To GTK rekey or not to GTK rekey? That is not the question. Can I prompt GTK rekey??

  • Thread starter Deleted member 27741
Deleted member 27741

Howdy all, been a long time since I rapped at ya. I have WOWLAN enabled on a desktop of mine, and it works well other than the fact that GTK rekeying wakes the computer.

Yes, it is not supposed to do that with "GTK rekeying for WoWlan" enabled in the wireless card settings (and offload enabled in the OS), but both Intel and Microsoft have more or less thrown their hands in the air any time someone asks about this kerfuffle, so I have no hope they will fix it before I'm dead.

This brings us to my solution and therefore question- I will set the GTK rekey interval on my router (N66U) to zero so it does not rekey. However, I would like to be able to rekey occasionally for security.

So I ask you- how can I prompt the router to "on demand" GTK rekey while still keeping the GTK rekey interval at zero? An SSH solution would be the absolute best. Anyone have other more ingenious solutions to this issue?
 
GTK rekey happens every time a STA leaves or joins the group - this is per WPA2

And this is a good thing...
 
Excuse my ignorance. What is a STA in this instance? How often does leaving or joining this group trigger GTK rekeys?

Perhaps this STA leaves or joins a group GTK rekey would be useful for my purposes if I knew more about it.


Ah, I see STA refers to wireless client in this instance. So- you are telling me the GTK rekey will trigger every time a new wireless client connects to the router? What does "new" mean here?
 
For the time being, I will reboot my router once a day to prompt a GTK rekey. Once Intel and Microsoft pull their heads out of their nether regions and get the "GTK keying for WoWLAN" option working I will change the GTK rekey interval back to an hour. Not holding my breath on this one.
 
I couldn't find a way of changing the rekey interval dynamically. You could change the NVRAM variables but that would require a restart of the wireless subsystem for it to take effect, which would defeat the purpose as all clients will be disconnected.

Instead of rebooting the entire router you could speed things up by just restarting the wireless from services-start:
Code:
#!/bin/sh

# Add a cron job named RestartWireless that restarts the wireless service every day at 06:30
/usr/sbin/cru a RestartWireless "30 6 * * * /sbin/service restart_wireless"
 
You, sir, are a gentleman and a scholar. Good idea and the code is always appreciated. I did find the 6 or so nvram variables for the GTK rekey I think as well;

wl1.3_wpa_gtk_rekey=0
wl1_wpa_gtk_rekey=0
wl0.2_wpa_gtk_rekey=0
wl_wpa_gtk_rekey=0
wl1.1_wpa_gtk_rekey=0
wl0.3_wpa_gtk_rekey=0
wl1.2_wpa_gtk_rekey=0
wl0_wpa_gtk_rekey=0
wl0.1_wpa_gtk_rekey=0

Do you think it would work to run a script to change these variables to something like 1 second, wait (for how long I don't know) for the rekey, then change it back? More of an academic question at this point since I have multiple fine options to answer my question but I like to learn. I have no good concept of how long a GTK rekey really takes or if internet/network access is lost (for how long) during a rekey either. :) I suppose that like you said if a wireless subsystem restart is required changing nvram variables is not the way to go! I may screw around with the variables at some point just for funsies, but I am pretty confident I will only find your solution is probably best.
 
Yes, those were the variables I was looking at. But just changing the variables stored in NVRAM doesn't apply them to the running system. For that you'd have to restart the wireless service (as above) to pick up the changes. And as restarting the entire wireless system forces all the clients to disconnect & reconnect (thereby getting new keys) the NVRAM changes are moot.
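
An added example, not part of any post in this thread: a read-only check over the `wl*_wpa_gtk_rekey` variables listed above that reports which interfaces have group rekeying disabled (value 0) in the stored configuration. The sample input and the function names are constructed; on the router the input is assumed to come from `nvram show` printing `name=value` lines.

```shell
#!/bin/sh
# Added example: audit GTK rekey settings from NVRAM-style name=value lines.
# Reads stdin so it runs offline; on the router (assumption):
#   nvram show 2>/dev/null | gtk_rekey_audit

# Print one line per wireless interface: "<iface> DISABLED|INVALID|interval=<n>"
gtk_rekey_audit() {
    awk -F= '
        # Match wl_, wlN_ and wlN.M_ prefixes followed by wpa_gtk_rekey
        /^wl[0-9]*(\.[0-9]+)?_wpa_gtk_rekey=/ {
            iface = $1
            sub(/_wpa_gtk_rekey$/, "", iface)
            val = $2
            if (val !~ /^[0-9]+$/)  state = "INVALID"
            else if (val + 0 == 0)  state = "DISABLED"
            else                    state = "interval=" val
            printf "%-6s %s\n", iface, state
        }
    ' | sort
}

# Print how many interfaces have group rekeying disabled (0 if none)
gtk_rekey_disabled_count() {
    gtk_rekey_audit | awk '$2 == "DISABLED" { n++ } END { print n + 0 }'
}

# Constructed sample input (not taken from a real router)
sample_nvram() {
    cat <<'EOF'
wl0_ssid=example-2g
wl0_wpa_gtk_rekey=0
wl0.1_wpa_gtk_rekey=3600
wl1_wpa_gtk_rekey=0
wl1_wpa_psk=not-a-real-key
wl_wpa_gtk_rekey=0
EOF
}

sample_nvram | gtk_rekey_audit
echo "interfaces with rekey disabled: $(sample_nvram | gtk_rekey_disabled_count)"
```

This reads the stored values only; as the post above says, the running wireless service keeps its current setting until it is restarted.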
 
Disabling GTK Rekey isn't really solving the issue - and this actually can cause security concerns - there's a reason why we rotate the GTK in the first place. As I mentioned earlier, the GTK spins each time a client STA associates (or disassociates) from the WLAN, so that's a good test to check - if the problem is GTK rekeying, then it should happen very often - take a mobile phone, associate with the WLAN, and then remove the profile from the handset, this will trigger a GTK rekey event.

That being said - here's a couple of articles to look at...

https://docs.microsoft.com/en-us/windows-hardware/drivers/network/wake-on-wireless-lan

https://docs.microsoft.com/en-us/windows-hardware/drivers/network/wake-up-events

With your Intel NIC (you did not mention which one) - the Intel ProSET WiFi kit is a bit of a mess - uninstall everything there with it, and I would actually suggest using the Windows Update provided drivers first - Intel and Microsoft are pretty good about keeping them up to date there.
 
Something tells me, ColinTaylor, that if we (by that I mean you and sfx) put our heads together we could find out how to trigger a GTK event. But my nerd power wanes. These are difficult times, what with Windows 10 being a mish mash of menus and wrestling with the reality that "visual voicemail is currently unavailable" shall always inhabit my iphone screen- ye old router sees less and less nerding. Perhaps one fine day I will achieve the nerd power to tackle GTK, but alas not this day.
 
These are difficult times, what with Windows 10 being a mish mash of menus and wrestling with the reality that "visual voicemail is currently unavailable" shall always inhabit my iphone screen

Can't fix Win10 :D

With iPhone and Visual Voice Mail - that's usually fixed by operator's Customer Care team - VVM is a feature code on the subscriber profile on their side.
 