Ask the Expert

Implementing WPA over WDS links

I have been looking into open source solutions to implementing WPA over WDS links, and have found at this point it doesn't work because of dynamic key exchanges. Some vendors state that they have it working, but it will be more or less a proprietary solution and will likely have interoperability issues. Are you aware of any work on this issue?

    Requires Free Membership to View

Encryption can be used with 802.11 Wireless Distribution System (WDS) links between bridges or repeaters, but only with static keys configured into the APs at both ends of the WDS link. In practical terms, this means that WDS can only be used with Wired Equivalent Privacy (WEP), because WEP allows direct configuration of static keys. Wi-Fi Protected Access (WPA) did away with static encryption keys, using a 4-way key handshake to derive dynamic encryption keys based either on a Preshared Secret Key (WPA-PSK) or a master key delivered via 802.1X.

WPA was based on a draft version of the 802.11i standard. It defined the 4-way key handshake for Infrastructure mode (stations associated with APs) but not for Ad Hoc mode (station associated with peer station). WPA2, based on the final 802.11i standard, covers how key handshake works in Ad Hoc mode, letting peers derive dynamic encryption keys. I have not heard anything specific about WDS and WPA2, but it seems conceptually possible to apply the 802.11i four-way key handshake defined for Ad Hoc mode to APs connected by WDS.

IEEE 802.11 Task Group S is now drafting a new standard to define an 802.11 Extended Service Set (ESS) Mesh, interconnected by an 802.11 Wireless Distribution System. This standard will probably apply 802.11i security enhancements (WPA2) to mesh networks and may thus become the standard way of using WPA/WPA2 with WDS.

In the meantime, it seems that some vendors DO support WPA in their current WDS implementations. Here are a few products that claim to support WDS with WPA: Apple Airport 4.1, the latest Sveasoft Alchemy (custom firmware for Broadcom b/g-based APs), Belkin 802.11g Wireless Network Access Point 4.03.03, 3COM OfficeConnect Wireless 108 Mbps 11g PoE Access Point, and Corinex Wireless to Powerline Router G. As you point out, these vendor extensions are unlikely to permit WDS bridging between unlike products, although this should not inhibit station-AP multi-vendor interoperability.

This was first published in March 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: