[Discussion] MLO EAPOL M2 fails to conform to standard
Pablo MARTIN-GOMEZ
pmartin-gomez at freebox.fr
Wed Dec 17 06:32:07 PST 2025
Hello,
On 16/12/2025 14:57, Chien Wong wrote:
> Dear all,
>
> It seems like current EAPOL M2 message handling does not conform to the standard.
[...]
> hostapd is verifying the IEs.
> In src/ap/wpa_auth.c, wpa_auth_validate_ml_kdes_m2():
>
>> if (!sm->mld_links[i].valid || i == sm->mld_assoc_link_id) {
>> wpa_printf(MSG_DEBUG,
>> "RSN: MLD: Invalid link ID=%u", i);
>> return -1;
>> }
>> ...
>> /* Must have the same number of MLO links (excluding the local one) */
>> if (n_links != sm->n_mld_affiliated_links) {
>> wpa_printf(MSG_DEBUG,
>> "RSN: MLD: Expecting %u MLD links in msg 2, but got %u",
>> sm->n_mld_affiliated_links, n_links);
>> return -1;
>> }
> hostapd does not allow association link KDE to appear in M2.
>
> It seems like the issue cannot be easily fixed without causing compatibility
> problems with existing devices?
Even if we break compatibility with current hostapd implementation, what
is going to happen is that hostapd is going to disconnect the STA with
reason WLAN_REASON_PREV_AUTH_NOT_VALID and the STA is going to
reassociate right after. So it is "just" a small downtime when an MLD
STA has to rekey.
Best regards,
Pablo MG
>
> Regards,
> Chien Wong
More information about the Hostap
mailing list