mka: Fix MKPDU SAK Use Body's Delay Protect bit setting

Delay Protect and Replay Protect are two separate and distinct features
of MKA. Per IEEE Std 802.1X-2010, 9.10.1 "Delay Protect, TRUE if LPNs
are being reported sufficiently frequently to allow the recipient to
provide data delay protection. If FALSE, the LPN can be reported as
zero", and per 9.10 "NOTE--Enforcement of bounded received delay
necessitates transmission of MKPDUs at frequent (0.5 s) intervals, to
meet a maximum data delay of 2 s while minimizing connectivity
interruption due to the possibility of lost or delayed MKPDUs."

This means struct ieee802_1x_mka_sak_use_body::delay_protect should only
be set TRUE when MKPDUs are being transmitted every 0.5 s (or faster).
By default the KaY sends MKPDUs every MKA_HELLO_TIME (2.0 s), so by
default delay_protect should be FALSE.

Add a new 'u32 mka_hello_time' parameter to struct ieee802_1x_kay. If
delay protection is desired, the KaY initialization code should set
kay->mka_hello_time to MKA_BOUNDED_HELLO_TIME (500 ms).

Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index d756b75cb8aebae2ad7cc510d570ebf46b5d5af3..827e42d43f065bedf39cd6b4f17930b337ee7e08 100644 (file)
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -1216,7 +1216,7 @@ ieee802_1x_mka_encode_sak_use_body(
        }
 
        /* data protect, lowest accept packet number */
-       body->delay_protect = kay->macsec_replay_protect;
+       body->delay_protect = kay->mka_hello_time <= MKA_BOUNDED_HELLO_TIME;
        pn = ieee802_1x_mka_get_lpn(participant, &participant->lki);
        if (pn > kay->pn_exhaustion) {
                wpa_printf(MSG_WARNING, "KaY: My LPN exhaustion");
@@ -2466,7 +2466,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
                participant->retry_count++;
        }
 
-       eloop_register_timeout(MKA_HELLO_TIME / 1000, 0,
+       eloop_register_timeout(kay->mka_hello_time / 1000, 0,
                               ieee802_1x_participant_timer,
                               participant, NULL);
 
@@ -3193,6 +3193,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
                kay->macsec_replay_protect = FALSE;
                kay->macsec_replay_window = 0;
                kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
+               kay->mka_hello_time = MKA_HELLO_TIME;
        } else {
                kay->macsec_desired = TRUE;
                kay->macsec_protect = TRUE;
@@ -3207,6 +3208,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
                kay->macsec_validate = Strict;
                kay->macsec_replay_protect = FALSE;
                kay->macsec_replay_window = 0;
+               kay->mka_hello_time = MKA_HELLO_TIME;
        }
 
        wpa_printf(MSG_DEBUG, "KaY: state machine created");
@@ -3412,7 +3414,7 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
        wpa_hexdump(MSG_DEBUG, "KaY: Participant created:",
                    ckn->name, ckn->len);
 
-       usecs = os_random() % (MKA_HELLO_TIME * 1000);
+       usecs = os_random() % (kay->mka_hello_time * 1000);
        eloop_register_timeout(0, usecs, ieee802_1x_participant_timer,
                               participant, NULL);
 
@@ -3614,7 +3616,8 @@ int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf,
                          "Key Server Priority=%u\n"
                          "Is Key Server=%s\n"
                          "Number of Keys Distributed=%u\n"
-                         "Number of Keys Received=%u\n",
+                         "Number of Keys Received=%u\n"
+                         "MKA Hello Time=%u\n",
                          kay->active ? "Active" : "Not-Active",
                          kay->authenticated ? "Yes" : "No",
                          kay->secured ? "Yes" : "No",
@@ -3623,7 +3626,8 @@ int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf,
                          kay->key_server_priority,
                          kay->is_key_server ? "Yes" : "No",
                          kay->dist_kn - 1,
-                         kay->rcvd_keys);
+                         kay->rcvd_keys,
+                         kay->mka_hello_time);
        if (os_snprintf_error(buflen, len))
                return 0;
 

diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
index 6b4572fe082e5f5b70c1c872163adf81fa2fa999..425732c25ec9ade77148317c44dec403877f8614 100644 (file)
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -21,6 +21,7 @@ struct macsec_init_params;
 
 /* MKA timer, unit: millisecond */
 #define MKA_HELLO_TIME         2000
+#define MKA_BOUNDED_HELLO_TIME  500
 #define MKA_LIFE_TIME          6000
 #define MKA_SAK_RETIRE_TIME    3000
 
@@ -187,6 +188,7 @@ struct ieee802_1x_kay {
        u32 macsec_replay_window;
        enum validate_frames macsec_validate;
        enum confidentiality_offset macsec_confidentiality;
+       u32 mka_hello_time;
 
        u32 ltx_kn;
        u8 ltx_an;