wpa_supplicant 2.6 HWMP routes no traffic
j at w1.fi
Wed Oct 5 01:53:13 PDT 2016
On Tue, Oct 04, 2016 at 07:20:38AM -0400, Bob Copeland wrote:
> Note there were a number of issues with encrypted networks not
> correctly implementing the standard that were resolved recently.
> These will cause backwards-compatibility issues, though I'm not
> sure if they landed in 2.6. The changes are:

All the changes were added in wpa_supplicant v2.6.

> And in the kernel:
> - self-protected management frames (HWMP) were integrity protected
> (with that MGTK-as-IGTK) instead of encrypted with MGTK as required
> by the standard. This was fixed in 4.8.

And likely depend on this change being present as well.

I don't think there is much point in trying to make this work with some
kind of mix of kernel and user space components that pull in a partial
subset of the fixes. This kind of worked with the old version (but not
in a way the standard was supposed to work) and all the known issues
were fixed in the updates.

My recommendation would be to use the latest version of both
wpa_supplicant and kernel. If there are issues in upgrading the full
kernel, I'd pull in the applicable mesh fixes from the current kernel
tree into whatever old version is used as the base kernel in the system.

The other option would be to continue to use old versions of both, but I
cannot really recommend this taking into account the identified issues.
While these might not be considered critical from a security viewpoint,
there are some potential implications to the security due to that odd
reuse of MGTK as IGTK. Furthermore, one would get stuck with the old
version that won't work with anything newer which is not really a good
place to be since it makes it difficult to get other updates in.

Jouni Malinen PGP id EFC895FA