Dropped frames (unauthorized port) in AP mode

Mihai Moldovan ionic at ionic.de
Sat Jul 20 13:36:28 EDT 2013


* On 20.07.2013 03:25 PM, Jouni Malinen wrote:
> On Mon, Jul 15, 2013 at 04:20:47AM +0200, Mihai Moldovan wrote:
>> Got it! After checking every single option I've been using against Ben's config,
>> turning features off and back on, I was able to isolate the WEP entries as the
>> troublemaker.
>>
>> Right after commenting wep_default_key(=0) and wep_key0(=somekey), hostapd
>> started behaving normally, even without a monitor interface.
>>
>> Is specifying both WPA and WEP options known to cause such problems? It did work
>> fine in the past, but now it doesn't.
> What do you mean with working fine? What did you try to do with that
> wep_key0 parameter if the network was configured for WPA? I don't think
> WPA with static WEP would be supported.

Those WEP parameters were leftovers from an initial WEP configuration when not
all devices were yet supporting WPA.
Then, I enabled WPA, but kept the WEP entries as-were (if I ever had to disable
WPA again.) Hostapd came up with WPA support and ignored the defined WEP stuff.
Or so I thought.


> Yes, wep_key# parameters should probably be rejected if wpa != 0. I
> don't think that wep_default_key=0 would have any effect on the
> functionality in your case, though.

Oh but it does. This bug is easily reproducible with my card (at least), a WPA
configuration and:

auth_algs=3
wep_default_key=0
wep_key0=123456789a

Indefinitely, rejecting WEP parameters if wpa != 0 is a great idea and would fix
the issue.


> That said, it could also be finally time to consider removing WEP
> support from hostapd completely or at least do that for the default
> build. I don't see any other use for WEP apart from being able to run
> some test cases for station functionality to allow interoperability with
> old networks..

I guess only disabling WEP at build time wouldn't do a lot, as most distros
would be turning it on anyway. I'm not sure how much old hardware is out there
only supporting WEP (and thus the implications of removing WEP support), but I
guess an unencrypted network is just as good  as one encrypted with WEP (for
that matter, users should take matters into hand and for instance setup a VPN
with strong encryption to be used over the unencrypted connections only.)

WEP is probably causing more trouble than it's worth. If you're up to it, start
an RFC/poll on the mailing list and let especially people working with big
networks comment on it.


Best regards,



Mihai

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4506 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20130720/0180d47e/attachment.bin>


More information about the HostAP mailing list