Subject: multicast WPA-encrypted frames being dropped?
To: None <tech-net@NetBSD.org>
From: Jonathan A. Kollasch <jakllsch@kollasch.net>
List: tech-net
Date: 06/23/2006 02:34:32

Hi,

 So, I've been using WPA-Enterprise (complete with Kerberos
authentication, no thanks to the FreeRADIUS from pkgsrc, but
that's another issue) and am trying to get IPv6 connectivity,
which was working fine with WEP on 3.0.  Anyway AFAICT
frames to my 33:33:ff:... address are not being decrypted,
here's a snippet of `tcpdump -s0 -eni ath0 -y IEEE802_11`:

01:54:25.094909 DA:33:33:ff:ed:8f:e6 BSSID:00:13:46:0a:39:82 SA:00:b0:d0:c8:58:9c Data IV:fbe8 Pad 20 KeyID 1
01:54:25.834352 DA:00:09:5b:ed:8f:e6 BSSID:00:13:46:0a:39:82 SA:00:50:da:79:8f:ae LLC, dsap SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, IP 172.27.72.11.22 > 172.27.72.40.64735: P 320:480(160) ack 1 win 33580 <nop,nop,timestamp 5868 5516>

It appears to me that whatever is supposed to be decrypting
the packets addressed to 33:33:ff:ed:8f:e6 isn't.

The symptoms include being unable to receive a
router advertisement, and being unable to
ping this wireless client's link-local address
from the wired side of the LAN.

Pinging ff02::1%ath0 from the client returns
only a subset of the link-local addresses on
the broadcast domain.  Directing a ping6 or two
at a specific LL address seems to add it to the
subset.

Also the "rx seq# violation (CCMP)" number in ifconfig -v
is increasing faster than I'd like (rate seems to depend
on this problematic traffic).

I'm not really sure where the problem lies, be it the
cheap "router" AP or NetBSD and/or wpa_supplicant.
I suppose at the very least I'd like to know if
this has happened to anyone else.

Anyway the Wireless Router doesn't let me set a
default route out the LAN side, so I can't put
the RADIUS server in a different broadcast domain.
This happens to prevent what I was wanting to do
(see my IPsec and altq post a few weeks ago).

	Jonathan Kollasch
