[rt2x00-users] [rt2800pci (AP) - ath9k] 802.11w: broken aggregation handling?

Andreas Hartmann andihartmann at 01019freenet.de
Tue May 8 02:28:33 EDT 2012

Hi Jouni, hi Helmut,

Jouni Malinen wrote:
> On Mon, May 07, 2012 at 01:04:29PM +0200, Helmut Schaa wrote:
>> I'm fine with enabling MFP in rt2800pci but I don't know enough about the
>> necessary requirements.
>> Jouni, are there any special requirements for MFP?
> The main requirements:
> - support CCMP encryption/decryption of unicast robust management frames
>   (subset of Action frames, Deauthentication, Disassociation)

I tested WPA-EAP-SHA256 with group key ccmp.

> - support BIP and IGTK configuration for group addressed robust
>   management frames (TX-only for AP, RX-only for STA); I would expect
>   most drivers to use software implementation on the host CPU for this
>   taken into account that there is only very limited use of group
>   addressed robust management frames

The IGTK is a single key (shared key). There are a maximum of 4 shared
keys designated in rt2x00mac.c for each BSS for use with hw encryption.

Since rt2800usb is working fine with nohwcrypt=1 (but not with
encryption done in hw), I assume, that there is no differentiation
between the encryption / decryption of different frame types. If hw
encryption is turned on, all types of frames are encrypted / decrypted
by hardware and vice versa.

I'm not sure how BIP is secured if hw encryption is enabled. BIP is
implemented in mac80211 as part of decryption. Is BIP done during hw
encryption, too? Or is it done by mac80211 w/ enabled hw encryption, too?

Grrr. Now I know, why I had to disable hw encryption for rt2800usb.
Because it was disabled for rt2800pci (AP), too. If mac80211 is doing
the job, 11w works fine. If encryption is done by hardware (AP), 11w is
broken: the ath9k station doesn't work any more, regardless if hw
encryption is switched on or off for ath9k.

11w		rt2800pci (AP)	ath9k sta		rt2800usb sta
1,3		nohwcrypt=1	nohwcrypt=[0|1]		nohwcrypt=1
2,4		nohwcrypt=0	nohwcrypt=[0|1]		nohwcrypt=1
2,5		nohwcrypt=0	nohwcrypt=[0|1]		nohwcrypt=0

1 = ath9k fine
2 = ath9k broken
3 = rt2800usb fine
4 = rt2800usb broken
5 = rt2800usb seems to work

This means for rt2x00: to get 11w working with hw encryption enabled,
there needs to be some differentiation for the encryption of management
frames: if management frame, let mac80211 do the job - all other frames
should be encrypted by hw.

> - SA Query mechanism (mac80211-based drivers get this pretty much
>   automatically from hostapd for AP mode and mac80211 for STA)
> - ability to configure RSN capabilities into RSN element and to
>   provide the received element to user space (again, most mac80211-based
>   drivers should work as-is)

Thank you very much for your explanations, Jouni!


More information about the HostAP mailing list