I'm confused about the question of whether one AP (one
ssid) can have several bcast keys for its different
How does madwifi realize it? One bcast key should
match one ssid? And one ssid should match one VAP?
1. I find the function "wpa_gmk_to_gtk", its
are gmk,wpa->auth_addr, gnonce, gtk, gtk len.
GMK was generated by the function "os_get_random".
And the 802.11i(Part 11: Wireless LAN Medium Access
Control (MAC) and Physical Layer (PHY) specifications)
The GTK shall be derived from the GMK by
GTK ← PRF-X(GMK, "Group key expansion" || AA ||
TKIP uses X = 256, CCMP uses X = 128 and WEP uses
X = 40 or X = 104. AA is represented as an IEEE 802
address and GNonce as a bit string as defined in
So I think both the function "wpa_gmk_to_gtk" and IEEE
802.11i declare that the GTK is the only one of
Does that mean when I have only ONE AP or VAP with
just ONE bssid, I can only create ONE group key (GTK)
for only ONE broadcast domain??
2. My imagination is as follows:
    AP (only ONE VAP)
     /  |  \
    A   B   C
That is: A and B are in vlan1 (or bcast domain1), C is in
vlan2 (bcast domain2). Can the AP (with only ONE ssid)
encrypt these different bcast domains with different
If I create two VAPs belonging to different bcast domains
(different bcast keys for encryption), when A
from bcast domain1 to bcast domain2, it has to
deassociate from VAP1 and associate to VAP2. It is
some burden for sta A.
While if one AP or VAP can create two different bcast
domain with different bcast keys, and these keys can
generated from different vlan IDs, sta A transfer from
bcast domain1(vlan1) to bcast domain2(vlan2) (for
example, some authenticator asks the AP to switch sta A
from vlan1 to vlan2, and gives A more rights), then the AP
tagged the messages from sta A (or A's MAC address)
vlan2 ID. Because the bcast key2 was generated by
ID, the AP updates sta A's group key, and then sta A can
leave from bcast domain1 to bcast domain2. In all of
this process, sta A will do nothing to transfer vlans.
Has madwifi realized this function?
What does the function "ap_sta_bind_vlan" do with its
parameter "vlan_id"? I found it does nothing after getting
"ifname" from "vlan_id" in function "madwifi_set_key"?
3. So do I have to create several Virtual APs, and
each VAP should match only one broadcast domain, if 2
And when a station needs to switch vlans, it has to
deassociate from one VAP and associate to another VAP.
Thanks in advance!
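
The GTK derivation quoted in the post, written out as an added example that is not part of the original message and is not madwifi or hostapd code. It assumes GNonce is the final PRF input (taken from the wpa_gmk_to_gtk parameter list given in the post) and uses the HMAC-SHA1 construction of the 802.11i PRF; `per_group_gtks` and all sample values are hypothetical.

```python
import hashlib
import hmac

LABEL = b"Group key expansion"
# X in bits per cipher, as quoted from 802.11i in the post.
GTK_BITS = {"TKIP": 256, "CCMP": 128, "WEP-40": 40, "WEP-104": 104}


def prf(key, label, data, bits):
    """802.11i PRF-X: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and keep the first X bits."""
    out = b""
    i = 0
    while len(out) * 8 < bits:
        msg = label + b"\x00" + data + bytes([i])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        i += 1
    return out[: bits // 8]


def gmk_to_gtk(gmk, aa, gnonce, cipher):
    """GTK = PRF-X(GMK, "Group key expansion", AA || GNonce)."""
    if len(aa) != 6:
        raise ValueError("AA must be a 6-byte IEEE 802 address")
    return prf(gmk, LABEL, aa + gnonce, GTK_BITS[cipher])


def per_group_gtks(gmk, aa, gnonces, cipher):
    """Hypothetical helper: one GTK per broadcast domain, each domain
    holding its own GNonce while sharing AA (one BSSID) and GMK."""
    return {vlan: gmk_to_gtk(gmk, aa, n, cipher) for vlan, n in gnonces.items()}


# Constructed sample values, not taken from any real network.
AA = bytes.fromhex("020000000001")
GMK = bytes(range(32))
GNONCES = {1: b"\x01" * 32, 2: b"\x02" * 32}

if __name__ == "__main__":
    for vlan, gtk in per_group_gtks(GMK, AA, GNONCES, "CCMP").items():
        print(f"vlan {vlan}: GTK = {gtk.hex()}")
```

The derivation takes no VLAN identifier as input, so two groups under one AA receive distinct GTKs only when their GMK or GNonce differs.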