[PATCH 1/2] Improve MKPDU 802.1X conformance, don't require pae group dest address
Jouni Malinen
j at w1.fi
Thu Dec 26 13:44:39 PST 2024
On Wed, Oct 23, 2024 at 05:35:02PM +0100, Tim Small wrote:
> 802.1X-2010 and 802.1X-2020 both specify that MKPDU packets should be
> discarded if their destination address is "an individual address".
> ieee802_1x_kay_mkpdu_validity_check() previously also rejected all
> destination addresses other than 01:80:c2:00:00:03 "Nearest non-TPMR
> Bridge group address" (in contradiction to its comments).
>
> This restriction may be a carry-over from 802.1X-2004, but is explicitly
> discouraged in the 2010 and 2020 revisions (see section 11.1.1 and its
> references).
>
> The additional restriction prevented wpa_supplicant and hostapd from
> participating in MACsec communication in environments such as
> third-party ("supplier") layer 2 networks.
Thanks, applied.
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list