dynamic vlan with ath10k not working - regression

M. Braun michael-dev at fami-braun.de
Sun May 15 07:44:57 PDT 2016

Am 13.05.2016 um 13:46 schrieb Guenther Kelleter:
> Let me sum up what I did understand so far:
> ...
> Is this correct?


To be more precise, that "base" interface is per BSS and has type "AP",
but that does not really make a difference here.

Please also note that also with dynamic vlans, there might be some
time (and protocol steps) between hostapd creating the new AP_VLAN
interface but not yet binding the station there.

> then could be received by all the stations which are associated to
> the same SSID but assigned to another VLAN.

The stations should not accept those packets because they should expect
all frames to be encrypted. But those packets could be sniffed by any
possibly unconnected station and thus leak data.

> How can I check if an AP_VLAN has a group key? I want to make sure
> that the dynamic VLANs are properly encrypted when I'm patching this
> to work on ath10k.

You can hook into the set_key function and debug print it.
Or you generate some packets on that interface (e.g. with some
distinguishing source mac address ) and then sniff it. As the mac
address is not encrypted, you can easily filter for these packets and
inspect them for encryption.

Properly encrypted would also require the keys used to be sufficiently
random, thought that cannot be verified that easily.

> How to check if a GTK-rekey is executed for all AP_VLANs? (In debug
> log I only see " daemon.debug hostapd: wlan0: WPA rekeying GTK" but
> not e.g. " daemon.debug hostapd: wlan0.20: WPA rekeying GTK" for the
> tagged wlan interface.

see src/ap/wpa_auth.c function wpa_rekey_gtk which creates that debug
print. It iterates over all struct wpa_group ( aka VLAN ) of that BSS
and triggers rekeying. So the main point for making sure WPA rekeying
happens for all VLANs is by ensuring that for each AP_VLAN interface,
there is a corresponding struct wpa_group entry.
This is also how 7cebc8e2 fixed its issue.
Of course you can just add debug statements into that loop.

> Finally, is there any useful doc about those complex internals of
> hostapd? It's really difficult to know this by only looking at the
> code. And 802.11 doesn't mention how VLANs fit into it at all.

Hostapd has doxygen docs [1]. Apart of that, I have been reading the
source of hostapd and mac80211 for some years now.

 M. Braun

[1] http://w1.fi/wpa_supplicant/devel/

More information about the Hostap mailing list