WPA3 support in OpenWrt?

  1. WPA3-SAE is supported by OpenWrt software for Xiaomi Redmi Router AC2100, MIPS, MT7621A.
  2. If the MT7621A doesn't have WPA3 hardware support, can WPA3 usage on 2.4 GHz and 5 GHz overload the Redmi's processor?

Great thread, it has more information than what Google finds on WPA3...

Can some of this be written to the wiki?

This page: https://openwrt.org/docs/guide-user/network/wifi/basic
Or maybe a separate page for WPA3?

To answer common questions, like:

  • does OpenWRT support WPA3?
  • does it require special hardware?
  • any negative issues (like lower performance on older hardware)?
  • a word about compatibility with other devices (like the mentioned Apple issue)
  • is mixed WPA2/WPA3 really more secure than just WPA2? I read that exclusive WPA3 is better, but forgot the details.
  • is WPA/WPA2/WPA3 mixed mode possible? (I see no support for it currently, but what in theory?)

Sure it can be written there?
By you, perhaps?


For the clients that connect via WPA3 it's more secure. However, if the client allows connecting to the same network via WPA2 there's a possibility of a downgrade attack. It's up to the client implementation to prevent this. As an example, the Google Pixel 3 always connects via WPA3 after the first WPA3 authentication/association with a network.[1]

[1] Interesting paper on security vulnerabilities in WPA3.


Sure, after I get the answers to those questions.


Another solution for OpenWrt admins is to set up 2 virtual WLANs using different keys, one for WPA2 and another for WPA3.

Although, it may not be that much of an improvement in terms of security due to other practical reasons.

Cheers.

  • does OpenWRT support WPA3? Yes, for official release, since 19.07 with wpad-openssl. wpad-wolfssl has been fixed in master/development
  • does it require special hardware? No AFAIK
  • any negative issues (like lower performance on older hardware)? In my test case no, the WLAN speed seems to be CPU-bound even without encryption, others with more experience may chime in?
  • a word about compatibility with other devices (like the mentioned Apple issue) You can go ahead and add later when people report other incompatibilities
  • is mixed WPA2/WPA3 really more secure than just WPA2? I read that exclusive WPA3 is better, but forgot the details. see reply of huaracheguarache
  • is WPA/WPA2/WPA3 mixed mode possible? (I see no support for it currently, but what in theory?)
    no idea, but why would anyone still use WPA?

...................

Notes:

  • doesn't work on the WRT AC series of routers (mwlwifi). Probably important to note as they're very popular.
  • some older hardware needs hardware encryption disabled in the driver for it to work with WPA3
    WPA3 not working on TL-wr1043NDv1

https://openwrt.org/docs/techref/driver.wlan/mwlwifi would be the place to document mwlwifi specific stuff, e.g. WPA3 issues / WPA3 incompatibilities / general development status.

Fortunately this particular issue with ath9k and draft-n wireless chipsets <= AR9160 will be resolved with "mac80211: ath9k: enable MFP capability unconditionally", which I've just successfully tested on my tl-wr1043nd v1:

root@tl-wr1043ndx:~# grep -i -e sae -e 80211w /tmp/run/hostapd-phy0.conf 
sae_require_mfp=1
wpa_key_mgmt=SAE
ieee80211w=2
root@ath5k-client:~# wpa_cli -i wlp3s0 status | grep -i -e sae -e 80211w -e mfp -e pmf
key_mgmt=SAE
pmf=2
sae_group=19

Similar efforts have been happening (upstream) for b43 and rt2x00 as well (not yet in OpenWrt); ath5k worked fine with WPA3/ SAE from the beginning. Yes, enabling IEEE 802.11w (which is mandatory for WPA3) on devices that can't do it hardware accelerated does come with a steep performance penalty, but at least it (now-) works - without having to supply module parameters manually.
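
As an added example (not part of any post in this thread and not OpenWrt code), the shell function below classifies a hostapd BSS configuration from the same three keys grepped in the post above, separating the WPA3-only, mixed WPA2/WPA3 and WPA2-only setups discussed earlier in the thread. The function names and the sample configurations are constructed for illustration, and one BSS per config file is assumed.

```shell
#!/bin/sh
# Added example: classify one hostapd BSS config by its WPA3 posture.
# Assumes one BSS per file; the sample configs are constructed.

# conf_get KEY: print the last "KEY=value" value from config text on stdin.
conf_get() { sed -n "s/^$1=//p" | tail -n 1; }

# classify_bss CONFIG_TEXT: print wpa3-only, transition, wpa2-only,
# or misconfigured:<reason>.
classify_bss() {
    akm=$(printf '%s\n' "$1" | conf_get wpa_key_mgmt)
    pmf=$(printf '%s\n' "$1" | conf_get ieee80211w)
    req=$(printf '%s\n' "$1" | conf_get sae_require_mfp)
    pmf=${pmf:-0}; req=${req:-0}; has_sae=0; has_psk=0
    for a in $akm; do
        case $a in
            SAE|FT-SAE) has_sae=1 ;;
            WPA-PSK|WPA-PSK-SHA256|FT-PSK) has_psk=1 ;;
        esac
    done
    if [ "$has_sae" = 1 ] && [ "$has_psk" = 0 ]; then
        # WPA3-only: management frame protection must be required (2).
        if [ "$pmf" = 2 ]; then echo wpa3-only
        else echo misconfigured:sae-without-required-pmf; fi
    elif [ "$has_sae" = 1 ]; then
        # Mixed WPA2/WPA3: PMF optional for PSK clients, but SAE clients
        # must still be forced to use it (sae_require_mfp=1).
        if [ "$pmf" = 0 ]; then echo misconfigured:sae-with-pmf-disabled
        elif [ "$pmf" = 1 ] && [ "$req" != 1 ]; then
            echo misconfigured:sae-clients-may-skip-pmf
        else echo transition; fi
    elif [ "$has_psk" = 1 ]; then echo wpa2-only
    else echo misconfigured:no-psk-or-sae-akm; fi
}

# Constructed samples (key names as in /tmp/run/hostapd-phy0.conf above).
SAE_ONLY='wpa_key_mgmt=SAE
ieee80211w=2
sae_require_mfp=1'
MIXED='wpa_key_mgmt=SAE WPA-PSK
ieee80211w=1
sae_require_mfp=1'
WPA2='wpa_key_mgmt=WPA-PSK
ieee80211w=0'
NO_PMF='wpa_key_mgmt=SAE
ieee80211w=0'

for cfg in "$SAE_ONLY" "$MIXED" "$WPA2" "$NO_PMF"; do
    classify_bss "$cfg"
done
```

A result of "transition" marks the BSS where the WPA2 downgrade mentioned earlier in the thread depends on client behaviour; "wpa3-only" matches the configuration shown for the tl-wr1043nd above.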


Hi there, are you working on it now?

Cheers.

How much performance penalty?

Hmm, the https://en.wikipedia.org/wiki/IEEE_802.11w-2009 page says:

is required for 802.11 implementations that support TKIP or CCMP

So all WPA and WPA2 hardware should support it? Or am I misunderstanding something?

In theory, perhaps - in practice not at all. Even among the 802.11ac chipsets functional 802.11w support is not a given, even less hardware accelerated PMF/MFP.

About Apple WPA3 support:

on my iPhone SE, the options for Security offered are:

  • None
  • WEP
  • WPA
  • WPA2
  • WPA Enterprise
  • WPA2 Enterprise
  • WPA3 Enterprise

on iPad 6th gen:

  • None
  • WEP
  • WPA
  • WPA2/WPA3
  • WPA3
  • WPA Enterprise
  • WPA2 Enterprise
  • WPA3 Enterprise

Both running iOS 13.5.1

So either the SE hardware does not support WPA3 Personal or it is some UI glitch.

Where are you seeing these options listed? App on the phone itself? I have an iPhone 7 that connects to pure WPA-SAE just fine.

Same on MacBook Air 2012, it seems that WPA3 is not fully supported on Apple's older hardware.

In Settings, when manually adding a network. Click/tap on "Other..." below the list of detected networks.

Nice, I did not know about this. From my iPhone 7:

It seems that Apple cuts functionality on older devices. Deceives people. Here's what's on my iPhone 6s, iOS 14 beta:

Hello, I didn't find any info about PC OS support for this (Windows, OSX, Linux, etc.).
So far I only see it working on Android Q devices (via the QR code sharing feature).
Any info about it?

PS: I'm also interested in whether a LuCI interface for that feature exists?