[PATCH v2 00/33] Improvements for roaming

Benjamin Berg benjamin at sipsolutions.net
Mon Sep 26 10:07:42 PDT 2016


On Sat, 2016-09-24 at 23:07 +0200, M. Braun wrote:
> With respect to the changes from Benjamin Berg from 2016-09-19, I don't think
> they really supersede this series, but they are not really superseded by this
> series either. I can rebase this series on that series if needed.
> 
> Regarding using R0-Identifier = R0-BSSID: This series uses an extra broadcast
> step, but does not interfere with RADIUS NAS-Identifier.

Your implementation seems sane to me, and I don't see any advantage of
having two separate solutions for the same issue. I'll run some tests
using your patchset.

> Regarding cache limitation: This series makes cache time configurable and
> triggers cache purge by time. This series lacks cache size limitation.

Probably not really necessary in almost all cases. The two potential
corner cases that might be relevant are rogue clients trying to
generate cache entries and weird configurations where the timeouts are
set so that cached items never expire.

> Regarding his 6/6 "l2: Add outgoing listener to catch packets from other
> hostapd". This should also be covered by using the new ft_iface due to the way
> MACVLAN "bridge"-mode works, though I'm unsure about platform support.

Sounds like it should work fine with MACVLAN enabled. It might make
sense to at least document the limitation if MACVLAN support is not
enabled.

Could ft_iface collide with rsn_preauth_interfaces if the same
interface is used?

Benjamin

> Sincerely,
> M. Braun
> 
> Michael Braun (33):
>   FT: generate PMK_R0 and PMK_R1 for FT-PSK locally
>   test: FT with locally generated PMK_R0/PMK_R1 from PSK
>   test: FT: EAP test for mismatching keys
>   FT: add support for wildcard R0KH / R1KH
>   test: FT with broadcasts
>   FT: cache newly detected R0KH / R1KH when using wildcard
>   FT: resend pull request
>   FT: negative caching when using wilcard r0kh
>   FT: new rrb message format
>   FT: add expiration to PMK-R0 and PMK-R1 cache
>   FT: add IEEE vlan support (including tagged vlans)
>   test: FT-EAP with VLAN
>   test: FT-PSK with VLAN
>   FT: add r1_max_key_lifetime
>   802.11 Factor out authentication code for reuse with FT-over-DS
>   FT-over-DS: use macaddr_acl
>   tests: FT test macaddr-acl
>   factor out ifconfig for use with macvlan
>   FT: separate RRB interface
>   test: FT ft_macvlan generation
>   FT: include identity and radius_cui in pull/resp frames
>   tests: FT with CUI
>   FT: add session_timeout to push/resp
>   Prepare 802.11i pre-authentication for full dynamic vlan.
>   Enable 802.11i pre-authentication with full dynamic vlans
>   test: pre-authentification with full dynamic vlans
>   STA: avoid driver warning when configuring not connected STAs for WPA
>   FT: radius accounting after roaming
>   FT: handle OVER_DS reassociate client retry
>   FT: convert r0_key_lifetime to seconds
>   FT OVER_DS with fullstate station driver
>   nl80211: fix CMD_FRAME used with VLANs
>   FT: do not change ANonce during re-sent auth request
> 
>  hostapd/Makefile                    |   32 +-
>  hostapd/config_file.c               |   23 +
>  hostapd/defconfig                   |   11 +
>  hostapd/hostapd.conf                |   81 +-
>  src/ap/ap_config.c                  |   32 +
>  src/ap/ap_config.h                  |   22 +
>  src/ap/ap_drv_ops.c                 |   15 +-
>  src/ap/ap_drv_ops.h                 |    3 +
>  src/ap/hostapd.h                    |    6 +
>  src/ap/ieee802_11.c                 |  171 ++--
>  src/ap/ieee802_11.h                 |    4 +
>  src/ap/ieee802_11_auth.c            |  110 ++-
>  src/ap/ieee802_11_auth.h            |   24 +-
>  src/ap/ieee802_1x.c                 |   18 +-
>  src/ap/l2_snoop.h                   |   72 ++
>  src/ap/l2_snoop_pcap.c              |  134 +++
>  src/ap/macvlan.c                    |  130 +++
>  src/ap/macvlan.h                    |   10 +
>  src/ap/preauth_auth.c               |  278 +++++-
>  src/ap/preauth_auth.h               |   19 +
>  src/ap/sta_info.c                   |   29 +-
>  src/ap/sta_info.h                   |    6 +-
>  src/ap/vlan_full.c                  |   23 +-
>  src/ap/vlan_ifconfig.c              |    9 +-
>  src/ap/vlan_ifconfig.h              |   16 +
>  src/ap/vlan_init.c                  |   20 +
>  src/ap/vlan_util.h                  |    3 -
>  src/ap/wpa_auth.c                   |    6 +-
>  src/ap/wpa_auth.h                   |  150 +--
>  src/ap/wpa_auth_ft.c                | 1834 ++++++++++++++++++++++++++++++-----
>  src/ap/wpa_auth_glue.c              |  430 +++++++-
>  src/ap/wpa_auth_i.h                 |    4 +-
>  src/common/defs.h                   |    5 +
>  src/common/wpa_common.c             |    3 +
>  src/common/wpa_common.h             |    3 +
>  src/drivers/driver.h                |    3 +-
>  src/drivers/driver_atheros.c        |    3 +-
>  src/drivers/driver_hostap.c         |   10 +-
>  src/drivers/driver_nl80211.c        |   53 +-
>  tests/hwsim/auth_serv/eap_user.conf |    5 +
>  tests/hwsim/example-hostapd.config  |    3 +
>  tests/hwsim/test_ap_ft.py           |  466 ++++++++-
>  tests/hwsim/test_pmksa_cache.py     |   19 +
>  wpa_supplicant/driver_i.h           |    2 +-
>  44 files changed, 3773 insertions(+), 527 deletions(-)
>  create mode 100644 src/ap/l2_snoop.h
>  create mode 100644 src/ap/l2_snoop_pcap.c
>  create mode 100644 src/ap/macvlan.c
>  create mode 100644 src/ap/macvlan.h
>  create mode 100644 src/ap/vlan_ifconfig.h
> 
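
The two corner cases named in the reply above (a client generating cache entries, and timeouts set so that entries never expire), shown as an added example that is not hostapd code and not code from this patch series: a cache purged only by time stays bounded once a size cap with eviction is added. The names, the cap of 4 and the oldest-first eviction policy are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <string.h>

#define CACHE_MAX 4 /* hypothetical size cap, kept small for the demo */
struct entry {
    uint8_t spa[6];  /* station MAC address */
    int64_t expires; /* absolute seconds; 0 = never expires */
    uint64_t seq;    /* insertion order; 0 = slot is free */
};
struct cache { struct entry e[CACHE_MAX]; uint64_t next_seq; };

/* Time-based purge; returns the number of entries still cached. */
static int cache_purge(struct cache *c, int64_t now)
{
    int i, live = 0;
    for (i = 0; i < CACHE_MAX; i++) {
        if (c->e[i].seq && c->e[i].expires && c->e[i].expires <= now)
            c->e[i].seq = 0;
        live += c->e[i].seq != 0;
    }
    return live;
}

/* Add or refresh an entry; at the cap, evict the oldest insertion. */
static int cache_add(struct cache *c, const uint8_t *spa, int64_t now, int64_t life)
{
    int i, slot = -1, oldest = 0;
    cache_purge(c, now);
    for (i = 0; i < CACHE_MAX; i++) {
        struct entry *e = &c->e[i];
        if (e->seq && memcmp(e->spa, spa, 6) == 0) { slot = i; break; }
        if (!e->seq && slot < 0) slot = i;
        if (e->seq < c->e[oldest].seq) oldest = i;
    }
    if (slot < 0) slot = oldest; /* full: the cap wins over the lifetime */
    memcpy(c->e[slot].spa, spa, 6);
    c->e[slot].expires = life > 0 ? now + life : 0;
    c->e[slot].seq = ++c->next_seq;
    return cache_purge(c, now);
}

/* Constructed input: n distinct station addresses (n <= 256), added at t=100. */
static int flood(struct cache *c, int n, int64_t lifetime)
{
    uint8_t spa[6] = { 0x02, 0, 0, 0, 0, 0 };
    int i, live = 0;
    for (i = 0; i < n; i++, spa[5]++)
        live = cache_add(c, spa, 100, lifetime);
    return live;
}
```

With a lifetime of 0 the time-based purge never removes anything, so the cap is the only thing that keeps 50 distinct addresses from producing 50 entries.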