Thread: [Madwifi-devel] Can I set two GTK (with the same bssid) on the ath5k?
From: 王 <wan...@ya...> - 2008-09-24 09:23:35
Hi, all,

I am confused about whether two GTKs (same BSSID) can be set on the ath5k.

1. I deployed madwifi and hostapd on a TP-LINK WN650G, which has an AR5212 chipset in it, according to madwifi's docs.
2. I want to create two VLANs encrypted by different GTKs for security, and the two VLANs are in the same BSSID or same VAP.
3. The function "ath_keyset" calls "ath_hal_keyset" and "ah->ah_setKeyCacheEntry" to set keys. Its parameters are:

    struct ath_hal *ah
    u_int16_t a1            ATH_KEY(k->wk_keyix)
    const HAL_KEYVAL *a2    &hk
    const u_int8_t *a3      mac
    int a4                  AH_FALSE

The MOST important question for me is: do keys match with the destination MAC in the chipset? For example:

    sta1 MAC            PTK1
    sta2 MAC            PTK2
    33:33:00:00:00:01   GTK1

If there are two VLANs multicasting their IPv6 RAs (mcast MAC 33:33:00:00:00:01), both RAs will use the SAME GTK1 for encryption, because the entry in the chipset's table is:

    33:33:00:00:00:01   GTK1

and not entries like the following:

    33:33:00:00:00:01   vlan_id1   GTK1
    33:33:00:00:00:01   vlan_id2   GTK2

So the sta that has GTK1 will decrypt both RAs from the two VLANs, and it will bind two IPv6 addresses. The sta that doesn't have GTK1 (some stas may be in vlan2 and have installed GTK2) will never decrypt either RA.

Would someone kindly tell me how the KEY-TABLE is managed? And would you tell me what "ATH_KEY(k->wk_keyix)" and "AH_FALSE" mean in detail? What does the key index mean? Why not "AH_TRUE"?

Thanks in advance!

WangYue

___________________________________________________________
Yahoo Mail, your lifelong mailbox! http://cn.mail.yahoo.com/
From: Michael R. <mre...@ma...> - 2008-09-24 11:08:35
Hi.

> I am confused if 2 GTK(same bssid) can be set on the
> ath5k?

ath5k-related questions should be asked on the ath5k-devel mailing list [1]. This one is for MadWifi.

Bye, Mike

[1] https://lists.ath5k.org/mailman/listinfo/ath5k-devel
From: 王 <wan...@ya...> - 2008-09-25 00:53:54
Thanks for your guidance.

The chipset of my WLAN NIC is in ath5k, but I have deployed madwifi (with HAL binaries, not the ath5k open source) in my system. The functions "ath_keyset", "ath_hal_keyset" and "ah->ah_setKeyCacheEntry" are really madwifi's source. So I want to know how madwifi organizes the KEY-TABLE for GTKs. Is it like this?

    destMAC                         KEY
    unicast MAC                     PTK
    bcast MAC (ff:ff:ff:ff:ff:ff)   GTK1
    mcast MAC (33:33:00:00:00:01)   GTK2

In my imagination, if there are two bcast domains with one BSSID, I cannot maintain different bcast keys to encrypt the different bcast domains in this table. So a sta can decrypt both bcast domains' messages if the key in the AP's KEY TABLE is the key the sta has, or can decrypt neither message (if the sta has another GTK).

    VLAN1        VLAN2
        \        /
         \      /
    GTK1  \    /  GTK2
           AP
           /\
          /  \
         /    \
      staA    staB

The AP will encrypt both VLANs' messages with GTK1, so staA (which has GTK1) will decrypt every message, not only from vlan1 but also from vlan2, while staB (using GTK2) cannot decrypt anything.

So the question is: the AP cannot manage different GTKs based on different VLANs, if the KEY TABLE is like that. Or can I change the TABLE like this?

    MAC     Vlan id   GTK
    XXXX    XXXX      XXXXX

Maybe one solution now is to create 2 VAPs (2 BSSIDs), with ONE VAP matching ONE VLAN, or ONE bcast KEY. Then it can encrypt different messages with different KEYs. But when a sta wants to change its VLAN to get different rights, it has to disassociate from one VAP and associate to another VAP. It is not a good idea in my wireless system, because a sta can somewhat select its AP for association. It will be dangerous. I hope to do this switch in the AP, not in the sta.

So would you tell me if the KEY TABLE can be managed like destMAC----vlan----KEY?

Thank you!

WangYue

--- Michael Renzmann <mre...@ma...> wrote:

> Hi.
>
> > I am confused if 2 GTK(same bssid) can be set on the
> > ath5k?
>
> ath5k-related questions should be asked on the ath5k-devel mailing list
> [1]. This one is for MadWifi.
>
> Bye, Mike
>
> [1] https://lists.ath5k.org/mailman/listinfo/ath5k-devel
From: 王 <wan...@ya...> - 2008-09-25 03:37:06
Hi, all,

In madwifi's source, file "ath/if_ath.c", function "ath_keyset", there is a piece of code like this:

    if ((k->wk_flags & IEEE80211_KEY_GROUP) && sc->sc_mcastkey) {
        /*
         * Group keys on hardware that supports multicast frame
         * key search use a mac that is the sender's address with
         * the high bit set instead of the app-specified address.
         */
        IEEE80211_ADDR_COPY(gmac, bss->ni_macaddr);
        gmac[0] |= 0x80;
        mac = gmac;
    } else
        mac = mac0;

What does this mean? Why use the sender's address instead of the mcast/bcast MAC? Why change the high bit of the sender's address? Does it mean that when a mcast/bcast message is sent, it will be encrypted by the GTK which matches the sender's address? Or that ONE sender can only use ONE GTK for encryption? If I want to use different GTKs for different bcast domains, what can I do? Maybe I can save 2 different GTKs in hardware, but how can it decide which one to use for the right bcast domain?

Thanks in advance!

WangYue

--- 王 <wan...@ya...> wrote:

> Thanks for your guidance.
> The chipset of my WLAN NIC is in ath5k, but I have deployed madwifi (with HAL binaries, not the ath5k open source) in my system.
>
> The functions "ath_keyset", "ath_hal_keyset" and "ah->ah_setKeyCacheEntry" are really madwifi's source. So I want to know how madwifi organizes the KEY-TABLE for GTKs.
>
> Is it like this?
>     destMAC                         KEY
>     unicast MAC                     PTK
>     bcast MAC (ff:ff:ff:ff:ff:ff)   GTK1
>     mcast MAC (33:33:00:00:00:01)   GTK2
>
> In my imagination, if there are two bcast domains with one BSSID, I cannot maintain different bcast keys to encrypt the different bcast domains in this table.
>
> So a sta can decrypt both bcast domains' messages if the key in the AP's KEY TABLE is the key the sta has, or can decrypt neither message (if the sta has another GTK).
>
>     VLAN1        VLAN2
>         \        /
>          \      /
>     GTK1  \    /  GTK2
>            AP
>            /\
>           /  \
>          /    \
>       staA    staB
>
> The AP will encrypt both VLANs' messages with GTK1, so staA (which has GTK1) will decrypt every message, not only from vlan1 but also from vlan2.
> While staB (using GTK2) cannot decrypt anything.
>
> So the question is:
> the AP cannot manage different GTKs based on different VLANs, if the KEY TABLE is like that.
> Or can I change the TABLE like this?
>     MAC     Vlan id   GTK
>     XXXX    XXXX      XXXXX
>
> Maybe one solution now is to create 2 VAPs (2 BSSIDs), with ONE VAP matching ONE VLAN, or ONE bcast KEY. Then it can encrypt different messages with different KEYs. But when a sta wants to change its VLAN to get different rights, it has to disassociate from one VAP and associate to another VAP.
> It is not a good idea in my wireless system, because a sta can somewhat select its AP for association. It will be dangerous.
> I hope to do this switch in the AP, not in the sta.
>
> So would you tell me if the KEY TABLE can be managed like destMAC----vlan----KEY?
>
> Thank you!
>
> WangYue
>
> --- Michael Renzmann <mre...@ma...> wrote:
>
> > Hi.
> >
> > > I am confused if 2 GTK(same bssid) can be set on the
> > > ath5k?
> >
> > ath5k-related questions should be asked on the ath5k-devel mailing list
> > [1]. This one is for MadWifi.
> >
> > Bye, Mike
> >
> > [1] https://lists.ath5k.org/mailman/listinfo/ath5k-devel
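As an added illustration (constructed for this thread, not madwifi or HAL code) of what the quoted if_ath.c comment describes, this C model installs group keys under the "sender's address with the high bit set" search MAC and shows that two GTKs behind one BSSID contend for the same key-cache slot, whereas one BSSID per VLAN keeps them apart. It assumes a simplified one-slot-per-search-MAC key cache; the slot layout, cache size and addresses are invented for the example.

```c
#include <stdint.h>
#include <string.h>
#define ETH_ALEN 6
#define KEY_CACHE_SIZE 8
#define KEY_LEN 16
/* Constructed model of one key-cache slot: search MAC plus key material. */
struct key_slot { int in_use; uint8_t mac[ETH_ALEN]; uint8_t key[KEY_LEN]; };
static struct key_slot key_cache[KEY_CACHE_SIZE];

/* Mirrors the if_ath.c logic quoted above: a group key is installed under the
 * sender's (BSS) address with the high bit of the first octet set, not under
 * the multicast/broadcast destination address. */
void group_search_mac(const uint8_t *bssid, uint8_t *gmac) {
    memcpy(gmac, bssid, ETH_ALEN);
    gmac[0] |= 0x80;
}

/* Install key material under a search MAC. Assumption of this model: one slot
 * per search MAC, so a second key for the same MAC overwrites the first.
 * Slots are filled contiguously. Returns the slot index, or -1 if full. */
int cache_set(const uint8_t *mac, const uint8_t *key) {
    int i;
    for (i = 0; i < KEY_CACHE_SIZE && key_cache[i].in_use; i++)
        if (memcmp(key_cache[i].mac, mac, ETH_ALEN) == 0) break; /* reuse slot */
    if (i == KEY_CACHE_SIZE) return -1;
    key_cache[i].in_use = 1;
    memcpy(key_cache[i].mac, mac, ETH_ALEN);
    memcpy(key_cache[i].key, key, KEY_LEN);
    return i;
}

/* Install a GTK for a BSS, deriving the search MAC as the quoted code does. */
int install_gtk(const uint8_t *bssid, const uint8_t *gtk) {
    uint8_t gmac[ETH_ALEN];
    group_search_mac(bssid, gmac);
    return cache_set(gmac, gtk);
}

/* Constructed scenario: GTK1 and GTK2 behind one BSSID (separate_vaps == 0) or
 * behind two BSSIDs (separate_vaps != 0). Returns 1 if both GTKs landed in the
 * same slot, i.e. the second VLAN's key replaced the first VLAN's key. */
int gtk_slots_collide(int separate_vaps) {
    static const uint8_t bss1[ETH_ALEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    static const uint8_t bss2[ETH_ALEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x66};
    uint8_t gtk1[KEY_LEN], gtk2[KEY_LEN];
    memset(gtk1, 0x11, KEY_LEN); memset(gtk2, 0x22, KEY_LEN);
    memset(key_cache, 0, sizeof key_cache);
    int slot1 = install_gtk(bss1, gtk1);
    int slot2 = install_gtk(separate_vaps ? bss2 : bss1, gtk2);
    return slot1 == slot2;
}
```

With one BSSID the second install_gtk call reuses slot 0 and GTK1 is gone, which is the single-GTK-per-sender behaviour the question worries about; with two BSSIDs the keys occupy separate slots.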