diff options
| author | Michael Brown <mcb30@ipxe.org> | 2021-01-19 12:37:50 +0000 |
|---|---|---|
| committer | Michael Brown <mcb30@ipxe.org> | 2021-01-19 13:01:46 +0000 |
| commit | 9c2e8bad1143e1095205d67dbe6b3032d39af0ab (patch) | |
| tree | 484f4fab39cd546fad64fdd764f3ba3828b5880b /src/include | |
| parent | 274ad690120620df718144556687a05e2f371e66 (diff) | |
| download | ipxe-9c2e8bad1143e1095205d67dbe6b3032d39af0ab.zip ipxe-9c2e8bad1143e1095205d67dbe6b3032d39af0ab.tar.gz ipxe-9c2e8bad1143e1095205d67dbe6b3032d39af0ab.tar.bz2 | |
[eap] Treat an EAP Request-Identity as indicating a blocked link
A switch port using 802.1x authentication will send EAP
Request-Identity packets once the physical link is up, and will not be
forwarding packets until the port identity has been established.
We do not currently support 802.1x authentication. However, a
reasonably common configuration involves using a preset list of
permitted MAC addresses, with the "authentication" taking place
between the switch and a RADIUS server. In this configuration, the
end device does not need to perform any authentication step, but does
need to be prepared for the switch port to fail to forward packets for
a substantial time after physical link-up. This exactly matches the
"blocked link" semantics already used when detecting a non-forwarding
switch port via LACP or STP.
Treat a received EAP Request-Identity as indicating a blocked link.
Unlike LACP or STP, there is no way to determine the expected time
until the next EAP packet and so we must choose a fixed timeout.
Erroneously assuming that the link is blocked is relatively harmless
since we will still attempt to transmit and receive data even over a
link that is marked as blocked, and so the net effect is merely to
prolong DHCP attempts. In contrast, erroneously assuming that the
link is unblocked will potentially cause DHCP to time out and give up,
resulting in a failed boot.
The default EAP Request-Identity interval in Cisco switches (where
this is most likely to be encountered in practice) is 30 seconds, so
choose 45 seconds as a timeout that is likely to avoid gaps during
which we falsely assume that the link is unblocked.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/ipxe/eap.h | 69 | ||||
| -rw-r--r-- | src/include/ipxe/eapol.h | 3 | ||||
| -rw-r--r-- | src/include/ipxe/errfile.h | 1 |
3 files changed, 73 insertions, 0 deletions
diff --git a/src/include/ipxe/eap.h b/src/include/ipxe/eap.h new file mode 100644 index 0000000..6fe7018 --- /dev/null +++ b/src/include/ipxe/eap.h @@ -0,0 +1,69 @@ +#ifndef _IPXE_EAP_H +#define _IPXE_EAP_H + +/** @file + * + * Extensible Authentication Protocol + * + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <stdint.h> +#include <ipxe/netdevice.h> +#include <ipxe/timer.h> + +/** EAP header */ +struct eap_header { + /** Code */ + uint8_t code; + /** Identifier */ + uint8_t id; + /** Length */ + uint16_t len; +} __attribute__ (( packed )); + +/** EAP request */ +#define EAP_CODE_REQUEST 1 + +/** EAP request */ +struct eap_request { + /** Header */ + struct eap_header hdr; + /** Type */ + uint8_t type; +} __attribute__ (( packed )); + +/** EAP identity */ +#define EAP_TYPE_IDENTITY 1 + +/** EAP success */ +#define EAP_CODE_SUCCESS 3 + +/** EAP failure */ +#define EAP_CODE_FAILURE 4 + +/** EAP packet */ +union eap_packet { + /** Header */ + struct eap_header hdr; + /** Request */ + struct eap_request req; +}; + +/** Link block timeout + * + * We mark the link as blocked upon receiving a Request-Identity, on + * the basis that this most likely indicates that the switch will not + * yet be forwarding packets. + * + * There is no way to tell how frequently the Request-Identity packet + * will be retransmitted by the switch. The default value for Cisco + * switches seems to be 30 seconds, so treat the link as blocked for + * 45 seconds. + */ +#define EAP_BLOCK_TIMEOUT ( 45 * TICKS_PER_SEC ) + +extern int eap_rx ( struct net_device *netdev, const void *data, size_t len ); + +#endif /* _IPXE_EAP_H */ diff --git a/src/include/ipxe/eapol.h b/src/include/ipxe/eapol.h index 612dd36..952d6c7 100644 --- a/src/include/ipxe/eapol.h +++ b/src/include/ipxe/eapol.h @@ -26,6 +26,9 @@ struct eapol_header { /** 802.1X-2001 */ #define EAPOL_VERSION_2001 1 +/** EAPoL-encapsulated EAP packets */ +#define EAPOL_TYPE_EAP 0 + /** EAPoL key */ #define EAPOL_TYPE_KEY 5 diff --git a/src/include/ipxe/errfile.h b/src/include/ipxe/errfile.h index 3437a52..d317ce5 100644 --- a/src/include/ipxe/errfile.h +++ b/src/include/ipxe/errfile.h @@ -287,6 +287,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); #define ERRFILE_xsigo ( ERRFILE_NET | 0x00480000 ) #define ERRFILE_ntp ( ERRFILE_NET | 0x00490000 ) #define ERRFILE_httpntlm ( ERRFILE_NET | 0x004a0000 ) +#define ERRFILE_eap ( ERRFILE_NET | 0x004b0000 ) #define ERRFILE_image ( ERRFILE_IMAGE | 0x00000000 ) #define ERRFILE_elf ( ERRFILE_IMAGE | 0x00010000 ) |