Question: blocking and clogging

eelco at eelco at
Sun Dec 12 23:21:06 PST 2021


I have an issue with the blocking and clogging of a mesh network.

I noticed that when I have more peers in a mesh (>5), stations did get
into a blocked state (PLINK_BLOCKED) after too many connection attempts
and would stay there. The blocking state is not mentioned in the standard,
so I removed this transition to blocking. There has been a short
discussion about the PLINK_BLOCKED state here:

I did add a timer which is fired one more time (if it is not cancelled in
the meantime) after which the station is deleted. That way the connection
attempts can start over again (you can still set it blocked manually)

When I start my mesh (with >5 peers), I get log messages which tell me the
anti-clogging token is invalid:

Comeback: Invalid anti-clogging token from xx:xx:xx:xx:xx:xx - token_idx
0x0001, expected 0x0000

The anti clogging token is set, but is imo reset too soon. If a message is
received, it is checked against the token and the token is reset and the
process continues. If however the reception is bad and a message needs to
be resend, the token is no longer set, which leads to the "invalid
anti-clogging token" message.

I have changed two things:

- reset the anti-clogging token when the SAE state is ACCEPTED (i did not
find anything in the standard as to when to reset a token)
- only check the anti-clogging token when it is required, otherwise just
process the message (i.e there are more than "sae_anti_clogging_threshold"
SAE sessions). This is also mentioned in the standard (IEEE Std
802.11-2020, at 12.4.6)

However this does not solve it entirely;

- from time to time I still get the "invalid anti-clogging token" message,
but not so often and not so many anymore
- I now get these messages sometimes in the log:
    wlan0: Mesh RSN invalid peer nonce

I have tried to use sae_pwe=1 in the wpa_supplicant config file, but
unfortunately I get: "wlan0:    skip - SAE H2E required, but not supported
by the AP", so it seems I cannot use this with my devices.

So now I am a bit stuck and have 2 questions which I keep wondering about
and of which I was hoping someone could help me with:

1) Should the anti-clogging token be reset at any other point than it
originally was, because this implies that multiple messages can be send
with the same token until the token is reset

2) How to check whether to use the anti-clogging or not? Since the number
of SAE sessions changes over time, it can occur that an anti-clogging
token is received, but that the number of SAE sessions is below the
threshold, so the token is not checked and the message is processed
further, which I then suspect of causing the "invalid peer nonce" message.

- I am using the master branch commit ->
00b2fb2d04595faa1179c61b5b686e887f1945bb (tests: DPP3 protocol version
during network introduction)

Here are the changes I made:

do not set blocking:

diff --git a/wpa_supplicant/mesh_rsn.c b/wpa_supplicant/mesh_rsn.c
index 4b8d6c469..3fc5edb16 100644
--- a/wpa_supplicant/mesh_rsn.c
+++ b/wpa_supplicant/mesh_rsn.c
@@ -50,13 +50,13 @@ void mesh_auth_timer(void *eloop_ctx, void *user_data)

-			/* block the STA if exceeded the number of attempts */
-			wpa_mesh_set_plink_state(wpa_s, sta, PLINK_BLOCKED);
-			sta->sae->state = SAE_NOTHING;
-			wpa_msg(wpa_s, MSG_INFO, MESH_SAE_AUTH_BLOCKED "addr="
-				MACSTR " duration=%d",
-				MAC2STR(sta->addr),
-				hapd->conf->ap_max_inactivity);
+			unsigned int rnd = 5 + (rand() % MESH_AUTH_TIMEOUT );
+			eloop_register_timeout(rnd, 0, mesh_auth_timer, wpa_s, sta);
+			wpa_msg(wpa_s, MSG_INFO, "STATION WAIT addr="
+							MACSTR " duration=%d",
+							MAC2STR(sta->addr),
+							rnd);

update anti-clogging:

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index db4104928..f946a7251 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -771,8 +771,6 @@ static int check_comeback_token(struct hostapd_data
*hapd, const u8 *addr,
 	    os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
 		return -1;

-	hapd->comeback_pending_idx[idx] = 0; /* invalidate used token */
 	return 0;

@@ -1147,8 +1145,14 @@ static int sae_sm_step(struct hostapd_data *hapd,
struct sta_info *sta,
 			sta->sae->sync = 0;
 			sae_set_retransmit_timer(hapd, sta);
 		} else {
-			if (sae_check_big_sync(hapd, sta))
+			if (sae_check_big_sync(hapd, sta)) {
+			  u8 idx;
+			  if (comeback_token_hash(hapd, sta->addr, &idx) > 0) {
+  			  hapd->comeback_pending_idx[idx] = 0;
+  			}
+			}

 			ret = auth_sae_send_confirm(hapd, sta, bssid);
@@ -1471,7 +1475,10 @@ static void handle_auth_sae(struct hostapd_data
*hapd, struct sta_info *sta,
 			goto remove_sta;

-		if (token &&
+    int useClogging = use_anti_clogging(hapd);
+		if (useClogging &&
+		    token &&
 		    check_comeback_token(hapd, sta->addr, token, token_len)
 		    < 0) {
 			wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "

More information about the Hostap mailing list