mka: Loss of live peers to result in connect PENDING not AUTHENTICATED

When the number of live peers becomes 0 the KaY was setting
kay->authenticated true and telling the CP to connect AUTHENTICATED.
Per IEEE Std 802.1X-2010 Clause 12.2, MKA.authenticated means "the Key
Server has proved mutual authentication but has determined that
Controlled Port communication should proceed without the use of MACsec",
which means port traffic will be passed in the clear.

When the number of live peers becomes 0 the KaY must instead set
kay->authenticated false and tell the CP to connect PENDING. Per Clause
12.3 connect PENDING will "prevent connectivity by clearing the
controlledPortEnabled parameter."

Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
This commit is contained in:
Mike Siedzik 2018-02-20 14:28:34 -05:00 committed by Jouni Malinen
parent 8fb546d8e6
commit 5762855abd

View file

@ -2399,7 +2399,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
participant->orx = FALSE;
participant->is_key_server = FALSE;
participant->is_elected = FALSE;
kay->authenticated = TRUE;
kay->authenticated = FALSE;
kay->secured = FALSE;
kay->failed = FALSE;
kay->ltx_kn = 0;
@ -2416,7 +2416,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
ieee802_1x_delete_transmit_sa(kay, txsa);
}
ieee802_1x_cp_connect_authenticated(kay->cp);
ieee802_1x_cp_connect_pending(kay->cp);
ieee802_1x_cp_sm_step(kay->cp);
} else {
ieee802_1x_kay_elect_key_server(participant);