Re: Nonzero key IDs for GCMP to fix PTK rekeying

On 24/05/2019 01:05, Alexander Wetzel wrote:

[snip]

>> Since writing my original mail and looking at the patches you linked above, I
>> realised that I do not actually need my .tx_control_port to block until the
>> frame is sent; instead I can just flush the TX queue before overwriting
>> PTK0. IIUC this is an incomplete solution with current userspace, because 4/4
>> may not have reached the HW ring before the flush happens. However if 4/4 is
>> sent using tx_control_port then the driver is empowered to know that it is
>> already in the ring when it gets the key installation, so a flush is guaranteed
>> to solve the problem. (Like in mac80211 - ieee80211_hw_key_replace says that
>> ieee80211_flush_queues "*may* help prevent the clear text leaks and freezes.";
>> if I'm not mistaken then if tx_control_port is in use and doesn't do any
>> intermediate queueing, it will *certainly* prevent the freezes). Realising that
>> I can solve the issue without having my cfg80211 hooks behave so differently
>> from mac80211 made me less dismissive of EAPoL-over-NL80211 as a solution.
>
> Agree:-)
>
> But when you have freezes:
> I would not expect (long) freezes when you send out EAPOL#4 encrypted with the wrong key: If memory serves me right, hostapd should disconnect you after some seconds (10s max), forcing a reconnect.
> Now that could well translate to around 30s without working transmissions, but nothing I would call a freeze.
Yeah, I think in our setup you actually get a new association within something like 5 seconds.
But for our use case we should be able to provide unbroken service when RF conditions
are good (in such use cases all nodes in the network will be our own HW).
> Re-associating seems to be an acceptable alternative to rekeying the connection, as long as this happens fast. I'm planning to teach wpa_supplicant and iwd to do that for drivers not supporting PTK0
> rekey but probably not in the near future. (My patch so far is far too slow to reconnect to be acceptable.)

Anyway, CONTROL_PORT_OVER_NL80211 patch is incoming but currently fighting the
hwsim tests, I get loads of random failures on master so can't verify if my patch
breaks any tests...
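
The ordering argument in this message, as an added toy model in C (not part of the original mail, and not mac80211 or driver code): the hardware encrypts a frame with whatever key sits in slot 0 when the frame leaves the ring, and a flush only drains the ring. All names (`struct model`, `install_key`, `rekey`) are hypothetical, and the path without tx_control_port is modelled in its worst case, with 4/4 still in an intermediate queue when the key is installed.

```c
#include <stdio.h>

/* Constructed model: which key ends up encrypting EAPOL 4/4 during a PTK0 rekey. */
enum { NOT_SENT = 0, OLD_PTK = 1, NEW_PTK = 2 };

struct model {
    int slot0;       /* key currently installed as PTK0 */
    int sw_queued;   /* frames held in an intermediate software queue */
    int ring_queued; /* frames already in the HW TX ring */
    int sent_key;    /* key that 4/4 was encrypted with on air */
};

/* HW transmits everything in the ring using the key in slot 0 right now. */
static void hw_drain(struct model *m) {
    if (m->ring_queued) { m->sent_key = m->slot0; m->ring_queued = 0; }
}

/* The intermediate queue hands its frames to the HW ring. */
static void sw_push(struct model *m) {
    m->ring_queued += m->sw_queued;
    m->sw_queued = 0;
}

/* Key installation; the optional flush can only reach frames in the ring. */
static void install_key(struct model *m, int flush_first) {
    if (flush_first) hw_drain(m);
    m->slot0 = NEW_PTK;
}

/* Returns the key that encrypted 4/4. The peer still expects OLD_PTK. */
int rekey(int via_control_port, int flush_first) {
    struct model m = { OLD_PTK, 0, 0, NOT_SENT };
    if (via_control_port) m.ring_queued = 1; /* 4/4 is in the ring on return */
    else m.sw_queued = 1;                    /* worst case: not yet in ring */
    install_key(&m, flush_first);
    sw_push(&m);
    hw_drain(&m);
    return m.sent_key;
}

int main(void) {
    static const char *name[] = { "not sent", "old PTK", "new PTK (wrong)" };
    for (int cp = 0; cp <= 1; cp++)
        for (int fl = 0; fl <= 1; fl++)
            printf("control_port=%d flush=%d -> 4/4 sent with %s\n",
                   cp, fl, name[rekey(cp, fl)]);
    return 0;
}
```

Only the combination of control-port delivery and a flush before the key swap sends 4/4 under the old PTK; a flush alone does not help when the frame has not reached the ring.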
