Adjusted EAPOL limits and timers

Set maximum ongoing security negotiation to 100 for large networks.
Now both supplicant limit and TLS limit uses same value. Changed
wait for supplicant to answer timeout on authenticator to 2 minutes,
and wait timer after authentication has completed to 15 seconds.
These will allow border router to cycle to next authentication
faster. Made supplicant initial-Key timer configurable, but now yet
enabled changes the configutations (very slow network set to 5000
devices to not to enable yet).

Author: Mika Leppänen

source/6LoWPAN/ws/ws_cfg_settings.c

@@ -374,7 +374,13 @@ static void ws_cfg_network_size_config_set_small(ws_cfg_nw_size_t *cfg)
     cfg->sec_prot.sec_prot_trickle_imax = SEC_PROT_SMALL_IMAX;
     cfg->sec_prot.sec_prot_trickle_timer_exp = SEC_PROT_TIMER_EXPIRATIONS;
     cfg->sec_prot.sec_prot_retry_timeout = SEC_PROT_RETRY_TIMEOUT_SMALL;
-    cfg->sec_prot.sec_max_ongoing_authentication = MAX_SIMULTANEOUS_EAP_TLS_NEGOTIATIONS_SMALL;
+
+    cfg->sec_prot.sec_max_ongoing_authentication = MAX_SIMULTANEOUS_SECURITY_NEGOTIATIONS_SMALL;
+
+    cfg->sec_prot.initial_key_retry_delay = DEFAULT_INITIAL_KEY_RETRY_TIMER;
+    cfg->sec_prot.initial_key_imin = DEFAULT_INITIAL_KEY_TRICKLE_IMIN_SECS;
+    cfg->sec_prot.initial_key_imax = DEFAULT_INITIAL_KEY_TRICKLE_IMAX_SECS;
+    cfg->sec_prot.initial_key_retry_cnt = DEFAULT_INITIAL_KEY_RETRY_COUNT;
 }
 
 static void ws_cfg_network_size_config_set_medium(ws_cfg_nw_size_t *cfg)
@@ -404,7 +410,13 @@ static void ws_cfg_network_size_config_set_medium(ws_cfg_nw_size_t *cfg)
     cfg->sec_prot.sec_prot_trickle_imax = SEC_PROT_SMALL_IMAX;
     cfg->sec_prot.sec_prot_trickle_timer_exp = SEC_PROT_TIMER_EXPIRATIONS;
     cfg->sec_prot.sec_prot_retry_timeout = SEC_PROT_RETRY_TIMEOUT_SMALL;
-    cfg->sec_prot.sec_max_ongoing_authentication = MAX_SIMULTANEOUS_EAP_TLS_NEGOTIATIONS_MEDIUM;
+
+    cfg->sec_prot.sec_max_ongoing_authentication = MAX_SIMULTANEOUS_SECURITY_NEGOTIATIONS_MEDIUM;
+
+    cfg->sec_prot.initial_key_retry_delay = DEFAULT_INITIAL_KEY_RETRY_TIMER;
+    cfg->sec_prot.initial_key_imin = DEFAULT_INITIAL_KEY_TRICKLE_IMIN_SECS;
+    cfg->sec_prot.initial_key_imax = DEFAULT_INITIAL_KEY_TRICKLE_IMAX_SECS;
+    cfg->sec_prot.initial_key_retry_cnt = DEFAULT_INITIAL_KEY_RETRY_COUNT;
 }
 
 static void ws_cfg_network_size_config_set_large(ws_cfg_nw_size_t *cfg)
@@ -434,7 +446,21 @@ static void ws_cfg_network_size_config_set_large(ws_cfg_nw_size_t *cfg)
     cfg->sec_prot.sec_prot_trickle_imax = SEC_PROT_LARGE_IMAX;
     cfg->sec_prot.sec_prot_trickle_timer_exp = SEC_PROT_TIMER_EXPIRATIONS;
     cfg->sec_prot.sec_prot_retry_timeout = SEC_PROT_RETRY_TIMEOUT_LARGE;
-    cfg->sec_prot.sec_max_ongoing_authentication = MAX_SIMULTANEOUS_EAP_TLS_NEGOTIATIONS_LARGE;
+
+    cfg->sec_prot.sec_max_ongoing_authentication = MAX_SIMULTANEOUS_SECURITY_NEGOTIATIONS_LARGE;
+
+    if (cfg->gen.network_size > 50 && cfg->gen.network_size != NETWORK_SIZE_AUTOMATIC) {
+        // If more than 5000 devices uses very slow initial trickle timer
+        cfg->sec_prot.initial_key_retry_delay = NONE_INITIAL_KEY_RETRY_TIMER;
+        cfg->sec_prot.initial_key_imin = VERY_SLOW_NW_INITIAL_KEY_TRICKLE_IMIN_SECS;
+        cfg->sec_prot.initial_key_imax = VERY_SLOW_NW_INITIAL_KEY_TRICKLE_IMAX_SECS;
+        cfg->sec_prot.initial_key_retry_cnt = DEFAULT_INITIAL_KEY_RETRY_COUNT;
+    } else {
+        cfg->sec_prot.initial_key_retry_delay = DEFAULT_INITIAL_KEY_RETRY_TIMER;
+        cfg->sec_prot.initial_key_imin = DEFAULT_INITIAL_KEY_TRICKLE_IMIN_SECS;
+        cfg->sec_prot.initial_key_imax = DEFAULT_INITIAL_KEY_TRICKLE_IMAX_SECS;
+        cfg->sec_prot.initial_key_retry_cnt = DEFAULT_INITIAL_KEY_RETRY_COUNT;
+    }
 }
 
 static void ws_cfg_network_size_config_set_certificate(ws_cfg_nw_size_t *cfg)
@@ -464,7 +490,13 @@ static void ws_cfg_network_size_config_set_certificate(ws_cfg_nw_size_t *cfg)
     cfg->sec_prot.sec_prot_trickle_imax = SEC_PROT_SMALL_IMAX;
     cfg->sec_prot.sec_prot_trickle_timer_exp = SEC_PROT_TIMER_EXPIRATIONS;
     cfg->sec_prot.sec_prot_retry_timeout = SEC_PROT_RETRY_TIMEOUT_SMALL;
-    cfg->sec_prot.sec_max_ongoing_authentication = MAX_SIMULTANEOUS_EAP_TLS_NEGOTIATIONS_SMALL;
+
+    cfg->sec_prot.sec_max_ongoing_authentication = MAX_SIMULTANEOUS_SECURITY_NEGOTIATIONS_SMALL;
+
+    cfg->sec_prot.initial_key_retry_delay = DEFAULT_INITIAL_KEY_RETRY_TIMER;
+    cfg->sec_prot.initial_key_imin = DEFAULT_INITIAL_KEY_TRICKLE_IMIN_SECS;
+    cfg->sec_prot.initial_key_imax = DEFAULT_INITIAL_KEY_TRICKLE_IMAX_SECS;
+    cfg->sec_prot.initial_key_retry_cnt = DEFAULT_INITIAL_KEY_RETRY_COUNT;
 }
 
 static int8_t ws_cfg_gen_default_set(ws_gen_cfg_t *cfg)
@@ -1011,7 +1043,12 @@ static int8_t ws_cfg_sec_prot_default_set(ws_sec_prot_cfg_t *cfg)
     cfg->sec_prot_trickle_imax = SEC_PROT_SMALL_IMAX;
     cfg->sec_prot_trickle_timer_exp = 2;
     cfg->sec_prot_retry_timeout = SEC_PROT_RETRY_TIMEOUT_SMALL;
-    cfg->sec_max_ongoing_authentication = MAX_SIMULTANEOUS_EAP_TLS_NEGOTIATIONS_MEDIUM;
+    cfg->sec_max_ongoing_authentication = MAX_SIMULTANEOUS_SECURITY_NEGOTIATIONS_MEDIUM;
+    cfg->initial_key_retry_delay = DEFAULT_INITIAL_KEY_RETRY_TIMER;
+    cfg->initial_key_imin = DEFAULT_INITIAL_KEY_TRICKLE_IMIN_SECS;
+    cfg->initial_key_imax = DEFAULT_INITIAL_KEY_TRICKLE_IMAX_SECS;
+    cfg->initial_key_retry_cnt = DEFAULT_INITIAL_KEY_RETRY_COUNT;
+
     return CFG_SETTINGS_OK;
 }
 
@@ -1032,7 +1069,11 @@ int8_t ws_cfg_sec_prot_validate(ws_sec_prot_cfg_t *cfg, ws_sec_prot_cfg_t *new_c
             cfg->sec_prot_trickle_imax != new_cfg->sec_prot_trickle_imax ||
             cfg->sec_prot_trickle_timer_exp != new_cfg->sec_prot_trickle_timer_exp ||
             cfg->sec_prot_retry_timeout != new_cfg->sec_prot_retry_timeout ||
-            cfg->sec_max_ongoing_authentication != new_cfg->sec_max_ongoing_authentication) {
+            cfg->sec_max_ongoing_authentication != new_cfg->sec_max_ongoing_authentication ||
+            cfg->initial_key_retry_delay != new_cfg->initial_key_retry_delay ||
+            cfg->initial_key_imin != new_cfg->initial_key_retry_delay ||
+            cfg->initial_key_imax != new_cfg->initial_key_retry_delay ||
+            cfg->initial_key_retry_cnt != new_cfg->initial_key_retry_delay) {
 
         return CFG_SETTINGS_CHANGED;
     }

source/6LoWPAN/ws/ws_cfg_settings.h

@@ -108,11 +108,15 @@ typedef struct ws_sec_timer_cfg_s {
  * \brief Struct ws_sec_prot_cfg_t Security protocols configuration
  */
 typedef struct ws_sec_prot_cfg_s {
-    uint16_t sec_prot_retry_timeout;    /**< Security protocol retry timeout; seconds; default 330 */
-    uint16_t sec_prot_trickle_imin;     /**< Security protocol trickle parameters Imin; seconds; default 30 */
-    uint16_t sec_prot_trickle_imax;     /**< Security protocol trickle parameters Imax; seconds; default 90 */
-    uint8_t sec_prot_trickle_timer_exp; /**< Security protocol trickle timer expirations; default 2 */
-    uint16_t sec_max_ongoing_authentication; /**< Pae authenticator max Accept ongoing authentication count */
+    uint16_t sec_prot_retry_timeout;          /**< Security protocol retry timeout; seconds; default 330 */
+    uint16_t sec_prot_trickle_imin;           /**< Security protocol trickle parameters Imin; seconds; default 30 */
+    uint16_t sec_prot_trickle_imax;           /**< Security protocol trickle parameters Imax; seconds; default 90 */
+    uint8_t sec_prot_trickle_timer_exp;       /**< Security protocol trickle timer expirations; default 2 */
+    uint16_t sec_max_ongoing_authentication;  /**< Pae authenticator max Accept ongoing authentication count */
+    uint16_t initial_key_retry_delay;         /**< Delay before starting initial key trickle; seconds; default 120 */
+    uint16_t initial_key_imin;                /**< Initial key trickle Imin; seconds; default 360 */
+    uint16_t initial_key_imax;                /**< Initial key trickle Imax; seconds; default 720 */
+    uint8_t initial_key_retry_cnt;            /**< Number of initial key retries; default 2 */
 } ws_sec_prot_cfg_t;
 
 /**

source/6LoWPAN/ws/ws_config.h

@@ -203,10 +203,10 @@ extern uint8_t DEVICE_MIN_SENS;
 
 #define SEC_PROT_TIMER_EXPIRATIONS 2        // Number of retries
 
-// Maximum number of simultaneous EAP-TLS negotiations
-#define MAX_SIMULTANEOUS_EAP_TLS_NEGOTIATIONS_SMALL     3
-#define MAX_SIMULTANEOUS_EAP_TLS_NEGOTIATIONS_MEDIUM    20
-#define MAX_SIMULTANEOUS_EAP_TLS_NEGOTIATIONS_LARGE       50
+// Maximum number of simultaneous security negotiations
+#define MAX_SIMULTANEOUS_SECURITY_NEGOTIATIONS_SMALL     3
+#define MAX_SIMULTANEOUS_SECURITY_NEGOTIATIONS_MEDIUM    20
+#define MAX_SIMULTANEOUS_SECURITY_NEGOTIATIONS_LARGE     100
 
 /*
  *  Security protocol timer configuration parameters
@@ -222,4 +222,23 @@ extern uint8_t DEVICE_MIN_SENS;
 #define DEFAULT_GTK_MAX_MISMATCH                64                       // 64 minutes
 #define DEFAULT_GTK_NEW_INSTALL_REQUIRED        80                       // 80 percent of GTK lifetime --> 24 days
 
+/*
+ *  Security protocol initial EAPOL-key parameters
+ */
+
+// How long the wait is before the first initial EAPOL-key retry
+#define DEFAULT_INITIAL_KEY_RETRY_TIMER                120
+#define NONE_INITIAL_KEY_RETRY_TIMER                   0
+
+// Default trickle values for sending of initial EAPOL-key
+#define DEFAULT_INITIAL_KEY_TRICKLE_IMIN_SECS          360   /* 6 to 12 minutes */
+#define DEFAULT_INITIAL_KEY_TRICKLE_IMAX_SECS          720
+
+// Very slow network values for sending of initial EAPOL-key
+#define VERY_SLOW_NW_INITIAL_KEY_TRICKLE_IMIN_SECS     600   /* 10 to 60 minutes */
+#define VERY_SLOW_NW_INITIAL_KEY_TRICKLE_IMAX_SECS     3600
+
+// How many times sending of initial EAPOL-key is retried
+#define DEFAULT_INITIAL_KEY_RETRY_COUNT                2
+
 #endif /* WS_CONFIG_H_ */

source/6LoWPAN/ws/ws_pae_auth.c

@@ -59,19 +59,18 @@
 #define PAE_TASKLET_EVENT                      2
 #define PAE_TASKLET_TIMER                      3
 
-// Wait for for supplicant to indicate activity (e.g. to send a message)
-#define WAIT_FOR_AUTHENTICATION_TICKS          5 * 60 * 10  // 5 minutes
-
+/* Wait for supplicant to indicate activity (e.g. to send a message) when
+   authentication is ongoing */
+#define WAIT_FOR_AUTHENTICATION_TICKS          2 * 60 * 10  // 2 minutes
+// Wait after authentication has completed before supplicant entry goes inactive
+#define WAIT_AFTER_AUTHENTICATION_TICKS        15 * 10      // 15 seconds
 
 /* If EAP-TLS is delayed due to simultaneous negotiations limit, defines how
    long to wait for previous negotiation to complete */
 #define EAP_TLS_NEGOTIATION_TRIGGER_TIMEOUT    60 * 10 // 60 seconds
 
 // Default for maximum number of supplicants
-#define SUPPLICANT_MAX_NUMBER                  1000
-
-// Default for maximum number of active supplicants (making security negotiations)
-#define ACTIVE_SUPPLICANT_MAX_NUMBER           100
+#define SUPPLICANT_MAX_NUMBER                  5000
 
 /* Default for number of supplicants to purge per garbage collect call from
    nanostack monitor */
@@ -871,7 +870,7 @@ static kmp_api_t *ws_pae_auth_kmp_incoming_ind(kmp_service_t *service, kmp_type_
 
     if (!supp_entry) {
         // Checks if active supplicant list has space for new supplicants
-        if (ws_pae_lib_supp_list_active_limit_reached(&pae_auth->active_supp_list, ACTIVE_SUPPLICANT_MAX_NUMBER)) {
+        if (ws_pae_lib_supp_list_active_limit_reached(&pae_auth->active_supp_list, pae_auth->sec_prot_cfg->sec_max_ongoing_authentication)) {
             tr_debug("PAE: active limit reached, eui-64: %s", trace_array(kmp_address_eui_64_get(addr), 8));
             return NULL;
         }
@@ -986,6 +985,8 @@ static void ws_pae_auth_next_kmp_trigger(pae_auth_t *pae_auth, supp_entry_t *sup
     kmp_type_e next_type = ws_pae_auth_next_protocol_get(pae_auth, supp_entry);
 
     if (next_type == KMP_TYPE_NONE) {
+        // Supplicant goes inactive after 15 seconds
+        ws_pae_lib_supp_timer_ticks_set(supp_entry, WAIT_AFTER_AUTHENTICATION_TICKS);
         // All done
         return;
     } else {

source/6LoWPAN/ws/ws_pae_controller.c

@@ -624,7 +624,15 @@ int8_t ws_pae_controller_configure(protocol_interface_info_entry_t *interface_pt
         controller->sec_prot_cfg.sec_prot_trickle_params.k = 0;
         controller->sec_prot_cfg.sec_prot_trickle_params.TimerExpirations = sec_prot_cfg->sec_prot_trickle_timer_exp;
         controller->sec_prot_cfg.sec_prot_retry_timeout = sec_prot_cfg->sec_prot_retry_timeout * 10;
+
         controller->sec_prot_cfg.sec_max_ongoing_authentication = sec_prot_cfg->sec_max_ongoing_authentication;
+
+        controller->sec_prot_cfg.initial_key_retry_delay = sec_prot_cfg->initial_key_retry_delay;
+        controller->sec_prot_cfg.initial_key_trickle_params.Imin = sec_prot_cfg->initial_key_imin;
+        controller->sec_prot_cfg.initial_key_trickle_params.Imax = sec_prot_cfg->initial_key_imax;
+        controller->sec_prot_cfg.initial_key_trickle_params.k = 0;
+        controller->sec_prot_cfg.initial_key_trickle_params.TimerExpirations = 2;
+        controller->sec_prot_cfg.initial_key_retry_cnt = sec_prot_cfg->initial_key_retry_cnt;
     }
 
     if (sec_timer_cfg) {

source/6LoWPAN/ws/ws_pae_supp.c

@@ -110,36 +110,14 @@ typedef struct {
     bool entry_address_active: 1;
 } pae_supp_t;
 
-// How many times sending of initial EAPOL-key is retried
-#define INITIAL_KEY_RETRY_COUNT            2
-
 // How many times sending of initial EAPOL-key is initiated on key update
 #define KEY_UPDATE_RETRY_COUNT             3
 #define LIFETIME_MISMATCH_RETRY_COUNT      1   /* No retries */
 
-// How long the wait is before the first initial EAPOL-key retry
-#define DEFAULT_INITIAL_KEY_RETRY_TIMER    120
-#define NONE_INITIAL_KEY_RETRY_TIMER       0
-
-// Default trickle values for sending of initial EAPOL-key
-#define DEFAULT_TRICKLE_IMIN_SECS          360   /* 6 to 12 minutes */
-#define DEFAULT_TRICKLE_IMAX_SECS          720
-
-// Very slow network values for sending of initial EAPOL-key
-#define VERY_SLOW_NW_TRICKLE_IMIN_SECS     600   /* 10 to 60 minutes */
-#define VERY_SLOW_NW_TRICKLE_IMAX_SECS     3600
-
 // Trickle timer on how long to wait response after last retry before failing authentication
 #define LAST_INTERVAL_TRICKLE_IMIN_SECS    240   /* 4 minutes */
 #define LAST_INTERVAL_TRICKLE_IMAX_SECS    240
 
-static trickle_params_t initial_eapol_key_trickle_params = {
-    .Imin = DEFAULT_TRICKLE_IMIN_SECS,    /* 360 second; ticks are 1 second */
-    .Imax = DEFAULT_TRICKLE_IMAX_SECS,    /* 720 second */
-    .k = 0,                               /* infinity - no consistency checking */
-    .TimerExpirations = 2
-};
-
 static void ws_pae_supp_free(pae_supp_t *pae_supp);
 static void ws_pae_supp_authenticate_response(pae_supp_t *pae_supp, auth_result_e result);
 static int8_t ws_pae_supp_initial_key_send(pae_supp_t *pae_supp);
@@ -183,7 +161,6 @@ static const char *KEYS_FILE = KEYS_FILE_NAME;
 
 static int8_t tasklet_id = -1;
 static NS_LIST_DEFINE(pae_supp_list, pae_supp_t, link);
-static uint8_t timing_value = 0; // Timing value set based e.g. on network size
 
 static void ws_pae_supp_address_set(pae_supp_t *pae_supp, kmp_addr_t *address)
 {
@@ -552,7 +529,7 @@ int8_t ws_pae_supp_init(protocol_interface_info_entry_t *interface_ptr, const se
     pae_supp->initial_key_timer = 0;
     pae_supp->initial_key_retry_timer = 0;
     pae_supp->nw_keys_used_cnt = 0;
-    pae_supp->initial_key_retry_cnt = INITIAL_KEY_RETRY_COUNT;
+    pae_supp->initial_key_retry_cnt = DEFAULT_INITIAL_KEY_RETRY_COUNT;
     pae_supp->sec_keys_nw_info = sec_keys_nw_info;
     pae_supp->sec_timer_cfg = sec_timer_cfg;
     pae_supp->sec_prot_cfg = sec_prot_cfg;
@@ -852,46 +829,40 @@ void ws_pae_supp_slow_timer(uint16_t seconds)
 
 static void ws_pae_supp_initial_trickle_timer_start(pae_supp_t *pae_supp)
 {
-    pae_supp->auth_trickle_params = initial_eapol_key_trickle_params;
-
-    // Very fast, medium and slow network
-    if (timing_value < 25) {
-        /* Starts trickle for initial EAPOL-key. Sequence has fixed delay of 2 minutes,
-         * one re-transmit interval, last re-transmit interval transmit time and a wait time
-         * for the authenticator to answer the last re-transmit.
-         *
-         * Interval I [6,12] minutes. Sequence:
-         *
-         * fixed 2 minutes delay + I + last I transmit time t + wait for answer [2,4] minutes
-         *
-         * There are two retries. Minimum time that sequence takes before authentication failure
-         * is 16 minutes and maximum is 30 minutes.
-         */
-        pae_supp->initial_key_retry_timer = DEFAULT_INITIAL_KEY_RETRY_TIMER; // 2 minutes
-    } else {
-        /* Extremely slow network
-         *
-         * Starts trickle for initial EAPOL-key, Interval I [10,60] minutes. Sequence:
-         * I + last I transmit time t + wait for answer [2,4] minutes
-         * There are two retries. Minimum time that sequence takes before authentication failure
-         * is 22 minutes and maximum is 124 minutes.
-         */
-        pae_supp->auth_trickle_params.Imin = VERY_SLOW_NW_TRICKLE_IMIN_SECS;
-        pae_supp->auth_trickle_params.Imax = VERY_SLOW_NW_TRICKLE_IMAX_SECS;
-        pae_supp->initial_key_retry_timer = NONE_INITIAL_KEY_RETRY_TIMER; // 0 seconds
-    }
+    /* Starts trickle for initial EAPOL-key. Default sequence has fixed delay of 2 minutes,
+     * one re-transmit interval, last re-transmit interval transmit time and a wait time
+     * for the authenticator to answer the last re-transmit.
+     *
+     * Interval I [6,12] minutes. Sequence:
+     *
+     * fixed 2 minutes delay + I + last I transmit time t + wait for answer [2,4] minutes
+     *
+     * There are two retries. Minimum time that sequence takes before authentication failure
+     * is 16 minutes and maximum is 30 minutes.
+     *
+     *
+     * Extremely slow network
+     *
+     * Starts trickle for initial EAPOL-key, Interval I [10,60] minutes. Sequence:
+     * I + last I transmit time t + wait for answer [2,4] minutes
+     * There are two retries. Minimum time that sequence takes before authentication failure
+     * is 22 minutes and maximum is 124 minutes.
+     */
+    pae_supp->auth_trickle_params = pae_supp->sec_prot_cfg->initial_key_trickle_params;
+    pae_supp->initial_key_retry_timer = pae_supp->sec_prot_cfg->initial_key_retry_delay;
+
     trickle_start(&pae_supp->auth_trickle_timer, &pae_supp->auth_trickle_params);
     tr_info("Initial EAPOL-Key trickle I: [%i,%i] %i, t: %i", pae_supp->auth_trickle_params.Imin, pae_supp->auth_trickle_params.Imax, pae_supp->auth_trickle_timer.I, pae_supp->auth_trickle_timer.t);
     pae_supp->auth_trickle_running = true;
-    pae_supp->initial_key_retry_cnt = INITIAL_KEY_RETRY_COUNT;
+    pae_supp->initial_key_retry_cnt = pae_supp->sec_prot_cfg->initial_key_retry_cnt;
 }
 
 static void ws_pae_supp_initial_last_interval_trickle_timer_start(pae_supp_t *pae_supp)
 {
     // Starts trickle last to wait response after last retry before failing authentication
-    pae_supp->auth_trickle_params = initial_eapol_key_trickle_params;
     pae_supp->auth_trickle_params.Imin = LAST_INTERVAL_TRICKLE_IMIN_SECS;
     pae_supp->auth_trickle_params.Imax = LAST_INTERVAL_TRICKLE_IMAX_SECS;
+    pae_supp->auth_trickle_params.k = 0;
     pae_supp->auth_trickle_params.TimerExpirations = 1;
     // Set I to [iMin,iMax] (4 to 4 minutes) -> t is [I/2 - I] (2 minutes to 4 minutes)
     trickle_start(&pae_supp->auth_trickle_timer, &pae_supp->auth_trickle_params);

source/Security/protocols/sec_prot_cfg.h

@@ -24,6 +24,9 @@ typedef struct sec_prot_cfg_s {
     trickle_params_t sec_prot_trickle_params;
     uint16_t sec_prot_retry_timeout;
     uint16_t sec_max_ongoing_authentication;
+    uint16_t initial_key_retry_delay;
+    trickle_params_t initial_key_trickle_params;
+    uint8_t initial_key_retry_cnt;
 } sec_prot_cfg_t;
 
 #endif /* SEC_PROT_CONF_H_ */