dynamic vlan with ath10k not working - regression

Guenther Kelleter Guenther.Kelleter at devolo.de
Fri May 13 04:46:21 PDT 2016


> -----Original Message-----
> From: Hostap [mailto:hostap-bounces at lists.infradead.org] On Behalf Of M. Braun
> Sent: Friday, May 13, 2016 9:19 AM
> To: hostap at lists.infradead.org
> Subject: Re: dynamic vlan with ath10k not working - regression
> Hi,
> Am 12.05.2016 um 17:28 schrieb Guenther Kelleter:
> >> What exactly is not working in the static VLAN case?
> >> I can configure an SSID to be part of a non-dynamic vlan in OpenWrt,
> >> i.e. that all stations are put in the configured vlan-bridge. This
> >> doesn't create a wlan0.<VLAN-ID> interface but uses the plain wlan0.
> >> I can't see anything not working in this case before this fix was
> >> added.
> >> Maybe you're talking about a different thing?
> When configuring non-wildcard vlans with config option vlan_file ,
> hostapd will create the AP_VLAN (= wlan0.xyz) interfaces during process
> startup and possibly add them to a bridge. This is what I call
> "static" VLANs, as their AP_VLAN interfaces are present all the time
> while hostapd runs.
> That way the (static) AP_VLAN interfaces might already transmit
> broadcast or multicast frames even when there is no station associated
> in this VLAN.
> If hostapd does not configure any WPA group key to the AP_VLAN
> interface, it will transmit unencrypted.
> > Adding this patch the station can associate again and the tagged wlan
> interface is created and put into the vlan-bridge. But I don't know what
> negative consequences it could cause:
> I guess it basically makes hostapd believe it already configured a group
> key to the AP_VLAN interface and thus nullifies the fix. I might as well
> also break other things.
> Regards,
> M. Braun

Let me sum up what I did understand so far:
An AP_VLAN interface is created with every VLAN on a specific SSID. There is always an AP_VLAN with ID 0 created for the base interface of an SSID. When more VLANs are configured, either by static configuration in a vlan_file or by dynamic assignment through 802.1X RADIUS, an extra AP_VLAN interface is created per configured VLAN.
All AP_VLANs of an SSID must use their own group keys, to separate broadcast and multicast traffic. If they had no group key set broadcasts from lets say VLAN-1 would be transmitted unencrypted and then could be received by all the stations which are associated to the same SSID but assigned to another VLAN.

Is this correct?
How can I check if an AP_VLAN has a group key? I want to make sure that the dynamic VLANs are properly encrypted when I'm patching this to work on ath10k.
How to check if a GTK-rekey is executed for all AP_VLANs? (In debug log I only see " daemon.debug hostapd: wlan0: WPA rekeying GTK" but not e.g. " daemon.debug hostapd: wlan0.20: WPA rekeying GTK" for the tagged wlan interface.

Finally, is there any useful doc about those complex internals of hostapd? It's really difficult to know this by only looking at the code. And 802.11 doesn't mention how VLANs fit into it at all.


More information about the Hostap mailing list