[PATCH 2/3] mesh: Add an option to configure SAE Anti-Clogging Threshold

Nicolas Cavallari nicolas.cavallari at green-communications.fr
Thu Sep 18 08:31:39 PDT 2025


In dense mesh networks, the threshold can be quickly reached if many
nodes start at the same time.

Allow the user to configure it so that it does not trigger if there is
no attack.

The configuration is not applied when wpa_supplicant is used to create
an access point instead of a mesh.

Signed-off-by: Nicolas Cavallari <nicolas.cavallari at green-communications.fr>
---
 wpa_supplicant/config.c            | 2 ++
 wpa_supplicant/config.h            | 1 +
 wpa_supplicant/config_file.c       | 3 +++
 wpa_supplicant/config_ssid.h       | 6 ++++++
 wpa_supplicant/mesh.c              | 1 +
 wpa_supplicant/wpa_supplicant.conf | 5 +++++
 6 files changed, 18 insertions(+)

diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index a0f71cfc6..e0e5e9054 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2532,6 +2532,7 @@ static const struct parse_data ssid_fields[] = {
 	{ STR_KEY(sae_password) },
 	{ STR(sae_password_id) },
 	{ INT(sae_pwe) },
+	{ INT(anti_clogging_threshold) },
 	{ FUNC(proto) },
 	{ FUNC(key_mgmt) },
 	{ INT(bg_scan_period) },
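Review bot: The new `INT(anti_clogging_threshold)` entry accepts any integer, including negative values, so a line such as `anti_clogging_threshold=-1` is stored unchecked and, via the mesh.c hunk, copied straight into `bss->conf->anti_clogging_threshold`. This table already uses `INT_RANGE` for fields with a meaningful domain; something like `{ INT_RANGE(anti_clogging_threshold, 0, INT_MAX) }` (with `<limits.h>` in scope if it is not already) would reject bad values at parse time instead of leaving the interpretation of a negative threshold to the SAE code. The patch does not show how the SAE side treats a threshold of 0, so the lower bound should be chosen to match that behavior, and the same consideration applies to the unvalidated assignment in the mesh.c hunk. `ssid_fields` continues outside the hunk.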
@@ -3322,6 +3323,7 @@ void wpa_config_set_network_defaults(struct wpa_ssid *ssid)
 	ssid->proactive_key_caching = -1;
 	ssid->ieee80211w = MGMT_FRAME_PROTECTION_DEFAULT;
 	ssid->sae_pwe = DEFAULT_SAE_PWE;
+	ssid->anti_clogging_threshold = DEFAULT_ANTI_CLOGGING_THRESHOLD;
 #ifdef CONFIG_MACSEC
 	ssid->mka_priority = DEFAULT_PRIO_NOT_KEY_SERVER;
 #endif /* CONFIG_MACSEC */
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index c187d36ed..d09fb86b5 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -19,6 +19,7 @@
 #define DEFAULT_MAX_PEER_LINKS 99
 #define DEFAULT_MESH_MAX_INACTIVITY 300
 #define DEFAULT_MESH_FWDING 1
+#define DEFAULT_ANTI_CLOGGING_THRESHOLD 5
 /*
  * The default dot11RSNASAERetransPeriod is defined as 40 ms in the standard,
  * but use 1000 ms in practice to avoid issues on low power CPUs.
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index b1ba03ac5..da96d1ea3 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -777,6 +777,9 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 	STR(sae_password);
 	STR(sae_password_id);
 	write_int(f, "sae_pwe", ssid->sae_pwe, DEFAULT_SAE_PWE);
+	write_int(f, "anti_clogging_threshold", ssid->anti_clogging_threshold,
+		  DEFAULT_ANTI_CLOGGING_THRESHOLD);
+
 	write_proto(f, ssid);
 	write_key_mgmt(f, ssid);
 	INT_DEF(bg_scan_period, DEFAULT_BG_SCAN_PERIOD);
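Review bot: The blank line added after the new `write_int()` call splits the sae_* group from `write_proto()`/`write_key_mgmt()`, while the surrounding entries in `wpa_config_write_network()` run without separators; dropping that empty line keeps the output code consistent with its neighbours. The function continues outside the hunk.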
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 530b5e963..b8cd13d34 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -1288,6 +1288,12 @@ struct wpa_ssid {
 	 */
 	enum sae_pwe sae_pwe;
 
+	/**
+	 * anti_clogging_threshold - Number of unfinished SAE exchanges
+	 * before requesting anti clogging in mesh mode.
+	 */
+	int anti_clogging_threshold;
+
 	/**
 	 * disable_eht - Disable EHT (IEEE 802.11be) for this network
 	 *
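Review bot: The doc comment on the new `anti_clogging_threshold` member does not state its default or its scope, which the rest of this patch fixes elsewhere: the default is `DEFAULT_ANTI_CLOGGING_THRESHOLD` (5) and, per the commit message, the value is only applied when wpa_supplicant runs a mesh, not an AP. I would extend the comment with a `Default: 5 (DEFAULT_ANTI_CLOGGING_THRESHOLD)` line and a sentence saying it is ignored in AP mode, and, since the field is an `int`, mention the accepted range once that is decided in config.c. `struct wpa_ssid` continues outside the hunk.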
diff --git a/wpa_supplicant/mesh.c b/wpa_supplicant/mesh.c
index fdf5e68e3..67d61e83b 100644
--- a/wpa_supplicant/mesh.c
+++ b/wpa_supplicant/mesh.c
@@ -489,6 +489,7 @@ static int wpa_supplicant_mesh_init(struct wpa_supplicant *wpa_s,
 	bss->conf->ap_max_inactivity = wpa_s->conf->mesh_max_inactivity;
 	bss->conf->mesh_fwding = wpa_s->conf->mesh_fwding;
 	bss->conf->sae_pwe = wpas_get_ssid_sae_pwe(wpa_s, ssid);
+	bss->conf->anti_clogging_threshold = ssid->anti_clogging_threshold;
 
 	ieee80211_freq_to_chan(freq->center_freq1, &chan);
 	if (wpa_s->mesh_vht_enabled) {
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index f7852293b..5a3041c08 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -153,6 +153,11 @@ ap_scan=1
 # Enable 802.11s layer-2 routing and forwarding (dot11MeshForwarding)
 #mesh_fwding=1
 
+# SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold)
+# This parameter defines how many open SAE instances can be in progress at the
+# same time before the anti-clogging mechanism is used in mesh mode.
+#anti_clogging_threshold=5
+
 # cert_in_cb - Whether to include a peer certificate dump in events
 # This controls whether peer certificates for authentication server and
 # its certificate chain are included in EAP peer certificate events. This is
-- 
2.51.0



