"MLME-REPLAYFAILURE" messages

[Jouni Malinen]

On Sat, Jan 22, 2005 at 10:46:12AM -0800, Gilbert Mendoza wrote:

> Just wanted to see if anyone knows what is causing
> this error and if it's safe to ignore.  I am not
> experiencing any loss in performance or packet
> transfer, but notice the messages while in debug mode.
>  Also wanted to know if this poses any type of
> security threat.

What driver is this? Host AP driver does not generate this kind of
message.

> Custom wireless event:
> 'MLME-REPLAYFAILURE.indication(keyid=2 broadcast
> addr=01:00:5e:00:00:01)'
> Wireless event: cmd=0x8c02 len=83

I would assume this means that the driver noticed a packet with the same
(or smaller than current) sequence number and dropped it as a possible
replay attack. In this case, the packet is a multicast packet from the
AP. The driver you are using may have some additional debug options
available for finding out more details of the packet. Alternatively, you
could use a wireless sniffer to verify whether the AP is incrementing
packet number for the multicast packets.

Multicast packets are not retransmitted, so this could indicate a bug in
the AP or something else replaying already sent messages.

-- 
Jouni Malinen                                            PGP id EFC895FA