On Sun, 2020-03-01 at 17:16 +0200, Jouni Malinen wrote: > On Sun, Mar 01, 2020 at 08:30:56AM +0000, Peer, Ilan wrote: > > > From: Jouni Malinen <j@xxxxx> > > > On Mon, Feb 24, 2020 at 11:14:34AM +0200, Ilan Peer wrote: > > > > PASN authentication requires that group management cipher suite would > > > > be set to 00-0F-AC:7 in the RSN IE, so allow this value when parsing > > > > and validating the RSN IE. > > > > > > Can you please point me to the location in P802.11az/D2.0 that describes > > > this? > > > > See section 12.13.2.2 (PASN Frame Construction and Processing). > > Thanks. I'm not sure how I did not find that when searching through the > draft.. Anyway, that is quite clear on the design. > > > > This looks problematic for PMF.. Are you sure this does not result in > > > unexpected behavior for BIP with Robust Management frames? This would > > > likely need some changes in other locations and clear understanding on > > > what > > > to expect to happen with IGTK. The drivers would need to be able to drop > > > any unprotected group-addressed Robust Management frame in such > > > configuration. That would depend on there being an IGTK configured. That > > > would either need to be a random value from the AP or a random value > > > generated by wpa_supplicant internally if no IGTK is received from the > > > AP. > > > > I'm not sure about this. From what I understand, during PASN not multicast > > frames are allowed, so drivers are expected to drop any multicast frames. > > I'm not that worried about the part of using this for PASN; I'm worried > about the implications of this particular change to non-PASN cases of > using PMF since 00-0F-AC:7 has not been used as a group management > cipher suite selector in the existing use cases. I'm not at all > convinced it would work securely and that's why it is important for the > parser to reject that group management cipher suite. If this patch alone > were applied that could result in the station accepting any unprotected > group-addressed Robust Management frame which is clearly not what should > happen. > I think I understand your concern now. At least from what I can tell about mac80211 it does not have any handling for such a case, i.e., not allow any group addressed frames. I do not know how other drivers would handle this. > For this change to be acceptable, the 00-0F-AC:7 case with group > management cipher suite needs to be first confirmed to work correctly in > today's (non-PASN) PMF cases without introducing security > vulnerabilities. That's what the steps noted in that paragraphs are > needed (make sure a random IGTK value gets configured into the driver > regardless of whether the AP sends an IGTK). > I can change the implementation so this would be allowed only in the case of PASN. This should be simple enough. If you want me to do it differently let me know. Regards, Ilan. _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
