RE: Can't get secure mesh points to talk to each other

[Jason Farah]

Hi,

That makes sense. 

I tried Yeoh's suggestion and set the parameter nohwcrypt=1.  I verified 
through /sys that it did take.  However, I'm still running into the same 
problem, which is the timeout for peer, state 4.  It says it's established, but 
still can't ping each other.

I tried lengthening the various timeouts in the mesh parameters and also the 
max retries, but that did not have any effect.

What chipsets have you used to get a secure mesh?  Do some chipsets perform 
better than others for this task?  This is an embedded board and I am limited 
to using USB only.


Thanks,
Jason Farah


-----Original Message-----
From: devel-boun...@lists.open80211s.org 
[mailto:devel-boun...@lists.open80211s.org] On Behalf Of Javier Cardona
Sent: Friday, April 13, 2012 12:42 PM
To: devel@lists.open80211s.org
Subject: Re: Can't get secure mesh points to talk to each other

Hi Jason,

Just to provide a bit more detail to Yeoh's response:

To support mesh security in hardware, your wireless card needs to support 
multiple encryption keys and management frame encryption.  The driver 
advertises this capability to the 802.11 stack via the flags:
IEEE80211_HW_MFP_CAPABLE and  IEEE80211_HW_SUPPORTS_PER_STA_GTK.  The
rt2800 driver does not seem to support these:

in rt28000lib.c:rt2800_probe_hw_mode()
        rt2x00dev->hw->flags =
            IEEE80211_HW_SIGNAL_DBM |
            IEEE80211_HW_SUPPORTS_PS |
            IEEE80211_HW_PS_NULLFUNC_STACK |
            IEEE80211_HW_AMPDU_AGGREGATION |
            IEEE80211_HW_REPORTS_TX_ACK_STATUS;

So your only option with that hardware would be to use software encryption, and 
this is what the nohwcrypt module parameter will do.
If you look in the list archives I believe Yeoh had posted some results on the 
performance implications of software encryption.

Cheers,

Javier

On Fri, Apr 13, 2012 at 9:01 AM, Yeoh Chun-Yeow <yeohchuny...@gmail.com> wrote:
> How about loading your kernel module rt2800usb with nohwcrypt=1.
>
> Chun-Yeow
>
> On Fri, Apr 13, 2012 at 11:00 PM, Jason Farah <jfa...@thinkipa.com> wrote:
>> Hello all,
>>
>>
>>
>> I'm having a problem trying to get my secure mesh points talking to 
>> each other.  I've compiled authsae, I'm using linux kernel version 
>> 3.2.13 with the necessary configs, and the adapters I'm working with 
>> use the rt2800usb modules.
>>
>>
>>
>> In open mesh mode, everything works fine.  But, I can't seem to 
>> figure out the secure mesh.
>>
>>
>>
>> First, I start up meshd-nl80211 as per the webpage.  Everything seems 
>> ok here except the last few lines:
>>
>>
>>
>> electrum100:~/authsae/linux# ./meshd-nl80211 -c 
>> ../config/authsae.sample.cfg -s byteme -i mesh0 &
>>
>>
>>
>> ....
>>
>>
>>
>> estab with 00:14:d1:7c:33:8f
>>
>> set auth flag (seq num=1334243328)
>>
>> set plink state (seq num=1334243333)
>>
>> mesh plink with 00:14:d1:7c:33:8f established
>>
>> nlerror, cmd 11, seq 1334243330: Invalid argument
>>
>> nlerror, cmd 11, seq 1334243331: Invalid argument
>>
>> Mesh plink timer for 00:14:d1:7c:33:8f fired on state ESTAB
>>
>> Timeout for peer 00:14:d1:7c:33:8f in state 4
>>
>>
>>
>>
>>
>> It looks like an error, but appears to establish anyway?  I do have 
>> the full message if anyone is interested.  Next, I do a station dump:
>>
>>
>>
>> electrum100:~/authsae/linux# iw dev mesh0 station dump
>>
>> Station cc:5d:4e:2b:76:d8 (on mesh0)
>>
>>         inactive time:  542 ms
>>
>>         rx bytes:       2148
>>
>>         rx packets:     40
>>
>>         tx bytes:       484
>>
>>         tx packets:     3
>>
>>         tx retries:     0
>>
>>         tx failed:      0
>>
>>         signal:         -37 dBm
>>
>>         signal avg:     -36 dBm
>>
>>         tx bitrate:     1.0 MBit/s
>>
>>         mesh llid:      0
>>
>>         mesh plid:      0
>>
>>         mesh plink:     ESTAB
>>
>>         authorized:     yes
>>
>>         authenticated:  yes
>>
>>         preamble:       long
>>
>>         WMM/WME:        yes
>>
>>         MFP:            yes
>>
>>
>>
>>
>>
>> The other device gives similar output.  And this output looks similar 
>> to the one on the o11s.org webpage.  It says it's established, but 
>> they still cannot ping each other.  When I go back to open mesh, 
>> everything works fine.  Am I missing something on the secure setup?  
>> I'm using the default config file, which at first glance looks ok for 
>> me.  Any pointers would be greatly appreciated.
>>
>>
>>
>>
>>
>> Best regards,
>>
>> Jason Farah
>>
>>
>>
>>
>> _______________________________________________
>> Devel mailing list
>> Devel@lists.open80211s.org
>> http://lists.open80211s.org/cgi-bin/mailman/listinfo/devel
>>
> _______________________________________________
> Devel mailing list
> Devel@lists.open80211s.org
> http://lists.open80211s.org/cgi-bin/mailman/listinfo/devel



--
Javier Cardona
cozybit Inc.
http://www.cozybit.com
_______________________________________________
Devel mailing list
Devel@lists.open80211s.org
http://lists.open80211s.org/cgi-bin/mailman/listinfo/devel
_______________________________________________
Devel mailing list
Devel@lists.open80211s.org
http://lists.open80211s.org/cgi-bin/mailman/listinfo/devel