Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Design

Implementation Overview

With WPA3 support, we had to introduce a new way to set the security types. Therefore, new fields were implemented in the Wifi_VIF_Config/State tables. Backward compatibility is kept, by only supporting the legacy security types.

WPA3 types:

  • SAE: At the moment, OpenSync supports single-password configurations without a user-defined Password Identifier. However, design is prepared for extension in future.

  • OWE: Not supported, but design is ready for future extension.

OVSDB Changes

Deprecated fields:

  • "security"  field remain present, but won't be used (should remain unset).

  • "ft_psk" field will be ignored, Fast transition will be configurable with "ft-*" entries in "wpa_key_mgmt" field.

New fields:

Field name

Type

Mandatory

Presence in Wifi_VIF_* tables

Comment

Config

State

wpa

bool

yes

yes

yes

TRUE - use any if WPA* modes; FALSE - use OPEN mode

wpa_key_mgmt

enum list

yes

yes

yes

Any valid combination of: "wpa2-psk", "sae", "wpa2-eap", "dpp", "ft-wpa2-psk", "ft-*" (other Fast Transition modes in future) etc. In future this list may be extended with e.g. "owe"

wpa_psks

map <key_id : psk>

no, depends on "wpa_key_mgmt"

yes

yes

List of passwords used by WPA1/2 and SAE (see example below for more details).

wpa_oftags

map <key_id : oftag>

no, depends on "wpa_key_mgmt"

yes

no

WPA1/2 passwords' oftags

radius_srv_addr

string

no, depends on "wpa_key_mgmt"

yes

yes

Remote RADIUS server address (IP or domain name)

radius_srv_port

int

no, depends on "wpa_key_mgmt"

yes

yes

Remote RADIUS server port number

radius_srv_secret

string

no, depends on "wpa_key_mgmt"

yes

yes

Remote RADIUS server secret

default_oftag

string

no

yes

no

Default oftag used when wpa/sae/*_oftag is not available (e.g. it will be used for WPA-Enterprise, OPEN and possibly OWE)

Usage Policy

The controller selects between two implementations: legacy and new.

The legacy method of configuring the security type (OVSDB security field) is unable to set WPA3. Therefore, the new method must be used. Method selection is defined by the SDN controller.

Configuration examples (Wifi_VIF_Config)

Legacy Implementation

Reference WPA2

group_rekey

86400

if_name

wl2.2

mac_list

["set",[]]

mac_list_type

["set",[]]

mcast2ucast

TRUE

min_hw_mode

["set",[]]

mode

ap

multi_ap

["set",[]]

parent

["set",[]]

rrm

1

security

["map",[["encryption","WPA-PSK"],["key","OpenSync111"],["key-1","OpenSync122"],["key-2","OpenSync123"],["mode","2"],["oftag","home--1"],["oftag-key-1","home-1"],["oftag-key-2","home-2"]]]

ssid

opensync

ssid_broadcast

enabled

uapsd_enable

TRUE

vif_dbg_lvl

["set",[]]

vif_radio_idx

2

vlan_id

["set",[]]

wds

["set",[]]

wps

["set",[]]

wps_pbc

["set",[]]

wps_pbc_key_id

["set",[]]

New Implementation

Supported Security Modes
  • Open

  • WPA2 Enterprise with remote RADIUS

  • WPA2-only

  • WPA3-only

  • Mixed WPA1/WPA2

  • Mixed WPA2/WPA3

  • FT-WPA2-only

  • Mixed FT-WPA2/FT-WPA3

  • FT-WPA3

WPA2

security

/ UNSET /

wpa

TRUE

wpa_key_mgmt

["wpa2-psk"]

wpa_psks

["map",[["key","opensync111"],["key-1","opensync122"],["key-2","opensync123"]]]

wpa_oftags

["map",[["key","home--1"],["key-1","home-1"],["key-2","home-2"]]]

WPA2 Enterprise

security

/ UNSET /

wpa

TRUE

wpa_key_mgmt

["wpa2-eap"]

radius_srv_addr

1.2.3.4

radius_srv_port

883

radius_srv_secret

top_secret_psk

default_oftag

home-1

Open

security

/ UNSET /

wpa

FALSE

default_oftag

home-1

SAE

Currently, SAE configuration uses a single password without user-defined password identifiers. SAE AP is configured using "key" from "wpa_psks". In future, OpenSync may introduce "sae_psks" and "sae_oftags" to support SAE with multiple passwords and user-defined identifiers.

security

/ UNSET /

wpa

TRUE

wpa_key_mgmt

["sae"]

wpa_psks

["map",[["key","opensync111"]]]

wpa_oftags

["map",[["key","home--1"]]]

sae_psks

["map",[["key-1","opensync122"]]]

sae_oftags

["map",[["key-1","home--2"]]]

OWE

OWE is currently a proposal.

bridge

/ UNSET /

br-home

if_name

wl2.2

wl2.3

security

/ UNSET /

/ UNSET /

ssid

opensync

opensync_owe

ssid_broadcast

enabled

disabled

wpa

FALSE

TRUE

wpa_key_mgmt

["owe"]

default_oftag

home-1

owe_transition_ifname

wl2.3

Mixed SAE / WPA2

security

/ UNSET /

wpa

TRUE

wpa_key_mgmt

["sae","wpa2-psk"]

wpa_psks

["map",[["key","opensync111"],["key-1","opensync122"],["key-2","opensync123*"]]]

wpa_oftags

["map",[["key","home--1"],["key-1","home-1"],["key-2","home-2"]]]

"oftags" Configuration

Within WPA3 support, a new "default_oftag" field was introduced. The field serves as a fallback for oftag lookup and is used whenever a better oftag cannot be find. At the moment, only WPA2 Personal can use multiple oftags associated to different PSks, in all other cases generic "default_oftag" should be set.

Security mode

wpa_oftags

default_oftag

OPEN

N/A

used

WPA1 Personal

N/A

used

WPA1/WPA2 Personal

potentially used

potentially used

WPA2 Enterprise

N/A

used

WPA2 Personal (HomePass)

used

potentially used

WPA3 Personal

N/A

used

WPA2/WPA3 Personal

N/A

used

OWE

N/A

used

Authentication Failures Reporting

The new reporting functionality is implemented in SM. SM already comes with the necessary infrastructure (reporting management: activation, intervals, radio bands, etc.) and is prepared to compute the statistics. OpenSync introduces new Wifi_Stats_Config::stats_type called "client_auth_fails" and introduces a new MQTT message field. SM periodically sends reports. After each sent report, counters are reset.

At the moment, reporting is limited to WPA2 Personal and SAE, but design is ready for future extensions (e.g., reporting the WPA2/3-EAP failures).

Field

Value

Comment

channel_list

["set",[]]

Not used

radio_type

2.4G

report_type

["set",[]]

Not used

reporting_count

["set",[]]

Not used

reporting_interval

240

Default: 15 minutes

sampling_interval

["set",[]]

Not used

stats_type

client_auth_fails

survey_interval_ms

["set",[]]

Not used

survey_type

["set",[]]

Not used

threshold

["map",[]]

Not used

New MQTT report message:

message ClientAuthFailsReport {
    message VAP {
        message Client {
            required string mac_address  = 1;
            required uint32 auth_fails   = 2;
            required uint32 invalid_psk  = 3;
        }

        required string ifname      = 1;
        repeated Client client_list = 2;
    }

    required RadioBandType band     = 1;
    repeated VAP           vap_list = 2;
}

Requirements

  • Client ability to support WPA3 Personal to connect to the system using all compatible standards from WiFi Alliance required for certification.

  • Support of the following modes:

    • WPA3 Personal native

    • WPA2/3 Personal mixed mode

    • WPA3 off (e.g., same as WPA2 Personal mode)

  • No labels