issues ? Rekey GTK when any STA that possesses the current GTK is leaving the BSS

gig gig-tmb
Thu Aug 14 08:26:27 PDT 2008


http://s51.radikal.ru/i133/0808/f3/aab421cf73c9.jpg
Hi all !!!
systems:
openwrt(ap): trunk 12065, wrap2c ubiquiti SR5
openwrt2(sta): trunk 12065, rb532 ubiquiti SR5
linux machine: Ubuntu 7.10 server, vlan up, all work
connection permanently without any breaks, ping stable, BUT!

PROBLEM:

ping from sta linux machine->

root@OpenWrt:/home# ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1): 56 data bytes
64 bytes from 172.16.0.1: seq=0 ttl=64 time=5.800 ms
64 bytes from 172.16.0.1: seq=1 ttl=64 time=1.486 ms

ping from linux machine to sta->
root@fw:~# ping 172.16.0.2
PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.
64 bytes from 172.16.0.2: icmp_seq=1 ttl=64 time=1.48 ms
64 bytes from 172.16.0.2: icmp_seq=2 ttl=64 time=1.35 ms

after waiting ~ 2 minutes ping again from linux machine to sta->
root@fw:~# ping 172.16.0.2
PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.
From 172.16.0.1 icmp_seq=2 Destination Host Unreachable
From 172.16.0.1 icmp_seq=3 Destination Host Unreachable
From 172.16.0.1 icmp_seq=4 Destination Host Unreachable

& if i ping again from sta to linux machine
root@OpenWrt:/home# ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1): 56 data bytes
64 bytes from 172.16.0.1: seq=0 ttl=64 time=115.823 ms
64 bytes from 172.16.0.1: seq=1 ttl=64 time=1.503 ms
64 bytes from 172.16.0.1: seq=2 ttl=64 time=1.514 ms

on linux machine
From 172.16.0.1 icmp_seq=78 Destination Host Unreachable
From 172.16.0.1 icmp_seq=79 Destination Host Unreachable
From 172.16.0.1 icmp_seq=80 Destination Host Unreachable
64 bytes from 172.16.0.2: icmp_seq=81 ttl=64 time=415 ms
64 bytes from 172.16.0.2: icmp_seq=82 ttl=64 time=1.36 ms
64 bytes from 172.16.0.2: icmp_seq=83 ttl=64 time=1.56 ms
64 bytes from 172.16.0.2: icmp_seq=84 ttl=64 time=1.68 ms

TO PROBLEM AGAIN:
it looks like sta goes down & from linux machine i can't ping it. can't ping it
& if i connect different client like notebook(winxp+atheros drivers)

i try do something with bridge like ->  # brctl setageing "bridgename" "time"
it time of remove mac address from forwarding table. Try set long time in secs.
or to 0, but it not help!!!

Try remove from bridge ath0 interface & add in bridge only eth0+eth0.3 but
problem repeated again!

PLEASE HELP !!!


------- Comment #1 From Dmitry Skryabin 2008-08-14 05:36:16
Something from linux machine strange behavior in arp table
root@fw:~# arp -na
? (172.16.0.15) at <incomplete> on eth0.3
? (10.0.2.15) at 00:13:8F:B7:54:8D [ether] on eth2
? (10.0.2.8) at <incomplete> on eth2
root@fw:~# ping 172.16.0.22
PING 172.16.0.22 (172.16.0.22) 56(84) bytes of data.

--- 172.16.0.22 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2008ms

root@fw:~# arp -na
? (172.16.0.15) at <incomplete> on eth0.3
? (10.0.2.200) at 00:0D:B9:03:70:A4 [ether] on eth2
? (10.0.2.15) at 00:13:8F:B7:54:8D [ether] on eth2
? (10.0.2.8) at <incomplete> on eth2
? (172.16.0.22) at <incomplete> on eth0.3

Tcpdump at that moment on bridge on ap

root@OpenWrt:~# tcpdump -i br-vlan -vv
tcpdump: WARNING: br-vlan: no IPv4 address assigned
tcpdump: listening on br-vlan, link-type EN10MB (Ethernet), capture size 96 bytes
02:26:56.816817 00:15:6d:51:04:18 (oui Unknown) > Broadcast Null Supervisory, Receiver not Ready, rcv seq 64, Flags [Poll], length 6
02:26:56.818491 00:15:6d:51:04:18 (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 02
02:26:59.822096 arp who-has 172.16.0.22 tell 172.16.0.1
02:27:00.822153 arp who-has 172.16.0.22 tell 172.16.0.1
02:27:01.822163 arp who-has 172.16.0.22 tell 172.16.0.1
02:27:03.822182 arp who-has 172.16.0.22 tell 172.16.0.1
02:27:04.739632 [|llc]00:13:46:fe:66:1b (oui Unknown) > 00:80:48:7e:9b:0a (oui Unknown), 802.3, length 14: 
02:27:04.822202 arp who-has 172.16.0.22 tell 172.16.0.1
02:27:04.904278 [|llc]00:13:46:fe:66:1b (oui Unknown) > 00:80:48:7e:9b:0a (oui Unknown), 802.3, length 14: 
02:27:05.822197 arp who-has 172.16.0.22 tell 172.16.0.1

sta answer on arp request only when i ping linux machine

------- Comment #2 From Dmitry Skryabin 2008-08-14 08:12:33
after some searching i found strange behavior of hostapd with GTK rekeying that
encrypts broadcast/multicast packets

# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
#wpa_strict_rekey=1

I set wpa_strict_rekey to 0 & after more than 10 min pinging sta fine.
It look like sta sleep, ap identify it like sta leaving the BSS &
hostapd rekeying GTK, but sta still connected, after that ap
reinitialize connection with sta with new GTK, but sta have old key.

May be i'm wrong? fix me!

At now moment i solved my problem by shorter
wpa_group_rekey=60
wpa_strict_rekey=0

But may be exist another way?
-- 
__
BeST Ltd.
Skryabin Dmitry
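
An added example, not part of the original post: a Python check that finds the symptom shown in the capture above, runs of broadcast `arp who-has` requests for one address that get no reply, in saved tcpdump text output. The sample lines and MAC address are constructed, and the threshold of three requests is an assumption.

```python
import re

# Old and new tcpdump text formats both contain "who-has <ip> ... tell <ip>"
# and "reply <ip> is-at <mac>" after an HH:MM:SS.frac timestamp.
REQ = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) .*?who-has ([\d.]+)(?: \([^)]*\))? tell ([\d.]+)", re.I)
REP = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) .*?reply ([\d.]+) is-at ([0-9a-f:]{17})", re.I)

# Constructed sample (not a real capture); the MAC address is made up.
SAMPLE = """\
02:26:59.822096 arp who-has 172.16.0.22 tell 172.16.0.1
02:27:00.822153 arp who-has 172.16.0.22 tell 172.16.0.1
02:27:01.100000 arp who-has 172.16.0.2 tell 172.16.0.1
02:27:01.101200 arp reply 172.16.0.2 is-at 00:11:22:33:44:55
02:27:01.822163 arp who-has 172.16.0.22 tell 172.16.0.1
02:27:03.822182 arp who-has 172.16.0.22 tell 172.16.0.1
"""

def _secs(h, m, s):
    # Time of day in seconds; a capture that crosses midnight is not handled.
    return int(h) * 3600 + int(m) * 60 + float(s)

def unanswered_arp_runs(text, min_run=3):
    """Return (target, asker, requests, seconds) for every run of at least
    min_run who-has requests for one target with no reply in between."""
    open_runs, found = {}, []

    def close(target):
        asker, count, first, last = open_runs.pop(target)
        if count >= min_run:
            found.append((target, asker, count, round(last - first, 3)))

    for line in text.splitlines():
        req, rep = REQ.match(line), REP.match(line)
        if req:
            ts = _secs(*req.group(1, 2, 3))
            run = open_runs.setdefault(req.group(4), [req.group(5), 0, ts, ts])
            run[1] += 1           # one more request without an answer
            run[3] = ts
        elif rep and rep.group(4) in open_runs:
            close(rep.group(4))   # the target answered: the run ends here
    for target in list(open_runs):
        close(target)             # still unanswered when the capture ended
    return found

if __name__ == "__main__":
    for target, asker, n, secs in unanswered_arp_runs(SAMPLE):
        print(f"{target}: {n} requests from {asker} over {secs}s, no reply")
```

A reported run only shows that broadcast frames are not being answered; comparing its start time with the group rekey entries in the hostapd log is what ties it to the GTK.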



