Simplify wpa_deny_ptk0_rekey documentation

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>

diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 0f8461d492905a343079911c59e920bc74c7ddda..bc5d1a7f697d4dea5ea79c45ba01006b0cebbdf7 100644 (file)
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1618,24 +1618,10 @@ own_ip_addr=127.0.0.1
 
 # Workaround for PTK rekey issues
 #
-# Rekeying the PTK without using "Extended Key ID for Individually Addressed
-# Frames" (two different Key ID values for pairwise keys) can, depending on the
-# used cards/drivers, impact the security and stability of connections. Both
-# ends can accidentally trick one end to drop all packets send by it until the
-# connection is torn down or rekeyed again. Additionally, some drivers may
-# skip/break the encryption for the time window the key is updated (normally a
-# few milliseconds).
-#
-# To avoid such issues, hostapd can now replace all PTK rekeys using only keyid
-# 0 (PTK0 rekeys) with disconnection that forces the remote stations to
-# reconnect instead.
-#
-# EAP reauthentication depends on replacing the PTK and is therefore just
-# another way to rekey the PTK and is affected by this parameter, too.
-#
-# "Extended Key ID for Individually Addressed Frames" is avoiding the issues
-# using two separate keys and this parameter will be ignored when using it
-# (i.e., PTK rekeying is allowed regardless of this parameter value).
+# PTK0 rekeys (rekeying the PTK without "Extended Key ID for Individually
+# Addressed Frames") can degrade the security and stability with some cards.
+# To avoid such issues hostapd can replace those PTK rekeys (including EAP
+# reauthentications) with disconnects.
 #
 # Available options:
 # 0 = always rekey when configured/instructed (default)

diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 15121c3869dd2dab8e5ebeb6efc8f45bc0a55291..f3a750e3c1180bfe3a68daafe11db6214527c9a8 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1101,25 +1101,11 @@ fast_reauth=1
 # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
 # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
 #
-# wpa_deny_ptk0_rekey: Control PTK0 rekeying
-#
-# Rekeying the PTK without using "Extended Key ID for Individually Addressed
-# Frames" (two different Key ID values for pairwise keys) can, depending on the
-# used cards/drivers, impact the security and stability of connections. Both
-# ends can accidentally trick one end to drop all packets send by it until the
-# connection is torn down or rekeyed again. Additionally, some drivers may
-# skip/break the encryption for the time window the key is updated (normally a
-# few milliseconds).
-#
-# To avoid such issues, wpa_supplicant can now replace all PTK rekeys using only
-# keyid 0 (PTK0 rekeys) with fast reconnects.
-#
-# EAP reauthentication depends on replacing the PTK and is therefore just
-# another way to rekey the PTK and is affected by the parameter, too.
-#
-# "Extended Key ID for Individually Addressed Frames" is avoiding the issues
-# using two separate keys and this parameter will be ignored when using it
-# (i.e., PTK rekeying is allowed regardless of this parameter value).
+# wpa_deny_ptk0_rekey: Workaround for PTK rekey issues
+# PTK0 rekeys (using only one Key ID value for pairwise keys) can degrade the
+# security and stability with some cards.
+# To avoid the issues wpa_supplicant can replace those PTK rekeys (including
+# EAP reauthentications) with fast reconnects.
 #
 # Available options:
 # 0 = always rekey when configured/instructed (default)