[Open Source Summit EU 2019]

iwd 1.0 has been released, but WiFi on Linux still sucks.

One problem is that there are too many independent components that need to work together. You need to build tons of stuff on top to make it all work. Also WFA keeps adding new features and standards.

Also, some pieces don’t want to store anything. So network-manager has to keep track of this, instead of focusing on UI. In the end there are 6-7 entities that have some kind of state.

Also you’d expect that only the low-level WiFi daemon wpa_supplicant accesses the kernel APIs. But no, network-manager and even dhcpd access them as well.

The idea of iwd was to handle all this. iwd tracks the known networks because it needs to do fast transition. iwd is the only one doing scanning. network-manager only needs to talk to iwd.

iwd does a lot of things already. It keeps the network information. It does fast roaming. It optimizes scanning. It handles the complexities of WPA3. It handles enterprise network provisioning and EAP without complicated user configuration. It does address randomisation. It has an AP mode for personal hotspot.

Enterprise network provisioning is still not completely solved, even though it was a focus point from the beginning. Enterprise networks are good though, because you don’t have a shared key that is exposed to everyone. With iwd, there’s a configuration file that can be provided by the administrator. There are still a few problems though: certificates are in separate files, and they have to be accessible by iwd, so they conflict with the access protections. A step in the right direction is to have the TLS certificates in the config file itself. There’s also a tool that converts from the iOS config file. So now the enterprise admin can generate a single file that you can install. The format is well documented in the man page. However, this needs to become a standard so the same file can be used anywhere.
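To make the single-file idea concrete, here is an added example (not from the talk or the iwd project) that audits a provisioning profile and reports which certificate or key settings are embedded in the file, which still point at separate files, and which reference an embedded block that is missing. It assumes the `embed:<name>` references and `[@pem@<name>]` sections described in the iwd.network man page; the sample profile, its identity and the PEM body are constructed placeholders.

```python
import re

# Constructed sample profile; identity and PEM body are placeholders.
SAMPLE = """\
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@corp.example
EAP-PEAP-CACert=embed:corp_ca
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=alice

[@pem@corp_ca]
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
"""

# Assumption: settings that carry certificates or keys end in one of these names.
PEM_KEY = re.compile(r"(CACert|ClientCert|ClientKey)$")

def audit_profile(text):
    """Return (embedded, external, dangling) certificate/key settings."""
    pem_sections, refs, section = set(), [], None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            if section.startswith("@pem@"):
                pem_sections.add(section[len("@pem@"):])
            continue
        # Skip PEM bodies (base64 padding contains '=') and non-setting lines.
        if section is None or section.startswith("@pem@") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if PEM_KEY.search(key):
            refs.append((key, value))
    embedded, external, dangling = [], [], []
    for key, value in refs:
        if not value.startswith("embed:"):
            external.append((key, value))   # separate file iwd must be able to read
        elif value[len("embed:"):] in pem_sections:
            embedded.append(key)            # travels inside the single profile
        else:
            dangling.append(key)            # reference with no matching PEM block
    return embedded, external, dangling

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```

An empty `external` list means the profile can be handed over as one file; each entry in it is a path whose permissions have to be managed separately.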

Up to now, iwd was only doing 802.11, not IP. Turns out that this is not tenable. For example, there are standards that give the IP address directly in the association, to avoid the latency of DHCP. So iwd also controls the network config. There’s an integrated DHCPv4 client and network configuration. It talks to systemd-resolved and resolvconf for DNS.

The goal is to connect in 100ms. Currently, iwd spends 100ms on scanning, 100ms on connecting, and 50-100ms on DHCP. Address randomisation adds another 300ms, and Android reports that it’s sometimes 3 seconds. The problem is that you have to power down the PHY to be able to change the address. The solution is a live headers change feature so the packets can just be modified. But kernel changes take a very long time to get adopted.

nl80211 needs changes to make it faster. The problem is that it doesn’t want to store state.

Similar to iwd, they’re working on ead for wired network authentication. By integrating in a single daemon with DHCP, you can work a lot faster because discovering which enterprise network you’re on is a lot easier. apd is the access point daemon. It goes beyond hotspot support. It would include STA support as well, so there are no two daemons running on the same radio. rsd is a resolver daemon, a replacement for systemd-resolved.