Client-Client communication not possible before "wpa_group_rekey"

Jouni Malinen j
Wed May 7 01:46:09 PDT 2008


On Tue, May 06, 2008 at 08:28:20AM +0200, Dennis Borgmann wrote:

> I am facing problems using hostapd with two nodes, that want to 
> communicate with one another. If I connect a machine to an accesspoint 
> running hostapd, everything works fine, I am able to ping the 
> accesspoint from the client and ping the client from the accesspoint. If 
> I try to ping the clients themselves from client to client, this won't 
> work, until a "wpa_group_rekey" has occurred. If I set this value within 
> hostapd.conf to "60", it takes exactly one minute until I am able to 
> ping one client from the other one.

It sounds like the ARP request (broadcast) would not work in this case
prior to the first group rekeying, i.e., the clients would not be able
to use the group key received from the initial handshake. However, I'm
somewhat surprised that the ping from AP to the client would work in
this case.. I would assume ARP cache on the AP could have been filled
based on a frame received from the client in that case, though. You
could test this by stopping all transmits from client and on the AP,
first remove the ARP entry ("ip nei del <client IP addr> dev <ifname>";
if you are using bridging, the ifname would be your bridge interface
otherwise it would be ath0) and then try to ping the client.

> hostapd.conf
> wpa=1
> wpa_pairwise=TKIP

> wpa_supplicant.conf (on both client-machines):
>     proto=RSN WPA
>        pairwise=CCMP TKIP

Are you disabling WPA2 (RSN) and CCMP on the AP on purpose (these are
enabled in the client configuration)? You could try testing what happens
if WPA2 is used instead (it uses a bit different mechanism for
configuring the group key) with CCMP.

I would also be interested in seeing debug log from all three devices,
i.e., something that shows the initial handshake and key configuration
for a case where pinging between clients does not work. If you are using
a test PSK (i.e., don't care about it being revealed), I would suggest
using -ddKt on the command line for both hostapd and wpa_supplicant to
enable verbose debugging output that includes the derived keys.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list