# Workaround for PTK rekey issues
#
-# Rekeying the PTK without using "Extended Key ID for Individually Addressed
-# Frames" (two different Key ID values for pairwise keys) can, depending on the
-# used cards/drivers, impact the security and stability of connections. Both
-# ends can accidentally trick one end to drop all packets send by it until the
-# connection is torn down or rekeyed again. Additionally, some drivers may
-# skip/break the encryption for the time window the key is updated (normally a
-# few milliseconds).
-#
-# To avoid such issues, hostapd can now replace all PTK rekeys using only keyid
-# 0 (PTK0 rekeys) with disconnection that forces the remote stations to
-# reconnect instead.
-#
-# EAP reauthentication depends on replacing the PTK and is therefore just
-# another way to rekey the PTK and is affected by this parameter, too.
-#
-# "Extended Key ID for Individually Addressed Frames" is avoiding the issues
-# using two separate keys and this parameter will be ignored when using it
-# (i.e., PTK rekeying is allowed regardless of this parameter value).
+# PTK0 rekeys (rekeying the PTK without "Extended Key ID for Individually
+# Addressed Frames") can degrade the security and stability with some cards.
+# To avoid such issues hostapd can replace those PTK rekeys (including EAP
+# reauthentications) with disconnects.
#
# Available options:
# 0 = always rekey when configured/instructed (default)
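Review bot: the replacement text "can degrade the security and stability with some cards" no longer tells an operator what the risk is. The removed comment named two concrete effects: one end dropping all packets sent by it until the connection is torn down or rekeyed, and some drivers skipping/breaking encryption for the time the key is updated. The second is the security-relevant reason to enable this option, so I would keep at least one sentence on it. The shortened version also drops the statement that the parameter is ignored when "Extended Key ID for Individually Addressed Frames" is in use. Without it a reader cannot tell that PTK rekeying stays allowed in that case regardless of the value set here. Suggest keeping that sentence as a single line after "with disconnects."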
# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
#
-# wpa_deny_ptk0_rekey: Control PTK0 rekeying
-#
-# Rekeying the PTK without using "Extended Key ID for Individually Addressed
-# Frames" (two different Key ID values for pairwise keys) can, depending on the
-# used cards/drivers, impact the security and stability of connections. Both
-# ends can accidentally trick one end to drop all packets send by it until the
-# connection is torn down or rekeyed again. Additionally, some drivers may
-# skip/break the encryption for the time window the key is updated (normally a
-# few milliseconds).
-#
-# To avoid such issues, wpa_supplicant can now replace all PTK rekeys using only
-# keyid 0 (PTK0 rekeys) with fast reconnects.
-#
-# EAP reauthentication depends on replacing the PTK and is therefore just
-# another way to rekey the PTK and is affected by the parameter, too.
-#
-# "Extended Key ID for Individually Addressed Frames" is avoiding the issues
-# using two separate keys and this parameter will be ignored when using it
-# (i.e., PTK rekeying is allowed regardless of this parameter value).
+# wpa_deny_ptk0_rekey: Workaround for PTK rekey issues
+# PTK0 rekeys (using only one Key ID value for pairwise keys) can degrade the
+# security and stability with some cards.
+# To avoid the issues wpa_supplicant can replace those PTK rekeys (including
+# EAP reauthentications) with fast reconnects.
#
# Available options:
# 0 = always rekey when configured/instructed (default)
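Review bot: the parenthetical "(using only one Key ID value for pairwise keys)" defines a PTK0 rekey in different words from the hostapd comment in this same patch, which describes it as rekeying without "Extended Key ID for Individually Addressed Frames". Someone reading both config files may not realise they describe the same condition, so I would use one wording in both places. This version also no longer mentions Extended Key ID at all, so the removed note that the parameter is ignored when Extended Key ID is used is lost here too. As in the hostapd comment, "can degrade the security and stability with some cards" omits the removed detail that some drivers may skip/break encryption while the key is updated. A short sentence covering each point would keep the comment compact while still telling the user when the setting matters.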