The case of the bogus SSID

[pigiron <pigiron@gmx.com>]

The kind folks at linux-wireless IRC suggested that I should probably bring this ugly topic over here.

I've been digging into this problem for the last few days, and am now in need of some guidance from you wireless guru's. I hope the you folks can follow my twisted path. Here's the scenario:

SYMPTOMS:
=========

Linux clients (and apparently *only* Linux clients) cannot associate with an AP running a brand new "flavor" of DD-WRT firmware. Myself and others have reported the same problem. The response from the chief DD-WRT person was basically, "tested and works on Windows and OSX, so it must be a Linux problem".

The Wicd network manager displays strange UTF-8 type characters for the SSID. This causes it to create an incorrect WPA PSK.

Also, two ESSIDs are returned for that MAC when running the "iwlist wlan0 scan" command using many different wireless devices. So far, I've found that ipw2200 and rta2870sta seem to be the only devices that don't report an "extra" ESSID with iwlist.

Not surprisingly, I can connect to the router by manually running wpa_supplicant.

The problem still exists when running compat-wireless-2010-04-26.


Here's an example of the "iwlist wlan0 scan" output with the router in it's "default" configuration:

Cell 02 - Address: 00:25:9C:XX:XX:XX
          Channel:6
          Frequency:2.437 GHz (Channel 6)
          Quality=70/70  Signal level=-33 dBm
          Encryption key:off
     ---> ESSID:"dd-wrt"
          Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                    9 Mb/s; 12 Mb/s; 18 Mb/s
          Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
     ---> ESSID:""
          Mode:Unknown/bug
          Extra:tsf=00000064b6ade4fb
          Extra: Last beacon: 4120ms ago
          IE: Unknown: 000664642D777274
          IE: Unknown: 010882848B960C121824
          IE: Unknown: 030106
          IE: Unknown: 2A0100
          IE: Unknown: 32043048606C
          IE: Unknown: DD180050F2020101020003A4000027A4000042435E00623

          IE: Unknown: 331A4C101BFFFF000000000000000000000000000000000

          IE: Unknown: 2D1A4C101BFFFF000000000000000000000000000000000

     >>>> IE: Unknown: 34160600190000000000000000000000000000000000000

          IE: Unknown: 3D160600190000000000000000000000000000000000000

          IE: Unknown: 4A0E14000A002C01C800140005001900
          IE: Unknown: 7F0101
          IE: Unknown: DD0900037F01010000FF7F
          IE: Unknown: DD0A00037F04010000000000

PROBLEM:
========

I tried to narrow the problem by firing up the debugger against iwlist. After iwlist performs a SIOGIWSCAN, it then retreives the AP response, and this contains a second, bogus SSID (specifically a SIOCGIWESSID), with data matching one of the Information Elements above... actually two. But here's the data that I think causes the problem:

          IE: Unknown: 34160600190000000000000000000000000000000000000

Both the Wireshark scan capture and my digging into the 802.11k-2008 specification show that line as being a "Neighbor Report" Information Element (0x34 = 52 decimal = Neighbor Report).

I noticed that decimal 52 is assigned to WLAN_EID_MESH_ID in the ieee80211.h file, and recently the same 52 was also assigned to WLAN_EID_NEIGHBOR_REPORT in the same enumerated ieee80211_eid{} structure.

BUT... before I go kernel diving, I have a question. I guess I'm trying to first determine if the problem may be in the router. From my reading of the 802.11k-2008 specification, I'm thinking that a Neighbor Report should not even be inside a scan response from the AP. Every reference to "Neighbor Report" that I can find in the specification *seems* to state that a Neighbor Report response should only arrive at the STA after the AP receives a "Neighbor Report Request" frame. And it should then be contained inside a  "Neighbor Report Response" frame. Is my thinking correct???  Or am I off base (yet again ;)???


FYI: The router is configured as a simple AP acting as a gateway to a cable modem. No vlans, no hotspot, etc...  i.e. nothing "exotic". In fact, no one has yet found a configuration setting that will make this problem disappear.

OBTW: All beacon frames coming from the router also contain this Neighbor Report.

Also, here is a snippet from a scan report using iw (notice that it's not confused by the Neighbor Report):

--------------------------   BEGIN NETLINK MESSAGE ---------------------------
  [HEADER] 16 octets
    .nlmsg_len = 312
    .nlmsg_type = 24 <0x18>
    .nlmsg_flags = 2 <MULTI>
    .nlmsg_seq = 1273073208
    .nlmsg_pid = 6127
  [PAYLOAD] 296 octets
    22 01 00 00 08 00 2e 00 c5 00 00 00 08 00 03 00 03 00 ".................
    00 00 14 01 2f 00 0a 00 01 00 00 25 9c XX XX XX 00 00 ..../......%......
    ce 00 06 00 00 06 64 64 2d 77 72 74 01 08 82 84 8b 96 ......dd-wrt......
    0c 12 18 24 03 01 06 2a 01 00 32 04 30 48 60 6c dd 18 ...$...*..2.0H`l..
    00 50 f2 02 01 01 02 00 03 a4 00 00 27 a4 00 00 42 43 .P..........'...BC
    5e 00 62 32 2f 00 33 1a 4c 10 1b ff ff 00 00 00 00 00 ^.b2/.3.L.........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2d 1a ................-.
    4c 10 1b ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 L.................
    00 00 00 00 00 00 00 00 34 16 06 00 19 00 00 00 00 00 ........4.........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 3d 16 06 00 ..............=...
    19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..................
    00 00 4a 0e 14 00 0a 00 2c 01 c8 00 14 00 05 00 19 00 ..J.....,.........
    7f 01 01 dd 09 00 03 7f 01 01 00 00 ff 7f dd 0a 00 03 ..................
    7f 04 01 00 00 00 00 00 00 00 0c 00 03 00 10 69 af ac ...............i..
    77 00 00 00 06 00 04 00 64 00 00 00 06 00 05 00 21 04 w.......d.......!.
    00 00 08 00 02 00 85 09 00 00 08 00 0a 00 e7 11 00 00 ..................
    08 00 07 00 54 f2 ff ff                               ....T...
---------------------------  END NETLINK MESSAGE   ---------------------------
BSS 00:25:9c:XX:XX:XX (on wlan0)
        TSF: 513998285072 usec (5d, 22:46:38)
        freq: 2437
        beacon interval: 100
        capability: ESS ShortPreamble ShortSlotTime (0x0421)
        signal: -35.00 dBm
        last seen: 4583 ms ago
        SSID: dd-wrt
        Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
        DS Parameter set: channel 6
        ERP: <no flags>
        Extended supported rates: 24.0 36.0 48.0 54.0
        WMM:     * Parameter version 1
                 * BE: CW 15-1023, AIFSN 3
                 * BK: CW 15-1023, AIFSN 7
                 * VI: CW 7-15, AIFSN 2, TXOP 3008 usec
                 * VO: acm CW 3-7, AIFSN 2, TXOP 1504 usec
        Unknown IE (51): 4c 10 1b ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        HT capabilities:
                Capabilities: 0x104c
                        HT20
                        SM Power Save disabled
                        RX HT40 SGI
                        No RX STBC
                        Max AMSDU length: 7935 bytes
                        DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: 1/2 usec (0x02)
                HT RX MCS rate indexes supported: 0-15
                HT TX MCS rate indexes are undefined
        Unknown IE (52): 06 00 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        Unknown IE (61): 06 00 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        Unknown IE (74): 14 00 0a 00 2c 01 c8 00 14 00 05 00 19 00
        Extended capabilities: HT Information Exchange Supported
        Vendor specific: OUI 00:03:7f, data: 01 01 00 00 ff 7f
        Vendor specific: OUI 00:03:7f, data: 04 01 00 00 00 00 00