Re: Re: Key server election on peer-to-peer MACsec with MKA

Hi Emond,

A couple of months ago Mickael Chazaux posted a thread on this very topic:

http://lists.infradead.org/pipermail/hostap/2020-July/038651.html

So it looks like the existing code is incorrectly handling key server elections with more than two peers, and GroupCAs in general.  Mickael was on the right track with his attempted patches, but additional work and testing of 3-peer networks is required.  Part of his solution was to remove parameter block failures in certain circumstances.  The initial implementation of mka ignored all parameter block failures, which was causing error recovery problems in my 2-peer network.  My following commit changed that behavior such that (nearly) any parameter block error invalidates the entire MKPDU (i.e., packet is dropped and live peer timers are not refreshed):

https://w1.fi/cgit/hostap/commit/src/pae/ieee802_1x_kay.c?id=db9ca18bbff101da67c0cd7f482fe29ae694dc04

Perhaps some parameter block failures need to be allowed in the 3-peer case.  I have no need for GroupCAs so I've never delved into 3-peer scenarios; I chimed in on your thread because I do have experience in the 2-peer scenarios.  The problem is certainly fixable but it will take an in-depth knowledge of IEEE 802.1X-2010 and some knowledge of C.

Sincerely,
- Mike Siedzik

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap


