Re: [PATCH net-next 0/5] ATU and FDB synchronization on locked ports

From: netdev
Date: Thu Feb 02 2023 - 12:18:21 EST

Next message: Arend Van Spriel: "Re: [PATCH v2 1/5] brcmfmac: Drop all the RAW device IDs"
Previous message: Kees Cook: "Re: [PATCH 5/6] driver core: Add __alloc_size hint to devm allocators"
In reply to: Vladimir Oltean: "Re: [PATCH net-next 0/5] ATU and FDB synchronization on locked ports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2023-01-31 20:25, Ido Schimmel wrote:

command like:

bridge fdb replace ADDR dev <DEV> master dynamic

We choose only to support this feature on locked ports, as it involves
utilizing the CPU to handle ATU related switchcore events (typically
interrupts) and thus can result in significant performance loss if
exposed to heavy traffic.

Not sure I understand this reasoning. I was under the impression that
hostapd is installing dynamic entries instead of static ones since the
latter are not flushed when carrier is lost. Therefore, with static
entries it is possible to unplug a host (potentially plugging a
different one) and not lose authentication.

Both auth schemes 802.1X and MAB install dynamic entries as you point out, and both use locked ports.
In the case of non locked ports, they just learn normally and age and refresh their entries, so the use case of a userspace added dynamic FDB entry is hard for me to see. And having userspace being notified of an ordinary event that a FDB entry has been aged out could maybe be used, but for the reasons mentioned it is not supported here.

On locked ports it is important for userspace to know when an authorized
station has become silent, hence not breaking the communication of a
station that has been authorized based on the MAC-Authentication Bypass
(MAB) scheme. Thus if the station keeps being active after authorization,
it will continue to have an open port as long as it is active. Only after
a silent period will it have to be reauthorized. As the ageing process in
the ATU is dependent on incoming traffic to the switchcore port, it is
necessary for the ATU to signal that an entry has aged out, so that the
FDB can be updated at the correct time.

Why mention MAB at all? Don't you want user space to always use dynamic
entries to authenticate hosts regardless of 802.1X/MAB?

Yes, you are right about that. I guess it came about as this was developed much in the same time and with the code of MAB.

Next message: Arend Van Spriel: "Re: [PATCH v2 1/5] brcmfmac: Drop all the RAW device IDs"
Previous message: Kees Cook: "Re: [PATCH 5/6] driver core: Add __alloc_size hint to devm allocators"
In reply to: Vladimir Oltean: "Re: [PATCH net-next 0/5] ATU and FDB synchronization on locked ports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]