Rekeying Problems

Tobias Schrage tobias.schrage at puresolution.de
Wed May 13 09:44:45 EDT 2015


 

Hi all,

I am running wpa_supplicant 2.4 with ath9k on Linux ARM 3.10.17 with
wireless backports 3.18.1 and I get sporadic rekeying problems. 

Normal key exchange upon connection establishment seems to work
flawlessly, the rekeying procedure however is not always completed
successfully. 

I set the PTK rekeying interval to 15 seconds on my access point and
get about ~15 errors in an hour. The wpa_supplicant log shows no errors
at all, the 4-way handshake is successfully completed and a few seconds
later the AP sends a deauthentication frame to the client.

I sniffed the traffic with wireshark and see all 4 key frames exchanged
between AP and client, all packets got acknowledged by the AP and
client, even the 4th key frame. However, after receiving key 4/4 and
sending an ACK to the client, the AP repeats key 3 a few times (which
all get ACKed by the client but do not appear in wpa_supplicant, I guess
the encryption/decryption key has already been changed to the new value
and therefore these frames can't be decrypted anymore). Debug
information obtained from the AP's log shows that key frame 4/4 has never
been received and the rekeying procedure finishes with a timeout.

Unfortunately Wireshark can't decrypt captured frames anymore after a
rekeying sequence but I was "lucky" to sniff a rekeying error directly
after the connection has been established. I noticed that key 1, 2 and 3
could be decrypted by Wireshark, key 4 however was shown as "data"
frame, without any further information about its payload. This made me
think about a timing error between installation of the new key and
transmission of the 4th key frame. I put a usleep of 50ms between the
commands to send key 4 and the install ptk call and I get fewer errors, I
observed this in several tests. Does this make any sense? 

My access point is a Linux box with Intel7260ac wifi (iwlwifi-mvm) and
hostapd. The same problem occurs with the Cisco APs of our customer. 

I observed a similar behaviour with my Ubuntu Laptop with
wpa_supplicant 2.2 and Intel Wifi 6235 (iwlwifi-dvm). 

Any ideas? 

Tobi 
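
Added example, not part of the original message and not wpa_supplicant or hostapd code: a toy Python model of the timing hypothesis raised above, comparing message 4/4 leaving the driver queue before the new PTK is installed with the key being installed while 4/4 is still queued. The key labels, the retry limit and the rule that a frame is protected with whichever key is installed at transmit time are assumptions made for illustration.

```python
from collections import deque

OLD, NEW = "PTK-old", "PTK-new"   # constructed key labels, no real crypto
MAX_RETRIES = 3                    # assumed AP retry limit for message 3/4

class Station:
    def __init__(self):
        self.ptk = OLD
        self.txq = deque()         # frames queued in the driver, not yet on air

    def queue(self, payload):
        self.txq.append(payload)

    def transmit(self):
        # Assumption: a frame is protected with the key installed when it
        # leaves the queue, not the key installed when it was queued.
        sent = [(self.ptk, p) for p in self.txq]
        self.txq.clear()
        return sent

class AccessPoint:
    def __init__(self):
        self.ptk, self.done = OLD, False

    def receive(self, key, payload):
        if key != self.ptk:        # undecryptable: dropped above the MAC layer
            return
        if payload == "EAPOL 4/4":
            self.ptk, self.done = NEW, True

def rekey(drain_before_install):
    """Return (outcome, retries of 3/4, key that protected 4/4)."""
    sta, ap = Station(), AccessPoint()
    sta.queue("EAPOL 4/4")                 # reply to message 3/4
    on_air = sta.transmit() if drain_before_install else []
    sta.ptk = NEW                          # install the new PTK
    on_air += sta.transmit()
    for key, payload in on_air:
        ap.receive(key, payload)
    retries = 0
    while not ap.done and retries < MAX_RETRIES:
        retries += 1                       # AP resends 3/4 under its current key
        if ap.ptk == sta.ptk:              # station only answers what it can decrypt
            sta.queue("EAPOL 4/4")
            for key, payload in sta.transmit():
                ap.receive(key, payload)
    return ("rekeyed" if ap.done else "deauth", retries, on_air[0][0])

if __name__ == "__main__":
    print(rekey(True))     # 4/4 sent under the old key
    print(rekey(False))    # 4/4 sent under the new key, AP times out
```

In the second case the model reproduces the sequence reported in the message: 4/4 is on air but opaque to the AP, the repeated 3/4 frames are opaque to the station, and the exchange ends in a timeout.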
 