[PATCH 1/2] Improve MKPDU 802.1X conformance, don't require pae group dest address

Tim Small tim at seoss.co.uk
Wed Oct 23 09:35:02 PDT 2024


802.1X-2010 and 802.1X-2020 both specify that MKPDU packets should be
discarded if their destination address is "an individual address".
ieee802_1x_kay_mkpdu_validity_check() previously also rejected all
destination addresses other than 01:80:c2:00:00:03 "Nearest non-TPMR
Bridge group address" (in contradiction to its comments).

This restriction may be a carry-over from 802.1X-2004, but is explicitly
discouraged in the 2010 and 2020 revisions (see section 11.1.1 and its
references).

The additional restriction prevented wpa_supplicant and hostapd from
participating in MACsec communication in environments such as
third-party ("supplier") layer 2 networks.

Signed-off-by: Tim Small <tim at seoss.co.uk>
---
 src/pae/ieee802_1x_kay.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index b0a418ef08..230c69d197 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3125,9 +3125,9 @@ static int ieee802_1x_kay_mkpdu_validity_check(struct ieee802_1x_kay *kay,
 		   be_to_host16(eth_hdr->ethertype));
 
 	/* the destination address shall not be an individual address */
-	if (!ether_addr_equal(eth_hdr->dest, pae_group_addr)) {
+	if (!is_multicast_ether_addr(eth_hdr->dest)) {
 		wpa_printf(MSG_DEBUG,
-			   "KaY: ethernet destination address is not PAE group address");
+			   "KaY: ethernet destination address is not a multicast adddress");
 		return -1;
 	}
 
-- 
2.39.5




More information about the Hostap mailing list