d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[net80211] Use the unicast key when transmitting DWDS AP multicast frames.

Browse Source 
I'm still not sure whether this is the full solution, but here goes.

I have a two node DWDS setup - a main AP with the ethernet bridge uplink
and a satellite AP in the back of the house. They're both AR9344+AR9580
dual band 11n APs.

The problem was that multicast frames was not going from the DWDS AP to
the DWDS STA. Unicast frames are fine, and multicast frames from the
DWDS STA to AP are fine.

Now, multicast and unicast frames from the STA -> AP are just transmitted
using the unicast key.  That's fine.  However, the AP -> STA multicast
frames by default are transmitted using the current default / multicast
key, the shared one between all STAs in a BSS.  Now, the DWDS implementation
ignores non WDS frames - it only allows about 4 address frames outside
of management / EAPOL frames! - so the STA side ignores the normal multicast
frames.

Instead, the AP side uses ieee80211_dwds_mcast() to send multicast frames
to each WDS VAP that was created as part of the "dynamic" part of DWDS.
This should be queuing them individually to each node instead of using
the normal multicast send path; and this is how they should get turned into
4-addr WDS frames.

HOWEVER, ieee80211_encap() was trying to use the default TX key to queue
them rather than the unicast key that's already setup.  Since this synthetic
node doesn't have the default TX key setup, transmission fails.  Things
would be fine in WEP and in open mode because in both cases you would
have static keys (or no keys) setup.  It just fails in WPA mode.

This resolves the issue.  AP DWDS multicast is now sent using the unicast
key just like in STA mode and I'm pretty sure the STA mode side will stil
work fine (as it's a STA VAP with a DWDS flag..)

Tested:

* TL-WDR3600/4300 APs
This commit is contained in:
Adrian Chadd 2020-05-08 17:01:33 +00:00
parent f721fcbccb
commit 2172664c4b
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=360819
1 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
sys/net80211/ieee80211_output.c
View File

@ -1471,10 +1471,27 @@ ieee80211_encap(struct ieee80211vap *vap, struct ieee80211_node *ni,
if (vap->iv_opmode == IEEE80211_M_STA ||
!IEEE80211_IS_MULTICAST(eh.ether_dhost) ||
(vap->iv_opmode == IEEE80211_M_WDS &&
(vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY)))
(vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY))) {
key = ieee80211_crypto_getucastkey(vap, ni);
else
} else if ((vap->iv_opmode == IEEE80211_M_WDS) &&
(! (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY))) {
/*
* Use ucastkey for DWDS transmit nodes, multicast
* or otherwise.
*
* This is required to ensure that multicast frames
* from a DWDS AP to a DWDS STA is encrypted with
* a key that can actually work.
*
* There's no default key for multicast traffic
* on a DWDS WDS VAP node (note NOT the DWDS enabled
* AP VAP, the dynamically created per-STA WDS node)
* so encap fails and transmit fails.
*/
key = ieee80211_crypto_getucastkey(vap, ni);
} else {
key = ieee80211_crypto_getmcastkey(vap, ni);
}
if (key == NULL && (m->m_flags & M_EAPOL) == 0) {
IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO,
eh.ether_dhost,