Thursday, October 24, 2024

About 802.1x support

Hi Everyone

I made modifications to the OpenBSD bridge code (/sys/net/if_bridge.c) to allow the forwarding of 802.1X EAPOL packets between interfaces of the bridge.

I changed the following:

@@ -1221,6 +1221,10 @@ bridge_process(struct ifnet *ifp, struct
    m);
    if (m == NULL)
        goto bad;
+   } else if (eh->ether_dhost[ETHER_ADDR_LEN - 1] == 3) {
+       if (ntohs(eh->ether_type) != ETHERTYPE_EAPOL) {
+           goto bad;
+       }
    } else if (eh->ether_dhost[ETHER_ADDR_LEN - 1] <= 0xf)
        goto bad;
    }
@@ -1465,6 +1469,7 @@ bridge_blocknonip(struct ether_header *e
 case ETHERTYPE_REVARP:
 case ETHERTYPE_IP:
 case ETHERTYPE_IPV6:
+case ETHERTYPE_EAPOL:
    return (0);
}

These changes aim to enable 802.1X wired authentication inside the OpenBSD firewall bridge. However, I am concerned about the potential security implications of this modification, particularly since,
by default, OpenBSD blocks 802.1X packets to prevent unauthorized access and spoofing.

I would appreciate your insights on the following:

  1.  What are the best practices for ensuring that allowing 802.1X packets to pass through a bridge does not compromise the overall security model of OpenBSD?
  2.  Are there any specific mechanisms or configurations you recommend implementing in conjunction with these code changes to maintain a secure and stable OpenBSD firewall?
  3. How would you suggest monitoring or mitigating any unforeseen security issues that might arise as a result of this modification?

Thanks and Regards
Yogendra
National Institute of Technology, Karnataka

No comments:

Post a Comment