My name is Marcel Holtmann. I work for the Intel Open Source Technology Center and I will give you an update on what we have been doing to actually improve the Wi-Fi experience on Linux. Before I get started, the usual disclaimer: Linux is a trademark, Wi-Fi is a trademark, a bunch of logos are trademarks, etc. So I don't have to annotate every single slide; I'm just getting that out of the way.

I found this XKCD comic a while ago, and while I think it maybe goes way too far, it has the right idea. Most of the Wi-Fi configuration is getting really complicated and we are asking way too much stuff of a user that just wants to connect to a network, be this a personal network at home, be this an enterprise network at your corporation or something else. You really want to make this as easy as possible.

What has happened in the last probably 15 to 20 years is that we always started building things from the bottom up. Oh, we have this technology. We expose this technology one layer higher, and another layer, and another layer, and all the technical details are sifting through to the user. In a couple of operating systems you see this also: the UI has to fix up literally everything. They have to understand the beacons that are being sent, they have to parse the beacons, they have to figure out what encryption is used and so on and so forth, and it really can't be like that, because the user only needs to be asked what they actually can answer.

So I started at Intel around 11 years ago with ConnMan to actually get this working. We haven't really focused on the Wi-Fi part yet, but all these dialogues that you're gonna see here are something that I just collected from the internet, and they're kind of crappy. I think if you look at the top left: a wireless encryption key, which key size, where to put it, which index. Most of the time I don't even know. Luckily, in the last 15 years WEP has really not been used anymore and we can ignore this. But then, oh, we want to connect to a hidden network. Then you get all these weird options: is it an enterprise network, enterprise one, enterprise two? Does it really make a difference? Can't the system figure out for you what it is? And it goes further and further when you actually start ad hoc mode. Then you need to know about the MAC addresses of the device you connect to. I mean, who's gonna ask these questions of a user? Why does the user want to configure this one?

When you actually come to the corporate networks it gets even worse. So there's nothing on Linux where it's actually, oh, this is what you're gonna get from your company, here's the file you install, or here's the bundle you install. It has all the information in there, it's signed, it's all done properly, and you connect to it. No. Mostly you get instructions where you have to open this dialogue, put this information there, put that certificate there, put that private key in there, click that box. And the bottom right is really something; they had this all marked up on the screenshots, just to get a student onto a corporate Wi-Fi network in Europe. And it's getting way more complicated, and they're putting way more options in there. I think at the end of the day these dialogues can't really work and we can't just always have tons of documentation. That's like a Windows 95 style of thing.

The reason behind this is pretty much wpa_supplicant. Since wpa_supplicant, the main thing that drives the Wi-Fi setup these days, is this Swiss Army knife of literally everything. They're doing a lot of awesome work, they're putting a lot of new features in, it's in heavy development, but it has fundamentally two problems.
They don't make any decent releases, and when they don't make any releases, the new features and bug fixes don't get out there. Nobody picks them up and you're stuck with something else. Also, they don't really want to expose any usable APIs. They pretty much give you the same technical details as you've gotten from the Linux kernel, as you've gotten from the hardware, and you have to figure out everything by yourself. But not always; sometimes they swallow the details and you actually don't know what's happening. So in some cases there's a state change in your Wi-Fi network and it doesn't tell you, it swallows this one, and you have to second-guess it if you want to start using it. When you start second-guessing what your current status is, if you're roaming or if you're not roaming, if you're connected to this access point, what's going to happen? Normally things go wrong, and in a lot of cases you're pretty much lost, walking around and you can't really figure anything out. You have the great tool, but you actually really have no idea how to use it.

So until about four years ago we thought we actually might be able to improve on this one and get wpa_supplicant to move more in the direction of being a real Wi-Fi management daemon that actually manages your Wi-Fi network, remembers things, does things, sets things up, actually solves all the hard problems for you. Sadly the story is pretty much that they don't really want this. It wants to stay this toolbox of things to test, to start new specifications, test new specifications, get things working on new specifications, put in new code, do some vendor testing and so on and so forth. Okay, awesome, that's great. But pretty much everything running Linux relies on wpa_supplicant and everybody has to put their own magic on top of this one. They have to hack around their own features.
They have to actually patch these things over and over again. And the result is that pretty much every company provides with their hardware their own version of wpa_supplicant. Every operating system provides their own version. The only thing is, if you use the Linux desktop, you're stuck with what upstream is doing. It's an older version, because no distro is really doing all the effort of actually getting this working. So think about WPA3 support. Oh, we actually want to be more secure. Why? Have you seen any distro supporting this one yet? wpa_supplicant has support for it, but nobody's actually putting in the work to actually put this into the distros. And that's really the fundamental problem that we're actually trying to get after.

So at some point around four years ago we realized we actually have to start from scratch. We have to use what the Linux kernel is offering, maybe fix some of this one (I will get to this in a second), but then start on what the kernel is giving us and actually throw wpa_supplicant out and redo this how we would have done this with Bluetooth, how we've done this with NFC, how we've done it with the telephony and everything else. So IWD, the iNet Wireless Daemon. It will manage all your Wi-Fi networks. It will do everything for you. It will only ask you for things that it can't answer, like what's your passphrase, or which Wi-Fi do you want to connect to. So you can scan with it, you can connect, and you actually get asked for the passwords. So it does everything; it remembers everything. So this is the most important part: you don't have to reprogram it every time you start it. If you connected to a network, the next time you start it, it will have remembered it, and before you actually have anything done it will probably already have connected to it, because it has scanned for it, it found it, and you're done. So you don't have to do anything else if it already remembers it and has all your credentials stored. You don't have to ask the UI anymore.
So pretty much when GNOME has started, everything is already set up. One interesting thing is that it actually is the only entity that starts scanning on your Wi-Fi card. wpa_supplicant has the fun fact that it scans; it has to scan, because that's how Wi-Fi works. You have to find your beacons, you have to find your access points. But if you want to do anything else, the higher layers also had to scan. So your daemon, NetworkManager or ConnMan, starts to scan, and then you ended up with the UI sometimes having to scan as well, because it needs to figure something else out. So three entities in your system start to scan and utilize the bandwidth of your radio. That means you will have outages, you will actually have overlapping, and you don't really utilize the card as well as you can. So you want to put the scanning all at the level where someone can make an intelligent decision when to scan and especially on which channels to scan. So if you, for example, want to roam to another network and you know where this network is, you can do a quick scan on that band and just find it. If you have to switch between 2.4 GHz and 5 GHz, if you have to scan a whole 5 GHz network to find your access point again, that takes time. That's time you can't be on the actual channel transmitting data. You see interruptions, and sometimes access points just disconnect you. So that's something you really have to do centralized.

Fast roaming was also really important, because you get more access points, you get Wi-Fi mesh networks, you get everything else, you have more access points at home. The areas are getting larger, you want to be able to walk around and roam really quickly and reliably. And you can actually do this in a lot of cases by just asking the access point: what are my neighbors? You don't have to do anything else, just tell me if I have a neighbor and tell me if my signal is getting too weak, then tell me where to roam to, and you just follow this one as a client.
You can be really sitting there and relaxing if you have a good access point. We don't care about anything else than Linux. I mean, focusing on how to run this on the Apple device, on Windows, on FreeBSD, you know, the thing is, it's nice, it's great, it's awesome, but fundamentally we have to solve our own problems. So let's solve our problems first.

We wanted to make the code readable so you can audit it and figure this out. wpa_supplicant, again, is not readable code. Before you find the entity that actually does something, you have to jump through six layers of indirection. It's historical; I understand why it's there. But at some point you have to say okay, either clean this up or live with this mess forever. And you only have like two people in the world that probably know that code. Everybody else is spending an hour to figure out what this thing is doing. The interesting thing when you actually write readable code is that you actually start separating things out; you can provide a unit test for this one, and you actually ensure really easily that this will keep doing the right thing. You can also, if you do everything in one box, really nicely add end-to-end testing, so you can just put this in a simulator, test this, and you ensure that your authentication with your network still works.

When it comes to actually the security, we wanted to separate this into pieces and not mix this together in one big thing. So you have EAP separated out, EAPoL separated out, and also the four-way handshake separated out, so we actually can reuse this and utilize this properly, and you will see later on why this needed to be done.

As mentioned on the first slide, the focus is on the D-Bus API that we're exposing to use this.
It's really user-centric. It's from the UI's point of view: what the UI needs or what the user needs to do, and not what we actually want to do. If you want to do that, you can have some diagnostic API, but fundamentally the focus is that the user gets access to the Wi-Fi networks. So with this one we have pretty much everything put into an agent; you only get asked when the information is actually needed. You don't have to provide it up front. In a lot of cases you needed to provide the information up front, so you needed to know what kind of network this is. You don't know up front. Sometimes some of the information you will only know once you've connected to it and figured out something else. So ask at the right point, but give the user the ability to actually then enter the information. For example, the difference between WPA1 and WPA2: most users don't really care. Pick the strongest encryption and start using it; don't ask the user which encryption they want to use. Same when you actually connect to an enterprise network. If you're missing something like the private key, then ask them for the private key when you actually need it. Don't ask for this information all up front and decrypt all the certificates. Same for some identity information or domain names or something else: ask for them when you need them.

With all this crypto, we actually said we don't want to use OpenSSL and GnuTLS. Personally, these libs are huge. We want to run this on small embedded systems. They're also blocking in a lot of cases, which means I have to either use threading or hack around this really heavily. So we actually said okay, don't use this. We're gonna use the kernel crypto. The kernel exposes the crypto interfaces really nicely and you can use them. So you have AES available, ECDH and so on and so forth.

For the enterprise side, you've seen the dialogues. We don't really want you to enter these dialogues. It's like, we want to get a config file that has this all set up, have it all generated, have it signed, so it's actually secure.
You know you actually got this from the source. You have it, you put it in your file system, and everything will just work. And I will show you an example of this one.

Then Wi-Fi Simple Configuration: so pretty much press a button on your access point and the Wi-Fi will connect to it and figure out everything, so the zero-configuration setup. If you want to get this really working with wpa_supplicant, you kind of can, and we got like 90% of this one done in ConnMan, but it never really worked 100%. It's complicated, it's convoluted, and it's just fundamentally broken, because you don't get all the right information at the right time. With IWD that actually works perfectly. So you can press your button on the access point, you press start WPS on your UI, you're connected. Works really nicely.

Access point mode support had to come as well, because that's what a lot of people use for tethering etc. So that we have as well. So this is something that, four years later, we have all of this available. We started four years ago, but only at the beginning of this year we started actually making releases. If you don't make any releases, your product doesn't really exist. It's not there. So make releases so that distros can start integrating this. So at the beginning of the year we had the confidence that we can actually start driving the distros. So February 10th was the first release. You could connect to an open network, you could connect to personal networks, and you could do WPS.
So that was already pretty much really good for us to actually get going, and we got this into Arch Linux and some other distros, and they happily tried this out.

In May we finally got fixed one of the fundamental problems that was always bugging us. So the whole four-way exchange, the key exchange, happens over an Ethernet packet socket. The problem is that everything else happens over netlink. The kernel schedules your Ethernet socket packet delivery and your netlink packet delivery at random. So while on the wire they arrive in sequence, when you actually get to the process that processes them, they might have actually been reordered. So generally this is not a problem, but some of this information with newer technologies, about how to set up WPA3 and so on and so forth, needs information from the management frames that only arrive over nl80211, and needs information from the EAPoL frames that only arrive over the Ethernet socket. So we finally got the feature into the Linux kernel where we actually can say, look, don't send the EAPoL packets over the Ethernet socket, send them encapsulated over netlink. So we actually have them in sequence as they arrive on the air, and that's really important to fix a lot of race conditions that a lot of stacks have hacked around. So they kept the packet waiting, they hoped that the other one arrives, and maybe it arrives, and maybe it doesn't arrive, maybe it doesn't arrive in the right order, and then you can't assign it properly anymore. So this is all fixed now. So if you have properly supported hardware that actually does this, they arrive in sequence and you don't have any race conditions anymore.
So you don't have any spontaneous disconnects or "can't connect" errors and so on and so forth. Tiny feature, completely invisible to everybody, but really important to actually improve this.

In June we actually got hidden networks working. So hidden networks isn't a concept of Wi-Fi; that's an invention from Cisco. And it's so painful that you pretty much tell everybody not to use a hidden network, because it actually consumes more power. I think we worked it out as well as we can when we have a hidden network, so we only scan for the hidden network, so we only reveal the SSIDs of the hidden network, because, despite the premise of the hidden network, you will actually reveal your hidden network's SSID more than you actually protect it from your clients. So stores, like when you walk into a Macy's or something else, they can actually track you on your home networks, and they can find you next time around. So you'd rather not connect to hidden networks if you value your privacy.

One month later we got ad hoc networks working. Initially we said we were never going to do ad hoc networks, because it's kind of old technology, no one needs it. It came out of the restructuring of some of the security code and some of the handling of the handshake that we actually pretty much got the ad hoc support for free, with full PSK encryption, and we put access point mode in there in August. We finally got the WPA3 support working underneath, so you actually don't see a difference connecting to a WPA1, WPA2 or WPA3 network. We handle all the differences for you. We handle all the key transitions and so on and so forth. And we started keeping and growing the list of enterprise EAP methods, so we actually can talk to the enterprise networks.

In September, a month ago, that was the big change, because we were already starting to get ready to drive towards 1.0.
We split the API into different modes. So we broke the API a little bit when we had to split station mode, ad hoc mode and access point mode, so they are really nicely separated, so we can actually really switch the mode of your card and say, look, you're going into access point mode, you're going into station mode, or you're going into ad hoc mode. So it's really clean; it doesn't try to interleave or mix this. That also means you can set or filter the properties depending on what mode you're in. More EAP methods for enterprise, and we also got the fast transitioning for roaming with WPA3 finally working at the beginning of this month. And about a couple of days ago I did another release. So we don't go from 0.9 to 1.0; we go to 0.10 until we have everything ready. We have an Ethernet authentication daemon now as well. You can do the same on Ethernet; I will get to this one. And finally, this version of course builds with an external ELL. ELL is the Embedded Linux Library. It's a replacement for glib, but really smaller and more dedicated to actually implementing a daemon. We've had this available for like six years now. We've been building releases with this one, but until now it was always baked into the source code of IWD. So we actually can easily deploy this now. We have the choice: use the built-in internal one, or use a compiled-in external one. Some distros actually really don't want a library built into the source code of a daemon; they want to ship the library separately so you can do security updates separately. Well understood concept, but finally we actually made this work as well. So we are really driving towards getting this to 1.0.

With all that set, the architecture looks like this. Probably more people have seen this picture before, but wpa_supplicant on the left side is the beast. It supports everything and the kitchen sink.
It has tons and tons of options. We picked one when we actually did ConnMan: we used version 2 of the D-Bus API. It probably needs a version 3 and a version 4 before this is at all usable for anybody. We picked libnl and nl80211, cfg80211, and then either full-MAC or soft-MAC, but they'd all have support for all the stuff on the right side as well, for macOS and everything else. The really bad part is that we actually had to write this whole gsupplicant to actually make the D-Bus API digestible and usable and fix all the issues around it. So you have this whole layer that actually has to do another thing that you would think, why would I have to do this? It's way too much work.

With IWD we actually slimmed this down. So we only focus on nl80211, full-MAC or soft-MAC cards. We use the AF_ALG interface for the ciphers and we use keyctl for asymmetric cryptography in the kernel. So the only thing we really need on the user space side is TLS records. So you need to do the TLS framing, and you need the PEM format to unpack your certificates. Everything else is handled by the kernel. Then you let ELL handle things like the main loop, D-Bus, netlink. It's all baked natively into ELL, nicely asynchronous, in a single process. And then you have IWD, and then you just have your D-Bus interface, and you can put ConnMan, NetworkManager, whatever you want on top of it.

The nice thing about having actually separated this all out and done this cleaning from a UI point of view is that previously the only way to actually use wpa_supplicant was that we actually put a wrapper around it. You had to wrap this completely, because you can't have two applications using it. You can't have two applications accessing it. Everything goes wrong, states are not properly shared, you mess around with the other one. If you just want to have, like, an RSSI reading of your network, you pretty much scan again when you trigger another scan, and so on and so forth. So you actually had this whole wrapping around it, and that means everybody had to go through ConnMan to actually get something simple done, like, oh, I want to display the connected Wi-Fi network and the RSSI level or the signal strength level. A huge effort that you had to do. While with IWD you don't. We have separate things that are really separated out. So if you want to answer passphrase requests, you register an agent, and then you get, oh, I need the identity, I need the passphrase, I need that key, I need that extra information. Or if you just want to display your network name and the RSSI in your status bar, you register an agent for this one that actually just gets you this information, and you only get it when it changes and we are connected to it. Or you actually want to scan for something; then you use a tool like ConnMan, NetworkManager or iwctl to actually say, look, I want to scan, I want to find a network, do this. It's all separated out, so you don't actually have to put everything into the whole UI; you can separate this out really nicely, and they can all run at the same time and they don't mess with each other.

The integration with ConnMan was really early, but it kind of stalled, since we actually focused on getting most of the stuff in IWD done. So that needs a little bit of love, especially for the scanning features, but fundamentally you can actually use ConnMan with IWD as well. We shifted the focus to actually see if we can get this into more distributions. And the reality of the fact is that most Linux distributions ship with NetworkManager by default. So we put a lot of work into actually fixing, changing NetworkManager to actually adapt to the new principle that you don't have to handle all of the Wi-Fi details. We handle them all for you; that code you have there is all obsolete. Let us handle things. So we have this fully working for personal networks now. The nice thing is, once you push the level down and actually all the details are solved by the daemon below, WPA3 support is there.
So if you use NetworkManager with IWD, you get the support for free and you have all the setup that you need. We also have working enterprise network setup as of NetworkManager 1.14. That's in there as well, and we keep improving this one. So you see patches coming in, fixes coming in, and we keep actually working on this one, so that the next version of NetworkManager will actually fully support IWD, and hopefully by that point IWD is 1.0 and you get it in the distros. I think Fedora has it in there, Arch has it in there, Debian has it in there, a bunch of others, I don't even know. A lot of distros have toyed with this one and packaged it. So I think you can get a recent version of NetworkManager and IWD just by installing it from your distro.

We have a prototype for Chrome OS that will work as well. That one is really rough and we haven't published this yet, because Chrome OS has the really nasty thing that a lot of the details of the Wi-Fi stuff leak into your Chrome browser. So they're fixing a lot of things up at a really high level, so we need a lot of redesigning and restructuring there to actually push things back down where they're supposed to be. So that's the work ongoing. We have a version where, in Intel's Clear Linux, we have NetworkManager and IWD in there; it works really well, and the internal command line client iwctl is also really nice to just use for your connections.

On the way we actually fixed a lot of things. The kernel wasn't perfect. That's the problem with a kernel interface where you only have a single user: that single user uses the kernel interface in a certain way and they never figure out that certain things are actually missing. Hotplug, for example, was never really fully supported, because wpa_supplicant doesn't do any hotplug. Someone else has to figure out the hotplug and then tell it where the cards are. We didn't want this. We wanted to be told where the cards are. Certain features didn't work as documented.
But since wpa_supplicant uses them differently, nobody noticed. You had missing cleanups. So the socket owner attribute, for example: when you start a scan and then wpa_supplicant dies, the card still keeps scanning, or you could be in the process of connecting to a network and the card keeps on connecting. What are you gonna do the next time around? How are you gonna reset the whole thing? Power everything down, or what are you gonna do? So generally wpa_supplicant shouldn't die, and IWD shouldn't die, but things happen. You really want the kernel to clean up after you: they have access to the radio resources, and now when you're gone, just stop the transaction you're doing. If you do, like, a scan on 5 GHz and you exit, well, just stop it. You don't need to do it anymore. So we fixed this, with a lot of things where you can actually finally say, if the process that actually triggered it dies, the transaction gets dropped.

I mentioned EAPoL over nl80211; really important. We put the RSSI triggers into a kernel interface, because a lot of hardware supports them actually. So you really only wake up when the RSSI changes past a certain threshold, and then you can update your UI and say, look, I think the signal strength changed. There were a bunch of bugs with cleartext leaks on PTK rekeying, because rekeying never really worked; everybody ignored this, I think. So we have finally fixed this to a level where the hardware has to be clear about whether it supports this properly or not, and we can work around this if needed. For the simulator, hwsim, we actually put a lot of extra work into making that more usable, so you have more end-to-end testing. I think besides one or two minor patches that are still in the pipeline, all of this has been upstreamed. So if you have a recent kernel, you actually have all these fixes.

One thing that we had to do, and nobody did before, it's kind of funny: we actually wanted to see what's going on between the daemon and the kernel, and for that one we built iwmon. It's a tracing utility that actually takes the input from the netlink and AF_PACKET sockets and just decodes it. So you don't have to put your debugging into IWD or tracing; you just take it from the kernel and say, look, what packets are you actually exchanging? And the fun thing is, then you figure out some things actually went wrong. So wpa_supplicant sends some message, the kernel says this is not supported or a key is not available, and it keeps sending it: key's not available. Look, I told you the key's not available, you keep sending this to me. These kinds of things, and you then easily see where things go wrong and where things are missing.

So what we have right now is station mode, access point mode and ad hoc mode. But we also actually put all the SSID grouping one level down, so NetworkManager doesn't have to do it anymore; we actually do this all for it. We handle the hidden SSIDs, we handle the full four-way handshake properly, we do pre-authentication if available, we do fast transitioning. So really, we ask the access point: do you want us to go to a different access point? Do you have a neighbor access point? And we just switch to it. It tells us where it is. It's so fast, it's unbelievable. It's really nice. We manage the radio resources properly, and we also authenticate with access points, like, look, did you really want to disconnect us? Can you confirm that you wanted to disconnect us? So you can't actually have anything sneaking in and trying to forcibly disconnect you.

The enterprise support is growing, so we have this really nicely working. The EAP methods are there; we have most EAP methods. There are a few missing, a few proprietary ones, but pretty much everybody uses EAP-TLS or EAP-PEAP. All of this is tested; they all have an end-to-end test, they all have a unit test. So this is pretty much working nicely. The only minor caveat is that the asymmetric key patches that we need to do this are not yet upstream. James Morris took them into the security tree.
So hopefully they make it into 4.25.0 once James is back from the conference and sends the pull request to Linus. The interesting part with these ones is, since they're in the kernel, they integrate with the TPM. So you can actually have your setup in a way that the key that the company provisions for you is actually in your TPM. So that's the security that you really want, because if someone tries, the keys and everything else are really not on your system; no, they're in your hardware, and you can really utilize them. I'm trying to get this working with OpenSSL, GnuTLS and all these engine supports and TrouSerS and God knows what they actually have to do there. It's really messy. We have this; it's in there for TPM 1, and I think, hopefully, we get this in there also for TPM 2. So we actually have this nicely working with the keyctl API, and you can actually access the TPM properly, and then IWD can just make use of it if it's available.

As I said, we don't actually have APIs for the enterprise. We do enterprise provisioning based on a file. Doing this with this whole UI setup will probably stay around for a long time, and the NetworkManager plug-in for IWD will work around this. But our vision is that we actually get a simple file from the administrator, or something you can download easily, that is also signed, that actually has all your certificates in there and listed, and then you actually just put it in, IWD recognizes it, and then your network is available immediately. Doing this all with the UI setup is really complicated, and the idea that, oh, I want to change this one certificate to another one but I want to keep every other option the same, that's not really how this works. I mean, if your certificate is expired, in most cases you have to also change the CA for this one, or the intermediate CA that they have for this one, or maybe the identity changed or something else. This is something where you make mistakes, fine.
You want to correct them in the UI, but in reality the admin or the company setup system has to actually give this information. So it's pretty much as simple as this: you get a small INI file and you put this in, and then you can actually have extra options. If you leave something out, or the company decides to leave something out, we will ask the user for it. For example the passphrase for the private key: I will just ask the user for it; if you put it in there, it will be used, and so on and so forth. For example if the identity is missing or anything else. They follow pretty much what the standard does; that's all documented, and we have tons of examples on this one. But I think that's how this has to happen.

For the user-facing API, so what the UI can actually use, it actually is also pretty simple. This is the command list for the iwctl utility. It's pretty much a one-to-one mapping to the D-Bus APIs. So you get your list of adapters; that's your physical cards that are in the system; you can list them. It's not really much use except you can get the name, because we use the udev database to actually match the IDs to the name, so you get some friendly name on this one. You can either start an ad hoc network or see if it's already started and working. If you want to use that ad hoc network, that was more like an exercise in getting the cryptography done properly. Access point is more interesting: you want to start your card as an access point, you start or stop it. That's all you want to do.
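As an added illustration, not part of the talk and not IWD's own code: a small Python checker for the kind of provisioning file just described. It decides the security type from the file extension and reports which settings the daemon would have to ask the user's agent for at connect time and which ones the administrator left out entirely. The key names follow the iwd.network(5) file format as I recall it and the sample files are constructed, so treat both as assumptions.

```python
# Added example, not IWD's own code. Key names follow the iwd.network(5)
# format as I recall it and are an assumption; sample files are constructed.
import configparser
import os

# Settings the administrator must provision; the daemon cannot invent them.
# Treating the CA certificate as mandatory is this checker's choice.
PROVISIONED = {
    "TLS": ["EAP-TLS-CACert", "EAP-TLS-ClientCert", "EAP-TLS-ClientKey"],
    "PEAP": ["EAP-PEAP-CACert", "EAP-PEAP-Phase2-Method"],
    "TTLS": ["EAP-TTLS-CACert", "EAP-TTLS-Phase2-Method"],
}

# Settings the daemon can ask the user's agent for when they are left out.
ASKABLE = {
    "psk": ["Passphrase"],
    "TLS": ["EAP-Identity", "EAP-TLS-ClientKeyPassphrase"],
    "PEAP": ["EAP-Identity", "EAP-PEAP-Phase2-Identity", "EAP-PEAP-Phase2-Password"],
    "TTLS": ["EAP-Identity", "EAP-TTLS-Phase2-Identity", "EAP-TTLS-Phase2-Password"],
}


def network_type(filename):
    """The file extension tells the daemon the security type of the network."""
    ext = os.path.splitext(filename)[1].lstrip(".")
    if ext not in ("open", "psk", "8021x"):
        raise ValueError("unknown network file type: %r" % filename)
    return ext


def load(text):
    """Parse the INI text; keys are case-sensitive and '%' must not interpolate."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def section(cp, name):
    return cp[name] if cp.has_section(name) else {}


def settings(text):
    """[Settings] flags, with the defaults assumed here: auto-connect on, not hidden."""
    s = section(load(text), "Settings")
    return {
        "AutoConnect": s.get("AutoConnect", "true").lower() == "true",
        "Hidden": s.get("Hidden", "false").lower() == "true",
    }


def check(filename, text):
    """Return (prompts, errors).

    prompts: settings absent from the file that the agent would be asked for
             at connect time (identity, passwords, private-key passphrase).
    errors:  settings the administrator had to provision but left out, so the
             file cannot work no matter what the user types.
    """
    kind = network_type(filename)
    sec = section(load(text), "Security")
    if kind == "open":
        return [], []
    if kind == "psk":
        # Either the raw passphrase or the derived PreSharedKey is enough.
        if "Passphrase" in sec or "PreSharedKey" in sec:
            return [], []
        return list(ASKABLE["psk"]), []
    method = sec.get("EAP-Method")
    if method is None:
        return [], ["EAP-Method"]
    if method not in PROVISIONED:
        return [], ["EAP-Method=%s not covered by this checker" % method]
    errors = [k for k in PROVISIONED[method] if k not in sec]
    prompts = [k for k in ASKABLE[method] if k not in sec]
    return prompts, errors


# Constructed sample files; the paths are placeholders, not real deployments.
CORP_TLS = """\
[Security]
EAP-Method=TLS
EAP-TLS-CACert=/var/lib/iwd/certs/corp-ca.pem
EAP-TLS-ClientCert=/var/lib/iwd/certs/user.pem
EAP-TLS-ClientKey=/var/lib/iwd/certs/user.key
"""

CORP_PEAP = """\
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@corp.example
EAP-PEAP-CACert=/var/lib/iwd/certs/corp-ca.pem
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=jdoe

[Settings]
Hidden=true
"""

HOME_PSK = """\
[Security]
Passphrase=correct horse battery staple 100%
"""

if __name__ == "__main__":
    for name, body in (("corp.8021x", CORP_TLS), ("corp.8021x", CORP_PEAP),
                       ("home.psk", HOME_PSK), ("home.psk", "")):
        prompts, errors = check(name, body)
        print(name, "prompts:", prompts, "errors:", errors)
```

A file that produces prompts still works, the agent is just asked at connect time; a file that produces errors has to go back to the administrator.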
We don't support unencrypted open access points, because I don't think it's much useful. When it comes to actually station mode, this becomes more interesting. So you have the devices API that is really your interface, so you can list them and you can change properties on them. One property would be the mode: change to ad-hoc mode, access point mode or station mode. By default they come up in station mode, like it is with Linux. With your station command you can just list your stations, and then you see what state the station is going to have. And then you can just connect to a network, or you can connect to a hidden one. So we explicitly separated connect to a network from connect to a hidden network, because connecting to a hidden network needs special operations, and so this is clearly separated, but the only thing you really have to give it is the network name. It will figure out everything else by itself. So someone says, my SSID is XYZ; then you connect to XYZ, and if it's encrypted then we'll ask you: okay, I found your network, now here, it's WPA encrypted, I need a passphrase. So the user gets asked for the passphrase.

You can disconnect it, then it gets off the auto-connect list. Or you can actually just scan for it, and then you get the list of the networks, and we'll just give you the information. That's all you're going to have from an API when you actually, for example, write a network UI to connect to networks. The other one is the known networks, the networks that we actually remember. You can list them and you can forget them. If you accidentally connected to one that you're going to forget, you get automatically disconnected. So it's not like you have to disconnect first and then forget; we do this for you. And then you have your automatic Wi-Fi configuration.
It's pretty much: it's available, fine, and then you can figure out if you want to do push button, which is what most people do, or if the access point provides a PIN. Then you actually start or use the PIN, or a generated PIN, and if you feel like it's not going anywhere you can just cancel it also.

Okay, I think I'm going to move the demo to the end, since it's more interesting what's coming next. So we have a list of technical things that are missing. None of these ones will probably stop us from doing a 1.0, at least by the end of the year, but there are a few things that need to be done there. There's fun to sort out with group ciphers and pairwise ciphers, so we're actually going to fix that. We want to do a lot of the key caching that has to happen, the TDLS support and DLS support. I don't know if you get to the P2P setup; we're actually probably going to do this. More interesting is the opportunistic wireless encryption. That's pretty much, if you have an open network and the access point supports it, you don't get any authentication, but you can encrypt it. So you can connect to an open network and the link is encrypted, so nobody can sniff it, but you actually don't have any man-in-the-middle protection. So I think that's a big advantage. The Wi-Fi Simple Configuration, WSC, has a new version now. It's called Device Provisioning Protocol, DPP. I don't think we get this done for 1.0, but I think this follows really quickly afterwards. We actually also have support for this one. And then P2P is interesting.
We have, I think, 60 percent of the setup done, but there's a couple of things still missing we need to do. So I think this will have to wait until we are done with 1.0. And there's a couple of EAP methods; I don't think we're actually going to do them, but maybe someone else wants to put them in. We have to see that. But as I said, nothing of this is really stopping us from doing a 1.0.

We have two big items to actually get sorted out, and one is the actual Embedded Linux Library API review. So we are happy with that API, so we can do an ell 1.0 release at the same time we do an iwd 1.0 release. And then we want to have another review of the iwd D-Bus APIs, because once we declare them stable, NetworkManager is really relying on this one, or you make everybody else rely on this one, so we can't really easily break them anymore. So that's the next two big things that have to happen before we call this 1.0.

There's one other thing that we have been working on. I think I mentioned this earlier: we also want to do this for the Ethernet. So while iwd ideally is primarily focused on Wi-Fi, in a corporate setup I think more and more corporations are locking down the Ethernet ports. And where you end up, I borrowed this from Cisco, which was the only nice diagram that I could find about this that is not too technical, is that you actually have to authenticate first via EAP over Ethernet, or EAPOL, on the Ethernet port, and then everything else is opened up. It's a really simple system. It can do a lot more, but that's pretty much what most companies are doing. Okay, the Ethernet port is blocked, you have to authenticate yourself and go on. The interesting thing is, it's pretty much just EAP, but if you actually use wpa_supplicant to do this, it turns your Ethernet card into a fake access point and then runs station mode.
So you get all of these log messages and all this weird stuff, and nothing you can really decipher if anything goes wrong. In addition, you always have to start it manually. So there's no automatic thing that actually detects: is this an EAP-enabled or 802.1X-enabled Ethernet port?

So we have ead for it, the Ethernet Authentication Daemon. You realize I like three-letter acronyms; they're kind of nice as a process name. It's a single daemon that integrates all your Ethernet cards and does auto-detection of 802.1X on that one. So it figures out: okay, do I need to run 802.1X, yes or no? And then it will enable it, using the same EAP structure from iwd, so that code is shared. Again, with that one it will integrate with the TPM as well if you have that set up. It's super tiny and lightweight.

What's currently work in progress is getting the agent interface ready. So if you're missing credential parts like identity, etc., the user just gets asked for it. We need an additional one as well, because most networks don't identify themselves. So you have multiple credentials: you have credentials for Google, you have credentials for Intel, and you actually have to decide, okay, which ones are these. Funny enough, most of the ports don't actually identify themselves, so you actually have to guess, and obviously you don't want to apply all credentials. So we don't want to reveal that we actually support one or the other. And it gets a really simple D-Bus API, so that you actually can see: oh, I'm on an Ethernet card that is authenticated now. So you don't need anything else.

The initial version is already part of iwd. For simplicity, for now we stuck it into the iwd source code. It has configure options; you can build iwd with only shipping ead.
It's all documented for the autoconf stuff. And with this one you can then easily start testing this on your corporate network; you might actually have some problems, and I really would like to get feedback on this one, whether this works on a corporate network or not, because we had a lot of fun with our own corporate network, where certain things are working a little bit differently than you would expect and manipulate the standard. But we actually have this nicely working, and we can use this to authenticate our Ethernet ports.

Since I probably only have five minutes left: Freenode IRC for iwd, Freenode IRC for ell, that's where most communication happens. The mailing list, I should have put the mailing list as well; the mailing lists are there as well. iwd has a kernel wiki; happy if anybody wants to actually document this, or I put any information in there. There's a bunch of wikis for the different distros. I think the Arch wiki for iwd is pretty good if you want to get started. And the git trees have the most information and documentation in them as well, so it's easy to browse.

I was going to do the demo, but I'm probably opening this first for questions. Any questions? All right, yes, please.

So the question is if we have plans to extend to the authenticator. Yes, not in any immediate time; we have a bunch of things to do first, but yes, we also want to do the other side, so we can also do an access point.
I think, yeah, there was one. So the question is if this would become the central point for the configuration of the Ethernet. So iwd will only manage Wi-Fi cards, ead will only manage Ethernet cards. They will manage these cards separately, but then what you're going to do with them is up to one layer up. So if you want to do any routing on that one, etc. I have to say our plan is actually to put DHCP into these daemons, so do all the IP configuration inside the daemons as an optional part. That is actually needed in certain situations, because for Wi-Fi this is needed, for example the Tokyo subway situation: the train comes into the subway, you have around a second or two to actually get your network up, get your data. You can't wait until some other system actually configures you, selects Wi-Fi as the default and so on and so forth. You actually need to get this all done, and you get the IP addresses over management frames from your Wi-Fi access point, so you need to actually do the whole setup all by yourself. That's something we're still working on, to actually separate this nicely. But then, do you want to route over Wi-Fi or do you route over Ethernet? That's for someone else to figure out. We just want to make the port available and trigger the authentication or re-authentication. Hope that answers your question.

So the question is if iwd can be used without D-Bus. The answer is no. Okay, at some point you have to be realistic about how the world looks right now. D-Bus is not that bad. We're shipping our own D-Bus library; we don't use the default implementation. Some guys from Red Hat were working on dbus-broker, which is a lot slimmer and tinier. I mean, build your own IPC or use D-Bus? Yes, you could, and you can probably change iwd to actually extract this out, because it's not really that complicated, there's not that much API, but we have to make a choice at some point.
We have to say, okay, we have to use D-Bus for this one. I would rather look into optimizing D-Bus than actually trying to figure out how to get D-Bus out of iwd. Yes, please.

Okay, so the question is: is this a full access point mode at this point in time? No. We will get there, because the reality is we see that we also need to do something for the routers and real access points at homes, here for some replacement, because many of the router manufacturers are actually using wpa_supplicant and have tons and tons of problems. We are not there yet. The team is like five people, so we have to set the priorities. But the plan is to actually get this whole thing set up properly, because if you're on the access point, and you have a really good access point, you can do a lot of things by steering your clients into the right direction and optimizing your bandwidth on your network. We need to do this. It will happen, but not this year.

There's another one over there. It can't be used as a replacement for hostapd right now. It will eventually. It's a personal access point, like tethering for example: you have, for example, an Ethernet connection and you want your phone to share it. I don't know this for sure, but I heard someone actually built it on it, so I hope so.

Another question. Okay, I think you were first. Have we looked at supporting the mesh, the Wi-Fi mesh? 802.11s mesh. We don't have this on the roadmap for this year, but I had a discussion with someone about a month ago. I think we need to do this as well; contributions are more than welcome. We can't do this right now. It's completely possible to do this really quickly, because I think all the crypto, because we did WPA3, the SAE parts, all the crypto support should already be in there. So I think you just need to actually manage the mesh nodes. So contributions are welcome, not this year.
Sorry, there was another one over there. So the question is what interface we're going to use to access the crypto. So it's AF_ALG, so you can access the ciphers and hashes, etc. Pretty simple. So if they're hardware optimized, they will use the hardware. We don't do that much that really makes a performance difference. For the asymmetric crypto we use keyctl. The keyctl kernel subsystem actually allows you to build complete keyrings, and it allows you to use asymmetric certificates. So you can actually build your whole CA inside the kernel. And then there are provisions that keyrings actually only allow extension of the keyrings if you validate the data against an existing one. So this is all built, and then you have operations for sign, verify, encrypt and decrypt, and then the kernel will decide if this is a certificate that is in a TPM or not in a TPM, or if you have to load it before, etc. So it's pretty much a CA inside the kernel. Any other questions, please?

Yes, we have. So, systemd-networkd integration. First of all, it's just going to work, because it will eventually signal the interfaces up, and if you've configured it, it will just start DHCP and it will just run. There's a little bit of a caveat on this one when you actually want to have your favorite network name, and the kernel decided that's wlan0, but you like the really weird naming of someone else. We are faster than udev can rename it, and then you get blocked. So when iwd starts working, the interface is up, and an interface that is up cannot be renamed anymore. So that kind of thing is bonkers. I don't know how to fix it. We looked at it to fix it.
I have no idea. So you don't get your fancy shiny network names if systemd-networkd wants to rename your link, but otherwise it just works. It could do more if we would finally agree on some extensions where we actually, for example, can annotate the systemd-networkd config files with the SSID, so you say: oh, okay, we want to run this DHCP, IPv6 only, on this SSID and not on the other one. Currently systemd-networkd is unaware of what network you're connected to. For that one, they have to learn the annotation. I had a couple of proposals to Lennart and the others, but it kind of calmed down on this one; they didn't want to do this. We need to annotate it. We have to tell you what network you're currently connected on, because the interface is not going to change. There's still what to do if we're going to take DHCP away from them.

Oh, good. Any other questions? Because I'm getting the signal that I'm out of time. Sorry that I can't do the demo; I think I talked too much. If you have any other questions or want to see a short demo, then just catch me afterwards. Thank you very much.