Re: [ipw3945-devel] iwl3945/mac80211 cannot connect to dynamic wep network

[Jouni Malinen <j@w1.fi>]

On Sun, Oct 28, 2007 at 06:54:45PM +0100, Johannes Berg wrote:

> Hmm. Is there a good explanation of all these values? I still haven't
> understood what all the IW_AUTH_* means. I'm fairly sure though that
> this particular instance hasn't changed in terms of behaviour since the
> original devicescape code (not that this means it's bug-free, of course)

The only documentation for these that I'm aware of is linux/wireless.h.
The original code was not doing this right either (it was implemented
before WE-18, if I remember correctly). The odd part is that I'm sure
this used to work long time ago..

IW_AUTH_* values were designed to provide mechanism for notifying the
driver on number of parameters related to authentication (and
association, in practice). WPA_VERSION, CIPHER_PAIRWISE, CIPHER_GROUP,
KEY_MGMT, 80211_AUTH_ALG, WPA_ENABLED, PRIVACY_INVOKED are parameters
describing the enabled security configuration for associations. Number
of these parameters are bitfields and can include multiple enabled modes
(e.g., both TKIP and CCMP could be allowed as the group cipher). I would
assume most of these parameters be obvious from the field and bitfield
value names.

PRIVACY_INVOKED is describing whether any sort of encryption is to be
used (boolean). If mixed-cell mode (for which there does not seem to be
configuration options in WE) is enabled, any privacy flag combination is
allowed. If mixed-cell is disabled, the PRIVACY_INVOKED has to match
with the Privacy flag advertized in the Beacon/ProbeRsp frames.

TKIP_COUNTERMEASURES is used to notify the driver of a two Michael MIC
failures within 60 seconds to trigger TKIP countermeasures (i.e.,
disable all TKIP encryption/decryption and prevent new associations that
would use TKIP). For client mode, it is also possible that this is
implemented in the driver, so some drivers do not need this. Anyway, for
AP mode, the notification is needed since the driver would not get
notifications of MIC errors detected at clients (which are reported to
the AP in EAPOL-Key frames).

DROP_UNENCRYPTED is a flag for configuring whether any unencrypted
non-EAPOL data frames are allowed through. There is a MIB variable for
this for WEP, but this is of limited use nowadays. I would expect all
WPA configuration to prevent unencrypted data frames (apart from initial
EAPOL frames) anyway.

RX_UNENCRYPTED_EAPOL is used to configure whether unencrypted EAPOL
frames are to be received when pairwise keys are set. This is needed for
IEEE 802.1X (i.e., non-WPA) which never encrypted EAPOL frames. With
WPA, EAPOL frames are encrypted when pairwise keys are set and as such,
unencrypted EAPOL frames should be dropped after the pairwise keys are
configured.

ROAMING_CONTROL can be used to enable/disable roaming decision in the
driver/firmware. The original need for this came from the Prism2
firmware design that has a configuration option for indicating which
component is responsible for roaming (selecting a new BSS if the current
one is likely to end up getting out of range).

-- 
Jouni Malinen                                            PGP id EFC895FA