On Sun, Mar 01, 2020 at 08:30:56AM +0000, Peer, Ilan wrote:
> > From: Jouni Malinen <j@xxxxx>
> > On Mon, Feb 24, 2020 at 11:14:34AM +0200, Ilan Peer wrote:
> > > PASN authentication requires that group management cipher suite would
> > > be set to 00-0F-AC:7 in the RSN IE, so allow this value when parsing
> > > and validating the RSN IE.
> >
> > Can you please point me to the location in P802.11az/D2.0 that describes
> > this?
>
> See section 12.13.2.2 (PASN Frame Construction and Processing).

Thanks. I'm not sure how I did not find that when searching through the
draft.. Anyway, that is quite clear on the design.

> > This looks problematic for PMF.. Are you sure this does not result in
> > unexpected behavior for BIP with Robust Management frames? This would
> > likely need some changes in other locations and clear understanding on what
> > to expect to happen with IGTK. The drivers would need to be able to drop
> > any unprotected group-addressed Robust Management frame in such
> > configuration. That would depend on there being an IGTK configured. That
> > would either need to be a random value from the AP or a random value
> > generated by wpa_supplicant internally if no IGTK is received from the AP.
>
> I'm not sure about this. From what I understand, during PASN no multicast
> frames are allowed, so drivers are expected to drop any multicast frames.

I'm not that worried about the part of using this for PASN; I'm worried
about the implications of this particular change to non-PASN cases of
using PMF since 00-0F-AC:7 has not been used as a group management
cipher suite selector in the existing use cases. I'm not at all
convinced it would work securely and that's why it is important for the
parser to reject that group management cipher suite. If this patch alone
were applied that could result in the station accepting any unprotected
group-addressed Robust Management frame which is clearly not what should
happen.

For this change to be acceptable, the 00-0F-AC:7 case with group
management cipher suite needs to be first confirmed to work correctly in
today's (non-PASN) PMF cases without introducing security
vulnerabilities. That's what the steps noted in that paragraph are
needed for (make sure a random IGTK value gets configured into the driver
regardless of whether the AP sends an IGTK).

-- 
Jouni Malinen                                            PGP id EFC895FA
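
The parser-side concern in this message, as an added example (not hostap code and not part of the original thread): walk the RSN IE body to the Group Management Cipher Suite field and accept 00-0F-AC:7 only when the caller says it is validating a PASN frame. The function names, the `pasn` flag, the gating policy and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define NO_GROUP_ADDR 0x000fac07u   /* 00-0F-AC:7 as OUI(3) + type(1) */

/* Constructed RSNE body (after Element ID and Length), not a capture. */
const uint8_t sample_rsne[] = {
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,   /* version 1, group data cipher */
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,   /* pairwise count + suite */
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x02,   /* AKM count + suite */
    0xc0, 0x00, 0x00, 0x00,               /* RSN Capabilities, PMKID count 0 */
    0x00, 0x0f, 0xac, 0x07 };             /* group management cipher suite */

/* Skip a 2-octet count plus count*item octets: 1 ok, 0 element ended, -1 bad. */
static int skip_list(const uint8_t **pos, const uint8_t *end, size_t item)
{
    if (*pos == end) return 0;
    if (end - *pos < 2) return -1;
    size_t n = 2 + ((*pos)[0] | ((size_t)(*pos)[1] << 8)) * item;
    if ((size_t)(end - *pos) < n) return -1;
    *pos += n;
    return 1;
}

/* Returns 1 and sets *suite if the field is present, 0 if absent, -1 if malformed. */
int rsne_group_mgmt_cipher(const uint8_t *body, size_t len, uint32_t *suite)
{
    const uint8_t *pos = body, *end = body + len;
    int r;
    if (len < 2 || pos[0] != 1 || pos[1] != 0) return -1;  /* Version */
    if (len == 2) return 0;                                 /* all later fields optional */
    if (len < 6) return -1;                                 /* group data cipher */
    pos += 6;
    if ((r = skip_list(&pos, end, 4)) <= 0) return r;       /* pairwise suites */
    if ((r = skip_list(&pos, end, 4)) <= 0) return r;       /* AKM suites */
    if (pos == end) return 0;
    if (end - pos < 2) return -1;                           /* RSN Capabilities */
    pos += 2;
    if ((r = skip_list(&pos, end, 16)) <= 0) return r;      /* PMKIDs */
    if (pos == end) return 0;
    if (end - pos < 4) return -1;
    *suite = ((uint32_t)pos[0] << 24) | ((uint32_t)pos[1] << 16) | ((uint32_t)pos[2] << 8) | pos[3];
    return 1;
}

/* Assumed policy: BIP suites (:6, :11..:13) always, :7 only for a PASN frame. */
int group_mgmt_cipher_ok(uint32_t suite, int pasn)
{
    if (suite == NO_GROUP_ADDR) return pasn != 0;
    return suite == 0x000fac06u || (suite >= 0x000fac0bu && suite <= 0x000fac0du);
}
```

With this gate a non-PASN association that advertises 00-0F-AC:7 is rejected at parse time, so the IGTK handling questions raised above never arise for it.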