[Discussion] MLO EAPOL M2 fails to conform to standard

Chien Wong m at xv97.com
Tue Dec 16 05:57:26 PST 2025


Dear all,

It seems like the current EAPOL M2 message handling does not conform to the standard.

As per IEEE 802.11be-2024, 12.7.6.1,
> When more than one link is requested and included in message 2 for the
> initial 4-way handshake, an MLO Link KDE is included for each link and
> contains the LinkId field and corresponding affiliated STA MAC address
> received in the Basic Multi-Link element by the AP MLD in the
> (Re)Association Request frame. When included in message 2 for the
> rekeying, an MLO Link KDE is included for each setup link and contains
> the LinkId field and corresponding STA MAC address.
MLO Link KDEs in M2 should be handled differently when rekeying. But the current
implementation does not account for rekeying.

In src/rsn_supp/wpa.c, wpa_supplicant_process_1_of_4():
> 	if (sm->mlo.valid_links) {
> 		u8 *pos;
> 
> 		/* Add MAC KDE */
> 		wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 2/4");
> 		pos = kde + kde_len;
> 		pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
> 				  ETH_ALEN);
> 
> 		/* Add MLO Link KDE */
> 		wpa_printf(MSG_DEBUG, "Add MLO Link KDE(s) into EAPOL-Key 2/4");
> 		pos = wpa_mlo_link_kde(sm, pos);
> 		kde_len = pos - kde;
> 	}
> 
> 	if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
> 				       sm->snonce, kde, kde_len, ptk) < 0)
> 		goto failed;
And in the same file, wpa_mlo_link_kde():
> static u8 * wpa_mlo_link_kde(struct wpa_sm *sm, u8 *pos)
> {
> 	int i;
> 	u8 hdr[1 + ETH_ALEN];
> 
> 	for_each_link(sm->mlo.req_links, i) {
> 		if (sm->mlo.assoc_link_id == i)
> 			continue;
> 
> 		wpa_printf(MSG_DEBUG,
> 			   "MLO: Add MLO Link %d KDE in EAPOL-Key 2/4", i);
> 		hdr[0] = i & 0xF; /* LinkID; no RSNE or RSNXE */
> 		os_memcpy(&hdr[1], sm->mlo.links[i].addr, ETH_ALEN);
> 		pos = rsn_add_kde(pos, RSN_KEY_DATA_MLO_LINK, hdr, sizeof(hdr));
> 	}
> 
> 	return pos;
> }
The association link is skipped when adding MLO Link KDEs to M2.

hostapd is verifying the IEs.
In src/ap/wpa_auth.c, wpa_auth_validate_ml_kdes_m2():
> 		if (!sm->mld_links[i].valid || i == sm->mld_assoc_link_id) {
> 			wpa_printf(MSG_DEBUG,
> 				   "RSN: MLD: Invalid link ID=%u", i);
> 			return -1;
> 		}
> ...
> 	/* Must have the same number of MLO links (excluding the local one) */
> 	if (n_links != sm->n_mld_affiliated_links) {
> 		wpa_printf(MSG_DEBUG,
> 			   "RSN: MLD: Expecting %u MLD links in msg 2, but got %u",
> 			   sm->n_mld_affiliated_links, n_links);
> 		return -1;
> 	}
hostapd does not allow the association link KDE to appear in M2.

It seems like the issue cannot be easily fixed without causing compatibility
problems with existing devices?

Regards,
Chien Wong
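
A simplified model of the mismatch described in the message above, added here as an illustration; it is not code from hostap or from the original post. `struct link_kde`, `build_m2_links`, `validate_m2_links`, `demo` and `MAX_LINKS` are hypothetical names, and the validator reproduces only the two checks visible in the quoted hostapd excerpt.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN 6
#define MAX_LINKS 15 /* hypothetical bound for this sketch */

/* Body of one MLO Link KDE in M2: LinkID plus STA MAC address. */
struct link_kde { uint8_t link_id; uint8_t addr[ETH_ALEN]; };

/* Supplicant model: skip_assoc=1 follows the quoted wpa_mlo_link_kde(); 0 emits one KDE per setup link. */
static size_t build_m2_links(uint16_t links, int assoc_id, int skip_assoc,
			     uint8_t addrs[][ETH_ALEN], struct link_kde *out)
{
	size_t n = 0;
	for (int i = 0; i < MAX_LINKS; i++) {
		if (!(links & (1u << i)) || (skip_assoc && i == assoc_id))
			continue;
		out[n].link_id = i & 0xF;
		memcpy(out[n].addr, addrs[i], ETH_ALEN);
		n++;
	}
	return n;
}

/* Authenticator model: only the two checks in the quoted excerpt. 0 = accept, -1 = reject. */
static int validate_m2_links(uint16_t valid_links, int assoc_id,
			     const struct link_kde *kdes, size_t n)
{
	size_t n_affiliated = 0;
	for (int i = 0; i < MAX_LINKS; i++)
		if ((valid_links & (1u << i)) && i != assoc_id)
			n_affiliated++;
	for (size_t k = 0; k < n; k++) {
		int id = kdes[k].link_id;
		if (id >= MAX_LINKS || !(valid_links & (1u << id)) || id == assoc_id)
			return -1; /* unknown link, or the association link */
	}
	return n == n_affiliated ? 0 : -1;
}

/* Constructed case: setup links 0 and 1, association on link 0, made-up MAC addresses. */
static int demo(int skip_assoc)
{
	uint8_t addrs[MAX_LINKS][ETH_ALEN] = { { 2, 0, 0, 0, 0, 0 }, { 2, 0, 0, 0, 0, 1 } };
	struct link_kde kdes[MAX_LINKS];
	size_t n = build_m2_links(0x3, 0, skip_assoc, addrs, kdes);
	return validate_m2_links(0x3, 0, kdes, n);
}
```

`demo(1)` (association link skipped, as in the quoted supplicant code) is accepted, while `demo(0)` (one KDE per setup link, the reading of the rekeying text given in the message) is rejected at the association-link check.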


