[PATCH 09/13] SME: Accept authentication frame from an MLD AP

Otcheretianski, Andrei andrei.otcheretianski at intel.com
Wed Nov 30 01:24:36 PST 2022

> This assumes that encryption/decryption is always based on the MLD
> addresses. One might hope that to be the case, but it is not that clear yet, so
> unless P802.11be gets extended to make this obvious, there is some risk in
> this design.

This is true for management frames, and anyway nl80211 provides link id so link addresses
may be reconstructed if needed in the future.

> There may be need to verify that EAPOL-Key msg 1/4 and 3/4 are exchanged
> on the same channel/link, so it would be good to have that available for the
> rekeying cases for both AP and STA sides.

There is already link_id in the nl80211 API for control port tx.
Anyway, why is it required to rekey on the same link?
wpa_supplicant has an API to the kernel to query about the active links and, if needed, it will be able to force tx on whatever link it selects.

> FILS encodes STA-MAC and AP-BSSID into Key-Auth derivation. I'd guess this
> would be modified to use MLD addresses in P802.11be. In addition to that,
> FILS encrypts parts of the Association Request/Response frames and AAD for
> that includes the BSSID/STA Mac address which would map to link addresses
> and might or might not be mapped to MLD addresses since this case is a bit
> special (only the association step and verifying that the addresses used to
> transmit the frame were correct). It would probably be fine to use MLD
> addresses in FILS AAD case as well, but clearly that has not yet been done in
> P802.11be (which seems to point towards no one having really thought much
> about FILS in this context so far).

Yeah. It indeed looks like FILS wasn't covered yet in the 802.11be/D.2.2.
I also raised it with our relevant people in IEEE, so it will be further discussed.

> If the link addresses used for Authentication and (Re)Association
> Request/Response frames are made available to user space somehow in RX
> path, that should be sufficient for most of these needs. The main exception
> to that would be the very first Authentication frame, so there is some risk for
> corner cases or unknown/future definitions of Authentication frame use.
> This may be acceptable, but the constraint and expected use of addresses in
> nl80211 commands for MLO should be clearly spelled out in nl80211.h.

Link id is available to supplicant for management and EAP frames.
There is no translation for the first authentication frame (in AP mode) since the kernel isn't aware of the station at this stage yet.
In general address translation starts after the station is added.
I'll document this properly with Johannes in nl80211.h.

> --
> Jouni Malinen                                            PGP id EFC895FA
