TKIP GroupKey Problem

michael-dev michael-dev
Fri Feb 8 10:57:53 PST 2013


I'm running P1020 WLAN / OpenWRT (kernel 3.3.8, hostapd git 
62cab3b737f061a29ff2171115adb04240fefd6f (today)) based APs with two 
AR9300 miniPCIe cards.
One card runs 2.4 Ghz, the other 5 Ghz. Each card has one unencrypted 
bss, one wpa-psk bss and one wpa-eap bss. Both latter bss authenticate 
against radius and assign STAs into VLANs. There is no SSID-Sharing. 
WPA-PSK enables both WPA and RSN with CCMP+TKIP.

Now I'm facing a loss of all incoming broadcasts packets on some 
BSS/VLAN combinations on STA side. The STAs then face an loss of IPv6 
connectivity, which is reported by users. The RouterAdvertisments (RA) 
can still be seen at the aps bridge and I see undecryptable broadcast 
packets on the air which closely match the RAs seen on the bridge. While 
some BSS/VLANs are broken, others work fine and this changes over time 
(i.e. loss can happen on all interfaces, some, other or none).

Debugging this issue I patched driver_nl80211.c to print the keys set 
by hostapd. On the test AP, there are only my laptop (ubuntu) and my 
smartphone (android 4.0.4) connected to the same BSS (PSK on 2.4 Ghz) 
and both devices are assigned to the same VLAN (501). I started 
connecting my laptop, which then was seeing broadcast traffic from the 
gateway. Several minutes later my smartphone connected and since then, 
no RA is seen. RAs come every 5 seconds and expire after 5min, hostapd 
rekeys ever 60s (strict rekeying is also on).

AP Logs: Since my laptop is online, hostapd generates two 
wpa_driver_nl80211_set_key call every 60s, one with 16bytes key and one 
with 32bytes key both assigned to broadcast mac. The short has alg=2, 
the long has alg=4.

STA (Laptop) side: wpa supplicant every 60s generates
Feb  8 19:22:51 localhost wpa_supplicant[22798]: wlan0: WPA: Group 
rekeying completed with 66:65:6d:01:0d:02 [GTK=TKIP]
Feb  8 19:22:59 localhost wpa_supplicant[22798]: wlan0: WPA: EAPOL-Key 
Replay Counter did not increase - dropping packet
Feb  8 19:23:51 localhost wpa_supplicant[22798]: wlan0: WPA: Invalid 
EAPOL-Key MIC when using TPTK - ignoring TPTK
messages and sets a new key .
Comparing the keys the AP logs and those the STA logs, the key of those 
the AP logs is set on STA side, but not the shorter one.

The loss of broadcasts and ipv6 connectivity has also been reported 
before I updated hostapd from 20120910 git master HEAD to the current 
unstable version (i.e. before a5e1eb2092953e4a7717a547cbe0ccb2457e6ce0 
was applied).

Any hints?

  M. Braun

More information about the Hostap mailing list