Hi Thomas,
Thanks for your efforts on this PDT.
I have a hard time decoding the following proposed equation.
1) "XXKey is the SMD_KDK if the non-AP MLD is associated to an SMD-ME in Per-AP MLD PTK mode and the PTK is not being derived at the time of (re)association to the SMD-ME". At this moment, there shall be no SMK_KDK derived on the left of the equation.
2) How to understand "if the non-AP MLD is associated to an SMD-ME"? EPPKE is an authentication phase, resulting in the derived PTKSA used to protect the subsequent association phase. Or do you want to say the non-AP MLD intends to associate with the SMD-ME after EPPKE?
3) In some places, it's said "In the case of a PTKSA between a non-AP MLD and SMD-ME, there shall only be one PTKSA (in Per-SMD PTK mode case, per key ID) with the same Supplicant MAC address and SMD identifier.". If that's true, SMD_KDK will be part of the PTKSA; why split the SMD_KDK from the PTK in the following equation?
I do feel it's quite hard to understand the following equation if you combine the Per-AP MLD PTK and Per-SMD PTK modes into one equation. How about splitting it into two different equations?
PTK [|| SMD_KDK] = KDF-HASH-NNN(XXKey, “EPPKE PTK Derivation”, SPA || BSSID || DHss [|| SMD_ID])
where
XXKey is the SMD_KDK if the non-AP MLD is associated to an SMD-ME in Per-AP MLD PTK mode and the PTK is not being derived at the time of (re)association to the SMD-ME. Otherwise, XXKey is the pairwise master key for the base AKMP.
SPA is the MAC address of the non-AP STA, or for MLO the non-AP MLD MAC address
AA is the BSSID, or for MLO the AP MLD MAC address
DHss is the shared secret derived from the PASN ephemeral key exchange or from the SMD BSS transition preparation procedure (37.15.5 (SMD BSS transition preparation procedure)), encoded as an octet string (12.4.7.2.2 (Integer to octet string conversion)).
KDF-HASH-NNN is the key derivation function defined in 12.7.1.6.2 (Key derivation function (KDF)) using the hash algorithm defined for the base AKMP; see Table 9-208 (AKM suite selectors). When the base AKMP is EPPKE AKMP, the hash algorithm is selected based on the pairwise Cipher Suite provided in the RSNE provided by the AP in the second EPPKE frame. SHA-256 is used as the hash algorithm, except for the ciphers 00-0F-AC:9 and 00-0F-AC:10 for which SHA-384 is used.
NNN is equal to KCK_bits + KEK_bits + TK_bits + KDK_bits + SMD_KDK_bits. SMD_KDK_bits is equal to PMK_bits when the PTK is derived at the time of (re)association to an SMD using Per-AP MLD PTK mode, and is zero otherwise
SMD_ID is the SMD identifier; it is included if the non-AP MLD is (re)associating to, or already associated with, an SMD-ME (in which case SMD_ID is the SMD identifier of that SMD-ME), and is not included otherwise.
Thanks
Best Regards
Jay Yang (杨志杰)
Original
From: Thomas Derham <00000ad2eabc2931-dmarc-request@xxxxxxxxxxxxxxxxx>
Date: 2026-03-08 11:16
Subject: Re: [STDS-802-11-TGBN] Roaming TTT: Review of 11-26/0426 (Per-AP MLD PTK and related topics)
Hi all
Thanks for the feedback when I presented 26/0426r1 during the MAC adhoc.
I have now uploaded R2, in which I have tried to address almost all the comments I received offline since:
There is one item that is highlighted in the Word comments, and relates to how UL replay counters are set on the target AP MLD. After discussing with several folks during the adhoc, there is a draft update to address this and I intend to incorporate it within the next R3 revision to be posted tomorrow.
Thanks
Thomas
On Mar 3, 2026 at 11:28:15, Thomas Derham <thomas.derham@xxxxxxxxxxxx> wrote:
Hi all
I have uploaded 26/0426r0 containing draft resolutions for the CIDs I was assigned on Per-AP MLD PTK and some roaming security topics. (Also attached for reference).
https://mentor.ieee.org/802.11/dcn/26/11-26-0426-00-00bn-lb291-mac-crs-for-st-per-ap-mld-ptk.docx
I would appreciate review and feedback, either on this thread or directly to me.
This covers around 50 CIDs: 4164, 4171, 4403, 4478, 4479, 4806, 4807, 5007, 5445, 5599, 5638, 5752, 6147, 6267, 6268, 6269, 6272, 6274, 6275, 6366, 6367, 6370, 6371, 6552, 6852, 6853, 6907, 7008, 7490, 9593, 9597, 10409, 10414, 11139, 11351, 11352, 11356, 11360, 12030, 12163, 12349, 12375, 12382, 12404, 12407, 12408, 12417, 12427
Thanks
Thomas
To unsubscribe from the STDS-802-11-TGBN list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBN&A=1
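Added example, not part of the e-mail thread or of 11-26/0426: the derivation quoted in the message above written out in Python, with the two cases that the "where" clause folds into one equation run as separate calls. The KDF uses the counter || label || context || length HMAC construction of 802.11 KDF-Hash-Length; the key sizes (384-bit PTK, 256-bit PMK), the 6-octet SMD_ID, the reuse of one DHss value, the second BSSID and all input bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

LABEL = b"EPPKE PTK Derivation"

def kdf_hash(key, label, context, nbits, hash_name="sha256"):
    """802.11 KDF-Hash-Length: HMAC(key, i || label || context || length), i = 1, 2, ..."""
    block_bits = hashlib.new(hash_name).digest_size * 8
    out = b""
    for i in range(1, -(-nbits // block_bits) + 1):  # ceil(nbits / block_bits) rounds
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", nbits)
        out += hmac.new(key, msg, hash_name).digest()
    return out[: nbits // 8]  # assumes nbits is a multiple of 8

def derive(xxkey, spa, bssid, dhss, smd_id=b"", at_smd_assoc_per_ap=False,
           ptk_bits=384, pmk_bits=256, hash_name="sha256"):
    """Return (PTK, SMD_KDK). ptk_bits = KCK+KEK+TK+KDK bits; 384 is an assumed value."""
    smd_kdk_bits = pmk_bits if at_smd_assoc_per_ap else 0
    nnn = ptk_bits + smd_kdk_bits
    okm = kdf_hash(xxkey, LABEL, spa + bssid + dhss + smd_id, nnn, hash_name)
    return okm[: ptk_bits // 8], okm[ptk_bits // 8:]

# Constructed sample inputs (not taken from any real exchange).
PMK = bytes(range(32))
SPA = bytes.fromhex("020000000001")
AP1 = bytes.fromhex("020000000a01")
AP2 = bytes.fromhex("020000000a02")
DHSS = hashlib.sha256(b"constructed DHss").digest()
SMD_ID = bytes.fromhex("020000005d01")  # assumed 6-octet identifier

def demo():
    # Case A: PTK derived at (re)association to the SMD in Per-AP MLD PTK mode.
    # XXKey is the PMK and the output is PTK || SMD_KDK.
    ptk_a, smd_kdk = derive(PMK, SPA, AP1, DHSS, SMD_ID, at_smd_assoc_per_ap=True)
    # Case B: PTK derived after association (assumed: toward a second BSSID).
    # XXKey is the SMD_KDK from case A and the output is the PTK only.
    ptk_b, rest_b = derive(smd_kdk, SPA, AP2, DHSS, SMD_ID)
    # Case A inputs with SMD_KDK_bits = 0: NNN is part of the HMAC input, so the
    # PTK differs from ptk_a; it is not a prefix of the longer output.
    ptk_c, _ = derive(PMK, SPA, AP1, DHSS, SMD_ID)
    return ptk_a, smd_kdk, ptk_b, rest_b, ptk_c

if __name__ == "__main__":
    for name, val in zip(("PTK_A", "SMD_KDK", "PTK_B", "rest_B", "PTK_C"), demo()):
        print(name, val.hex())
```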