WPA and ad-hoc proposal.

[Leonardo Maccari]

as I said before, I'm dealing with a research project in which we need a
prototype of ad-hoc network with WPA. We thought hostAP could do this but
since it doesn't, now the focus of my research could move to implement
this missing hostap features and merge it to the existent code,
contributing to the project.
still I have to convince the supporters of the project this is the way to
go and it wold not take a lifetime to achieve it, so I need help from the list to
figure out how big it would be such an effort, to see if it can enter the
research project. so this is what I've came to:


protocol 802.11i,  says in 5.9.3.3, (IBSS IEEE 802.1X
Example):

"The EAPOL-Start and EAP-Request/Identity messages are initiated when a
protected Data frame (indicated via a
MLME-PROTECTEDFRAMEDROPPED.indication primitive), an IEEE 802.1X message,
Beacon or Probe Response is received from a MAC address with which the
station has not completed IEEE 802.1X authentication. If the SME wants to
set up a security association to the peer STA and if it does not know the
security policy of the peer, it should send a Probe Request to the peer
STA to find its security policy before setting up a security association
to the peer STA."



then in 8.5.6, RSNA Supplicant Key Management state machine:

[briefly, the state machine is:
----->INITIALIZE ----> AUTHENTICATION ---> STAKEYSTART]
 
"The Management entity will send an AuthenticationRequest event when it
wants an Authenticator authenti-cated, this can be before or after the
STA associates to the AP. In an IBSS environment the event will be
generated when a Probe Response is received."

"AUTHENTICATION: A STA's Supplicant enters this state when it sends an
IEEE 802.1X Authentication-Request to authenticate to a SSID."


so the correct procedure is (machine A entering a network machine B is
part of) 
   
   STA A          STA B
   probe -------> 
         <------  probe reply (with RSNIE)

STA A changes to AUTHENTICATION state, sending the first EAPOL frame

    EAPOL-start--->
    

from this moment on everything should work as on a normal ESS.
the prerequisite is that machine B is already connected to the network,
having a route to a RADIUS server or carrying one on its own.

in wpa_supplicant the EAPOL state machine is initalized when the
association event is triggered. I guess it would be correct, in an IBSS
environment, that a different EAPOL SM could be initialized when a probe
request is sent. this way it could  be possible to have multiple WPA
connections.

so first changes to be made to the supplicant would concern mainly this.
the authenticator would need little changes I guess, and at an initial
stage it would be ok to have supplicant/authenticator on two different
interfaces, then maybe merge things (actually there is a difference in how
GTK are treated but I don't consider it now).

some of my doubts now deal with ad-hoc mode, what exactly the firmware of a
card in ibss mode is supposed to do? does it just send beacons and
responds to probes?  
and what is the difference with pseudo_ibss under this point of view ?

any help is extremely appreciated, I would really like to contribute to
this project and to do it, in this phase, I need to have clearer ideas
about what is to be done.

ciao,
leonardo.

-- 
   Key fingerprint = 3129 C583 F03B 2E73 0115  C040 3489 0185 B592 19FE
 Obviously -thisaintpartofmyaddress- is not part of my real email address 



>> PRIVACY DISCLAIMER
This e-mail and any attached files, sent by LENST e-mail system,
contains confidential and/or privileged information and is
intended only for the person or entity explicitely addressed and
only for the purposes therein set forth.
If you are not the intended recipient please notify the LENST
administrators immediately at postmaster at lenst.det.unifi.it.