Search Linux Wireless

Re: [PATCH] nl80211: add an option to allow MFP without requiring it

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2017-08-14 at 13:36 -0700, Igor Mitsyanko wrote:
> On 08/14/2017 01:13 PM, Grumbach, Emmanuel wrote:
> > > It is kind of not clear right now for drivers where to get
> > > information from:
> > > - NL attributes passed from userspace and forwarded to a driver
> > 
> > Since those exist, it seems to make more sense to me to use those
> > rather than any in-driver decided policy. Usually, deciding upon
> > policies from lower levels is frowned upon I'd say.
> 
> I agree, what I mean is that drivers should know where to take this 
> information from, if there are multiple sources.
> 
> An example are HT/VHT capabilities for start_ap command: they can be 
> parsed directly by drivers by looking at beacon's IEs in 
> "cfg80211_ap_settings". At the same time those are also parsed by 
> nl80211 which fills cfg80211_ap_settings::ht_cap, 
> cfg80211_ap_settings::vht_cap.
> Why HT/VHT caps are not passed directly from usespace as one of NL 
> attributes? I guess because there is not much point in it since 
> userspace passes entire IE set anyway, which can be used by lower
> levels.

I understand your point about the information being conveyed to the
kernel through multiple pipes. But note that for HT/VHT in AP mode, the
decision maker is the user space. User space can get it from a the user
himself (hostapd.conf) or from internal knowledge (OBSS parameters in
AP mode that are handled internally in hostapd), but it essentially
doesn't matter. The kernel does nothing else but implementing the
policy decided by the user space.

When you start thinking about firmwares with more logic, the picture is
different. When Jouni added MFP support in the kernel in 2009 he wrote:

  Since we are currently using nl80211 for MFP only with drivers that
  use user space SME, only MFP disabled and required values are
  used. However, the NL80211_ATTR_USE_MFP attribute is an enum that can
  be extended with MFP optional in the future, if that is needed with
  some drivers (e.g., if the RSN IE is generated by the driver).

(See commit dc6382ced07d6bad61d0b591fb12ab5da7ca632c).

Here is the thing: until now, MFP was supported only for drivers that
use user space SME, meaning drivers that let the user space decide
about pretty much everything: it sends the Assoc Request which means
that it knows _everything_ about the AP it connects to. When you don't
use user space SME (meaning you use NL80211_CMD_CONNECT and not
NL80211_CMD_{AUTHENTICATE,ASSOCIATE}), the user space may not know much
about the AP including not its RSN caps. Essentially, the user space is
sending a supplicant's network block to the kernel and asks the kernel
to connect to that thing. The user space may not even know that this
network is in the vicinity (which is what ap_scan=2 in the wpa_s means
IIUC).

So what I am trying to do here to shift the power of the decision from
the user space to the kernel in certain cases, or at least to allow the
user space to tell the kernel how to behave in several scenarios since
the user space doesn't have all the information in hand.

NL80211_MFP_NO is clear: you can't associate to an AP that has MFPC=1
MFPR=1
NL80211_MFP_REQUIRED is clear: you can't associate to an AP that has
MFPC=0 MFPR=0

This is possible when the user space knows how the RSN IE of the AP
looks like. If it doesn't, then it'd mean that the user space has no
way to say: I want to use MFP if required by the AP, but don't care all
that much if the AP doesn't support it, and this is exactly what the
NL80211_MFP_OPTIONAL comes to add.

I wrote this to explain that I can't use the IEs for this since I am
adding NL80211_MFP_OPTIONAL precisely because the user space doesn't
have the IEs.

Regarding the backward compatibility, this is a real problem. I am not
even sure that adding a feature flag will help since in case wpa_s
doesn't know the IEs of the AP, it can't really know what MFP
parameters to send (REQ or NO assuming wpa_s detected that the kernel
wouldn't support OPTIONAL). Note that all this is really relevant only
for ap_scan=2 configuration in wpa_s which is not really supported well
in nl80211 driver right now (at least based on the comments in the
wpa_s code). Asking why I am adding this in nl80211 kernel side if the
only user would be wpa_s with nl80211 and ap_scan=2 (which is
reportedly not really working) is a fair question :)
I am basically working in the context of a firmware that does the scan
before connect internally.

> 
> 
> > 
> > > - IEs passed from userspace, parsed by nl80211 and forwarded to a
> > > driver
> > > - IEs that are passed from userspace and parsed by drivers
> > > directly
> > > 
> > > > 
> > > > Thanks,
> > > > Arend
> > > 
> > > 
> 




[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux