From: Ido Schimmel <idosch@idosch.org>
To: "Hans J. Schultz" <netdev@kapio-technology.com>
Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org,
	"Florian Fainelli" <f.fainelli@gmail.com>,
	"Andrew Lunn" <andrew@lunn.ch>,
	"Vladimir Oltean" <olteanv@gmail.com>,
	"Eric Dumazet" <edumazet@google.com>,
	"Paolo Abeni" <pabeni@redhat.com>,
	"Kurt Kanzenbach" <kurt@linutronix.de>,
	"Hauke Mehrtens" <hauke@hauke-m.de>,
	"Woojung Huh" <woojung.huh@microchip.com>,
	"maintainer:MICROCHIP KSZ SERIES ETHERNET SWITCH DRIVER"
	<UNGLinuxDriver@microchip.com>,
	"Sean Wang" <sean.wang@mediatek.com>,
	"Landen Chao" <Landen.Chao@mediatek.com>,
	"DENG Qingfang" <dqfext@gmail.com>,
	"Matthias Brugger" <matthias.bgg@gmail.com>,
	"Claudiu Manoil" <claudiu.manoil@nxp.com>,
	"Alexandre Belloni" <alexandre.belloni@bootlin.com>,
	"Clément Léger" <clement.leger@bootlin.com>,
	"Jiri Pirko" <jiri@resnulli.us>,
	"Ivan Vecera" <ivecera@redhat.com>,
	"Roopa Prabhu" <roopa@nvidia.com>,
	"Nikolay Aleksandrov" <razor@blackwall.org>,
	"Russell King" <linux@armlinux.org.uk>,
	"Christian Marangi" <ansuelsmth@gmail.com>,
	"open list" <linux-kernel@vger.kernel.org>,
	"moderated list:ARM/Mediatek SoC support"
	<linux-arm-kernel@lists.infradead.org>,
	"moderated list:ARM/Mediatek SoC support"
	<linux-mediatek@lists.infradead.org>,
	"open list:RENESAS RZ/N1 A5PSW SWITCH DRIVER"
	<linux-renesas-soc@vger.kernel.org>,
	"moderated list:ETHERNET BRIDGE"
	<bridge@lists.linux-foundation.org>
Subject: Re: [PATCH net-next 0/5] ATU and FDB synchronization on locked ports
Date: Tue, 31 Jan 2023 21:25:21 +0200
Message-ID: <Y9lrIWMnWLqGreZL@shredder>
In-Reply-To: <20230130173429.3577450-1-netdev@kapio-technology.com>

On Mon, Jan 30, 2023 at 06:34:24PM +0100, Hans J. Schultz wrote:
> This patch set makes it possible to have synchronized dynamic ATU and FDB
> entries on locked ports. As locked ports are not able to automatically
> learn, they depend on userspace added entries, where userspace can add
> static or dynamic entries. The lifetime of static entries is completely
> dependent on userspace intervention, and thus not of interest here. We
> are only concerned with dynamic entries, which can be added with a
> command like:
> 
> bridge fdb replace ADDR dev <DEV> master dynamic
> 
> We choose only to support this feature on locked ports, as it involves
> utilizing the CPU to handle ATU related switchcore events (typically
> interrupts) and thus can result in significant performance loss if
> exposed to heavy traffic.

Not sure I understand this reasoning. I was under the impression that
hostapd is installing dynamic entries instead of static ones since the
latter are not flushed when carrier is lost. Therefore, with static
entries it is possible to unplug a host (potentially plugging a
different one) and not lose authentication.

> 
> On locked ports it is important for userspace to know when an authorized
> station has become silent, hence not breaking the communication of a
> station that has been authorized based on the MAC-Authentication Bypass
> (MAB) scheme. Thus if the station keeps being active after authorization,
> it will continue to have an open port as long as it is active. Only after
> a silent period will it have to be reauthorized. As the ageing process in
> the ATU is dependent on incoming traffic to the switchcore port, it is
> necessary for the ATU to signal that an entry has aged out, so that the
> FDB can be updated at the correct time.

Why mention MAB at all? Don't you want user space to always use dynamic
entries to authenticate hosts regardless of 802.1X/MAB?

> 
> This patch set includes a solution for the Marvell mv88e6xxx driver, where
> for this driver we use the Hold-At-One feature so that an age-out
> violation interrupt occurs when a station has been silent for the
> system-set age time. The age out violation interrupt allows the switchcore
> driver to remove both the ATU and the FDB entry at the same time.
> 
> It is up to the maintainers of other switchcore drivers to implement the
> feature for their specific driver.
> 
> Hans J. Schultz (5):
>   net: bridge: add dynamic flag to switchdev notifier
>   net: dsa: propagate flags down towards drivers
>   drivers: net: dsa: add fdb entry flags incoming to switchcore drivers
>   net: bridge: ensure FDB offloaded flag is handled as needed
>   net: dsa: mv88e6xxx: implementation of dynamic ATU entries

Will try to review tomorrow, but it looks like this set is missing
selftests. What about extending bridge_locked_port.sh?
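
An added example, not part of the original message or of the patch set: an audit of FDB output for static entries on locked ports, which is the case the reply above is concerned about (entries that stay installed after the host is unplugged). It assumes the line shape printed by `bridge fdb show`, where static entries carry the `static` keyword and dynamic ones carry no state keyword; the function names, port names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report static bridge FDB entries on locked ports.
# On a locked port an FDB entry is the authorization record for a host,
# so an entry that is not dynamic outlives the host that was authorized.

# audit_locked_fdb PORT... < fdb_dump
#   PORT...  names of the bridge ports configured as locked
#            (assumption: the caller already knows which ports are locked)
#   stdin    text in the shape printed by `bridge fdb show`
# Prints "PORT MAC" for every static bridge entry on a listed port.
audit_locked_fdb() {
    awk -v ports="$*" '
    BEGIN {
        n = split(ports, p, " ")
        for (i = 1; i <= n; i++) locked[p[i]] = 1
    }
    {
        dev = ""; master = 0; state = "dynamic"
        for (i = 2; i <= NF; i++) {
            if ($i == "dev" && i < NF) dev = $(i + 1)
            else if ($i == "master") master = 1
            else if ($i == "static" || $i == "permanent") state = $i
        }
        # "permanent" entries are the local addresses of the port itself and
        # lines without "master" are not bridge FDB entries: skip both.
        if (master && (dev in locked) && state == "static")
            print dev, $1
    }'
}

# Constructed sample input (documentation MAC range, hypothetical ports).
sample_fdb() {
    cat <<'EOF'
00:00:5e:00:53:01 dev swp1 master br0
00:00:5e:00:53:02 dev swp1 master br0 static
00:00:5e:00:53:10 dev swp1 master br0 permanent
33:33:00:00:00:01 dev swp1 self permanent
00:00:5e:00:53:03 dev swp2 master br0 static
00:00:5e:00:53:04 dev swp1 vlan 10 master br0 static
EOF
}

# Stand-alone run: swp1 is treated as the only locked port.
sample_fdb | audit_locked_fdb swp1
```

On a live system the input would come from `bridge fdb show` instead of `sample_fdb`.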
