Bridge group address" (in contradiction to its comments).

This restriction may be a carry-over from 802.1X-2004, but is explicitly discouraged in the 2010 and 2020 revisions (see section 11.1.1 and its references).

The additional restriction prevented wpa_supplicant and hostapd from participating in MACsec communication in environments such as third-party ("supplier") layer 2 networks.

Signed-off-by: Tim Small <tim@seoss.co.uk>
---
 src/pae/ieee802_1x_kay.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
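The commit message contrasts two acceptance rules for the MKPDU destination address: the old one (only the Nearest non-TPMR Bridge group address) and the 802.1X-2010/2020 one (any address that is not an individual address). The following is an added, stand-alone C example illustrating that distinction; it is not hostapd's code, and the names mkpdu_dest_check_old, mkpdu_dest_check_new and parse_mac are this example's own. It reimplements the individual/group test on the IEEE 802 I/G bit (the least-significant bit of the first octet). The address 01:80:c2:00:00:03 comes from the commit message; 01:80:c2:00:00:0e (Nearest Bridge group address from the 802.1Q reserved range), the broadcast address and the unicast sample are constructed inputs for the comparison.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6

/* Nearest non-TPMR Bridge group address, the only destination the
 * pre-patch check accepted (value quoted in the commit message). */
static const uint8_t pae_group_addr[ETH_ALEN] = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };

/* IEEE 802 marks a group (multicast) address with the least-significant
 * bit of the first octet; an individual (unicast) address has it clear. */
static bool is_multicast_ether_addr(const uint8_t *addr)
{
	return (addr[0] & 0x01) != 0;
}

/* Pre-patch rule: accept only the PAE group address.
 * Returns 0 on accept, -1 on reject, like the validity check. */
int mkpdu_dest_check_old(const uint8_t *dest)
{
	if (memcmp(dest, pae_group_addr, ETH_ALEN) != 0)
		return -1;
	return 0;
}

/* Post-patch rule (802.1X-2010/2020 11.1.1): reject individual
 * addresses, accept any group address. */
int mkpdu_dest_check_new(const uint8_t *dest)
{
	if (!is_multicast_ether_addr(dest))
		return -1;
	return 0;
}

/* Parse "xx:xx:xx:xx:xx:xx" into six octets. Returns false on malformed
 * or over-long input so a bad sample cannot slip through either check. */
bool parse_mac(const char *text, uint8_t out[ETH_ALEN])
{
	unsigned int v[ETH_ALEN];
	char tail;

	if (sscanf(text, "%2x:%2x:%2x:%2x:%2x:%2x%c",
		   &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &tail) != ETH_ALEN)
		return false;
	for (int i = 0; i < ETH_ALEN; i++)
		out[i] = (uint8_t) v[i];
	return true;
}

/* String wrappers: 0 = accept, -1 = reject, -2 = unparsable text. */
int mkpdu_dest_check_old_str(const char *text)
{
	uint8_t mac[ETH_ALEN];

	if (!parse_mac(text, mac))
		return -2;
	return mkpdu_dest_check_old(mac);
}

int mkpdu_dest_check_new_str(const char *text)
{
	uint8_t mac[ETH_ALEN];

	if (!parse_mac(text, mac))
		return -2;
	return mkpdu_dest_check_new(mac);
}

int main(void)
{
	/* Constructed sample destinations for the comparison table. */
	const char *samples[] = {
		"01:80:c2:00:00:03", /* Nearest non-TPMR Bridge group address */
		"01:80:c2:00:00:0e", /* Nearest Bridge group address (802.1Q) */
		"ff:ff:ff:ff:ff:ff", /* broadcast: a group address, not individual */
		"00:11:22:33:44:55", /* constructed unicast address */
		"01:80:c2:00:00",    /* malformed input */
	};

	printf("%-20s %-10s %-10s\n", "destination", "old rule", "new rule");
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		printf("%-20s %-10d %-10d\n", samples[i],
		       mkpdu_dest_check_old_str(samples[i]),
		       mkpdu_dest_check_new_str(samples[i]));
	}
	return 0;
}
```

The table the program prints shows the practical effect described in the commit message: a sender that uses a different reserved group address, for instance because an intermediate supplier bridge only forwards one of the 802.1Q reserved addresses, is rejected by the old rule and accepted by the new one, while a unicast destination is rejected by both.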