[PATCH 0/5] mka: Correct the interpretation of CP and PN exhaustion
Thomas.Winter at alliedtelesis.co.nz
Tue Aug 10 15:28:55 PDT 2021
I requested 2 patches to be reverted but it didn't get done.
Adhering to the MKA standard more closely resulted in breaking compatibility with a Cisco switch we tried to interop with. That Cisco switch had numerous deviations from the MKA standard and/or bugs which was part of the problem.
From: Thomas Winter
Sent: 31 October 2019 18:14
To: Jouni Malinen
Cc: hostap at lists.infradead.org
Subject: Re: [PATCH 0/5] mka: Correct the interpretation of CP and PN exhaustion
> On Tue, Aug 27, 2019 at 03:55:33PM +1200, Thomas Winter wrote:
> > Hostap has implemented an interpretation of the CP state
> > machine and PN exhaustion in IEEE 802.1X-2010 that is incorrect.
> > A proposed amendment describes this interpretation
> > and why it is wrong:
> > http://grouper.ieee.org/groups/802/1/files/public/docs2017/xck-seaman-mka-pn-exhaustion-0917-v1.pdf
> > This amendment was included in IEEE 802.1Xck-2018.
> > To abide by this, the RECEIVE and RETIRE states are
> > changed to match Figure 12-2. Then the correct PN needs
> > to be inspected to determine exhaustion. This could be
> > the "latest" or "old" key depending on where we are in
> > the CP state machine. As stated in the amendment, the
> > method implemented should maintain backwards compatibility.
> > This also includes a couple of other fixes:
> > * The ABANDON->RECEIVE state change was impossible.
> > * Key values are cleared out on CHANGE.
> > Thomas Winter (5):
> > mka: Change RECEIVE and RETIRE states to standard
> > mka: Don't set newSAK to FALSE on ABANDON
> > mka: Clear out old/latest key values on CHANGE
> > mka: Check OLPN for exhaustion on SAKuse encode
> > mka: Check OLPN for exhaustion on SAKuse decode
> Thanks, applied with some cleanup.
> Jouni Malinen PGP id EFC895FA
Can the following commits please be reverted?
0fedfba2e20 ("mka: Change RECEIVE and RETIRE states to match the standard")
84851007d9 ("mka: Check OLPN for exhaustion on SAKuse encode")
These ended up breaking compatibility with Cisco.