wpa_supplicant 2.6 HWMP routes no traffic
Bob Copeland
me at bobcopeland.com
Tue Oct 4 04:20:38 PDT 2016
On Tue, Oct 04, 2016 at 12:44:32PM +0200, Jeroen Roovers wrote:
> Command:
> /usr/sbin/wpa_supplicant -c/etc/wpa-mesh.conf -s -i wlan1 -Dnl80211 -P
> /var/run/wpa.pid -B -d
>
> Configuration (/etc/wpa-mesh.conf):
> user_mpm=1
> update_config=1
>
> network={
> mode=5
> ssid="xxx"
> frequency=2412
> proto=RSN
> key_mgmt=SAE
> pairwise=CCMP
> group=CCMP
> psk="xxx"
> }
>
> This is an IEEE 802.11s network using a kernel 3.4.112 with a modified
> rt2800usb driver for the RT2870 USB wireless modules.
>
> With version 2.5 this gives me a nicely working secure mesh network.
> With 2.6 peering works, but I only see broadcast packets and no direct
> communications between peers are coming through. It looks like routing
> fails most of the time.

wpa_supplicant mostly isn't involved in HWMP besides installing the
group keys - once peering is done, the kernel handles the rest.

Note there were a number of issues with encrypted networks not
correctly implementing the standard that were resolved recently.
These will cause backwards-compatibility issues, though I'm not
sure if they landed in 2.6. The changes are:

In wpa_supplicant:

- an IGTK was installed whether or not ieee80211w was selected
- said IGTK was also the MGTK instead of a separate key
- AMPE element in peering frames didn't include IGTK (if desired)
- AMPE element incorrectly included keys in peering close frames

And in the kernel:

- self-protected management frames (HWMP) were integrity protected
  (with that MGTK-as-IGTK) instead of encrypted with MGTK as required
  by the standard. This was fixed in 4.8.

All of the above issues with wpa_supplicant were also fixed in the
master branch of authsae.

Do you have all of the devices on the same wpa_supplicant version?
If not, try that first.

If so, I might look at which keys are installed in the kernel; if
the kernel is expecting protected management frames for HWMP then they
will need to have the IGTK installed (ieee80211w enabled).

--
Bob Copeland %% http://bobcopeland.com/
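
An added example, not part of the message above or of the hostap project: a small Python check for the two things the reply suggests comparing across mesh nodes, the wpa_supplicant version and whether ieee80211w is enabled for the mesh network. The node names, version strings and configs are constructed, and the fallback from the network's ieee80211w to the global pmf setting and then to 0 is an assumption about the effective value.

```python
# Constructed sample data: node name -> (wpa_supplicant version, config text).
MESH = 'network={\n mode=5\n ssid="xxx"\n key_mgmt=SAE\n'
NODES = {
    "node-a": ("2.6", "user_mpm=1\n" + MESH + " ieee80211w=2\n}\n"),
    "node-b": ("2.5", "user_mpm=1\n" + MESH + "}\n"),
    "node-c": ("2.6", "user_mpm=1\npmf=2\n" + MESH + "}\n"),
}


def parse_conf(text):
    """Return (global settings, list of network blocks) from config text."""
    glob, nets, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif "=" in line:
            key, val = line.split("=", 1)
            (glob if cur is None else cur)[key.strip()] = val.strip().strip('"')
    return glob, nets


def mesh_pmf(text):
    """Map each mesh SSID (mode=5) to 0 (off), 1 (optional) or 2 (required)."""
    glob, nets = parse_conf(text)
    # Assumption: the network's ieee80211w wins, then global pmf, then 0.
    return {n.get("ssid", ""): int(n.get("ieee80211w", glob.get("pmf", "0")))
            for n in nets if n.get("mode") == "5"}


def audit(nodes):
    """List version and ieee80211w mismatches across the given nodes."""
    findings = []
    versions = sorted({version for version, _ in nodes.values()})
    if len(versions) > 1:
        findings.append("version mismatch: " + ", ".join(versions))
    by_ssid = {}
    for name, (_, conf) in nodes.items():
        for ssid, pmf in mesh_pmf(conf).items():
            by_ssid.setdefault(ssid, {})[name] = pmf
    for ssid, settings in sorted(by_ssid.items()):
        if len(set(settings.values())) > 1:
            findings.append(f"ieee80211w differs on mesh {ssid!r}: {settings}")
    return findings
```
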