MFP: How to generate frame with MMIE

Masashi Honma honma at ictec.co.jp
Thu Dec 10 19:47:20 EST 2009


On Thu Dec 10 05:52:05 EST 2009, Jouni Malinen wrote:

> BIP is not used to encrypt the frame, i.e., if you are looking for a
> frame with MMIE, it will still be unencrypted..  Did you verify whether
> the MMIE is included in the end of the frame?

Thanks for your reply.
Yes, I expect that unicast frame will be encrypted with CCMP, multicast
frame will not be encrypted and trailed by MMIE. I have verified the
broadcast SA query request frame, but it didn't include MMIE and
ofcourse it was't encrypted.

> I'm assuming you have
> configured hostapd to enable IEEE 802.11w and using a driver that
> supports MFP in the first place since it is up to driver to take care of
> BIP (i.e., derivation and addition of the MMIE to broadcast robust
> management frames).

Yes, I have set up hostapd/wpa_supplicant and seen both RSN capability
bit 6 was 1. Then the wpa_supplicant's deauth frame was encrypted with CCMP.

I think broadcast SA query request frame sent by hostapd will include MMIE.
Because it is multicast frame and action frame and it's cathegory code is 8.
i.e. it is allowed by include/linux/ieee80211.h#ieee80211_is_robust_mgmt_frame
function in linux kernel source.

My linux kernel is 2.6.31.2.
The hostapd/wpa_supplicant is GIT on [Thu, 1 Oct 2009 10:58:17 +0000 (13:58 +0300)].
Why my broadcast SA query request frame doesn't include MMIE ?

Regards,
Masashi Honma.


More information about the HostAP mailing list