-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
hostapd: correct IEEE 802.11r options #1382
Conversation
I think they used those default values because they want use the same default values as the upstream hostap project. (Extracted from https://w1.fi/cgit/hostap/tree/hostapd/hostapd.conf)
But I don't know why (for example) they used
while in the upstream config is
|
Anyway you should do
and fix your commit message adding the package name and your sign at the end.
|
This commit https://w1.fi/cgit/hostap/commit/?id=96590564d658cf344778e9c84bcd58d39764e11d confirms that
|
Im a new GitHub user, please tell me where and what in GitHub Desktop for Windows should I fix? As for your comment on default values, please read my whole message. They already calculate them by default (they are going to deprecate them sooner or later - maybe only for very specific reason someone needs them), thats why we dont need them. Our special option should enable 80211r by default, at the moment it does not. |
I don't use Windows neither a gui for git :-/ Yes, I agree with your comment about default values, my response was only a clarification about why they used them. |
2712ba1
to
17dcbd3
Compare
There, please merge, got more coming up |
@stintel could you review and accept this? |
In LUCI only these are then mandatory per BSS (non advanced): |
Try converting 00004f577274 (r1_key_holder default) from hex to ascii :-) For nasid, to be truly unique, I suggest interface_name.fqdn |
For true uniqueness per BSS, even that does not apply to my situation where I have both bands bridged to the same interface. So.... BIG thank you for stimulating my brain into this matter yet again. True uniqueness is yet again BSSID. |
Is the
So what about moving |
If its necessary, im actually using Im manually patching my APs to have default here |
IOW |
Ahh okay, sorry I misunderstood |
What about generating a default Then optionally the user can change the mobility_domain. Whit this change, a user using PSK must only set |
there is already as for |
Yes sorry for my oversight about For set_default mobility_domain $(echo -n "$ssid" | md5sum | head -c 4) |
I just dont understand why is it taking so long to accept this PR. I had more stuff like this to push here but now I just don't care anymore... |
I think they are focused on others tasks at the time. |
People reviewing and merging are not paid for this and they also have a job and a life. It's normal to wait for months before someone shows up. As said by BigNerd95, you should plan accordingly and keep your changes in a branch you keep synced to mainline, so you can use them for your own builds while you wait. |
By default, hostapd assumes r1_key_holder equal to bssid. If LEDE configures the same static r1 key holder ID on two different APs (BSSes) the RRB exchanges fails behind them. Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
Could you please rebase this on top of current ,master and also squash all patches into one. |
cc5a8b2
to
6919f95
Compare
Done. |
Nothing is perfect, I would use "improve 802.11r options" in subject. Next to that, the commit message now no longer contains any explanation. Please add that again. |
46a4715
to
eb4813b
Compare
Done. |
json_get_values r1kh r1kh | ||
|
||
set_default r0_key_lifetime 10000 | ||
set_default r1_key_holder "${macaddr//\:}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why don't you use this here:
[ -n "$r1_key_holder" ] && append bss_conf "r1_key_holder=$r1_key_holder" "$N"
It says "Defaults to BSSID."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
line 417: set_default r1_key_holder "${macaddr//\:}"
here it defaults
line 421: append bss_conf "r1_key_holder=$r1_key_holder" "$N"
here it writes
if user wants to change r1_key_holder
, he can, otherwise by doing only (changing default) ft_psk_generate_local **0**
LEDE will auto-write BSSID if r1_key_holder
left unadded/unchanged by user ---
because then 80211r needs a unique r1_key_holder
per BSS, it wont auto generate it unique atm non-working state --- r1_key_holder
needs to exist --- defaulting BSSID fixes auto non-working state only.
logic is different, coding style is the same as before.
line 411: if [ "$ft_psk_generate_local" -eq "0" ]; then
user wants to change keys (don't need to) and forgets to actually add/change them
line 417: set_default r1_key_holder "${macaddr//\:}"
this only sets BSSID if user did not add/change r1_key_holder
[ -n "$r1_key_holder" ]
doesn't make sense because r1_key_holder
needs to exist
line 421: append bss_conf "r1_key_holder=$r1_key_holder" "$N"
im appending r1_key_holder
in line 421 where it was before.
previously it was
line 400: set_default r1_key_holder "00004f577274"
<-- wrong default value, it needs to be unique for multi SSID and per AP (like BSSID is)
line 408: append bss_conf "r1_key_holder=$r1_key_holder" "$N"
<-- write
someone deleted both lines in commit 09f90b7 where I referenced it and added:
line 407: [ -n "$r1_key_holder" ] && append bss_conf "r1_key_holder=$r1_key_holder" "$N"
which doesnt make any sense --- it only shows r1_key_holder
is not needed if someone wants to change ft_psk_generate_local
to 1 --- which it should be by default -- which it is also in my PR in line 401
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand what you mean now, you mean upstream hostap defaults to BSSID? it can be removed, but maybe its better to be left like that, so noone readds something stupid later on?
eb4813b
to
905bbc9
Compare
> SHORT: for an absolute minimal working IEEE 802.11r, `option ieee80211r '1'` is all that is needed in LEDE everything else is optional > LONG: IEEE 802.11r has *many sub-options* inside it's hostapd block of options in LEDE, we have a *UCI special option* (option ieee80211r '1') that is not present in hostapd.conf and it *enables* these hostapd.conf sub-options hostapd.conf sub-options' default values do *not* enable a working IEEE 802.11r configuration `ft_psk_generate_local 1` from man: > This avoids use of PMK-R1 push/pull from other APs with FT-PSK networks as the required information (PSK and other session data) is already locally available. -------------------------------------------------------------------------------- 1) it would be logical, that *UCI special option* `option ieee80211r '1'` actually enables a *default working* IEEE 802.11r from the start, with minimal sub-options defined 2) if we agree on this logic, it would be best that we start with a default value of 1 in `ft_psk_generate_local 1` if it's 0 (previous default), user anyway has to provide unique `r1_key_holder` `r0kh` and `r1kh` as they are not locally generated if per BSS, `ft_psk_generate_local 1` is the new default value left unchanged by user, previous default value of `r1_key_holder` is left unchanged by user and `r0kh` and `r1kh` are not provided by user, default configuration of `option ieee80211r '1'` is in a **non-working or kind of working** default state of IEEE 802.11r 3) then default values of these are not wanted/needed anymore (they can only break something): `r0_key_lifetime 1000` `r1_key_holder "00004f577274"` 4) also then, this value *wants* to be 0: `pmk_r1_push 0` 5) also then lastly, these *want* to be left empty: `r0kh` `r1kh` 4) `nasid` is mandatory for a working IEEE 802.11r, so a check here would be nice. nasid needs to be unique per BSS, so it can atleast be made from BSSID per BSS 5) `mobility_domain` is also mandatory for a working IEEE 802.11r, so a default value can be hashed, so it's identical per BSS and also unique if there are multi SSIDs per AP 6) `r1_key_holder` proper default value is BSSID per BSS - and upstream hostap assigns BSSID by default 7) sum of all mandatory options for a minimal working setup BEFORE this commit: `option ieee80211r 1` `option mobility_domain '<unique per BSS>'` `option nasid '<unique per AP, can be bssid>'` `option ft_psk_generate_local '1'` `cannot disable r0kh r1kh` <-- *thats why its a non-working or kind of working setup* 7) sum of all mandatory options for a minimal working setup AFTER this commit: `option ieee80211r 1` 8) ALL this does NOT break behaviour in our `option ieee80211r '1'`, it only disables mistakes and supercharges it Signed-off-by: Gospod Nassa devianca@gmail.com
set_default r0_key_lifetime 10000 | ||
set_default pmk_r1_push 0 | ||
|
||
[ -n "$r1_key_holder" ] && append bss_conf "r1_key_holder=$r1_key_holder" "$N" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this better without set_default r1_key_holder "${macaddr//\:}"
?
imo with set_default r1_key_holder "${macaddr//\:}"
was failproof.
With the remerge in progress, all PRs on the lede-project organisation will be closed. Please help getting this merged or rebase/post it on the openwrt project page (https://github.com/openwrt/openwrt/pulls). All remaining PRs will be closed in 30 days. |
@devianceluka Could you please re-open this pull request on the OpenWRT Github page? I think I speak for many that a simple 802.11r configuration would be a very welcome addition for OpenWRT. |
Use ft_psk_generate_local=1 by default, as it makes everything else fairly trivial. All of the r0kh/r1kh and key management stuff goes away and hostapd fairly much does it all for us. We do need to provide nas_identifier, which can be derived from the BSSID, and we need to generate a mobility_domain, for which we default to the first four chars of the md5sum of the SSID. The complex manual setup should also still work, but the defaults also now work easily out of the box. Verified by manually running hostapd (with the autogenerated config) and watching the debug output: wlan2: STA ac:37:43:a0:a6:ae WPA: FT authentication already completed - do not start 4-way handshake This was previous submitted to LEDE in #1382 [dwmw2: Rewrote commit message] Signed-off-by: Gospod Nassa <devianca@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Use ft_psk_generate_local=1 by default, as it makes everything else fairly trivial. All of the r0kh/r1kh and key management stuff goes away and hostapd fairly much does it all for us. We do need to provide nas_identifier, which can be derived from the BSSID, and we need to generate a mobility_domain, for which we default to the first four chars of the md5sum of the SSID. The complex manual setup should also still work, but the defaults also now work easily out of the box. Verified by manually running hostapd (with the autogenerated config) and watching the debug output: wlan2: STA ac:37:43:a0:a6:ae WPA: FT authentication already completed - do not start 4-way handshake This was previous submitted to LEDE in lede-project/source#1382 [dwmw2: Rewrote commit message] Signed-off-by: Gospod Nassa <devianca@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Use ft_psk_generate_local=1 by default, as it makes everything else fairly trivial. All of the r0kh/r1kh and key management stuff goes away and hostapd fairly much does it all for us. We do need to provide nas_identifier, which can be derived from the BSSID, and we need to generate a mobility_domain, for which we default to the first four chars of the md5sum of the SSID. The complex manual setup should also still work, but the defaults also now work easily out of the box. Verified by manually running hostapd (with the autogenerated config) and watching the debug output: wlan2: STA ac:37:43:a0:a6:ae WPA: FT authentication already completed - do not start 4-way handshake This was previous submitted to LEDE in lede-project/source#1382 [dwmw2: Rewrote commit message] Signed-off-by: Gospod Nassa <devianca@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org> (cherry picked from commit 3cc56a5)
Use ft_psk_generate_local=1 by default, as it makes everything else fairly trivial. All of the r0kh/r1kh and key management stuff goes away and hostapd fairly much does it all for us. We do need to provide nas_identifier, which can be derived from the BSSID, and we need to generate a mobility_domain, for which we default to the first four chars of the md5sum of the SSID. The complex manual setup should also still work, but the defaults also now work easily out of the box. Verified by manually running hostapd (with the autogenerated config) and watching the debug output: wlan2: STA ac:37:43:a0:a6:ae WPA: FT authentication already completed - do not start 4-way handshake This was previous submitted to LEDE in lede-project/source#1382 [dwmw2: Rewrote commit message] Signed-off-by: Gospod Nassa <devianca@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Use ft_psk_generate_local=1 by default, as it makes everything else fairly trivial. All of the r0kh/r1kh and key management stuff goes away and hostapd fairly much does it all for us. We do need to provide nas_identifier, which can be derived from the BSSID, and we need to generate a mobility_domain, for which we default to the first four chars of the md5sum of the SSID. The complex manual setup should also still work, but the defaults also now work easily out of the box. Verified by manually running hostapd (with the autogenerated config) and watching the debug output: wlan2: STA ac:37:43:a0:a6:ae WPA: FT authentication already completed - do not start 4-way handshake This was previous submitted to LEDE in lede-project/source#1382 [dwmw2: Rewrote commit message] Signed-off-by: Gospod Nassa <devianca@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org> (cherry picked from commit 3adf631)
for an absolute minimal working IEEE 802.11r,
option ieee80211r '1'
is all that is needed in LEDEeverything else is optional
IEEE 802.11r has many sub-options inside it's hostapd block of options
in LEDE, we have a UCI special option (option ieee80211r '1') that is not present in hostapd.conf and it enables these hostapd.conf sub-options
hostapd.conf sub-options' default values do not enable a working IEEE 802.11r configuration
ft_psk_generate_local 1
from man:it would be logical, that UCI special option
option ieee80211r '1'
actually enables a default working IEEE 802.11r from the start, with minimal sub-options definedif we agree on this logic, it would be best that we start with a default value of 1 in
ft_psk_generate_local 1
if it's 0 (previous default), user anyway has to provide unique
r1_key_holder
r0kh
andr1kh
as they are not locally generatedif per BSS,
ft_psk_generate_local 1
is the new default value left unchanged by user,previous default value of
r1_key_holder
is left unchanged by user andr0kh
andr1kh
are not provided by user, default configuration ofoption ieee80211r '1'
is in a non-working or kind of working default state of IEEE 802.11rthen default values of these are not wanted/needed anymore (they can only break something):
r0_key_lifetime 1000
r1_key_holder "00004f577274"
also then, this value wants to be 0:
pmk_r1_push 0
also then lastly, these want to be left empty:
r0kh
r1kh
nasid
is mandatory for a working IEEE 802.11r, so a check here would be nice.nasid needs to be unique per BSS, so it can atleast be made from BSSID per BSS
mobility_domain
is also mandatory for a working IEEE 802.11r, so a default value can be hashed, so it's identical per BSS and also unique if there are multi SSIDs per APr1_key_holder
proper default value is BSSID per BSSsum of all mandatory options for a minimal working setup BEFORE this commit:
option ieee80211r 1
option mobility_domain '<unique per BSS>'
option nasid '<unique per AP, can be bssid>'
option ft_psk_generate_local '1'
cannot disable r0kh r1kh
<-- thats why its a non-working or kind of working setupsum of all mandatory options for a minimal working setup AFTER this commit:
option ieee80211r 1
ALL this does NOT break behaviour in our
option ieee80211r '1'
, it only disables mistakes and supercharges itSigned-off-by: Gospod Nassa devianca@gmail.com