Key server election on peer-to-peer MACsec with MKA
Michael Siedzik
msiedzik at extremenetworks.com
Mon Sep 14 14:11:30 EDT 2020
Hi Emond,
A couple of months ago Mickael Chazaux posted a thread on this very topic:
http://lists.infradead.org/pipermail/hostap/2020-July/038651.html
So it looks like the existing code is incorrectly handling key server elections with more than two peers, and GroupCAs in general. Mickael was on the right track with his attempted patches, but additional work and testing of 3-peer networks is required. Part of his solution was to remove parameter block failures in certain circumstances. The initial implementation of mka ignored all parameter block failures, which was causing error recovery problems in my 2-peer network. My following commit changed that behavior such that (nearly) any parameter block error invalidates the entire MKPDU (i.e., packet is dropped and live peer timers are not refreshed):
https://w1.fi/cgit/hostap/commit/src/pae/ieee802_1x_kay.c?id=db9ca18bbff101da67c0cd7f482fe29ae694dc04
Perhaps some parameter block failures need to be allowed in the 3-peer case. I have no need for GroupCAs so I've never delved into 3-peer scenarios; I chimed in on your thread because I do have experience in the 2-peer scenarios. The problem is certainly fixable but it will take an in-depth knowledge of IEEE 802.1X-2010 and some knowledge of C.
Sincerely,
- Mike Siedzik