headers
pigiron | 5 May 19:01
Picon
Favicon

The case of the bogus SSID


The kind folks at linux-wireless IRC suggested that I should probably bring this ugly topic over here.

I've been digging into this problem for the last few days, and am now in need of some guidance from you
wireless guru's. I hope the you folks can follow my twisted path. Here's the scenario:

SYMPTOMS:
=========

Linux clients (and apparently *only* Linux clients) cannot associate with an AP running a brand new
"flavor" of DD-WRT firmware. Myself and others have reported the same problem. The response from the
chief DD-WRT person was basically, "tested and works on Windows and OSX, so it must be a Linux problem".

The Wicd network manager displays strange UTF-8 type characters for the SSID. This causes it to create an
incorrect WPA PSK.

Also, two ESSIDs are returned for that MAC when running the "iwlist wlan0 scan" command using many
different wireless devices. So far, I've found that ipw2200 and rta2870sta seem to be the only devices
that don't report an "extra" ESSID with iwlist.

Not surprisingly, I can connect to the router by manually running wpa_supplicant.

The problem still exists when running compat-wireless-2010-04-26.

Here's an example of the "iwlist wlan0 scan" output with the router in it's "default" configuration:

Cell 02 - Address: 00:25:9C:XX:XX:XX
          Channel:6
          Frequency:2.437 GHz (Channel 6)
          Quality=70/70  Signal level=-33 dBm
          Encryption key:off
     ---> ESSID:"dd-wrt"
          Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                    9 Mb/s; 12 Mb/s; 18 Mb/s
          Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
     ---> ESSID:""
          Mode:Unknown/bug
          Extra:tsf=00000064b6ade4fb
          Extra: Last beacon: 4120ms ago
          IE: Unknown: 000664642D777274
          IE: Unknown: 010882848B960C121824
          IE: Unknown: 030106
          IE: Unknown: 2A0100
          IE: Unknown: 32043048606C
          IE: Unknown: DD180050F2020101020003A4000027A4000042435E00623

          IE: Unknown: 331A4C101BFFFF000000000000000000000000000000000

          IE: Unknown: 2D1A4C101BFFFF000000000000000000000000000000000

     >>>> IE: Unknown: 34160600190000000000000000000000000000000000000

          IE: Unknown: 3D160600190000000000000000000000000000000000000

          IE: Unknown: 4A0E14000A002C01C800140005001900
          IE: Unknown: 7F0101
          IE: Unknown: DD0900037F01010000FF7F
          IE: Unknown: DD0A00037F04010000000000

PROBLEM:
========

I tried to narrow the problem by firing up the debugger against iwlist. After iwlist performs a SIOGIWSCAN,
it then retreives the AP response, and this contains a second, bogus SSID (specifically a SIOCGIWESSID),
with data matching one of the Information Elements above... actually two. But here's the data that I think
causes the problem:

          IE: Unknown: 34160600190000000000000000000000000000000000000

Both the Wireshark scan capture and my digging into the 802.11k-2008 specification show that line as being
a "Neighbor Report" Information Element (0x34 = 52 decimal = Neighbor Report).

I noticed that decimal 52 is assigned to WLAN_EID_MESH_ID in the ieee80211.h file, and recently the same 52
was also assigned to WLAN_EID_NEIGHBOR_REPORT in the same enumerated ieee80211_eid{} structure.

BUT... before I go kernel diving, I have a question. I guess I'm trying to first determine if the problem may
be in the router. From my reading of the 802.11k-2008 specification, I'm thinking that a Neighbor Report
should not even be inside a scan response from the AP. Every reference to "Neighbor Report" that I can find
in the specification *seems* to state that a Neighbor Report response should only arrive at the STA after
the AP receives a "Neighbor Report Request" frame. And it should then be contained inside a  "Neighbor
Report Response" frame. Is my thinking correct???  Or am I off base (yet again ;)???

FYI: The router is configured as a simple AP acting as a gateway to a cable modem. No vlans, no hotspot, etc... 
i.e. nothing "exotic". In fact, no one has yet found a configuration setting that will make this problem disappear.

OBTW: All beacon frames coming from the router also contain this Neighbor Report.

Also, here is a snippet from a scan report using iw (notice that it's not confused by the Neighbor Report):

--------------------------   BEGIN NETLINK MESSAGE ---------------------------
  [HEADER] 16 octets
    .nlmsg_len = 312
    .nlmsg_type = 24 <0x18>
    .nlmsg_flags = 2 <MULTI>
    .nlmsg_seq = 1273073208
    .nlmsg_pid = 6127
  [PAYLOAD] 296 octets
    22 01 00 00 08 00 2e 00 c5 00 00 00 08 00 03 00 03 00 ".................
    00 00 14 01 2f 00 0a 00 01 00 00 25 9c XX XX XX 00 00 ..../......%......
    ce 00 06 00 00 06 64 64 2d 77 72 74 01 08 82 84 8b 96 ......dd-wrt......
    0c 12 18 24 03 01 06 2a 01 00 32 04 30 48 60 6c dd 18 ...$...*..2.0H`l..
    00 50 f2 02 01 01 02 00 03 a4 00 00 27 a4 00 00 42 43 .P..........'...BC
    5e 00 62 32 2f 00 33 1a 4c 10 1b ff ff 00 00 00 00 00 ^.b2/.3.L.........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2d 1a ................-.
    4c 10 1b ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 L.................
    00 00 00 00 00 00 00 00 34 16 06 00 19 00 00 00 00 00 ........4.........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 3d 16 06 00 ..............=...
    19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..................
    00 00 4a 0e 14 00 0a 00 2c 01 c8 00 14 00 05 00 19 00 ..J.....,.........
    7f 01 01 dd 09 00 03 7f 01 01 00 00 ff 7f dd 0a 00 03 ..................
    7f 04 01 00 00 00 00 00 00 00 0c 00 03 00 10 69 af ac ...............i..
    77 00 00 00 06 00 04 00 64 00 00 00 06 00 05 00 21 04 w.......d.......!.
    00 00 08 00 02 00 85 09 00 00 08 00 0a 00 e7 11 00 00 ..................
    08 00 07 00 54 f2 ff ff                               ....T...
---------------------------  END NETLINK MESSAGE   ---------------------------
BSS 00:25:9c:XX:XX:XX (on wlan0)
        TSF: 513998285072 usec (5d, 22:46:38)
        freq: 2437
        beacon interval: 100
        capability: ESS ShortPreamble ShortSlotTime (0x0421)
        signal: -35.00 dBm
        last seen: 4583 ms ago
        SSID: dd-wrt
        Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
        DS Parameter set: channel 6
        ERP: <no flags>
        Extended supported rates: 24.0 36.0 48.0 54.0
        WMM:     * Parameter version 1
                 * BE: CW 15-1023, AIFSN 3
                 * BK: CW 15-1023, AIFSN 7
                 * VI: CW 7-15, AIFSN 2, TXOP 3008 usec
                 * VO: acm CW 3-7, AIFSN 2, TXOP 1504 usec
        Unknown IE (51): 4c 10 1b ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        HT capabilities:
                Capabilities: 0x104c
                        HT20
                        SM Power Save disabled
                        RX HT40 SGI
                        No RX STBC
                        Max AMSDU length: 7935 bytes
                        DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: 1/2 usec (0x02)
                HT RX MCS rate indexes supported: 0-15
                HT TX MCS rate indexes are undefined
        Unknown IE (52): 06 00 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        Unknown IE (61): 06 00 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        Unknown IE (74): 14 00 0a 00 2c 01 c8 00 14 00 05 00 19 00
        Extended capabilities: HT Information Exchange Supported
        Vendor specific: OUI 00:03:7f, data: 01 01 00 00 ff 7f
        Vendor specific: OUI 00:03:7f, data: 04 01 00 00 00 00 00
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@...
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Permalink | Reply |

Gmane