Re: [PATCH] MFP: Don't use MFP if it is optional and not supported by hardware

On Tue, 2019-01-08 at 19:31 -0600, Dan Williams wrote:
> On Wed, 2019-01-09 at 01:39 +0200, Jouni Malinen wrote:
> > On Tue, Jan 08, 2019 at 10:18:28AM -0600, Dan Williams wrote:
> > > Perhaps I don't fully understand, but wouldn't pmf=1 try to enable PMF
> > > for all SSIDs if supported by SSID/driver, even if the user does not
> > > actually want to use PMF on that SSID?
> > 
> > Global pmf=1 would make wpa_supplicant try to use PMF for all RSN (WPA2)
> > connections if the AP advertises support for this. This should really be
> > the default behavior for everything now and I don't see much of a use
> > case for the user to try to not use PMF. (And if there is such a use
> > case, ieee80211w=0 in the network profile can be used to override the
> > global pmf=1).
> 
> Ok, that seems like an acceptable override behavior to allow users to
> turn it off per-SSID if for some reason they don't want it.  I'll pass
> that along.

Follow-up... Beniamino is working on the NM changes to make this
happen.

Dan

> Thanks!
> Dan
> 
> > > Usually NetworkManager tries to have per-SSID switches for things,
> > > because there are times when a network advertises a feature that you
> > > don't actually want to use for whatever reason (it's broken on one side
> > > but still advertised, or has some drawbacks that certain users don't
> > > want to accept, etc).
> > 
> > Other than some conformance/protocol testing purposes, I'm not sure why
> > PMF would not be used. I guess working around a broken AP could be one
> > reason, but I'm not aware of such cases and even if that were to be the
> > case, I'd claim that global pmf=1 and network profile specific
> > possibility to disable that would be a better approach here.
> > 
> > Please also note that I'm planning on changing the default value for the
> > global pmf parameter to be 1 instead of 0 in the next wpa_supplicant
> > release, i.e., enabling PMF automatically unless it has been explicitly
> > disabled with pmf=0 or network profile specific ieee80211w=0.
> > 
> 
> _______________________________________________
> Hostap mailing list
> Hostap@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/hostap
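
As an added example (not part of the original thread and not wpa_supplicant code), this Python sketch resolves the override behaviour discussed above: the global pmf value applies to each network profile unless the profile sets ieee80211w itself. The function names and the sample configuration are constructed for illustration; the parser handles only plain key=value lines and network blocks.

```python
# pmf / ieee80211w values: 0 = disabled, 1 = optional, 2 = required

SAMPLE_CONF = """\
# constructed sample configuration, not taken from the thread
pmf=1
network={
    ssid="office"
    psk="example-passphrase"
}
network={
    ssid="legacy-ap"
    psk="example-passphrase"
    ieee80211w=0
}
"""

def effective_pmf(conf_text, builtin_default=0):
    """Return [(ssid, mode, source)] for every network block in conf_text."""
    # builtin_default is used when no global pmf= line exists (0 per the thread,
    # before the planned change to 1). Assumption of this sketch: the global
    # value applies to all profiles regardless of its position in the file.
    global_pmf, blocks, block = None, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            block = {}
        elif line == "}" and block is not None:
            blocks.append(block)
            block = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if block is not None:
                block[key] = value
            elif key == "pmf":
                global_pmf = int(value)
    out = []
    for b in blocks:
        ssid = b.get("ssid", "<no ssid>").strip('"')
        if "ieee80211w" in b:  # the profile setting overrides the global one
            out.append((ssid, int(b["ieee80211w"]), "network ieee80211w"))
        elif global_pmf is not None:
            out.append((ssid, global_pmf, "global pmf"))
        else:
            out.append((ssid, builtin_default, "built-in default"))
    return out

def pmf_disabled(conf_text, builtin_default=0):
    """SSIDs whose profile will not attempt PMF at all."""
    return [s for s, mode, _ in effective_pmf(conf_text, builtin_default) if mode == 0]
```

Running `pmf_disabled` over a deployed configuration lists the profiles that still opt out of PMF, which is useful to review before and after the default changes.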

