
[0/5] mka: Correct the interpretation of CP and PN exhaustion

Message ID cover.1566876816.git.Thomas.Winter@alliedtelesis.co.nz

Message

Thomas Winter Aug. 27, 2019, 3:55 a.m. UTC
Hostap has implemented an interpretation of the CP state
machine and PN exhaustion in IEEE 802.1X-2010 that is incorrect.
A proposed amendment describes this interpretation
and why it is wrong:
http://grouper.ieee.org/groups/802/1/files/public/docs2017/xck-seaman-mka-pn-exhaustion-0917-v1.pdf
This amendment was included in IEEE 802.1Xck-2018.

To abide by this, the RECEIVE and RETIRE states are
changed to match Figure 12-2. Then the correct PN needs
to be inspected to determine exhaustion. This could be
the "latest" or "old" key depending on where we are in
the CP state machine. As stated in the amendment, the
method implemented should maintain backwards compatibility.

This also includes a couple of other fixes:
* The ABANDON->RECEIVE state change was impossible.
* Key values are cleared out on CHANGE.

Thomas Winter (5):
  mka: Change RECEIVE and RETIRE states to standard
  mka: Don't set newSAK to FALSE on ABANDON
  mka: Clear out old/latest key values on CHANGE
  mka: Check OLPN for exhaustion on SAKuse encode
  mka: Check OLPN for exhaustion on SAKuse decode

 src/pae/ieee802_1x_cp.c  |  45 +++++---
 src/pae/ieee802_1x_kay.c | 227 ++++++++++++++++++++++-----------------
 2 files changed, 157 insertions(+), 115 deletions(-)
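The exhaustion check the two OLPN patches describe, as an added illustration that is not code from the hostap tree: while a rekey is in progress the CP state machine keeps transmitting on the old SAK until the latest SAK has been installed for transmit, so the PN that can run out is the old key's, and the check has to follow whichever key is the current transmit key instead of always looking at the latest one. The struct, function names, and the threshold value are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Threshold at which the key server should distribute a fresh SAK before
 * the 32-bit PN of the transmit SA wraps. The value is an assumption for
 * this example; a real implementation uses the project's own constant.
 */
#define PN_EXHAUSTION_THRESHOLD 0xC0000000u

/*
 * A member's MKA SAK-use report reduced to the fields this check needs.
 * ltx/otx: the member transmits on the latest/old SAK.
 * lpn/olpn: lowest acceptable PN advertised for the latest/old SAK.
 * Field names are chosen for this example and only loosely mirror the
 * parameter-set names (LTX, LRX, OTX, ORX, LPN, OLPN).
 */
struct sak_use {
	bool ltx, lrx, otx, orx;
	uint32_t lpn;
	uint32_t olpn;
};

enum pn_key { PN_KEY_NONE, PN_KEY_LATEST, PN_KEY_OLD };

/*
 * Select the PN that can actually be exhausted: the one belonging to the
 * SAK the member is transmitting on. Until the CP state machine has moved
 * transmission onto the latest SAK, traffic still flows on the old SAK, so
 * its OLPN is the value that matters.
 */
static enum pn_key tx_pn(const struct sak_use *u, uint32_t *pn)
{
	if (u->ltx) {
		*pn = u->lpn;
		return PN_KEY_LATEST;
	}
	if (u->otx) {
		*pn = u->olpn;
		return PN_KEY_OLD;
	}
	return PN_KEY_NONE;
}

/* True when the transmit PN has reached the threshold and a new SAK is due. */
bool pn_exhausted(const struct sak_use *u)
{
	uint32_t pn;

	if (tx_pn(u, &pn) == PN_KEY_NONE)
		return false;
	return pn >= PN_EXHAUSTION_THRESHOLD;
}

/*
 * A check that only ever inspects the latest SAK's PN. It cannot notice the
 * old SAK running out while the old SAK is still the transmit key.
 */
bool pn_exhausted_latest_only(const struct sak_use *u)
{
	return u->lpn >= PN_EXHAUSTION_THRESHOLD;
}

/* Scalar wrappers so the two checks can be compared on the same report. */
bool report_exhausted(bool ltx, bool otx, uint32_t lpn, uint32_t olpn)
{
	struct sak_use u = { .ltx = ltx, .lrx = true, .otx = otx, .orx = otx,
			     .lpn = lpn, .olpn = olpn };
	return pn_exhausted(&u);
}

bool report_exhausted_latest_only(bool ltx, bool otx, uint32_t lpn,
				  uint32_t olpn)
{
	struct sak_use u = { .ltx = ltx, .lrx = true, .otx = otx, .orx = otx,
			     .lpn = lpn, .olpn = olpn };
	return pn_exhausted_latest_only(&u);
}

int main(void)
{
	/*
	 * Constructed scenario: a rekey is in progress. The latest SAK is
	 * installed for receive only, transmission still uses the old SAK,
	 * and the old SAK's PN has crossed the threshold.
	 */
	struct sak_use mid_rekey = { .ltx = false, .lrx = true, .otx = true,
				     .orx = true, .lpn = 1, .olpn = 0xC0000005u };
	/* Constructed scenario: rekey complete, only the latest SAK in use. */
	struct sak_use settled = { .ltx = true, .lrx = true, .otx = false,
				   .orx = false, .lpn = 42, .olpn = 0 };

	printf("mid-rekey: tx-key check=%d latest-only check=%d\n",
	       pn_exhausted(&mid_rekey), pn_exhausted_latest_only(&mid_rekey));
	printf("settled:   tx-key check=%d latest-only check=%d\n",
	       pn_exhausted(&settled), pn_exhausted_latest_only(&settled));
	return 0;
}
```

The same selection applies on both sides of the exchange: on encode the key server reports the PN of its own transmit SA, and on decode it inspects the PN of whichever SAK the peer says it is transmitting on, which is what lets the check stay compatible with peers that only ever advertise the latest key.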

Comments

Jouni Malinen Sept. 18, 2019, 9:41 p.m. UTC | #1
On Tue, Aug 27, 2019 at 03:55:33PM +1200, Thomas Winter wrote:
> Hostap has implemented an interpretation of the CP state
> machine and PN exhaustion in IEEE 802.1X-2010 that is incorrect.
> A proposed amendment describes this interpretation
> and why it is wrong:
> http://grouper.ieee.org/groups/802/1/files/public/docs2017/xck-seaman-mka-pn-exhaustion-0917-v1.pdf
> This amendment was included in IEEE 802.1Xck-2018.
> 
> To abide by this, the RECEIVE and RETIRE states are
> changed to match Figure 12-2. Then the correct PN needs
> to be inspected to determine exhaustion. This could be
> the "latest" or "old" key depending on where we are in
> the CP state machine. As stated in the amendment, the
> method implemented should maintain backwards compatibility.
> 
> This also includes a couple of other fixes:
> * The ABANDON->RECEIVE state change was impossible.
> * Key values are cleared out on CHANGE.
> 
> Thomas Winter (5):
>   mka: Change RECEIVE and RETIRE states to standard
>   mka: Don't set newSAK to FALSE on ABANDON
>   mka: Clear out old/latest key values on CHANGE
>   mka: Check OLPN for exhaustion on SAKuse encode
>   mka: Check OLPN for exhaustion on SAKuse decode

Thanks, applied with some cleanup.
Thomas Winter Oct. 31, 2019, 5:14 a.m. UTC | #2
> On Tue, Aug 27, 2019 at 03:55:33PM +1200, Thomas Winter wrote:
> > Hostap has implemented an interpretation of the CP state
> > machine and PN exhaustion in IEEE 802.1X-2010 that is incorrect.
> > A proposed amendment describes this interpretation
> > and why it is wrong:
> > http://grouper.ieee.org/groups/802/1/files/public/docs2017/xck-seaman-mka-pn-exhaustion-0917-v1.pdf
> > This amendment was included in IEEE 802.1Xck-2018.
> >
> > To abide by this, the RECEIVE and RETIRE states are
> > changed to match Figure 12-2. Then the correct PN needs
> > to be inspected to determine exhaustion. This could be
> > the "latest" or "old" key depending on where we are in
> > the CP state machine. As stated in the amendment, the
> > method implemented should maintain backwards compatibility.
> >
> > This also includes a couple of other fixes:
> > * The ABANDON->RECEIVE state change was impossible.
> > * Key values are cleared out on CHANGE.
> >
> > Thomas Winter (5):
> >   mka: Change RECEIVE and RETIRE states to standard
> >   mka: Don't set newSAK to FALSE on ABANDON
> >   mka: Clear out old/latest key values on CHANGE
> >   mka: Check OLPN for exhaustion on SAKuse encode
> >   mka: Check OLPN for exhaustion on SAKuse decode
> 
> Thanks, applied with some cleanup.
> 
> --
> Jouni Malinen                                            PGP id EFC895FA

Hello Jouni,

Can the following commits please be reverted?

0fedfba2e20 ("mka: Change RECEIVE and RETIRE states to match the standard")
84851007d9 ("mka: Check OLPN for exhaustion on SAKuse encode")

These ended up breaking compatibility with CISCO.

Regards,
Thomas
Thomas Winter Aug. 10, 2021, 10:28 p.m. UTC | #3
Hello Jouni,

I requested 2 patches to be reverted but it didn't get done.

Adhering to the MKA standard more closely resulted in breaking compatibility with a Cisco switch we tried to interop with. That Cisco switch had numerous deviations from the MKA standard and/or bugs, which were part of the problem.

Regards,
Thomas