From: Jouni Malinen <j@w1.fi>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: Volker Braun <volker.braun@physik.hu-berlin.de>,
	Linux Wireless <linux-wireless@vger.kernel.org>,
	Michael Wu <flamingice@sourmilk.net>
Subject: Re: [PATCHv3] mac80211: dynamic wep
Date: Mon, 20 Aug 2007 20:05:59 -0700
Message-ID: <20070821030559.GL1415@jm.kir.nu>
In-Reply-To: <1187363345.6090.2.camel@johannes.berg>

On Fri, Aug 17, 2007 at 05:09:05PM +0200, Johannes Berg wrote:
> On Fri, 2007-08-17 at 10:16 -0400, Volker Braun wrote:
> > Now granted, Cisco also violates it, but in a way
> > that is never visible to standards-compliant STAs. We must set the
> > keyindex to zero on outgoing pairwise key-encrypted data, but that is
> > kind of irrelevant since the AP is forced to ignore that key index on
> > receive.
> 
> But then I don't understand why we try to set a non-zero key index for
> the key.

If I remember correctly, Cisco APs in an IEEE 802.1X/dynamic WEP
configuration rotate between key indexes 0 and 1 for broadcast/multicast
keys and indexes 2 and 3 for unicast. In standard IEEE 802.1X, doing
rekeying for broadcast keys by using two key indexes can be used to
allow the change to happen without any packets being lost (send the new
key first to all clients and only after that start using the new key).

I would assume that Cisco is trying to do the same kind of smooth
rekeying for unicast here (not that I have verified that this is the
case, but that sounds semi-logical). Consequently, we would actually
need to configure two pairwise keys at the same time and not only set
the non-zero key index but actually use these keys when decrypting
frames. My guess would be that this is expected to work by using
broadcast WEP keys instead of unicast key-mapping keys, but it is a
somewhat broken design. Anyway, that is what has been deployed in a number
of networks. Eventually, this will hopefully go away once the networks
are updated to WPA/WPA2, but some organizations take a long time to change
this kind of thing.

wpa_supplicant is just blindly following what the AP tells it to when
setting keys (EAPOL-Key frames include the key index). Consequently, the
driver/mac80211 ends up being told to use these non-zero key indexes for
unicast keys.

-- 
Jouni Malinen                                            PGP id EFC895FA
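As an added illustration, not code from mac80211, wpa_supplicant or anyone in this thread: a constructed C model of the four-slot WEP key table that shows why installing the new broadcast key under the other index before switching to it loses no frames, and why a single per-peer key-mapping (pairwise) key, which ignores the index carried in the frame, cannot give the same smooth rotation for unicast. Key tags, frame sequence and function names are all assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model, not mac80211 code: a WEP key table with the four key-index
 * slots. A key is represented by a 32-bit tag instead of real key bytes. */
#define WEP_NUM_KEYS 4
struct wep_keys {
    uint32_t key[WEP_NUM_KEYS]; /* 0 = slot empty */
    int tx_idx;                 /* key index written into outgoing frames */
    bool keymapping;            /* receiver holds one key-mapping key per peer */
};

/* A key-mapping (pairwise) key is selected by peer address, so the receiver
 * keeps a single key for the peer and the index in the frame plays no role. */
static void wep_install(struct wep_keys *k, int idx, uint32_t tag)
{
    k->key[k->keymapping ? 0 : idx] = tag;
}

static bool wep_rx_ok(const struct wep_keys *k, int frame_idx, uint32_t frame_tag)
{
    if (k->keymapping)
        return k->key[0] == frame_tag;
    return frame_idx >= 0 && frame_idx < WEP_NUM_KEYS && k->key[frame_idx] == frame_tag;
}
/* Frames lost at the STA while the AP moves from key A to key B. With two_slots
 * the AP installs B under the other index before switching to it (the smooth
 * rekeying from the mail); otherwise B overwrites A in place. With keymapping
 * the STA stores the key as a single pairwise key, as it would for unicast. */
static int rekey_losses(bool two_slots, bool keymapping)
{
    const uint32_t A = 0xAAAA0001, B = 0xBBBB0002;
    struct wep_keys ap = { { A, 0, 0, 0 }, 0, false };
    struct wep_keys sta = { { A, 0, 0, 0 }, 0, keymapping };
    int new_idx = two_slots ? 1 : 0, lost = 0;
    /* Frame 1 is encrypted and sent before the rekey begins. */
    int f1_idx = ap.tx_idx;
    uint32_t f1_tag = ap.key[f1_idx];
    /* Step 1: AP distributes B in an EAPOL-Key frame; both sides install it. */
    wep_install(&ap, new_idx, B);
    wep_install(&sta, new_idx, B);
    if (!wep_rx_ok(&sta, f1_idx, f1_tag)) /* frame 1 arrives only now */
        lost++;
    /* Step 2: AP starts transmitting with B and sends frame 2. */
    ap.tx_idx = new_idx;
    if (!wep_rx_ok(&sta, ap.tx_idx, ap.key[ap.tx_idx]))
        lost++;
    return lost;
}
```

Only the two-index rotation with index-addressed (default) keys is lossless; overwriting in place, or storing the key as a single pairwise key, drops the frame that was still in flight when the new key was installed.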
