Am 13.05.2016 um 13:46 schrieb Guenther Kelleter: > Let me sum up what I did understand so far: > ... > Is this correct? Yes. To be more precise, that "base" interface is per BSS and has type "AP", but that does not really make a difference here. Please also note that also with dynamic vlans, there might be some time (and protocol steps) between hostapd creating the new AP_VLAN interface but not yet binding the station there. > then could be received by all the stations which are associated to > the same SSID but assigned to another VLAN. The stations should not accept those packets because they should expect all frames to be encrypted. But those packets could be sniffed by any possibly unconnected station and thus leak data. > How can I check if an AP_VLAN has a group key? I want to make sure > that the dynamic VLANs are properly encrypted when I'm patching this > to work on ath10k. You can hook into the set_key function and debug print it. Or you generate some packets on that interface (e.g. with some distinguishing source mac address ) and then sniff it. As the mac address is not encrypted, you can easily filter for these packets and inspect them for encryption. Properly encrypted would also require the keys used to be sufficiently random, thought that cannot be verified that easily. > How to check if a GTK-rekey is executed for all AP_VLANs? (In debug > log I only see " daemon.debug hostapd: wlan0: WPA rekeying GTK" but > not e.g. " daemon.debug hostapd: wlan0.20: WPA rekeying GTK" for the > tagged wlan interface. see src/ap/wpa_auth.c function wpa_rekey_gtk which creates that debug print. It iterates over all struct wpa_group ( aka VLAN ) of that BSS and triggers rekeying. So the main point for making sure WPA rekeying happens for all VLANs is by ensuring that for each AP_VLAN interface, there is a corresponding struct wpa_group entry. This is also how 7cebc8e2 fixed its issue. Of course you can just add debug statements into that loop. > Finally, is there any useful doc about those complex internals of > hostapd? It's really difficult to know this by only looking at the > code. And 802.11 doesn't mention how VLANs fit into it at all. Hostapd has doxygen docs [1]. Apart of that, I have been reading the source of hostapd and mac80211 for some years now. Regards, M. Braun [1] http://w1.fi/wpa_supplicant/devel/ _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap