authorMike Siedzik <msiedzik@extremenetworks.com>2018-02-20 19:28:38 (GMT)
committerJouni Malinen <j@w1.fi>2018-12-26 14:42:25 (GMT)
commitd9a0a72229cd71553be69dd76e7bf4560f2be05e (patch)
tree4ce03449c0838caf24bb53e5844c06272c5f82e5 /src/pae/ieee802_1x_kay.h
parent5864545492b7f35c0d74a19494e987538be92501 (diff)
mka: Fix MKPDU SAK Use Body's Delay Protect bit setting
Delay Protect and Replay Protect are two separate and distinct features of MKA. Per IEEE Std 802.1X-2010, 9.10.1 "Delay Protect, TRUE if LPNs are being reported sufficiently frequently to allow the recipient to provide data delay protection. If FALSE, the LPN can be reported as zero", and per 9.10 "NOTE--Enforcement of bounded received delay necessitates transmission of MKPDUs at frequent (0.5 s) intervals, to meet a maximum data delay of 2 s while minimizing connectivity interruption due to the possibility of lost or delayed MKPDUs." This means struct ieee802_1x_mka_sak_use_body::delay_protect should only be set TRUE when MKPDUs are being transmitted every 0.5 s (or faster). By default the KaY sends MKPDUs every MKA_HELLO_TIME (2.0 s), so by default delay_protect should be FALSE. Add a new 'u32 mka_hello_time' parameter to struct ieee802_1x_kay. If delay protection is desired, the KaY initialization code should set kay->mka_hello_time to MKA_BOUNDED_HELLO_TIME (500 ms). Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
Diffstat (limited to 'src/pae/ieee802_1x_kay.h')
-rw-r--r--src/pae/ieee802_1x_kay.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index 6b4572f..425732c 100644
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -21,6 +21,7 @@ struct macsec_init_params;
/* MKA timer, unit: millisecond */
#define MKA_HELLO_TIME 2000
+#define MKA_BOUNDED_HELLO_TIME 500
#define MKA_LIFE_TIME 6000
#define MKA_SAK_RETIRE_TIME 3000
@@ -187,6 +188,7 @@ struct ieee802_1x_kay {
u32 macsec_replay_window;
enum validate_frames macsec_validate;
enum confidentiality_offset macsec_confidentiality;
+ u32 mka_hello_time;
u32 ltx_kn;
u8 ltx_an;
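Review bot: The new `mka_hello_time` member in struct ieee802_1x_kay has no comment stating its unit or expected values, and nothing in this header ensures it is assigned before use. The commit message ties the Delay Protect bit to this interval, so if the struct is zero-initialised and an initialization path omits the assignment (not visible from this header), a value of 0 would presumably satisfy any "500 ms or faster" comparison and advertise delay protection that is not intended. It could also give a zero-length hello timer, so it is worth confirming that the KaY initialization code always sets it and rejects 0. I would document the field as `u32 mka_hello_time; /* MKPDU transmit interval in ms: MKA_HELLO_TIME, or MKA_BOUNDED_HELLO_TIME when delay protection is required */`. In the first hunk, `MKA_BOUNDED_HELLO_TIME` deserves a short comment citing IEEE Std 802.1X-2010, 9.10 as the source of the 500 ms bound. The struct body starts and ends outside this hunk.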