[PATCH 09/13] SME: Accept authentication frame from an MLD AP

Otcheretianski, Andrei andrei.otcheretianski at intel.com
Mon Nov 28 08:50:15 PST 2022 

> > The underline driver is expected to translate the link addresses to
> > MLD addresses when processing an authentication frame from a MLD AP.
> > Thus, accept authentication frame when the peer matches the expected
> > MLD address.
> 
Hi Jouni,
Thank you for reviewing 😊

> Where is that behavior defined? Is this design here implying that the
> Authentication are send to/from userspace with different header address
> field values that are used in the actual frame over air?

This is the current mac80211's behavior. We had several conversations with Johannes about all the addressing stuff - though I don't think it is clearly documented anywhere.
Indeed the addressing over the air is different from the frame header.
Here is the mac80211 patch that does the translation on rx, for example:
https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/commit/?id=42fb9148c078004d07b4c39bd7b1086b6165780c

> Which component is
> enforcing the authentication, association, and initial EAPOL-Key 4-way
> handshake to be using the same link?

Prior to 4-way handshake completion there's only one active link, so there are no other options.
Both for auth and assoc commands there's link_id parameters, to select a specific link for authentication/association.
wpa_supplicant ensures that the same link_id is used for auth and assoc.
For control port tx, it is possible to add link id as well, though it's not needed for station mode, as the drivers shouldn't enable any other link prior authorization.
> 
> What happens with association frames? Does this have any impact on how
> the protection for those, e.g., with FILS, works since that needs to use the
> actual link addresses for deriving KeyAuth? What if something similar would
> be needed in Authentication frames?

I'm not familiar with FILS enough and we didn't try to enable it with MLD.
I tried to look up in the ieee802.11be/D.2.2, and I don't see any changes with respect to FILS. For example 12.11.2.6.3 (in REVme) should be updated at least to include per link MLO GTK etc.
Maybe the addressing for FILS should be updated in the spec as well?
In any case nl80211 reports link_id for the received mgmt. frames, so link addresses should be known to wpa_supplicant, if needed.

Andrei
> 
> --
> Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list