From: Johannes Berg <johannes@sipsolutions.net>
To: Amitkumar Karwar <akarwar@marvell.com>,
linux-wireless@vger.kernel.org,
hostap <hostap@lists.infradead.org>, Jouni Malinen <j@w1.fi>,
Ilan Peer <ilan.peer@intel.com>
Cc: yangzy@marvell.com, Cathy Luo <cluo@marvell.com>,
Nishant Sarmukadam <nishants@marvell.com>,
lihz <lihz@marvell.com>
Subject: Re: [PATCH] cfg80211: add key management offload feature
Date: Tue, 27 Sep 2016 14:36:15 +0200
Message-ID: <1474979775.5141.27.camel@sipsolutions.net>
In-Reply-To: <1474973796-1873-1-git-send-email-akarwar@marvell.com> (sfid-20160927_125737_815734_5AE7ADB1)
> #define WLAN_CIPHER_SUITE_SMS4 0x00147201
> +#define WLAN_CIPHER_SUITE_PMK 0x00147202
> +#define WLAN_CIPHER_SUITE_PMK_R0 0x00147203
> +#define WLAN_CIPHER_SUITE_PMK_R0_NAME 0x00147204
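Review bot: the three new defines allocate suite types 02, 03 and 04 under OUI 0x001472, the OUI of the existing WLAN_CIPHER_SUITE_SMS4 selector on the context line (a cipher suite selector is the OUI in the upper three bytes and the suite type in the low byte), and that OUI is not this driver's to assign from; a PMK, PMK-R0 or PMKR0Name is also key material rather than a cipher suite, so these should be carried in dedicated attributes instead of new suite selectors.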
Err, what? No, things can't work that way. This is the Chinese
company's OUI, you can't just assign it to PMK stuff.
> + * @NL80211_ATTR_AUTHORIZED: flag attribute, if set indicates that the
> + * connection is authorized.
> + *
> * @NUM_NL80211_ATTR: total number of nl80211_attrs available
> * @NL80211_ATTR_MAX: highest attribute number currently defined
> * @__NL80211_ATTR_AFTER_LAST: internal use
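Review bot: the kernel-doc added for @NL80211_ATTR_AUTHORIZED does not say which command or event carries the flag, or whether "connection is authorized" refers to a station entry or to the managed-mode link; name the command(s) it is valid for and how it differs from the existing per-station NL80211_STA_FLAG_AUTHORIZED, otherwise a reader of nl80211.h cannot tell when to expect it.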
> @@ -2267,6 +2270,8 @@ enum nl80211_attrs {
>
> NL80211_ATTR_MESH_PEER_AID,
>
> + NL80211_ATTR_AUTHORIZED,
This already exists, no?
NL80211_STA_FLAG_AUTHORIZED should be more or less equivalent, if you
do it per station (or just for the AP in case of managed connection).
> /* add attributes here, update the policy in nl80211.c */
>
> __NL80211_ATTR_AFTER_LAST,
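Review bot: NL80211_ATTR_AUTHORIZED is added to the enum but nothing in the quoted hunk adds the matching policy entry; the context line "/* add attributes here, update the policy in nl80211.c */" spells out that requirement, and since the doc comment describes it as a flag attribute, an NLA_FLAG entry for it belongs in the same patch.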
> @@ -3687,6 +3692,9 @@ enum nl80211_key_attributes {
> NL80211_KEY_DEFAULT_MGMT,
> NL80211_KEY_TYPE,
> NL80211_KEY_DEFAULT_TYPES,
> + NL80211_KEY_REPLAY_CTR,
> + NL80211_KEY_KCK,
> + NL80211_KEY_KEK,
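Review bot: NL80211_KEY_REPLAY_CTR, NL80211_KEY_KCK and NL80211_KEY_KEK are placed in nl80211_key_attributes, the per-key attribute set, but they are EAPOL-Key handshake state rather than properties of the key being installed, and none of the three `+` lines comes with kernel-doc stating its length or when it is present; if the host must hand this state to the device it should go with the PMK/offload configuration, with each attribute's size documented and enforced in the key policy.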
I don't think we should conflate the (P)MK and *TK concepts in nl80211,
they're both keys, but they're completely separate in terms of expected
usage.
Ilan and I looked at this, considering 4-way-HS offload after 1X
authentication, and think that the more natural API would be to add all
the necessary data to the PMKSA cache entry. Thus, a PMKSA cache entry
for a device that does 4-way-handshake offloading would include the PMK
(or perhaps MSK?), and for FT it would also include the PMK-R0,
PMKR0Name (and possibly the MDID, or can it be derived?)
However, I'm wondering what exactly the offloads here do. Jouni, could
you also chime in with the QCA (vendor command) design?
In particular, with key management offloaded, it's not clear to me what
exactly the roles of the device and host are here. I'm considering that
the device would handle the 4-way and 2-way handshakes, but then you
wouldn't need the KEK/KCK/ReplayCounter in the host, so there wouldn't
be much point in giving them to it.
But if the device doesn't do that, what exactly *does* it do?
Thanks,
johannes