On Fri, Mar 02, 2018 at 03:10:57PM -0500, msiedzik@xxxxxxxxxxxxxxxxxxx wrote:
> The purpose of the Lowest Acceptable PN (lpn) parameters in the MACsec
> SAK Use parameter set is to enforce delay protection. Per
> IEEE802.1X-2010 Clause 9, "Each SecY uses MKA to communicate the lowest
> PN used for transmission with the SAK within the last two seconds,
> allowing receivers to bound transmission delays."
>
> When encoding the SAK Use parameter set the KaY should set llpn and
> olpn to the lowest PN transmitted by the latest SAK and oldest SAK (if
> active) within the last two seconds. Because MKPDUs are transmitted
> every 2 seconds (MKA_HELLO_TIME), the solution implemented here
> calculates lpn based on the txsc->next_pn read during the previous MKPDU
> transmit.
>
> Upon receiving and decoding a SAK Use parameter set with delay
> protection enabled, the KaY will update the SecY's lpn if the delay
> protect lpn is greater than the SecY's current lpn (which is a product
> of last PN received and replay protection and window size).

Thanks, applied.

-- 
Jouni Malinen                                            PGP id EFC895FA
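
A simplified model of the delay-protection logic described in the commit message, added here as an illustration; it is not code from the hostap patch. The struct and function names are hypothetical, and the SecY's own lowest acceptable PN is taken as a given value rather than derived from the replay window.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model with hypothetical names; not hostap's data structures. */
struct tx_model { uint32_t next_pn; uint32_t pn_at_prev_mkpdu; };
struct rx_model { uint32_t lowest_pn; /* SecY lowest acceptable PN, assumed given */ };

/* Transmit side, run once per MKPDU (every 2 s): report the PN sampled at
 * the previous MKPDU, i.e. the lowest PN used in the last interval, then
 * resample next_pn for the following MKPDU. */
uint32_t sak_use_encode_lpn(struct tx_model *tx)
{
    uint32_t lpn = tx->pn_at_prev_mkpdu;
    tx->pn_at_prev_mkpdu = tx->next_pn;
    return lpn;
}

/* Receive side: with delay protection on, raise the SecY's lowest acceptable
 * PN only when the peer's lpn is greater. Returns 1 if it was raised. */
int sak_use_apply_lpn(struct rx_model *rx, uint32_t peer_lpn, int delay_protect)
{
    if (!delay_protect || peer_lpn <= rx->lowest_pn)
        return 0;
    rx->lowest_pn = peer_lpn;
    return 1;
}

/* A frame whose PN is below the lowest acceptable PN is discarded. */
int frame_acceptable(const struct rx_model *rx, uint32_t pn)
{
    return pn >= rx->lowest_pn;
}

int main(void)
{
    /* Constructed scenario: PNs start at 1; receiver floor is still 1. */
    struct tx_model tx = { 1, 1 };
    struct rx_model rx = { 1 };

    tx.next_pn = 1000;                  /* PNs 1..999 sent in interval 1 */
    sak_use_apply_lpn(&rx, sak_use_encode_lpn(&tx), 1);
    tx.next_pn = 5000;                  /* PNs 1000..4999 sent in interval 2 */
    sak_use_apply_lpn(&rx, sak_use_encode_lpn(&tx), 1);

    printf("floor=%u delayed(500)=%d fresh(4000)=%d\n", (unsigned)rx.lowest_pn,
           frame_acceptable(&rx, 500), frame_acceptable(&rx, 4000));
    return 0;
}
```

In this scenario a frame with PN 500 that arrives after the second MKPDU is more than one hello interval old and falls below the raised floor, while PN 4000 from the current interval is still accepted.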