On Fri, Jul 22, 2016 at 03:59:47PM +0000, Amitkumar Karwar wrote: > I am trying to understand the problem you mentioned during IGTK rekeying. Today I ran tests with two stations connecting an AP. MFP is enabled on all of them. > > On hostapd side, my observation is add_key() is always called followed by set_default_mgmt_key(). set_default_mgmt_key() sets the key added by add_key() as default key. > > We are ignoring set_default_mgmt_key() and updating Tx key index during add_key() itself. > > Your concerns is we should not update Tx key index during add_key(). Reason is IGTK rekeying is not yet completed with all stations. Right? Correct. set_default_mgmt_key() does not have much effect for the very first IGTK configuration, but whenever doing IGTK rekeying, hostapd behaves just like it does with GTK rekeying. In other words, a different Key ID is selected (alternating between 4 and 5), a random new IGTK is generated, the new IGTK is configured to the local driver (but the old IGTK is still supposed to be used for TX), each associated STA is notified of the new IGTK, the new IGTK is taken into use once the group key handshake has completed with each associated STA. It is that last operation that needs set_default_mgmt_key() to allow this rekeying to work correctly. If you update the TX Key ID on add_key(), you'll risk sending out frames that some of the associated STAs do not yet have a key to validate. -- Jouni Malinen PGP id EFC895FA -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
