Re: [PATCH 2/2] drivers: nl80211: indicate 802.1X 4-way handshake offload in connect


 



On Tue, Jan 08, 2019 at 10:51:37AM +0100, Arend Van Spriel wrote:
> I added FT here because in brcmfmac two related commits were added by
> Cypress folks:
> 
> commit a858376cdbb3 ("brcmfmac: add 4-way handshake offload detection for
> FT-802.1X")
> commit 4ad298da9392 ("brcmfmac: add FT-based AKMs in brcmf_set_key_mgmt()
> for FT support")
> 
> And there is also a patch pending in linux-wireless patchwork ("brcmfmac:
> send port authorized event for FT-802.1X [1]") regarding roaming behavior
> for FT protocol. However, I can imagine not all drivers could do this and we
> may need another feature flag for this or a list of supported AKM suites for
> offload.

> [1] https://patchwork.kernel.org/patch/10748067/

Interesting. I'd be fine adding back the FT AKM, but I'd like to see a
wpa_supplicant debug log showing a sequence of initial mobility domain
association followed by FT protocol roaming. The key derivation for this
case is quite a bit different, but then again, I'd also assume that in
this case both the 4-way handshake and FT protocol exchange are actually
offloaded to the driver/firmware, so that might work fine. Well,
assuming it also takes care of PTK/GTK rekeying exchanges (i.e.,
offloads all EAPOL-Key frame handling).

Even EAPOL-Key error reporting (e.g., Michael MIC failures for TKIP, but
that's not the only use case for these) should be made sure to work when
it is initiated by wpa_supplicant. That's one part where the derived
PTK (KEK and KCK) need to be synchronized and I had not realized there
would be sufficient functionality for this in upstream cfg80211/nl80211
design yet.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap


