Simplify wpa_deny_ptk0_rekey documentation

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Alexander Wetzel 2020-02-23 22:15:52 +01:00 committed by Jouni Malinen
parent a5944db04a
commit 0e05e8781a
2 changed files with 9 additions and 37 deletions


@ -1618,24 +1618,10 @@ own_ip_addr=127.0.0.1
# Workaround for PTK rekey issues # Workaround for PTK rekey issues
# #
# Rekeying the PTK without using "Extended Key ID for Individually Addressed # PTK0 rekeys (rekeying the PTK without "Extended Key ID for Individually
# Frames" (two different Key ID values for pairwise keys) can, depending on the # Addressed Frames") can degrade the security and stability with some cards.
# used cards/drivers, impact the security and stability of connections. Both # To avoid such issues hostapd can replace those PTK rekeys (including EAP
# ends can accidentally trick one end to drop all packets send by it until the # reauthentications) with disconnects.
# connection is torn down or rekeyed again. Additionally, some drivers may
# skip/break the encryption for the time window the key is updated (normally a
# few milliseconds).
#
# To avoid such issues, hostapd can now replace all PTK rekeys using only keyid
# 0 (PTK0 rekeys) with disconnection that forces the remote stations to
# reconnect instead.
#
# EAP reauthentication depends on replacing the PTK and is therefore just
# another way to rekey the PTK and is affected by this parameter, too.
#
# "Extended Key ID for Individually Addressed Frames" is avoiding the issues
# using two separate keys and this parameter will be ignored when using it
# (i.e., PTK rekeying is allowed regardless of this parameter value).
# #
# Available options: # Available options:
# 0 = always rekey when configured/instructed (default) # 0 = always rekey when configured/instructed (default)
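Review bot: The shortened hostapd text drops the statement that this parameter is ignored when "Extended Key ID for Individually Addressed Frames" is in use "(i.e., PTK rekeying is allowed regardless of this parameter value)". The new wording defines PTK0 rekeys as rekeying without Extended Key ID, but it never says that setting the option has no effect once Extended Key ID is negotiated. An operator reading only the new comment could expect disconnects that will not happen. Suggest keeping one line to that effect after "with disconnects."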


@ -1101,25 +1101,11 @@ fast_reauth=1
# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
# #
# wpa_deny_ptk0_rekey: Control PTK0 rekeying # wpa_deny_ptk0_rekey: Workaround for PTK rekey issues
# # PTK0 rekeys (using only one Key ID value for pairwise keys) can degrade the
# Rekeying the PTK without using "Extended Key ID for Individually Addressed # security and stability with some cards.
# Frames" (two different Key ID values for pairwise keys) can, depending on the # To avoid the issues wpa_supplicant can replace those PTK rekeys (including
# used cards/drivers, impact the security and stability of connections. Both # EAP reauthentications) with fast reconnects.
# ends can accidentally trick one end to drop all packets send by it until the
# connection is torn down or rekeyed again. Additionally, some drivers may
# skip/break the encryption for the time window the key is updated (normally a
# few milliseconds).
#
# To avoid such issues, wpa_supplicant can now replace all PTK rekeys using only
# keyid 0 (PTK0 rekeys) with fast reconnects.
#
# EAP reauthentication depends on replacing the PTK and is therefore just
# another way to rekey the PTK and is affected by the parameter, too.
#
# "Extended Key ID for Individually Addressed Frames" is avoiding the issues
# using two separate keys and this parameter will be ignored when using it
# (i.e., PTK rekeying is allowed regardless of this parameter value).
# #
# Available options: # Available options:
# 0 = always rekey when configured/instructed (default) # 0 = always rekey when configured/instructed (default)
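Review bot: The replacement sentence "can degrade the security and stability with some cards" loses the concrete risk that the removed lines spelled out, namely that some drivers "may skip/break the encryption for the time window the key is updated" and that one end can be made to drop all packets until the connection is torn down or rekeyed. That detail is what lets a user decide whether the default of 0 is acceptable for their hardware, so a short clause naming the encryption gap is worth keeping. The parenthetical here ("using only one Key ID value for pairwise keys") also defines PTK0 rekeys differently from the hostapd hunk ("rekeying the PTK without Extended Key ID ..."); using the same definition in both files would avoid readers treating them as two different conditions.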