[PATCH 2/2] wpa_supplicant: EAPOL MAC address customisation with eapol_dest_addr.

Jouni Malinen j at w1.fi
Thu Dec 26 13:43:09 PST 2024


On Wed, Oct 23, 2024 at 05:35:03PM +0100, Tim Small wrote:
> wpa_supplicant previously hard-coded the destination MAC address for
> EAPOL packets to 01:80:c2:00:00:03 (the "PAE Group Address"). The PAE
> Group Address continues to be the default value for the newly introduced
> wpa_supplicant per-network eapol_dest_addr configuration setting, but
> alternative multicast addresses (e.g. 01:80:c2:00:00:1f - the "EDE-CC
> PEP Address") can now be specified so that outgoing packets can reach
> the desired destination station(s) in a wider variety of operating
> environments.
> 
> For example third party ISP switches providing layer 2 forwarding
> services to a customer should filter or terminate packets which use the
> PAE Group Address according to 802.1D ("Ethernet MAC bridges").  This
> will effectively prevent a customer creating their own secure 802.1X +
> MACsec links atop the ISP-provided layer 2 network.  The same ISP
> switches should instead forward packets which use the ECE-CC PEP Address
> (or a variety of other multicast addresses which may be better suited to
> the particular usage scenario).
> ---

This needs a Signed-off-by: line (similarly to the one that was included
in patch 1/2).

>  src/ap/ap_config.h           |  1 +
>  src/ap/wpa_auth_kay.c        |  1 +
>  src/common/ieee802_1x_defs.h |  8 ++++++
>  src/pae/ieee802_1x_kay.c     | 12 ++++-----
>  src/pae/ieee802_1x_kay.h     |  5 +++-
>  wpa_supplicant/config.c      | 51 ++++++++++++++++++++++++++++++++++++
>  wpa_supplicant/config_ssid.h | 11 ++++++++
>  wpa_supplicant/wpas_kay.c    |  1 +
>  8 files changed, 83 insertions(+), 7 deletions(-)

This misses hostapd/config_file.c and hostapd/hostapd.conf changes to
match this change in src/ap/ap_config.h:

> diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
> @@ -301,6 +301,7 @@ struct hostapd_bss_config {
> +	u8 eapol_dest_addr[ETH_ALEN];
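
Review bot: The new `eapol_dest_addr` member of struct hostapd_bss_config carries no comment and the visible hunk gives no default for it. A short doc comment matching the one added to struct wpa_ssid would help, and if nothing initialises the field it stays all-zero, which is an individual address rather than the PAE Group Address the commit message names as the default.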

I.e., this new configuration parameter needs to be actually filled in
based on hostapd configuration.


> diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
> @@ -2549,6 +2598,7 @@ static const struct parse_data ssid_fields[] = {
> +	{ FUNC(eapol_dest_addr) },
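
Review bot: Only the `{ FUNC(eapol_dest_addr) },` table entry is quoted here, so the validation behind it cannot be checked from this hunk. The parser should reject any value whose first octet has the group bit clear, because the config_ssid.h comment limits the setting to non-individual addresses and a typo in a profile would otherwise send EAPOL frames to a unicast destination.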

This covers parsing of the new wpa_supplicant network profile parameter,
but writing it to a configuration file on update needs to be covered in
wpa_supplicant/config_file.c, wpa_config_write_network().

> diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
> @@ -418,6 +418,17 @@ struct wpa_ssid {
>  	 */
>  	unsigned int eap_workaround;
>  
> +	/**
> +	 * eapol_dest_addr - mac addr for EAPOL packets (802.11AE-2018+ etc.)
> +	 * EAPOL packets may have their destination MAC address set to any
> +	 * non-individual (i.g. multi-cast) address, including the ethernet
> +	 * broadcast address (ff:ff:ff:ff:ff:ff).  Choice of destination
> +	 * address is dictated by which types of entity (should) filter them
> +	 * out vs. act on their contents vs. relay them.
> +	 * See 802.11X-2020 Table 11-1
> +	 */
> +        u8 eapol_dest_addr[ETH_ALEN];
> +
>  #endif /* IEEE8021X_EAPOL */
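
Review bot: The doc comment cites "802.11AE-2018+" and "802.11X-2020", but MACsec and port-based access control are IEEE 802.1AE and 802.1X (the commit message itself says 802.1X + MACsec), so both references look like typos for 802.1AE-2018 and 802.1X-2020. In the same comment "i.g." should be "i.e.", and the `u8 eapol_dest_addr[ETH_ALEN];` line is indented with spaces where the neighbouring members use a tab.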

It would probably make more sense to add this configuration parameter in
the same CONFIG_MACSEC block as all the other MACsec/MKA parameters
instead of IEEE8021X_EAPOL which is shared with Wi-Fi use cases.

-- 
Jouni Malinen                                            PGP id EFC895FA
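
The address rule the patch depends on, as an added example that is not code from the patch or from hostap: a strict parser for an `eapol_dest_addr`-style value that rejects individual addresses and reports whether a group address lies in the 01:80:c2:00:00:00 to 01:80:c2:00:00:0f block that 802.1D bridges do not relay. The enum and function names are hypothetical.

```c
#include <string.h>

#define ETH_ALEN 6

enum eapol_dst_class {		/* hypothetical names, not hostap's */
	EAPOL_DST_INVALID = -1,	/* malformed or individual (unicast) address */
	EAPOL_DST_BRIDGE_FILTERED,	/* 01:80:c2:00:00:00..0f: not relayed by 802.1D bridges */
	EAPOL_DST_GROUP_OTHER	/* any other group address, broadcast included */
};

static int hex_val(char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Strict "xx:xx:xx:xx:xx:xx" parser: exactly 17 characters, no whitespace or signs. */
static int parse_mac(const char *txt, unsigned char addr[ETH_ALEN])
{
	if (strlen(txt) != 3 * ETH_ALEN - 1)
		return -1;
	for (int i = 0; i < ETH_ALEN; i++) {
		int hi = hex_val(txt[3 * i]), lo = hex_val(txt[3 * i + 1]);
		if (hi < 0 || lo < 0 || (i < ETH_ALEN - 1 && txt[3 * i + 2] != ':'))
			return -1;
		addr[i] = (unsigned char) (hi * 16 + lo);
	}
	return 0;
}

/* Classify a configured destination; addr is filled in when the text parses. */
static enum eapol_dst_class classify_eapol_dest(const char *txt, unsigned char addr[ETH_ALEN])
{
	static const unsigned char reserved[5] = { 0x01, 0x80, 0xc2, 0x00, 0x00 };
	/* I/G bit (least significant bit of the first octet) clear means individual. */
	if (parse_mac(txt, addr) < 0 || !(addr[0] & 0x01))
		return EAPOL_DST_INVALID;
	if (memcmp(addr, reserved, sizeof(reserved)) == 0 && addr[5] <= 0x0f)
		return EAPOL_DST_BRIDGE_FILTERED;
	return EAPOL_DST_GROUP_OTHER;
}

int main(void)
{
	unsigned char a[ETH_ALEN];	/* constructed sample: the address from the commit message */
	return classify_eapol_dest("01:80:c2:00:00:1f", a) == EAPOL_DST_GROUP_OTHER ? 0 : 1;
}
```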


