This "Group Key Rotation" process sometimes has problems. When a client leaves the network, or every hour or so, just for good measure, the Group Key needs to be changed so that the client that left no longer has access to decrypt the multicasts.When WPA (TKIP) or WPA2 (AES-CCMP) encryption is in use, FromDS multicasts have to be encrypted with a separate encryption key that is known to all of the clients (this is called the Group Key). Some APs let the administrator set the multicast rate, and some administrators unwittingly set it too high for some of their clients to receive reliably, breaking multicast delivery to those clients. So instead, FromDS multicasts have to be sent at a low data rate using a simpler, slower, easy-to-decode-even-at-low-signal-to-noise-ratios modulation scheme, that can hopefully be received reliably by all the clients of the AP. Even though the radio medium is unreliable enough that 802.11 unicasts are required to have link-level acknowledgements (ACKs) and get retransmitted several times if there's no ACK, FromDS multicasts are never ACKed because they'd need to be ACKed by all the wireless clients of the AP, which could be quite an "ACK storm". On Wi-Fi, sending multicasts from the AP to the wireless clients (this is known in the standard as "From the Distribution System" or "FromDS") is tricky, so there are lots of ways it can fail, and it's easy to introduce bugs. It's usually due to bugs in the Wi-Fi home gateway routers (APs), or sometimes in the wireless client chipsets/drivers/software.
0 Comments
Leave a Reply. |