iapp and security blocks
Jouni Malinen
jkmaline
Wed Jan 4 18:30:16 PST 2006
On Wed, Jan 04, 2006 at 09:31:36AM -0800, Rusty Chris Holleman wrote:
> I'm putting together a number of APs that will be running hostapd and would like to know how much work would be involved in extending the current IAPP code to handle passing 802.1x information between APs.
What exactly would you do with this information in the other APs?
> For basic purposes, bssid->ip mappings can be kept in a text file and managed manually, and I can limit access to the ethernet portion of the network (so iapp encryption/validation/esp are not critical).
I would be quite careful with such a statement.. Even if the network
itself is assumed to be of limited access, there would need to be
strict filtering on all borders of the network (including all APs) to
make sure that no keying material can be accessed.
> My question: what is the scope of the work involved to add 'move-notify' and 'cache-notify' support to iapp.c? My goal is to speed up roaming and reassociation. Has anyone started working on this, or researched it to know how much new code would be needed? Any pointers on where to start?
So far, I have not heard of anyone using IEEE 802.11F and one reason for
this is that it does not really define what kind of information is
transmitted and how that information is going to be used. I would
suggest going through this part first before even thinking about how the
data is going to be transmitted between the APs.
Please also note that IEEE 802.11F was a trial-use recommended practice
that has now expired and IEEE 802.11 actually withdrew this document
some time ago. In practice, it is dead and unlikely to come back.. I
have no plans on adding any more IEEE 802.11F code into hostapd and
would rather consider removing the existing code. Some working groups
in IETF may be more likely to come up with a standard for AP-to-AP
communication that could achieve more real world use.
--
Jouni Malinen PGP id EFC895FA