[PATCH 0/1] Remove PAE group address restriction for MACsec etc.

Tim Small tim at seoss.co.uk
Thu Oct 10 08:44:36 PDT 2024


When using hostapd and wpa_supplicant to configure MACsec with 802.1X
authentication...

The current implementation restricts usage to LAN segments which don't
cross switches (except for managed switches which allow the user to
disable 802.1D compliance and forward frames which should otherwise
be filtered, e.g. Cisco "eapol-relay", Linux's "group_fwd_mask",
etc.).

The code currently hard-codes the "PAE Group Address"
(01:80:c2:00:00:03) when creating EAPOL packets.  It also filters
received MKPDU packets which don't have their destination address set to
01:80:c2:00:00:03.

The receive filtering doesn't appear to conform with 802.1X-2010 or
802.1X-2020 which both state that these packets shouldn't have a unicast
destination address, but don't place any other restrictions on the
destination address.

The attached patch improves standards compliance by dropping the receive
packet filter restriction, allowing negotiation to succeed in some
circumstances when it otherwise would fail.

Time permitting, I'll follow-up with patches to allow hostapd and
wpa_supplicant users to specify alternative destination MAC addresses as
per 802.1X-2020, 802.1AE-2018 (other devices already allow this, e.g.
Cisco "eapol destination-address", Juniper "eapol-address" and HP
Procurve "eapol-destination-mac").

Tim Small (1):
  Improve MKPDU 802.1X conformance, don't require pae group dest address

 src/pae/ieee802_1x_kay.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
2.39.5
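The two receive-filter policies the cover letter contrasts, as an added example that is not part of the patch or of the hostapd/wpa_supplicant source: `mkpdu_filter_strict` reproduces the described current behaviour (accept only frames sent to 01:80:c2:00:00:03), while `mkpdu_filter_conformant` applies only the restriction the standards actually state, rejecting a unicast destination by testing the I/G bit of the first address octet. The EtherType 0x888E for EAPOL and the I/G bit convention are standard Ethernet/802.1X facts; the frames, the second group address and all MAC addresses below are constructed samples, and the function names are this example's own.

```c
/*
 * Added example (not hostapd/wpa_supplicant code): compare the hard-coded
 * PAE-group receive filter with a filter that only enforces what
 * 802.1X-2010/2020 require, namely that MKPDUs are not sent to a unicast
 * destination. All frames and addresses are constructed samples.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN  6
#define ETH_HLEN  14
#define ETH_P_PAE 0x888E /* EAPOL EtherType (IEEE 802.1X) */

enum mkpdu_verdict {
    MKPDU_ACCEPT = 0,
    MKPDU_DROP_SHORT,         /* shorter than an Ethernet header */
    MKPDU_DROP_NOT_EAPOL,     /* EtherType is not 0x888E */
    MKPDU_DROP_UNICAST,       /* I/G bit clear: unicast destination */
    MKPDU_DROP_NOT_PAE_GROUP  /* strict policy only: dst != PAE group */
};

/* The PAE group address that the current code hard-codes. */
const uint8_t pae_group_addr[ETH_ALEN]   = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };
/* Constructed samples: another 01:80:c2 reserved group address (as a relay
 * or a vendor "eapol destination-address" setting might produce), a plain
 * unicast destination, and a peer source address. */
const uint8_t other_group_addr[ETH_ALEN] = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x00 };
const uint8_t unicast_addr[ETH_ALEN]     = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
const uint8_t peer_src_addr[ETH_ALEN]    = { 0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0xee };

/* I/G bit: least significant bit of the first octet on the wire.
 * Set means group (multicast/broadcast); clear means individual (unicast). */
static bool eth_is_group_addr(const uint8_t *mac)
{
    return (mac[0] & 0x01) != 0;
}

static uint16_t eth_type(const uint8_t *frame)
{
    return (uint16_t)((frame[12] << 8) | frame[13]);
}

/* Current behaviour described in the cover letter: exact PAE group address. */
enum mkpdu_verdict mkpdu_filter_strict(const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN) return MKPDU_DROP_SHORT;
    if (eth_type(frame) != ETH_P_PAE) return MKPDU_DROP_NOT_EAPOL;
    if (memcmp(frame, pae_group_addr, ETH_ALEN) != 0) return MKPDU_DROP_NOT_PAE_GROUP;
    return MKPDU_ACCEPT;
}

/* 802.1X-2010/2020 only forbid a unicast destination; any group address is fine. */
enum mkpdu_verdict mkpdu_filter_conformant(const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN) return MKPDU_DROP_SHORT;
    if (eth_type(frame) != ETH_P_PAE) return MKPDU_DROP_NOT_EAPOL;
    if (!eth_is_group_addr(frame)) return MKPDU_DROP_UNICAST;
    return MKPDU_ACCEPT;
}

/* Build a minimal frame: Ethernet header plus a constructed EAPOL header
 * (version 3, packet type 5 = EAPOL-MKA, zero-length body). */
size_t build_frame(uint8_t *buf, size_t cap, const uint8_t *dst,
                   const uint8_t *src, uint16_t ethertype)
{
    static const uint8_t eapol_hdr[4] = { 0x03, 0x05, 0x00, 0x00 };
    if (cap < ETH_HLEN + sizeof(eapol_hdr)) return 0;
    memcpy(buf, dst, ETH_ALEN);
    memcpy(buf + ETH_ALEN, src, ETH_ALEN);
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)(ethertype & 0xff);
    memcpy(buf + ETH_HLEN, eapol_hdr, sizeof(eapol_hdr));
    return ETH_HLEN + sizeof(eapol_hdr);
}

/* Build one sample frame for `dst` and run it through either policy. */
enum mkpdu_verdict mkpdu_check_sample(const uint8_t *dst, uint16_t ethertype, bool conformant)
{
    uint8_t frame[64];
    size_t len = build_frame(frame, sizeof(frame), dst, peer_src_addr, ethertype);
    return conformant ? mkpdu_filter_conformant(frame, len)
                      : mkpdu_filter_strict(frame, len);
}

static const char *verdict_str(enum mkpdu_verdict v)
{
    static const char *names[] = { "ACCEPT", "DROP_SHORT", "DROP_NOT_EAPOL",
                                   "DROP_UNICAST", "DROP_NOT_PAE_GROUP" };
    return names[v];
}

int main(void)
{
    const struct { const char *name; const uint8_t *dst; uint16_t type; } cases[] = {
        { "PAE group 01:80:c2:00:00:03",     pae_group_addr,   ETH_P_PAE },
        { "other group 01:80:c2:00:00:00",   other_group_addr, ETH_P_PAE },
        { "unicast 00:11:22:33:44:55",       unicast_addr,     ETH_P_PAE },
        { "PAE group, EtherType 0x0800",     pae_group_addr,   0x0800    },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-32s strict=%-18s conformant=%s\n", cases[i].name,
               verdict_str(mkpdu_check_sample(cases[i].dst, cases[i].type, false)),
               verdict_str(mkpdu_check_sample(cases[i].dst, cases[i].type, true)));
    return 0;
}
```

The second row is the case the patch is about: a frame sent to a group address other than 01:80:c2:00:00:03 is dropped by the strict filter and accepted by the conformant one, while the unicast row shows that the conformant filter still enforces the one restriction the standards do state.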