On Mon, Oct 29, 2018 at 05:35:58PM -0700, Richard D. Hornbaker wrote:
> Recognizing that Protected Management Frames (802.11w) can be disabled
> (0), enabled (1), or required (2)... why is the default still
> "disabled"?
>
> I've just spent a chunk of time chasing a problem where wpa_supplicant
> was uniquely unable to connect, and this proved to be the root cause.
> Other supplicants and products worked fine, which suggests that the
> industry has decided that any historical compatibility issues are long
> resolved, and "enabled" is now a safe setting.
>
> FWIW, here's one vote to change the global default to pmf=1.

Originally, I did not do this due to potential issues with PMF getting
enabled on devices that either do not support PMF at all or have not
received sufficient testing to confirm they are interoperable. This was
before there was any kind of driver capability indication for PMF
support, so having PMF enabled would have broken a significant number of
deployed systems.

Now that at least the nl80211 driver interface does provide capability
information for PMF (based on whether the BIP cipher suite is advertised
as supported) and PMF has been in use for multiple years, it might
indeed make sense to move to enabling this by default with pmf=1
default. I don't want to do that before v2.7 release, but unless anyone
comes up with reasons not to do this, I'd go ahead and change this after
v2.7 gets out.

--
Jouni Malinen                                            PGP id EFC895FA
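
The capability check mentioned in the reply (PMF support inferred from an advertised BIP cipher suite) can be approximated from user space. The script below is an added example, not code from this thread or from hostap: it assumes the "Supported Ciphers" layout printed by `iw phy`, and the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. BIP suite selectors as printed by iw (OUI 00-0f-ac):
#   :6 BIP-CMAC-128  :11 BIP-GMAC-128  :12 BIP-GMAC-256  :13 BIP-CMAC-256

# has_bip (hypothetical helper): reads `iw phy` text on stdin and succeeds
# if any "Supported Ciphers" section lists a BIP suite (any phy counts).
has_bip() {
    awk '
        /Supported Ciphers:/ { in_ciphers = 1; next }
        in_ciphers && /^[ \t]*\*/ {
            if ($0 ~ /\(00-0f-ac:(6|11|12|13)\)/) found = 1
            next
        }
        in_ciphers { in_ciphers = 0 }
        END { exit (found ? 0 : 1) }
    '
}

# suggest_pmf (hypothetical helper): prints the global pmf= line to use.
# pmf=1 enables PMF without requiring it; pmf=0 leaves it disabled.
suggest_pmf() {
    if has_bip; then echo "pmf=1"; else echo "pmf=0"; fi
}

# Constructed sample outputs, trimmed to the relevant section.
sample_phy_with_bip() {
    cat <<'EOF'
Wiphy phy0
    Supported Ciphers:
        * CCMP-128 (00-0f-ac:4)
        * CMAC (00-0f-ac:6)
    Available Antennas: TX 0x3 RX 0x3
EOF
}

sample_phy_without_bip() {
    cat <<'EOF'
Wiphy phy1
    Supported Ciphers:
        * WEP40 (00-0f-ac:1)
        * TKIP (00-0f-ac:2)
        * CCMP-128 (00-0f-ac:4)
    Available Antennas: TX 0x1 RX 0x1
EOF
}

sample_phy_with_bip | suggest_pmf
sample_phy_without_bip | suggest_pmf
# On a live system: iw phy | suggest_pmf
```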