From dfc38d03261322dc9781cad5b4b66affb7682cb4 Mon Sep 17 00:00:00 2001 From: Alain Lamar Date: Fri, 17 Apr 2020 22:52:55 +0200 Subject: wireless: T2306: Add new cipher suites to the WiFi configuration Yet, VyOS knows these two encryption schemes for WiFi: 1. CCMP = AES in Counter mode with CBC-MAC (CCMP-128) 2. TKIP = Temporal Key Integrity Protocol These encryption schemes are new and especially the Galois counter mode cipher suites are very desirable! 1. CCMP-256 = AES in Counter mode with CBC-MAC with 256-bit key 2. GCMP = Galois/counter mode protocol (GCMP-128) 3. GCMP-256 = Galois/counter mode protocol with 256-bit key CCMP is supported by all WPA2 compatible NICs, so this remains the default cipher for bidirectional and group packets while using WPA2. Use 'iw list' to figure out which cipher suites your cards support prior to configuring other cipher suites than CCMP. AP NICs and STA NICs must both support at least one common cipher in a given list in order to associate successfully. --- interface-definitions/interfaces-wireless.xml.in | 54 +++++++++++++++++++++--- 1 file changed, 49 insertions(+), 5 deletions(-) (limited to 'interface-definitions') diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in index a5c6315fa..e5393e99e 100644 --- a/interface-definitions/interfaces-wireless.xml.in +++ b/interface-definitions/interfaces-wireless.xml.in @@ -605,22 +605,66 @@ - Cipher suite for WPA + Cipher suite for WPA unicast packets - TKIP CCMP + GCMP-256 GCMP CCMP-256 CCMP TKIP + + GCMP-256 + AES in Galois/counter mode with 256-bit key + + + GCMP + AES in Galois/counter mode with 128-bit key + + + CCMP-256 + AES in Counter mode with CBC-MAC with 256-bit key + CCMP - AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] + AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] (supported on all WPA2 APs) TKIP Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] - (CCMP|TKIP) + (GCMP-256|GCMP|CCMP-256|CCMP|TKIP) - Invalid WEP key + Invalid cipher selection + + + + + Cipher suite for WPA multicast and broadcast packets + + GCMP-256 GCMP CCMP-256 CCMP TKIP + + + GCMP-256 + AES in Galois/counter mode with 256-bit key + + + GCMP + AES in Galois/counter mode with 128-bit key + + + CCMP-256 + AES in Counter mode with CBC-MAC with 256-bit key + + + CCMP + AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] (supported on all WPA2 APs) + + + TKIP + Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] + + + (GCMP-256|GCMP|CCMP-256|CCMP|TKIP) + + Invalid group cipher selection -- cgit v1.2.3 From 26010aee52bc95ca0b09a149c2b4add404dd1bef Mon Sep 17 00:00:00 2001 From: Alain Lamar Date: Fri, 17 Apr 2020 23:05:49 +0200 Subject: wireless: T2306: bugfix: insert missing --- interface-definitions/interfaces-wireless.xml.in | 1 + 1 file changed, 1 insertion(+) (limited to 'interface-definitions') diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in index e5393e99e..3edcbb8ff 100644 --- a/interface-definitions/interfaces-wireless.xml.in +++ b/interface-definitions/interfaces-wireless.xml.in @@ -635,6 +635,7 @@ Invalid cipher selection + Cipher suite for WPA multicast and broadcast packets -- cgit v1.2.3