On 20.05.2016 at 15:16, Guenther Kelleter wrote:
> However, I might be wrong, but I think that trying to set a HW-crypt
> key for an AP_VLAN vif the driver doesn't know about is wrong in the
> first place. The AP_VLAN's (I)GTK should be passed via the
> corresponding AP vif to ieee80211_key_enable_hw_accel() instead(?)

We need a different GTK per AP/AP_VLAN netdev in order to achieve per-VLAN isolation. So the correct GTK must be chosen when encrypting the broadcast/multicast frame.

As AP_VLAN is within a single BSS, the BSSID cannot be used to select here. As the GTK is for broadcast/multicast frames, the destination MAC address cannot be used either. So there is nothing except the AP_VLAN ifindex here to make the driver or firmware choose the correct GTK.

Passing all GTKs to the AP interface will essentially not allow for multiple (per-VLAN) GTKs to be stored/used. Instead, the GTK for one VLAN would override the one for another VLAN.

> Is the PTK for station on an AP_VLAN set on the corresponding AP vif
> resp. passed to AP's driver vdev? Or is AP_VLAN crypto not
> hw-accelerated?

As the PTK is used for unicast traffic, the correct key can be selected using the destination MAC address (station). Thus AP_VLAN does not matter with the PTK.

Regards,
M. Braun

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
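The key selection argued in the reply above, as an added example that is not part of the original message and is not mac80211 or driver code: a toy key table in which a GTK is selected by the interface a group-addressed frame is sent on and a PTK by the destination station MAC address. The function names, vif numbers and key ids are assumptions constructed for illustration.

```c
/* Added toy model, not mac80211 or driver code. vif numbers and key ids are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 8
struct key_entry {
    int used, is_group;  /* is_group: 1 = GTK, 0 = PTK */
    int vif;             /* GTK selector: interface the key was installed on */
    uint8_t sta[6];      /* PTK selector: station MAC address */
    int key_id;          /* stands in for the key material */
};
static struct key_entry keys[MAX_KEYS];
static void reset_keys(void) { memset(keys, 0, sizeof(keys)); }

/* Install a key; an existing entry with the same selector is overwritten. */
static void set_key(int is_group, int vif, const uint8_t *sta, int key_id)
{
    struct key_entry *slot = NULL;
    for (int i = 0; i < MAX_KEYS; i++) {
        struct key_entry *k = &keys[i];
        int same = k->used && k->is_group == is_group &&
                   (is_group ? k->vif == vif : memcmp(k->sta, sta, 6) == 0);
        if (same) { slot = k; break; }
        if (!k->used && !slot) slot = k;
    }
    if (!slot) return;   /* table full */
    slot->used = 1; slot->is_group = is_group; slot->vif = vif; slot->key_id = key_id;
    if (sta) memcpy(slot->sta, sta, 6); else memset(slot->sta, 0, 6);
}

/* Key for a frame to destination da sent on tx_vif, or -1 if none is installed. */
static int select_key(const uint8_t *da, int tx_vif)
{
    int group = da[0] & 1;   /* group-addressed: broadcast or multicast */
    for (int i = 0; i < MAX_KEYS; i++) {
        const struct key_entry *k = &keys[i];
        if (!k->used || k->is_group != group) continue;
        if (group ? k->vif == tx_vif : memcmp(k->sta, da, 6) == 0) return k->key_id;
    }
    return -1;
}

int main(void)
{
    const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    set_key(1, 2, NULL, 100); set_key(1, 3, NULL, 200);  /* one GTK per AP_VLAN vif */
    printf("vif2=%d vif3=%d\n", select_key(bcast, 2), select_key(bcast, 3));
    return 0;
}
```

Installing both GTKs with the same vif selector instead (the AP vif) leaves only the second one in the table, which is the override described in the reply.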