Hi, in a discussion on the hostap mailing list about the limitations of the new hostapd parameter wpa_disable_eapol_key_retries as an AP side workaround for the Key Reinstallation Attacks (KRACK), two corner cases were mentioned along with suggestions how to address them [1][2].
The changes are fairly simple and may help users to further narrow the attack surface from the AP side (in case there are clients that are still vulnerable). The first allows to prohibit the use of TDLS on the network via an already existing hostapd parameter that just needs to be made configurable via UCI. The second is an upstream patch to ensure WNM Sleep Mode requests are ignored unless WNM Sleep Mode is enabled (which it isn't by default). I'm planning to post patches backporting these changes to the v17.01 branch as well. Regards, Timo [1] http://lists.infradead.org/pipermail/hostap/2017-October/038005.html [2] http://lists.infradead.org/pipermail/hostap/2017-October/038007.html Timo Sigurdsson (3): hostapd: Expose the tdls_prohibit option to UCI hostapd: Backport Ignore WNM-Sleep Mode Request in wnm_sleep_mode=0 case hostapd: bump PKG_RELEASE package/network/services/hostapd/Makefile | 2 +- package/network/services/hostapd/files/hostapd.sh | 7 ++++- ...WNM-Sleep-Mode-Request-in-wnm_sleep_mode-.patch | 35 ++++++++++++++++++++++ 3 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 package/network/services/hostapd/patches/013-WNM-Ignore-WNM-Sleep-Mode-Request-in-wnm_sleep_mode-.patch -- 2.1.4 _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev