o11s / open80211s


Having Pairwise password between Mesh stations in an MBSS #64

Open sritam2 opened 7 years ago

sritam2 commented 7 years ago

Dear All,

Is it possible to have a pairwise password between mesh stations in an MBSS? Presently, I am using the same shared password among all nodes of the mesh, configured in wpa_supplicant.conf.

Is it possible to define a pairwise password for each secured link that a mesh station forms? So, if a station has links to 3 different stations which are one hop away from this station, is it possible that the mesh station authenticates the 3 different stations (one hop away) using 3 different password pairs (one for each station)?

According to IEEE 802.11-2012, it should be possible. If yes, then how do I implement it using wpa_supplicant? Should there be multiple entries for the "psk" field in the wpa_supplicant.conf file?

jcard0na commented 7 years ago

Hi Sritam,

I believe the standard mentions pairwise keys, not passwords. All nodes in a mesh share the same password, from which a separate key is derived for each peer link.

Cheers,

Javier


sritam2 commented 7 years ago

Hi Javier,

Thank you so much for your valuable feedback. I am attaching the document for reference: IEEE_802_11_2012_StandardSpecification.pdf (https://github.com/o11s/open80211s/files/1128154/IEEE_802_11_2012_StandardSpecification.pdf)

I again referred to the IEEE 802.11-2012 specification. It specifies that the password required to authenticate in SAE can be pairwise for each pair of mesh stations in an MBSS.

It is mentioned in section 11.5.11 (RSNA authentication in an MBSS) of the document. I am attaching the document for your reference. I have marked the paragraph in red to highlight it.

Has this functionality (pairwise password) been implemented by wpa_supplicant? If yes, then how should I change the wpa_supplicant.conf file to have a pairwise password for each mesh peer link in the MBSS?

Presently my wpa_supplicant file looks like this:

    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=adm

    # mpm on userspace
    user_mpm=1

    # open mesh network
    network={
        ssid="mymesh"      # Replace $MESH_ID for your mesh ID, use same for all peers
        mode=5             # Mode 5, is MESH (open80211s) for wpa_supplicant
        frequency=2437     # Use the same frequency for all peers
        key_mgmt=SAE
        psk="thisisreallysecret"
    }

Is there any way to implement 802.1X/EAP authentication for 802.11s mesh networks? I have been asked to implement it, but I am facing difficulty. If you have any online resource material or document which will help me in implementing 802.1X/EAP authentication for 802.11s mesh networks, then please refer me to it. Please help me with your valuable advice.

Looking forward to your valuable advice.

Thanks and Regards, Sritam Paltasingh.

jcard0na commented 7 years ago

Hi Sritam,

Ah, nice, I just learned something. The section you refer to is very clear. I don't think the current implementation in wpa_supplicant supports that, but I have not looked at it in a while.

Cheers,

Javier


sritam2 commented 7 years ago

Hi Javier,

Thank you for your valuable feedback.

Is there any way to implement 802.1X/EAP authentication for 802.11s mesh networks? I have been asked to implement it, but I am facing difficulty. If you have any online resource material or document which will help me in implementing 802.1X/EAP authentication for 802.11s mesh networks, then please refer me to it.

Please help me with your valuable advice.

Looking forward to your valuable advice.

Thanks and Regards, Sritam Paltasingh.

jcard0na commented 7 years ago

Hi Sritam,

Implementing 802.1X for mesh can be a fun task. I don't think anyone has done this, so this is your chance to fame :)

Compared to SAE, probably the hardest part is dealing with the role asymmetry: one of the peers in the exchange must have access to an AAA server (let's call that peer peer_a, or authenticator). And this needs to be known before initiating the peering. The other peer would play the role of a supplicant, so I'll call it peer_s.

In essence, it involves the following steps:

  1. When a new peer candidate is detected, asking for a secure mesh link, but without PMK nor SAE capability, you would need to establish an initial peering via the Mesh Peering Management (MPM) protocol.

  2. At that point, only EAPOL frames should be allowed over that link, so that peer_s can request 802.1X authentication, through the mesh (peer_a), to the AAA server.

  3. Once 802.1X is completed and a Master Session Key is obtained, it is used as input to the Authenticated Mesh Peering Exchange (AMPE), instead of the MPMK used in SAE. But the AMPE itself is identical in both scenarios.

The diagram below (lifted from the standard) outlines this flow.

[image: Inline image 2]

In terms of implementation, you will probably have to modify the MPM implementation in the kernel, but most of the work should be in userspace. It might be easier to develop first in authsae https://github.com/cozybit/authsae as it is much smaller and easier to modify than wpa_supplicant.

Good luck!

Javier

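As an added example (not code from open80211s, wpa_supplicant, authsae or either participant in this thread), the model below ties together two points made above: Javier's first reply, that one shared credential still yields a separate key per peer link, and the three-step 802.1X outline in his last reply. It models one mesh peer link as a controlled port that passes only EAPOL frames after MPM peering (step 2) until the 802.1X MSK has been fed into AMPE (step 3), and then derives a link key bound to both MAC addresses and both nonces. The KDF label and encoding, the name `kdf_hash_256`, and the `MeshPeerLink` class are assumptions written for this example in the general shape of the standard's KDF, not the exact AMPE derivation; the sample MACs, nonces and MSK are constructed, and the same MSK is reused on two links only to show that the per-link binding alone makes the keys differ.

```python
import hashlib
import hmac
from enum import Enum, auto

ETHERTYPE_EAPOL = 0x888E  # 802.1X EAPOL frames (the only traffic allowed pre-auth)
ETHERTYPE_IPV4 = 0x0800   # stand-in for "any other" traffic


class LinkState(Enum):
    IDLE = auto()           # no peering yet
    MPM_OPEN = auto()       # step 1: MPM peering up, peer not yet authenticated
    AUTHENTICATED = auto()  # step 3: AMPE done, per-link MTK installed


def kdf_hash_256(key: bytes, label: bytes, context: bytes, length: int = 32) -> bytes:
    """Counter-mode HMAC-SHA256 KDF in the general shape of 802.11's
    KDF-Hash-Length. The label/length encoding here is an assumption for
    this example, not the standard's exact layout."""
    out = b""
    counter = 1
    while len(out) < length:
        block = (counter.to_bytes(2, "little") + label + context
                 + (length * 8).to_bytes(2, "little"))
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


class MeshPeerLink:
    """One mesh peer link as seen from the local station (hypothetical class)."""

    def __init__(self, local_mac: bytes, peer_mac: bytes):
        self.local_mac = local_mac
        self.peer_mac = peer_mac
        self.state = LinkState.IDLE
        self.mtk = None

    def mpm_open(self) -> None:
        # Step 1: plain MPM peering for a candidate that has no PMK and no SAE.
        self.state = LinkState.MPM_OPEN

    def allow_frame(self, ethertype: int) -> bool:
        """Step 2: behave as a controlled port. Until the peer has finished
        802.1X and AMPE, only EAPOL may cross the link, so an unauthenticated
        peer cannot push data through the mesh."""
        if self.state is LinkState.AUTHENTICATED:
            return True
        if self.state is LinkState.MPM_OPEN:
            return ethertype == ETHERTYPE_EAPOL
        return False

    def ampe_complete(self, msk: bytes, local_nonce: bytes, peer_nonce: bytes) -> bytes:
        """Step 3: use the 802.1X MSK in place of SAE's MPMK. The PMK is taken
        as the first 256 bits of the MSK (as in 802.11i); the MTK is then bound
        to both MACs and both nonces, ordered so either end derives the same key."""
        if self.state is not LinkState.MPM_OPEN:
            raise RuntimeError("AMPE attempted before MPM peering")
        if len(msk) < 32:
            raise ValueError("MSK shorter than 256 bits")
        pmk = msk[:32]
        macs = min(self.local_mac, self.peer_mac) + max(self.local_mac, self.peer_mac)
        nonces = min(local_nonce, peer_nonce) + max(local_nonce, peer_nonce)
        self.mtk = kdf_hash_256(pmk, b"Temporal Key Derivation", nonces + macs)
        self.state = LinkState.AUTHENTICATED
        return self.mtk


def demo() -> dict:
    """Constructed sample values: stations A, B, C and one 64-byte MSK."""
    mac_a = bytes.fromhex("020000000001")
    mac_b = bytes.fromhex("020000000002")
    mac_c = bytes.fromhex("020000000003")
    nonce_a, nonce_b, nonce_c = bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32
    msk = hashlib.sha256(b"constructed-msk").digest() * 2

    ab, ba, ac = MeshPeerLink(mac_a, mac_b), MeshPeerLink(mac_b, mac_a), MeshPeerLink(mac_a, mac_c)
    for link in (ab, ba, ac):
        link.mpm_open()

    before = (ab.allow_frame(ETHERTYPE_IPV4), ab.allow_frame(ETHERTYPE_EAPOL))
    k_ab = ab.ampe_complete(msk, nonce_a, nonce_b)  # A's view of link A-B
    k_ba = ba.ampe_complete(msk, nonce_b, nonce_a)  # B's view of the same link
    k_ac = ac.ampe_complete(msk, nonce_a, nonce_c)  # A's link to a different peer
    return {
        "before": before,                      # (False, True): only EAPOL passes
        "after": ab.allow_frame(ETHERTYPE_IPV4),  # True once authenticated
        "same_link": k_ab == k_ba,             # both ends agree on the MTK
        "other_peer": k_ab != k_ac,            # same MSK, different link key
    }


if __name__ == "__main__":
    print(demo())
```

The ordering with `min`/`max` is what lets both ends of a link derive the same key without agreeing on who is "first", and the MAC and nonce binding is what keeps keys on different links apart even when the master credential is shared, which is the answer to the original question about per-peer passwords.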