Hi, I have an issue with the blocking and clogging of a mesh network. Blocking: I noticed that when I have more peers in a mesh (>5), stations did get into a blocked state (PLINK_BLOCKED) after too many connection attempts and would stay there. The blocking state is not mentioned in the standard, so I removed this transition to blocking. There has been a short discussion about the PLINK_BLOCKED state here: https://patchwork.ozlabs.org/project/hostap/patch/20190218120442.77624-1-nbd@xxxxxxxx/#2332826 I did add a timer which is fired one more time (if it is not cancelled in the meantime) after which the station is deleted. That way the connection attempts can start over again (you can still set it blocked manually) Clogging: When I start my mesh (with >5 peers), I get log messages which tell me the anti-clogging token is invalid: Comeback: Invalid anti-clogging token from xx:xx:xx:xx:xx:xx - token_idx 0x0001, expected 0x0000 The anti clogging token is set, but is imo reset too soon. If a message is received, it is checked against the token and the token is reset and the process continues. If however the reception is bad and a message needs to be resend, the token is no longer set, which leads to the "invalid anti-clogging token" message. I have changed two things: - reset the anti-clogging token when the SAE state is ACCEPTED (i did not find anything in the standard as to when to reset a token) - only check the anti-clogging token when it is required, otherwise just process the message (i.e there are more than "sae_anti_clogging_threshold" SAE sessions). This is also mentioned in the standard (IEEE Std 802.11-2020, at 12.4.6) However this does not solve it entirely; - from time to time I still get the "invalid anti-clogging token" message, but not so often and not so many anymore - I now get these messages sometimes in the log: wlan0: Mesh RSN invalid peer nonce I have tried to use sae_pwe=1 in the wpa_supplicant config file, but unfortunately I get: "wlan0: skip - SAE H2E required, but not supported by the AP", so it seems I cannot use this with my devices. So now I am a bit stuck and have 2 questions which I keep wondering about and of which I was hoping someone could help me with: 1) Should the anti-clogging token be reset at any other point than it originally was, because this implies that multiple messages can be send with the same token until the token is reset 2) How to check whether to use the anti-clogging or not? Since the number of SAE sessions changes over time, it can occur that an anti-clogging token is received, but that the number of SAE sessions is below the threshold, so the token is not checked and the message is processed further, which I then suspect of causing the "invalid peer nonce" message. - I am using the master branch commit -> 00b2fb2d04595faa1179c61b5b686e887f1945bb (tests: DPP3 protocol version during network introduction) Here are the changes I made: do not set blocking: diff --git a/wpa_supplicant/mesh_rsn.c b/wpa_supplicant/mesh_rsn.c index 4b8d6c469..3fc5edb16 100644 --- a/wpa_supplicant/mesh_rsn.c +++ b/wpa_supplicant/mesh_rsn.c @@ -50,13 +50,13 @@ void mesh_auth_timer(void *eloop_ctx, void *user_data) return; } - /* block the STA if exceeded the number of attempts */ - wpa_mesh_set_plink_state(wpa_s, sta, PLINK_BLOCKED); - sta->sae->state = SAE_NOTHING; - wpa_msg(wpa_s, MSG_INFO, MESH_SAE_AUTH_BLOCKED "addr=" - MACSTR " duration=%d", - MAC2STR(sta->addr), - hapd->conf->ap_max_inactivity); + unsigned int rnd = 5 + (rand() % MESH_AUTH_TIMEOUT ); + eloop_register_timeout(rnd, 0, mesh_auth_timer, wpa_s, sta); + + wpa_msg(wpa_s, MSG_INFO, "STATION WAIT addr=" + MACSTR " duration=%d", + MAC2STR(sta->addr), + rnd); } sta->sae_auth_retry++; } update anti-clogging: diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index db4104928..f946a7251 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -771,8 +771,6 @@ static int check_comeback_token(struct hostapd_data *hapd, const u8 *addr, os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0) return -1; - hapd->comeback_pending_idx[idx] = 0; /* invalidate used token */ - return 0; } @@ -1147,8 +1145,14 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, sta->sae->sync = 0; sae_set_retransmit_timer(hapd, sta); } else { - if (sae_check_big_sync(hapd, sta)) + if (sae_check_big_sync(hapd, sta)) { + u8 idx; + if (comeback_token_hash(hapd, sta->addr, &idx) > 0) { + hapd->comeback_pending_idx[idx] = 0; + } + return WLAN_STATUS_SUCCESS; + } sta->sae->sync++; ret = auth_sae_send_confirm(hapd, sta, bssid); @@ -1471,7 +1475,10 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, goto remove_sta; } - if (token && + int useClogging = use_anti_clogging(hapd); + + if (useClogging && + token && check_comeback_token(hapd, sta->addr, token, token_len) < 0) { wpa_printf(MSG_DEBUG, "SAE: Drop commit message with " _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
