From 0e05e8781aac6d7ac588188f4116e118288992eb Mon Sep 17 00:00:00 2001
From: Alexander Wetzel
Date: Sun, 23 Feb 2020 22:15:52 +0100
Subject: [PATCH] Simplify wpa_deny_ptk0_rekey documentation
Signed-off-by: Alexander Wetzel
---
 hostapd/hostapd.conf | 22 ++++------------------
 wpa_supplicant/wpa_supplicant.conf | 24 +++++------------------
 2 files changed, 9 insertions(+), 37 deletions(-)
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 0f8461d49..bc5d1a7f6 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1618,24 +1618,10 @@ own_ip_addr=127.0.0.1
 
 # Workaround for PTK rekey issues
 #
-# Rekeying the PTK without using "Extended Key ID for Individually Addressed
-# Frames" (two different Key ID values for pairwise keys) can, depending on the
-# used cards/drivers, impact the security and stability of connections. Both
-# ends can accidentally trick one end to drop all packets send by it until the
-# connection is torn down or rekeyed again. Additionally, some drivers may
-# skip/break the encryption for the time window the key is updated (normally a
-# few milliseconds).
-#
-# To avoid such issues, hostapd can now replace all PTK rekeys using only keyid
-# 0 (PTK0 rekeys) with disconnection that forces the remote stations to
-# reconnect instead.
-#
-# EAP reauthentication depends on replacing the PTK and is therefore just
-# another way to rekey the PTK and is affected by this parameter, too.
-#
-# "Extended Key ID for Individually Addressed Frames" is avoiding the issues
-# using two separate keys and this parameter will be ignored when using it
-# (i.e., PTK rekeying is allowed regardless of this parameter value).
+# PTK0 rekeys (rekeying the PTK without "Extended Key ID for Individually
+# Addressed Frames") can degrade the security and stability with some cards.
+# To avoid such issues hostapd can replace those PTK rekeys (including EAP
+# reauthentications) with disconnects.
 #
 # Available options:
 # 0 = always rekey when configured/instructed (default)
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 15121c386..f3a750e3c 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1101,25 +1101,11 @@ fast_reauth=1
 # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
 # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
 #
-# wpa_deny_ptk0_rekey: Control PTK0 rekeying
-#
-# Rekeying the PTK without using "Extended Key ID for Individually Addressed
-# Frames" (two different Key ID values for pairwise keys) can, depending on the
-# used cards/drivers, impact the security and stability of connections. Both
-# ends can accidentally trick one end to drop all packets send by it until the
-# connection is torn down or rekeyed again. Additionally, some drivers may
-# skip/break the encryption for the time window the key is updated (normally a
-# few milliseconds).
-#
-# To avoid such issues, wpa_supplicant can now replace all PTK rekeys using only
-# keyid 0 (PTK0 rekeys) with fast reconnects.
-#
-# EAP reauthentication depends on replacing the PTK and is therefore just
-# another way to rekey the PTK and is affected by the parameter, too.
-#
-# "Extended Key ID for Individually Addressed Frames" is avoiding the issues
-# using two separate keys and this parameter will be ignored when using it
-# (i.e., PTK rekeying is allowed regardless of this parameter value).
+# wpa_deny_ptk0_rekey: Workaround for PTK rekey issues
+# PTK0 rekeys (using only one Key ID value for pairwise keys) can degrade the
+# security and stability with some cards.
+# To avoid the issues wpa_supplicant can replace those PTK rekeys (including
+# EAP reauthentications) with fast reconnects.
 #
 # Available options:
 # 0 = always rekey when configured/instructed (default)