On Sun, Mar 01, 2020 at 09:16:40AM +0000, Peer, Ilan wrote:
> I cannot really guarantee that such a thing would be adequately implemented
> by stations. As the anti-clogging token indexing is based on the station address
> I can extend comeback_token_hash() to concatenate the authentication algorithm
> ID with the address, to allow concurrent support for SAE and PASN. What do you think?

The more I try to understand how the comeback cookie mechanism in P802.11az/D2.0 is supposed to work, the more I start to think that it should really be designed differently.. This is similar to the SAE anti-clogging token design and that design is known to not really provide much protection since it does not require any significant calculation need on the attacker side. With that in mind, I'm not sure I have a good answer on how the current design should be implemented since I hope the current design changes before the implementation of this would be added..

Anyway, if we do need to move ahead with the current design, it would likely be a good idea to make the tokens distinct from the ones used in SAE.

--
Jouni Malinen                                            PGP id EFC895FA
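The token separation discussed in this thread, as an added sketch that is not hostapd code and not part of the original message: binding the authentication algorithm ID into the token input makes a token issued for SAE fail validation when presented for PASN. The token construction (HMAC-SHA256 over algorithm ID and station address), the function names `comeback_token()` and `check_token()`, the key and the station addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

WLAN_AUTH_SAE = 3   # IEEE 802.11 authentication algorithm number for SAE
WLAN_AUTH_PASN = 7  # authentication algorithm number for PASN


def parse_mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw octets."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("station address must be 6 octets")
    return raw


def comeback_token(key, auth_alg, sta_addr):
    """Hypothetical stateless token: HMAC-SHA256(key, auth_alg || addr).

    Prefixing the algorithm ID separates the SAE and PASN token spaces
    even though both are derived from the same station address.
    """
    msg = struct.pack("<H", auth_alg) + parse_mac(sta_addr)
    return hmac.new(key, msg, hashlib.sha256).digest()


def check_token(key, auth_alg, sta_addr, token):
    """Recompute the token and compare in constant time."""
    expected = comeback_token(key, auth_alg, sta_addr)
    return hmac.compare_digest(expected, token)


def demo():
    key = bytes(range(32))       # constructed key, for the example only
    sta = "02:00:00:00:01:00"    # constructed station address
    sae_tok = comeback_token(key, WLAN_AUTH_SAE, sta)
    # Echoing a token costs the sender no computation, which is the
    # limitation of this kind of design raised in the reply above.
    return {
        "sae_ok": check_token(key, WLAN_AUTH_SAE, sta, sae_tok),
        "sae_token_as_pasn": check_token(key, WLAN_AUTH_PASN, sta, sae_tok),
        "other_sta": check_token(key, WLAN_AUTH_SAE,
                                 "02:00:00:00:01:01", sae_tok),
    }


if __name__ == "__main__":
    print(demo())
```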