TKIP Countermeasures

Important  The Native 802.11 Wireless LAN interface is deprecated in Windows 10 and later. Please use the WLAN Device Driver Interface (WDI) instead. For more information about WDI, see WLAN Universal Windows driver model.


TKIP countermeasures are defined in the Wi-Fi Protected Access (WPA) specification and Clause 8.3.2.4 of the IEEE 802.11i-2004 standard. TKIP countermeasures are invoked following message integrity code (MIC) verification failures on received packets.

When the MIC verification fails, the miniport driver and the 802.11 station must follow these guidelines:

  • The miniport driver must make a Native 802.11 media-specific NDIS_STATUS_DOT11_TKIPMIC_FAILURE indication.

  • If port-based authentication is managed by the operating system, the 802.11 station must not perform the TKIP countermeasures. Instead, the operating system will perform the countermeasures after the miniport driver makes two NDIS_STATUS_DOT11_TKIPMIC_FAILURE indications within a 60-second period.

    When performing the countermeasures, the operating system issues a set request of OID_DOT11_EXCLUDED_MAC_ADDRESS_LIST to the miniport driver. The excluded media access control (MAC) address list will contain the MAC address of the access point (AP) with which the 802.11 station is currently associated.

    After OID_DOT11_EXCLUDED_MAC_ADDRESS_LIST is set, the 802.11 station disassociates from the AP and does not reassociate until the operating system issues another set request of this OID to remove the AP's MAC address from the excluded MAC address list. The operating system does not remove the AP's MAC address from the excluded list for at least 60 seconds.

    Note  If port-based authentication is managed by the operating system, TKIP is only supported for infrastructure basic service set (BSS) networks.


  • If port-based authentication is managed by a service developed by the independent hardware vendor (IHV), either the IHV service or 802.11 station must perform the TKIP countermeasures. The method used for performing the countermeasures is specific to the IHV implementation.

    Note  If port-based authentication is managed by an IHV service, TKIP can be supported for infrastructure and independent BSS networks.
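
The timing rules for the operating-system-managed case above, modeled as a small C state machine. This is an added example, not Microsoft's code and not part of the original page. The type and function names are hypothetical, and it assumes a caller-supplied monotonic clock in seconds, removal of the excluded entry at the earliest permitted time, and a failure window that restarts after countermeasures trigger.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define TKIP_MIC_WINDOW_SEC  60 /* two indications within this period trigger countermeasures */
#define TKIP_EXCLUDE_MIN_SEC 60 /* AP stays on the excluded list at least this long */

/* Hypothetical model state; not a Native 802.11 structure. */
typedef struct {
    bool     have_prev;        /* an earlier MIC failure indication is pending */
    uint64_t prev_failure;     /* time of that indication, in seconds */
    bool     excluded;         /* an AP is currently on the excluded list */
    uint8_t  excluded_mac[6];  /* MAC address of the excluded AP */
    uint64_t exclude_until;    /* earliest time the entry may be removed */
} tkip_cm_state;

/* Models the OS reaction to one NDIS_STATUS_DOT11_TKIPMIC_FAILURE indication.
   Returns true when this indication triggers the countermeasures. */
bool tkip_cm_on_mic_failure(tkip_cm_state *s, const uint8_t ap_mac[6], uint64_t now)
{
    bool trigger = s->have_prev && (now - s->prev_failure) < TKIP_MIC_WINDOW_SEC;
    s->have_prev = true;
    s->prev_failure = now;
    if (trigger) {
        /* Stands in for the set request of OID_DOT11_EXCLUDED_MAC_ADDRESS_LIST
           that carries the currently associated AP's MAC address. */
        memcpy(s->excluded_mac, ap_mac, 6);
        s->excluded = true;
        s->exclude_until = now + TKIP_EXCLUDE_MIN_SEC;
        s->have_prev = false;  /* assumption: the window restarts afterwards */
    }
    return trigger;
}

/* May the station associate or reassociate with ap_mac at time now? */
bool tkip_cm_may_associate(tkip_cm_state *s, const uint8_t ap_mac[6], uint64_t now)
{
    /* Assumption: the OS removes the entry as soon as the minimum hold expires;
       the page only guarantees "at least 60 seconds". */
    if (s->excluded && now >= s->exclude_until)
        s->excluded = false;
    return !(s->excluded && memcmp(s->excluded_mac, ap_mac, 6) == 0);
}
```

A single MIC failure, or two failures spaced more than 60 seconds apart, never changes the association state in this model; only the second indication inside the window does.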