Hi Everyone
I changed the following:
@@ -1221,6 +1221,10 @@ bridge_process(struct ifnet *ifp, struct
m);
if (m == NULL)
goto bad;
+ } else if (eh->ether_dhost[ETHER_ADDR_LEN - 1] == 3) {
+ if (ntohs(eh->ether_type) != ETHERTYPE_EAPOL) {
+ goto bad;
+ }
} else if (eh->ether_dhost[ETHER_ADDR_LEN - 1] <= 0xf)
goto bad;
}
@@ -1465,6 +1469,7 @@ bridge_blocknonip(struct ether_header *e
case ETHERTYPE_REVARP:
case ETHERTYPE_IP:
case ETHERTYPE_IPV6:
+case ETHERTYPE_EAPOL:
return (0);
}
These changes aim to enable 802.1X wired authentication inside the OpenBSD firewall bridge. However, I am concerned about the potential security implications of this modification, particularly since,
by default, OpenBSD blocks 802.1X packets to prevent unauthorized access and spoofing.
I would appreciate your insights on the following:
I made modifications to the OpenBSD bridge code (/sys/net/if_bridge.c) to allow the forwarding of 802.1X EAPOL packets between interfaces of the bridge.
I changed the following:
@@ -1221,6 +1221,10 @@ bridge_process(struct ifnet *ifp, struct
m);
if (m == NULL)
goto bad;
+ } else if (eh->ether_dhost[ETHER_ADDR_LEN - 1] == 3) {
+ if (ntohs(eh->ether_type) != ETHERTYPE_EAPOL) {
+ goto bad;
+ }
} else if (eh->ether_dhost[ETHER_ADDR_LEN - 1] <= 0xf)
goto bad;
}
@@ -1465,6 +1469,7 @@ bridge_blocknonip(struct ether_header *e
case ETHERTYPE_REVARP:
case ETHERTYPE_IP:
case ETHERTYPE_IPV6:
+case ETHERTYPE_EAPOL:
return (0);
}
These changes aim to enable 802.1X wired authentication inside the OpenBSD firewall bridge. However, I am concerned about the potential security implications of this modification, particularly since,
by default, OpenBSD blocks 802.1X packets to prevent unauthorized access and spoofing.
I would appreciate your insights on the following:
- What are the best practices for ensuring that allowing 802.1X packets to pass through a bridge does not compromise the overall security model of OpenBSD?
- Are there any specific mechanisms or configurations you recommend implementing in conjunction with these code changes to maintain a secure and stable OpenBSD firewall?
- How would you suggest monitoring or mitigating any unforeseen security issues that might arise as a result of this modification?
Thanks and Regards
Yogendra
National Institute of Technology, Karnataka
No comments:
Post a Comment