Hi everyone,

I made modifications to the OpenBSD bridge code (/sys/net/if_bridge.c) to allow the forwarding of 802.1X EAPOL packets between interfaces of the bridge.

I changed the following:

@@ -1221,6 +1221,10 @@ bridge_process(struct ifnet *ifp, struct m); if (m == NULL) goto bad; + } else if (eh->ether_dhost[ETHER_ADDR_LEN - 1] == 3) { + if (ntohs(eh->ether_type) != ETHERTYPE_EAPOL) { + goto bad; + } } else if (eh->ether_dhost[ETHER_ADDR_LEN - 1] <= 0xf) goto bad; }
@@ -1465,6 +1469,7 @@ bridge_blocknonip(struct ether_header *e case ETHERTYPE_REVARP: case ETHERTYPE_IP: case ETHERTYPE_IPV6: +case ETHERTYPE_EAPOL: return (0); }

These changes aim to enable 802.1X wired authentication inside the OpenBSD firewall bridge. However, I am concerned about the potential security implications of this modification, particularly since, by default, OpenBSD blocks 802.1X packets to prevent unauthorized access and spoofing.

I would appreciate your insights on the following:

1. What are the best practices for ensuring that allowing 802.1X packets to pass through a bridge does not compromise the overall security model of OpenBSD?
2. Are there any specific mechanisms or configurations you recommend implementing in conjunction with these code changes to maintain a secure and stable OpenBSD firewall?
3. How would you suggest monitoring or mitigating any unforeseen security issues that might arise as a result of this modification?

Thanks and Regards,
Yogendra
National Institute of Technology, Karnataka
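Review bot: in the first hunk (bridge_process, the new `== 3` branch) the forwarding decision for 01:80:C2:00:00:03 rests on the destination's last byte and `ntohs(eh->ether_type) != ETHERTYPE_EAPOL` alone; nothing in the branch looks at which bridge member the frame came in on or which members it may go out to, so once the ethertype check passes the group-addressed frame is handled like any other multicast and reaches every other member. That is where the spoofing concern raised in the mail actually bites: any port can inject EAPOL toward any other. Suggest gating the branch on a per-member flag (in the style of the existing per-port bridge flags) so only the two ports meant to carry 802.1X relay it, and keeping `goto bad` as the default for members without the flag. Two smaller points: the inner `if` wraps a single `goto bad;` in braces while the adjacent `else if (eh->ether_dhost[ETHER_ADDR_LEN - 1] <= 0xf) goto bad;` does not, which KNF would not do; and the reserved-address handling that this hunk relaxes is user-visible behaviour, so the bridge(4) text describing it needs the EAPOL exception added.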
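Review bot: in the second hunk (bridge_blocknonip) the added `case ETHERTYPE_EAPOL:` is unconditional, so every bridge member that has blocknonip set now passes EAPOL on every bridge in the system, whether or not 802.1X relaying is wanted there; the default behaviour changes silently for existing configurations. If the feature is meant to be opt-in, make this case depend on the same per-member flag as the bridge_process() change, or leave bridge_blocknonip() unchanged and document that relaying EAPOL requires blocknonip to be off on the ports involved. Either way the change to what blocknonip admits should be recorded in the manual page alongside the first hunk.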
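As an added illustration, not part of the mail above and not OpenBSD's code: a userland C model of the forwarding decision as it stands after the two hunks, extended with the per-port gating a reviewer would ask for. It assumes the surrounding bridge_process() code has already matched the first five bytes 01:80:C2:00:00 (the hunk only shows the last-byte checks), copies the ETHERTYPE constants by value, adds a hypothetical per-member `eapol_ok` flag, and models blocknonip as a per-member flag without the real function's 802.2/SNAP handling. All frames are constructed inline.

```c
/*
 * Constructed model of the bridge forwarding decision after the patch.
 * Not OpenBSD code: constants copied by value, the five-byte reserved-block
 * match is assumed, `eapol_ok` is a hypothetical per-member flag, and
 * blocknonip is modelled without the real 802.2/SNAP handling.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define ETHER_ADDR_LEN   6
#define ETHERTYPE_IP     0x0800
#define ETHERTYPE_ARP    0x0806
#define ETHERTYPE_REVARP 0x8035
#define ETHERTYPE_IPV6   0x86dd
#define ETHERTYPE_EAPOL  0x888e   /* 802.1X PAE */

struct ether_header {
	uint8_t  ether_dhost[ETHER_ADDR_LEN];
	uint8_t  ether_shost[ETHER_ADDR_LEN];
	uint16_t ether_type;          /* network byte order, as on the wire */
};

/* Hypothetical per-member state (assumption, not an OpenBSD structure). */
struct member {
	const char *name;
	int eapol_ok;                 /* may this port relay EAPOL? */
	int blocknonip;               /* blocknonip option set on this port */
};

enum verdict { FORWARD = 0, DROP = 1, TO_STP = 2 };

/* 01:80:C2:00:00:00 (STP); first five bytes identify the reserved block. */
static const uint8_t bstp_etheraddr[ETHER_ADDR_LEN] = { 0x01, 0x80, 0xc2, 0, 0, 0 };

/* Reserved-address checks of bridge_process() with the patch applied. */
static enum verdict
reserved_addr_filter(const struct ether_header *eh, const struct member *in)
{
	uint8_t last = eh->ether_dhost[ETHER_ADDR_LEN - 1];

	if (memcmp(bstp_etheraddr, eh->ether_dhost, 5) != 0)
		return FORWARD;       /* not in the reserved block */
	if (last == 0)
		return TO_STP;        /* bstp_input() in the real code */
	if (last == 3) {
		/* PAE group address: the patch admits only real EAPOL here ... */
		if (ntohs(eh->ether_type) != ETHERTYPE_EAPOL)
			return DROP;
		/* ... and this model additionally requires the port to opt in. */
		return in->eapol_ok ? FORWARD : DROP;
	}
	if (last <= 0xf)
		return DROP;          /* remainder of 01:80:C2:00:00:01-0F */
	return FORWARD;
}

/* bridge_blocknonip() after the patch: 0 = pass, 1 = block. */
static int
blocknonip(const struct ether_header *eh)
{
	switch (ntohs(eh->ether_type)) {
	case ETHERTYPE_ARP:
	case ETHERTYPE_REVARP:
	case ETHERTYPE_IP:
	case ETHERTYPE_IPV6:
	case ETHERTYPE_EAPOL:
		return 0;
	}
	return 1;
}

/* Build a frame and run both checks. reserved=1 selects 01:80:C2:00:00:<last>,
 * otherwise 01:00:5E:00:00:<last>, an ordinary IPv4 multicast address. */
int
decide(int reserved, uint8_t last, uint16_t type_host, int eapol_ok, int blocknonip_set)
{
	struct ether_header eh;
	struct member in = { "em0", eapol_ok, blocknonip_set };
	const uint8_t other[ETHER_ADDR_LEN] = { 0x01, 0x00, 0x5e, 0, 0, 0 };
	enum verdict v;

	memset(&eh, 0, sizeof eh);
	memcpy(eh.ether_dhost, reserved ? bstp_etheraddr : other, ETHER_ADDR_LEN);
	eh.ether_dhost[ETHER_ADDR_LEN - 1] = last;
	eh.ether_type = htons(type_host);

	v = reserved_addr_filter(&eh, &in);
	if (v == FORWARD && in.blocknonip && blocknonip(&eh))
		v = DROP;
	return (int)v;
}

int
main(void)
{
	static const char *names[] = { "FORWARD", "DROP", "TO_STP" };

	printf("EAPOL to :03, port opted in:     %s\n", names[decide(1, 0x03, ETHERTYPE_EAPOL, 1, 0)]);
	printf("IPv4 to :03 (wrong ethertype):   %s\n", names[decide(1, 0x03, ETHERTYPE_IP, 1, 0)]);
	printf("EAPOL to :03, port not opted in: %s\n", names[decide(1, 0x03, ETHERTYPE_EAPOL, 0, 0)]);
	printf("EAPOL to :0E (still reserved):   %s\n", names[decide(1, 0x0e, ETHERTYPE_EAPOL, 1, 0)]);
	printf("EAPOL to :03, blocknonip set:    %s\n", names[decide(1, 0x03, ETHERTYPE_EAPOL, 1, 1)]);
	printf("0x8137 multicast, blocknonip:    %s\n", names[decide(0, 0x01, 0x8137, 1, 1)]);
	return 0;
}
```

The `eapol_ok` gate is the part the posted hunk lacks: with it cleared on every member the model behaves exactly like stock OpenBSD, and with it set on only the supplicant-facing and authenticator-facing ports EAPOL cannot be injected from a third port. Note that the ethertype check on its own does not stop spoofing; it only keeps non-EAPOL traffic away from the PAE group address.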