Continue trickle on initial EAPOL-key TX failure

On medium and large networks, if initial EAPOL-key fails to TX failure,
supplicant now continues trickle sequence, and before next initial EAPOL-key
is sent, asks bootstrap the best parent from the same PAN ID to try the
authentication.

If bootstrap does not have the next best parent, supplicant continues with
the current target and attempts to send to it. If TX still fails, then a
next target selection is made, when trickle expires. Continuing the trickle
sequence on all cases, should balance the network load.

If initial EAPOL-key TX does not fail, then supplicant sticks to current
parent as previously. It retry is made shortly, parent might have e.g.
neighbor table entry already for the node.

Author: Mika Leppänen

source/6LoWPAN/ws/ws_bootstrap.c

@@ -97,13 +97,14 @@ static void ws_bootstrap_nw_frame_counter_set(protocol_interface_info_entry_t *c
 static void ws_bootstrap_nw_frame_counter_read(protocol_interface_info_entry_t *cur, uint32_t *counter, uint8_t slot);
 static void ws_bootstrap_nw_info_updated(protocol_interface_info_entry_t *interface_ptr, uint16_t pan_id, char *network_name);
 static void ws_bootstrap_authentication_completed(protocol_interface_info_entry_t *cur, auth_result_e result, uint8_t *target_eui_64);
+static const uint8_t *ws_bootstrap_authentication_next_target(protocol_interface_info_entry_t *cur, const uint8_t *previous_eui_64, uint16_t *pan_id);
 static void ws_bootstrap_pan_version_increment(protocol_interface_info_entry_t *cur);
 static ws_nud_table_entry_t *ws_nud_entry_discover(protocol_interface_info_entry_t *cur, void *neighbor);
 static void ws_nud_entry_remove(protocol_interface_info_entry_t *cur, mac_neighbor_table_entry_t *entry_ptr);
 static bool ws_neighbor_entry_nud_notify(mac_neighbor_table_entry_t *entry_ptr, void *user_data);
 
 static void ws_address_registration_update(protocol_interface_info_entry_t *interface, const uint8_t addr[16]);
-
+static int8_t ws_bootstrap_neighbor_set(protocol_interface_info_entry_t *cur, parent_info_t *parent_ptr);
 
 static void ws_bootstrap_candidate_table_reset(protocol_interface_info_entry_t *cur);
 static parent_info_t *ws_bootstrap_candidate_parent_get(struct protocol_interface_info_entry *cur, const uint8_t *addr, bool create);
@@ -1129,7 +1130,7 @@ static parent_info_t *ws_bootstrap_candidate_parent_allocate(protocol_interface_
     return entry;
 }
 
-static void ws_bootstrap_candidate_parent_free(protocol_interface_info_entry_t *cur, uint8_t *addr)
+static void ws_bootstrap_candidate_parent_free(protocol_interface_info_entry_t *cur, const uint8_t *addr)
 {
     ns_list_foreach_safe(parent_info_t, entry, &cur->ws_info->parent_list_reserved) {
         if (memcmp(entry->addr, addr, 8) == 0) {
@@ -1986,7 +1987,7 @@ int ws_bootstrap_init(int8_t interface_id, net_6lowpan_mode_e bootstrap_mode)
         ret_val =  -4;
         goto init_fail;
     }
-    if (ws_pae_controller_cb_register(cur, &ws_bootstrap_authentication_completed, &ws_bootstrap_nw_key_set, &ws_bootstrap_nw_key_clear, &ws_bootstrap_nw_key_index_set, &ws_bootstrap_nw_frame_counter_set, &ws_bootstrap_nw_frame_counter_read, &ws_bootstrap_pan_version_increment, &ws_bootstrap_nw_info_updated) < 0) {
+    if (ws_pae_controller_cb_register(cur, &ws_bootstrap_authentication_completed, &ws_bootstrap_authentication_next_target, &ws_bootstrap_nw_key_set, &ws_bootstrap_nw_key_clear, &ws_bootstrap_nw_key_index_set, &ws_bootstrap_nw_frame_counter_set, &ws_bootstrap_nw_frame_counter_read, &ws_bootstrap_pan_version_increment, &ws_bootstrap_nw_info_updated) < 0) {
         ret_val =  -4;
         goto init_fail;
     }
@@ -2759,6 +2760,24 @@ static void ws_bootstrap_authentication_completed(protocol_interface_info_entry_
     }
 }
 
+static const uint8_t *ws_bootstrap_authentication_next_target(protocol_interface_info_entry_t *cur, const uint8_t *previous_eui_64, uint16_t *pan_id)
+{
+    ws_bootstrap_candidate_parent_free(cur, previous_eui_64);
+
+    // Gets best target
+    parent_info_t *parent_info = ws_bootstrap_candidate_parent_get_best(cur);
+    if (parent_info) {
+        /* On failure still continues with the new parent, and on next call,
+           will try to set the neighbor again */
+        ws_bootstrap_neighbor_set(cur, parent_info);
+        *pan_id = parent_info->pan_id;
+        return parent_info->addr;
+    }
+
+    // If no targets found, retries the last one
+    return previous_eui_64;
+}
+
 // Start configuration learning
 static void ws_bootstrap_start_configuration_learn(protocol_interface_info_entry_t *cur)
 {
@@ -3148,6 +3167,34 @@ static void ws_bootstrap_event_handler(arm_event_s *event)
     }
 }
 
+static int8_t ws_bootstrap_neighbor_set(protocol_interface_info_entry_t *cur, parent_info_t *parent_ptr)
+{
+    uint16_t pan_id = cur->ws_info->network_pan_id;
+
+    // Add EAPOL neighbor
+    cur->ws_info->network_pan_id = parent_ptr->pan_id;
+    cur->ws_info->pan_information = parent_ptr->pan_information;
+    cur->ws_info->pan_information.pan_version = 0; // This is learned from actual configuration
+
+    // If PAN ID changes, clear learned neighbors and activate FHSS
+    if (pan_id != cur->ws_info->network_pan_id) {
+        ws_bootstrap_neighbor_list_clean(cur);
+        ws_bootstrap_fhss_activate(cur);
+    }
+
+    llc_neighbour_req_t neighbor_info;
+    if (!ws_bootstrap_neighbor_info_request(cur, parent_ptr->addr, &neighbor_info, true)) {
+        //Remove Neighbour and set Link setup back
+        ns_list_remove(&cur->ws_info->parent_list_reserved, parent_ptr);
+        ns_list_add_to_end(&cur->ws_info->parent_list_free, parent_ptr);
+        return -1;
+    }
+
+    ws_neighbor_class_neighbor_unicast_time_info_update(neighbor_info.ws_neighbor, &parent_ptr->ws_utt, parent_ptr->timestamp);
+    ws_neighbor_class_neighbor_unicast_schedule_set(neighbor_info.ws_neighbor, &parent_ptr->ws_us);
+    return 0;
+}
+
 /*
  * State machine
  *
@@ -3174,23 +3221,10 @@ void ws_bootstrap_network_scan_process(protocol_interface_info_entry_t *cur)
     }
     tr_info("selected parent:%s panid %u", trace_array(selected_parent_ptr->addr, 8), selected_parent_ptr->pan_id);
 
-    // Add EAPOL neighbour
-    cur->ws_info->network_pan_id = selected_parent_ptr->pan_id;
-    cur->ws_info->pan_information = selected_parent_ptr->pan_information;
-    cur->ws_info->pan_information.pan_version = 0; // This is learned from actual configuration
-
-    ws_bootstrap_fhss_activate(cur);
-    llc_neighbour_req_t neighbor_info;
-    if (!ws_bootstrap_neighbor_info_request(cur, selected_parent_ptr->addr, &neighbor_info, true)) {
-        //Remove Neighbour and set Link setup back
-        ns_list_remove(&cur->ws_info->parent_list_reserved, selected_parent_ptr);
-        ns_list_add_to_end(&cur->ws_info->parent_list_free, selected_parent_ptr);
+    if (ws_bootstrap_neighbor_set(cur, selected_parent_ptr) < 0) {
         goto select_best_candidate;
     }
 
-    ws_neighbor_class_neighbor_unicast_time_info_update(neighbor_info.ws_neighbor, &selected_parent_ptr->ws_utt, selected_parent_ptr->timestamp);
-    ws_neighbor_class_neighbor_unicast_schedule_set(neighbor_info.ws_neighbor, &selected_parent_ptr->ws_us);
-
     ws_pae_controller_set_target(cur, selected_parent_ptr->pan_id, selected_parent_ptr->addr); // temporary!!! store since auth
     ws_bootstrap_event_authentication_start(cur);
     return;

source/6LoWPAN/ws/ws_config.h

@@ -207,7 +207,7 @@ extern uint8_t DEVICE_MIN_SENS;
 // Maximum number of simultaneous security negotiations
 #define MAX_SIMULTANEOUS_SECURITY_NEGOTIATIONS_SMALL     3
 #define MAX_SIMULTANEOUS_SECURITY_NEGOTIATIONS_MEDIUM    20
-#define MAX_SIMULTANEOUS_SECURITY_NEGOTIATIONS_LARGE     100
+#define MAX_SIMULTANEOUS_SECURITY_NEGOTIATIONS_LARGE     50
 
 /*
  *  Security protocol timer configuration parameters

source/6LoWPAN/ws/ws_pae_controller.c

@@ -87,6 +87,7 @@ typedef struct {
     ws_pae_controller_nw_frame_counter_read *nw_frame_counter_read;  /**< Frame counter read callback */
     ws_pae_controller_pan_ver_increment *pan_ver_increment;          /**< PAN version increment callback */
     ws_pae_controller_nw_info_updated *nw_info_updated;              /**< Network information updated callback */
+    ws_pae_controller_auth_next_target *auth_next_target;            /**< Authentication next target callback */
     ws_pae_delete *pae_delete;                                       /**< PAE delete callback */
     ws_pae_timer *pae_fast_timer;                                    /**< PAE fast timer callback */
     ws_pae_timer *pae_slow_timer;                                    /**< PAE slow timer callback */
@@ -221,7 +222,7 @@ int8_t ws_pae_controller_authenticator_start(protocol_interface_info_entry_t *in
     return 0;
 }
 
-int8_t ws_pae_controller_cb_register(protocol_interface_info_entry_t *interface_ptr, ws_pae_controller_auth_completed *completed, ws_pae_controller_nw_key_set *nw_key_set, ws_pae_controller_nw_key_clear *nw_key_clear, ws_pae_controller_nw_send_key_index_set *nw_send_key_index_set, ws_pae_controller_nw_frame_counter_set *nw_frame_counter_set, ws_pae_controller_nw_frame_counter_read *nw_frame_counter_read, ws_pae_controller_pan_ver_increment *pan_ver_increment, ws_pae_controller_nw_info_updated *nw_info_updated)
+int8_t ws_pae_controller_cb_register(protocol_interface_info_entry_t *interface_ptr, ws_pae_controller_auth_completed *completed, ws_pae_controller_auth_next_target *auth_next_target, ws_pae_controller_nw_key_set *nw_key_set, ws_pae_controller_nw_key_clear *nw_key_clear, ws_pae_controller_nw_send_key_index_set *nw_send_key_index_set, ws_pae_controller_nw_frame_counter_set *nw_frame_counter_set, ws_pae_controller_nw_frame_counter_read *nw_frame_counter_read, ws_pae_controller_pan_ver_increment *pan_ver_increment, ws_pae_controller_nw_info_updated *nw_info_updated)
 {
     if (!interface_ptr) {
         return -1;
@@ -240,7 +241,7 @@ int8_t ws_pae_controller_cb_register(protocol_interface_info_entry_t *interface_
     controller->nw_frame_counter_read = nw_frame_counter_read;
     controller->pan_ver_increment = pan_ver_increment;
     controller->nw_info_updated = nw_info_updated;
-
+    controller->auth_next_target = auth_next_target;
     return 0;
 }
 
@@ -602,6 +603,9 @@ int8_t ws_pae_controller_init(protocol_interface_info_entry_t *interface_ptr)
     controller->nw_send_key_index_set = NULL;
     controller->nw_frame_counter_set = NULL;
     controller->pan_ver_increment = NULL;
+    controller->nw_info_updated = NULL;
+    controller->auth_next_target = NULL;
+
     memset(&controller->sec_timer_cfg, 0, sizeof(ws_sec_timer_cfg_t));
     memset(&controller->sec_prot_cfg, 0, sizeof(sec_prot_cfg_t));
 
@@ -801,7 +805,7 @@ int8_t ws_pae_controller_supp_init(protocol_interface_info_entry_t *interface_pt
     controller->pae_nw_key_index_update = ws_pae_supp_nw_key_index_update;
     controller->pae_nw_info_set = NULL;
 
-    ws_pae_supp_cb_register(controller->interface_ptr, controller->auth_completed, ws_pae_controller_nw_key_check_and_insert, ws_pae_controller_active_nw_key_set, ws_pae_controller_gtk_hash_ptr_get, ws_pae_controller_nw_info_updated_check);
+    ws_pae_supp_cb_register(controller->interface_ptr, controller->auth_completed, controller->auth_next_target, ws_pae_controller_nw_key_check_and_insert, ws_pae_controller_active_nw_key_set, ws_pae_controller_gtk_hash_ptr_get, ws_pae_controller_nw_info_updated_check);
 
     ws_pae_controller_frame_counter_read(controller);
     ws_pae_controller_nw_info_read(controller, controller->sec_keys_nw_info.gtks);

source/6LoWPAN/ws/ws_pae_controller.h

@@ -492,6 +492,18 @@ typedef void ws_pae_controller_nw_frame_counter_read(protocol_interface_info_ent
  */
 typedef void ws_pae_controller_auth_completed(protocol_interface_info_entry_t *interface_ptr, auth_result_e result, uint8_t *target_eui_64);
 
+/**
+ * ws_pae_controller_auth_next_target get next target to attempt authentication
+ *
+ * \param interface_ptr interface
+ * \param previous_eui_64 EUI-64 of previous target
+ * \param pan_id pan id
+ *
+ * \return EUI-64 of the next target or previous target if new one not available
+ *
+ */
+typedef const uint8_t *ws_pae_controller_auth_next_target(protocol_interface_info_entry_t *interface_ptr, const uint8_t *previous_eui_64, uint16_t *pan_id);
+
 /**
  * ws_pae_controller_pan_ver_increment PAN version increment callback
  *
@@ -515,6 +527,7 @@ typedef void ws_pae_controller_nw_info_updated(protocol_interface_info_entry_t *
  *
  * \param interface_ptr interface
  * \param completed authentication completed callback
+ * \param next_target authentication next target callback
  * \param nw_key_set network key set callback
  * \param nw_key_clear network key clear callback
  * \param nw_send_key_index_set network send key index set callback
@@ -527,7 +540,7 @@ typedef void ws_pae_controller_nw_info_updated(protocol_interface_info_entry_t *
  * \return >= 0 success
  *
  */
-int8_t ws_pae_controller_cb_register(protocol_interface_info_entry_t *interface_ptr, ws_pae_controller_auth_completed *completed, ws_pae_controller_nw_key_set *nw_key_set, ws_pae_controller_nw_key_clear *nw_key_clear, ws_pae_controller_nw_send_key_index_set *nw_send_key_index_set, ws_pae_controller_nw_frame_counter_set *nw_frame_counter_set, ws_pae_controller_nw_frame_counter_read *nw_frame_counter_read, ws_pae_controller_pan_ver_increment *pan_ver_increment, ws_pae_controller_nw_info_updated *nw_info_updated);
+int8_t ws_pae_controller_cb_register(protocol_interface_info_entry_t *interface_ptr, ws_pae_controller_auth_completed *completed, ws_pae_controller_auth_next_target *auth_next_target, ws_pae_controller_nw_key_set *nw_key_set, ws_pae_controller_nw_key_clear *nw_key_clear, ws_pae_controller_nw_send_key_index_set *nw_send_key_index_set, ws_pae_controller_nw_frame_counter_set *nw_frame_counter_set, ws_pae_controller_nw_frame_counter_read *nw_frame_counter_read, ws_pae_controller_pan_ver_increment *pan_ver_increment, ws_pae_controller_nw_info_updated *nw_info_updated);
 
 /**
  * ws_pae_controller_fast_timer PAE controller fast timer call

source/6LoWPAN/ws/ws_pae_supp.c

@@ -86,6 +86,7 @@ typedef struct {
     kmp_service_t *kmp_service;                            /**< KMP service */
     protocol_interface_info_entry_t *interface_ptr;        /**< Interface */
     ws_pae_supp_auth_completed *auth_completed;            /**< Authentication completed callback, continue bootstrap */
+    ws_pae_supp_auth_next_target *auth_next_target;        /**< Authentication next target callback */
     ws_pae_supp_nw_key_insert *nw_key_insert;              /**< Key insert callback */
     ws_pae_supp_nw_key_index_set *nw_key_index_set;        /**< Key index set callback */
     ws_pae_supp_gtk_hash_ptr_get *gtk_hash_ptr_get;        /**< Get pointer to GTK hash storage callback */
@@ -107,7 +108,8 @@ typedef struct {
     bool timer_running : 1;                                /**< Timer is running */
     bool new_br_eui_64_set : 1;                            /**< Border router address has been set */
     bool new_br_eui_64_fresh : 1;                          /**< Border router address is fresh (set during this authentication attempt) */
-    bool entry_address_active: 1;
+    bool entry_address_active: 1;                          /**< EAPOL target address is set */
+    bool tx_failure_on_initial_key: 1;                     /**< TX failure has happened on initial EAPOL-key sequence */
 } pae_supp_t;
 
 // How many times sending of initial EAPOL-key is initiated on key update
@@ -492,14 +494,15 @@ static int8_t ws_pae_supp_nw_keys_valid_check(pae_supp_t *pae_supp, uint16_t pan
     }
 }
 
-void ws_pae_supp_cb_register(protocol_interface_info_entry_t *interface_ptr, ws_pae_supp_auth_completed *completed, ws_pae_supp_nw_key_insert *nw_key_insert, ws_pae_supp_nw_key_index_set *nw_key_index_set, ws_pae_supp_gtk_hash_ptr_get *gtk_hash_ptr_get, ws_pae_supp_nw_info_updated *nw_info_updated)
+void ws_pae_supp_cb_register(protocol_interface_info_entry_t *interface_ptr, ws_pae_supp_auth_completed *completed, ws_pae_supp_auth_next_target *auth_next_target, ws_pae_supp_nw_key_insert *nw_key_insert, ws_pae_supp_nw_key_index_set *nw_key_index_set, ws_pae_supp_gtk_hash_ptr_get *gtk_hash_ptr_get, ws_pae_supp_nw_info_updated *nw_info_updated)
 {
     pae_supp_t *pae_supp = ws_pae_supp_get(interface_ptr);
     if (!pae_supp) {
         return;
     }
 
     pae_supp->auth_completed = completed;
+    pae_supp->auth_next_target = auth_next_target;
     pae_supp->nw_key_insert = nw_key_insert;
     pae_supp->nw_key_index_set = nw_key_index_set;
     pae_supp->gtk_hash_ptr_get = gtk_hash_ptr_get;
@@ -523,6 +526,7 @@ int8_t ws_pae_supp_init(protocol_interface_info_entry_t *interface_ptr, const se
 
     pae_supp->interface_ptr = interface_ptr;
     pae_supp->auth_completed = NULL;
+    pae_supp->auth_next_target = NULL;
     pae_supp->nw_key_insert = NULL;
     pae_supp->nw_key_index_set = NULL;
     pae_supp->gtk_hash_ptr_get = NULL;
@@ -763,6 +767,16 @@ void ws_pae_supp_slow_timer(uint16_t seconds)
                 // Checks if trickle timer expires
                 if (trickle_timer(&pae_supp->auth_trickle_timer, &pae_supp->auth_trickle_params, seconds)) {
                     if (pae_supp->initial_key_retry_cnt > 0) {
+                        // On initial EAPOL-key TX failure, check for other parents
+                        if (pae_supp->auth_requested && pae_supp->tx_failure_on_initial_key) {
+                            // Returns same target if no other valid targets found
+                            const uint8_t *next_target = pae_supp->auth_next_target(pae_supp->interface_ptr, kmp_address_eui_64_get(&pae_supp->target_addr), &pae_supp->sec_keys_nw_info->key_pan_id);
+                            kmp_address_init(KMP_ADDR_EUI_64, &pae_supp->target_addr, next_target);
+                            // Sets target address in use
+                            ws_pae_supp_address_set(pae_supp, &pae_supp->target_addr);
+                        }
+                        pae_supp->tx_failure_on_initial_key = false;
+                        // Sends initial EAPOL-key
                         if (ws_pae_supp_initial_key_send(pae_supp) < 0) {
                             tr_info("EAPOL-Key send failed");
                         }
@@ -777,7 +791,12 @@ void ws_pae_supp_slow_timer(uint16_t seconds)
                             tr_info("GTKs do not match to GTK hash");
                             retry = true;
                         }
-                        ws_pae_supp_authenticate_response(pae_supp, AUTH_RESULT_ERR_UNSPEC);
+                        auth_result_e result = AUTH_RESULT_ERR_UNSPEC;
+                        if (pae_supp->tx_failure_on_initial_key) {
+                            result = AUTH_RESULT_ERR_TX_NO_ACK;
+                            pae_supp->tx_failure_on_initial_key = false;
+                        }
+                        ws_pae_supp_authenticate_response(pae_supp, result);
                         if (retry) {
                             // Start trickle timer to try re-authentication
                             ws_pae_supp_initial_key_update_trickle_timer_start(pae_supp, KEY_UPDATE_RETRY_COUNT);
@@ -815,7 +834,7 @@ void ws_pae_supp_slow_timer(uint16_t seconds)
                 pae_supp->initial_key_timer -= seconds;
             } else {
                 pae_supp->initial_key_timer = 0;
-
+                pae_supp->tx_failure_on_initial_key = false;
                 // Sends initial EAPOL-Key message
                 if (ws_pae_supp_initial_key_send(pae_supp) < 0) {
                     tr_info("EAPOL-Key send failed");
@@ -1188,7 +1207,8 @@ static void ws_pae_supp_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e
         /* Fails authentication only if other authentication protocols are not yet
            started by authenticator */
         if (ws_pae_lib_kmp_list_count(&pae_supp->entry.kmp_list) <= 1) {
-            ws_pae_supp_authenticate_response(pae_supp, AUTH_RESULT_ERR_TX_NO_ACK);
+            // Continues with trickle but selects different parent
+            pae_supp->tx_failure_on_initial_key = true;
         }
     }
 }