15.12.2020

Wlan Protocol That Generates A New Dynamic Key


IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networks, replacing the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, the amendment deprecated the broken Wired Equivalent Privacy (WEP); it was later incorporated into the published IEEE 802.11-2007 standard.

Replacement of WEP

802.11i supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have security vulnerabilities. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities. WPA implemented a subset of a draft of 802.11i. The Wi-Fi Alliance refers to their approved, interoperable implementation of the full 802.11i as WPA2, also called RSN (Robust Security Network). 802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 stream cipher.[1]

Protocol operation

IEEE 802.11i enhances IEEE 802.11-1999 by providing a Robust Security Network (RSN) with two new protocols: the four-way handshake and the group key handshake. These utilize the authentication services and port access control described in IEEE 802.1X to establish and change the appropriate cryptographic keys.[2][3] The RSN is a security network that only allows the creation of robust security network associations (RSNAs), which are a type of association used by a pair of stations (STAs) if the procedure to establish authentication or association between them includes the 4-Way Handshake.[4]

The standard also provides two RSNA data confidentiality and integrity protocols, TKIP and CCMP; implementation of CCMP is mandatory, since the confidentiality and integrity mechanisms of TKIP are not as robust as those of CCMP.[5] TKIP was included mainly so that the algorithm could be implemented within the capabilities of most older devices that support only WEP.

The initial authentication process is carried out either using a pre-shared key (PSK), or following an EAP exchange through 802.1X (known as EAPOL, which requires the presence of an authentication server). This process ensures that the client station (STA) is authenticated with the access point (AP). After the PSK or 802.1X authentication, a shared secret key is generated, called the Pairwise Master Key (PMK). In PSK authentication, the PMK is actually the PSK,[6] which is typically derived from the Wi-Fi password by putting it through a key derivation function that uses SHA-1 as the cryptographic hash function.[7] If an 802.1X EAP exchange was carried out, the PMK is derived from the EAP parameters provided by the authentication server.

Four-way handshake

The four-way handshake[8] is designed so that the access point (or authenticator) and wireless client (or supplicant) can independently prove to each other that they know the PSK/PMK, without ever disclosing the key. Instead of disclosing the key, the access point (AP) and client encrypt messages to each other—that can only be decrypted by using the PMK that they already share—and if decryption of the messages was successful, this proves knowledge of the PMK. The four-way handshake is critical for protection of the PMK from malicious access points—for example, an attacker's SSID impersonating a real access point—so that the client never has to tell the access point its PMK.

The PMK is designed to last the entire session and should be exposed as little as possible; therefore, keys to encrypt the traffic need to be derived. A four-way handshake is used to establish another key called the Pairwise Transient Key (PTK). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The concatenation is then put through a pseudo-random function. The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic.

The actual messages exchanged during the handshake are depicted in the figure and explained below (all messages are sent as EAPOL-Key frames):

  1. The AP sends a nonce-value (ANonce) to the STA together with a Key Replay Counter, which is a number that is used to match each pair of messages sent, and discard replayed messages. The STA now has all the attributes to construct the PTK.
  2. The STA sends its own nonce-value (SNonce) to the AP together with a Message Integrity Code (MIC), including authentication, which is really a Message Authentication and Integrity Code (MAIC), and the Key Replay Counter, which is the same as in Message 1, to allow the AP to match it with the right Message 1.
  3. The AP verifies Message 2, by checking MIC, RSN, ANonce and Key Replay Counter Field, and if valid constructs and sends the GTK with another MIC.
  4. The STA verifies Message 3, by checking MIC and Key Replay Counter Field, and if valid sends a confirmation to the AP.

The Pairwise Transient Key (64 bytes) is divided into five separate keys:

  1. 16 bytes of EAPOL-Key Confirmation Key (KCK) – Used to compute MIC on WPA EAPOL Key message
  2. 16 bytes of EAPOL-Key Encryption Key (KEK) – AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example, the RSN IE or the GTK)
  3. 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
  4. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
  5. 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station

The Group Temporal Key (32 bytes) is divided into three separate keys:

  1. 16 bytes of Group Temporal Encryption Key – used to encrypt/decrypt Multicast and Broadcast data packets
  2. 8 bytes of Michael MIC Authenticator Tx Key – used to compute MIC on Multicast and Broadcast packets transmitted by AP
  3. 8 bytes of Michael MIC Authenticator Rx Key – currently unused as stations do not send multicast traffic

The Michael MIC Authenticator Tx/Rx Keys in both the PTK and GTK are only used if the network is using TKIP to encrypt the data.

This four-way handshake has been shown to be vulnerable to KRACK.
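As an added example (not code from the page or from the standard's text), the key chain this section and the key hierarchy section describe: PSK to PMK with PBKDF2-HMAC-SHA1, PRF-512 to the PTK, the five-way split, and the replay-counter and MIC checks an AP performs on Message 2. The MAC addresses, nonces and the EAPOL-Key frame built here are constructed; the key-info value 0x010a and the field offsets follow the EAPOL-Key descriptor layout and are assumptions of this example.

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 81   # EAPOL header (4) + descriptor fields preceding the Key MIC (77)
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: R = HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...;
    the result is L(R, 0, n), the leftmost n bits."""
    out, i = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbits: int = 512) -> bytes:
    """PTK = PRF-n(PMK, "Pairwise key expansion",
                   Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    Ordering by value rather than by role is what lets AP and STA derive the same PTK
    independently, without either side ever sending the PMK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def split_ptk(ptk: bytes) -> dict:
    """The 64-byte split given in the text. The two Michael keys only matter under TKIP;
    CCMP uses PRF-384 and stops after the TK."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MICHAEL_TX": ptk[48:56], "MICHAEL_RX": ptk[56:64]}


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for descriptor version 2 (WPA2/AES): HMAC-SHA1 over the entire EAPOL-Key
    frame with the Key MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_msg2(kck: bytes, snonce: bytes, replay_counter: int, key_data: bytes) -> bytes:
    """Constructed Message 2 (STA -> AP) as an EAPOL-Key frame. Key info 0x010a =
    descriptor version 2, key type Pairwise, MIC bit set."""
    body = struct.pack(">BHHQ", 2, 0x010a, 16, replay_counter)  # type, key info, key len, replay
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, key IV, RSC, key ID
    body += b"\x00" * MIC_LEN + struct.pack(">H", len(key_data)) + key_data
    frame = struct.pack(">BBH", 2, 3, len(body)) + body          # EAPOL v2, type 3 = EAPOL-Key
    mic = eapol_key_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


def ap_verify_msg2(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes,
                   frame: bytes, expected_replay: int) -> bool:
    """What the authenticator does on Message 2: check that the replay counter echoes
    Message 1, read SNonce, derive the PTK itself and verify the MIC with the KCK."""
    replay = struct.unpack(">Q", frame[9:17])[0]
    if replay != expected_replay:
        return False                      # replayed or mismatched message: discard
    snonce = frame[17:49]
    kck = split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce))["KCK"]
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN],
                               eapol_key_mic(kck, frame))


if __name__ == "__main__":
    # constructed values: passphrase/SSID from the standard's own PSK test vector,
    # MAC addresses and nonces are illustrative only
    pmk = derive_pmk("password", "IEEE")
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce))["KCK"]
    msg2 = build_msg2(kck, snonce, 1, b"")
    print("Message 2 accepted:", ap_verify_msg2(pmk, aa, spa, anonce, msg2, 1))
```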

Group key handshake

The Group Temporal Key (GTK) used in the network may need to be updated due to the expiration of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP.

To handle the updating, 802.11i defines a Group Key Handshake that consists of a two-way handshake:

  1. The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK assigned to that STA, and the message is protected from tampering by a MIC.
  2. The STA acknowledges the new GTK and replies to the AP.

CCMP overview

CCMP is based on the Counter with CBC-MAC (CCM) mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header.

Key hierarchy

RSNA defines two key hierarchies:

  1. Pairwise key hierarchy, to protect unicast traffic
  2. GTK, a hierarchy consisting of a single key to protect multicast and broadcast traffic

The description of the key hierarchies uses the following two functions:

  • L(Str, F, L) - From Str starting from the left, extract bits F through F+L–1.
  • PRF-n - Pseudo-random function producing n bits of output; 128, 192, 256, 384 and 512 versions are defined, each producing that many bits.

The pairwise key hierarchy utilizes PRF-384 or PRF-512 to derive session-specific keys from a PMK, generating a PTK, which gets partitioned into a KCK and a KEK plus all the temporal keys used by the MAC to protect unicast communication.

The GTK shall be a random number, which is also generated using PRF-n, usually PRF-128 or PRF-256; in this model, the group key hierarchy takes a GMK (Group Master Key) and generates a GTK.

MAC frame formats

Frame Control field

Frame Control field[9]

  Subfield            Bits
  Protocol Version    2 bits
  Type                2 bits
  Subtype             4 bits
  To DS               1 bit
  From DS             1 bit
  More Fragments      1 bit
  Retry               1 bit
  Power Management    1 bit
  More Data           1 bit
  Protected Frame     1 bit
  Order               1 bit

Protected Frame field

"The Protected Frame field is 1 bit in length. The Protected Frame field is set to 1 if the Frame Body field contains information that has been processed by a cryptographic encapsulation algorithm. The Protected Frame field is set to 1 only within data frames of type Data and within management frames of type Management, subtype Authentication. The Protected Frame field is set to 0 in all other frames. When the Protected Frame field is set to 1 in a data frame, the Frame Body field is protected utilizing the cryptographic encapsulation algorithm and expanded as defined in Clause 8. Only WEP is allowed as the cryptographic encapsulation algorithm for management frames of subtype Authentication."[8]
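An added example (not from the page) that decodes the 16-bit Frame Control field laid out in the table above and applies the Protected Frame rule from the quoted clause; a frame whose Protected bit is set anywhere the clause forbids it is malformed and worth flagging in monitoring. The sample frame bytes are constructed.

```python
# Frame Control is transmitted as two bytes; bits are numbered from the LSB of byte 0,
# in the order the table above lists the subfields.
TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
AUTHENTICATION_SUBTYPE = 0x0B   # management subtype 1011 = Authentication


def parse_frame_control(fc: bytes) -> dict:
    """Split the two Frame Control bytes into the eleven subfields."""
    if len(fc) != 2:
        raise ValueError("Frame Control is exactly 2 bytes")
    b0, b1 = fc[0], fc[1]
    return {
        "protocol_version": b0 & 0x03,          # 2 bits, must be 0 for 802.11
        "type": TYPES[(b0 >> 2) & 0x03],        # 2 bits
        "subtype": (b0 >> 4) & 0x0F,            # 4 bits
        "to_ds": bool(b1 & 0x01),
        "from_ds": bool(b1 & 0x02),
        "more_fragments": bool(b1 & 0x04),
        "retry": bool(b1 & 0x08),
        "power_management": bool(b1 & 0x10),
        "more_data": bool(b1 & 0x20),
        "protected_frame": bool(b1 & 0x40),
        "order": bool(b1 & 0x80),
    }


def protected_bit_allowed(f: dict) -> bool:
    """The quoted clause: Protected Frame may be 1 only in frames of type Data and in
    Management frames of subtype Authentication; it must be 0 in every other frame."""
    if not f["protected_frame"]:
        return True
    return f["type"] == "data" or (
        f["type"] == "management" and f["subtype"] == AUTHENTICATION_SUBTYPE)


def check_frame_control(fc: bytes) -> tuple:
    """Parse and validate; returns (fields, True) for a well-formed field."""
    f = parse_frame_control(fc)
    return f, f["protocol_version"] == 0 and protected_bit_allowed(f)


# constructed samples: QoS Data (to DS, protected), Beacon, a Beacon with the
# Protected bit wrongly set, and a (WEP shared-key) Authentication frame
SAMPLES = {
    "qos_data_protected": b"\x88\x41",
    "beacon": b"\x80\x00",
    "beacon_protected": b"\x80\x40",
    "auth_protected": b"\xb0\x40",
}

if __name__ == "__main__":
    for name, fc in SAMPLES.items():
        fields, ok = check_frame_control(fc)
        print(f"{name:20s} type={fields['type']:10s} subtype={fields['subtype']:2d} "
              f"protected={fields['protected_frame']} valid={ok}")
```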

See also

  • WLAN Authentication and Privacy Infrastructure (WAPI), China's centralized wireless security method
  • IEEE 802.1AE MACsec

References

  1. 'IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements' (PDF). IEEE Standards. 2004-07-23. Retrieved 2007-12-21.
  2. 'IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements' (PDF). IEEE Standards. 2004-07-23. p. 14. Retrieved 2010-04-09.
  3. 'IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements' (PDF). IEEE Standards. 2004-07-23. p. 14. Retrieved 2010-04-09. "RSNA relies on IEEE 802.1X to provide authentication services and uses the IEEE 802.11 key management scheme."
  4. 'IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements' (PDF). IEEE Standards. 2004-07-23. p. 5. Retrieved 2010-04-09.
  5. 'IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements' (PDF). IEEE Standards. 2004-07-23. p. 43. Retrieved 2010-04-09.
  6. 'IEEE 802.11i-2004 Standard Amendment 6: Medium Access Control (MAC) Security Enhancements' (PDF). p. 33.
  7. 'IEEE 802.11i-2004 Standard Amendment 6: Medium Access Control (MAC) Security Enhancements' (PDF). p. 165.
  8. 'IEEE 802.11i-2004 Standard Amendment 6: Medium Access Control (MAC) Security Enhancements' (PDF).
  9. 'Section of MAC frame formats'. Archived from the original on 2018-04-27. Retrieved 2018-04-27.

General
  • 'IEEE 802.11-2007: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications'. IEEE. 2007-03-08.
  • 'The Evolution of 802.11 Wireless Security' (PDF). ITFFROC. 2010-04-18.

External links

  • Vulnerability in the WPA2 protocol, hole196
Retrieved from 'https://en.wikipedia.org/w/index.php?title=IEEE_802.11i-2004&oldid=949208972'
Advanced MikroTik Wireless networks

In this section, we offer more advanced information related to wireless networks. Here we will discuss how to implement security in wireless networks (how to set up the authentication type, encryption protocols, pre-shared key (password) etc.), and how to restrict access by other devices.

The section also includes information about wireless bridges and mesh networks, and provides simple configuration examples.

Wireless data protection (Security Profile)

There are several steps to implementing a secure wireless network:

  • Set up a password for the wireless administration interface. An administrator password is available on almost any wireless router and is used to log into the device for monitoring and changing the configuration. Most producers set a weak password like "pass", "password" or "admin" by default; on MikroTik routers there is no password at all by default. It is therefore recommended to change the administration password to something else; if you do not use this password very often, write it down and keep it in a safe place. If you lose your password on a MikroTik device there is no way to recover it; the only option is to reset the router configuration to factory default settings.
  • Use encryption to protect data sent between the access point and the client station. Wired Equivalent Privacy (WEP) encrypts data only between 802.11 devices, using static keys; the static key is part of the data encryption algorithm. This is not considered a very secure wireless data encryption mechanism, though it is better than no encryption at all. If some of your wireless devices only support WEP encryption, remember that WEP is better than nothing; choose a static encryption key that is not easy to guess and is not very short (more than 8 symbols is recommended) and change it from time to time if possible. WPA (Wi-Fi Protected Access) provides much better protection for your wireless network. WPA is a combination of the 802.1X, EAP, MIC, TKIP and AES protocols, where:
    • 802.1X is used as the authentication framework: users can be authenticated individually using a RADIUS server.
    • EAP is a protocol for wireless networks that expands on authentication methods. EAP can support multiple authentication mechanisms, such as one-time passwords, certificates, smart cards and public key encryption authentication.
    • MIC (message integrity code), or cryptographic checksum, verifies that messages have not been altered in transit (checks whether the received message is the same as the sent message).
    • TKIP and AES are data encryption algorithms. TKIP generates keys dynamically, different for each client, and alters keys for each successive packet.
    • WPA support is built into Windows XP and later versions and all other modern operating systems. An improved WPA version (WPA2) is now available that provides stronger encryption, authentication and several other new features.
  • Use MAC address filtering for access control. As MAC addresses uniquely identify network devices, MAC address filtering allows you to limit network access to specific MAC addresses only, or to restrict access from specific MAC addresses. If you implement full MAC address filtering on your network you need to know the entire list of your clients' MAC addresses, which can be very complicated when you have hundreds of clients or when clients often change devices or MAC addresses. Remember that MAC addresses can be "spoofed" (imitated) by knowledgeable persons, so this mechanism does not guarantee perfect security; it only makes access more difficult for undesirable persons and improves network security. How to configure access filtering is discussed below in paragraph 14.2.


Security profile configuration example on MikroTik

Security profiles are used to create security policies for wireless interfaces and allow defining security parameters such as the authentication type, encryption algorithm, pre-shared keys and other specific parameters. The full command reference can be found here.

Security profiles are configured under the /interface wireless security-profiles menu when using the command line interface, or in the Wireless > Security Profiles tab of the WinBox configuration tool. Security profiles are referenced by the wireless interface (/interface wireless [name of wlan interface]) through its security-profile parameter, which means we can create different security profiles for different wireless interfaces (each wireless card is a separate interface); a security-profile can also be specified as a parameter of a connect list rule (/interface wireless connect-list).


Basic parameters required for any security profile are:

name – profile name
mode – security profile mode. Four modes are available:
  • none - encryption is not used. Encrypted frames are not accepted.
  • static-keys-required - WEP mode. Do not accept and do not send unencrypted frames. A station in static-keys-required mode will not connect to an access point in static-keys-optional mode.
  • static-keys-optional - WEP mode. Supports encryption and decryption, but also allows receiving and sending unencrypted frames. The device will send unencrypted frames if the encryption algorithm is specified as none. A station in static-keys-optional mode will not connect to an access point in static-keys-required mode.
  • dynamic-keys - WPA mode.


Configuring WEP with a 40-bit static key

Create new WEP security profile named “wep_profile”:

Statically configured WEP keys:

Different algorithms require different key lengths:

  • 40bit-wep (static-key-1) - 10 hexadecimal digits (40 bits). If the key is longer, only the first 40 bits are used.
  • 104bit-wep (static-key-2) - 26 hexadecimal digits (104 bits). If the key is longer, only the first 104 bits are used.
  • tkip (static-key-3) - at least 64 hexadecimal digits (256 bits).
  • aes-ccm (static-key-3) - at least 32 hexadecimal digits (128 bits).

The key must contain an even number of hexadecimal digits.


static-transmit-key – defines which key is used for transmission. Different keys (static-key-1, static-key-2, static-key-3 and static-key-4) can be specified; this option selects which of them we want to use.


Assign profile to wireless interface:


Configuring WPA protection (authentication type – WPA-PSK, encryption protocol – AES)

Create WPA security profile named “wpa_profile”:


Specify encryption algorithm:

unicast-ciphers (multiple choice of tkip, aes-ccm; default value is empty): The access point advertises that it supports the specified ciphers. A client attempts connection only to access points that support at least one of the specified ciphers. Used to encrypt unicast frames sent between access point and station.

group-ciphers (multiple choice of tkip, aes-ccm; default value is empty): The access point advertises one of these ciphers, and uses it to encrypt all broadcast and multicast frames.


wpa-pre-shared-key, wpa2-pre-shared-key: WPA and WPA2 pre-shared key mode requires all devices in a BSS to have a common secret key. The value of this key can be arbitrary text. These properties have effect only when authentication-types contains either wpa-psk or wpa2-psk.


Wireless Access List

The access list is used by the Access Point (AP) to deny or allow access for specific clients, as well as to control connection parameters.

Authentication can be rejected or allowed by MAC address, signal strength and time (on which days and for how long per day a client may be connected to the AP).

Available access-list matching properties:

mac-address – rule matches the client with the specified MAC address. The default value 00:00:00:00:00:00 always matches.

interface (default value: all) – rules with interface=all are used for all wireless interfaces. To make a rule that applies only to one wireless interface, specify that interface as the value of this property.


Match properties that also set connection parameters:

signal-range (default range: -120..120) – rule matches if the signal strength of the station is within the range. If the signal strength of the station goes out of the range specified in the rule, the access point will disconnect that station.

time – rule will match only during the specified time. Time is given in the format start-end,days; for example, to set the time on Monday from 8:00 a.m. to 5:00 p.m.: time=28800-62100,mon (default value: not set). The station will be disconnected after the specified time ends. Both start and end time are expressed as time since midnight, 00:00. The rule will match only during the specified days of the week.


Connection properties:

authentication (can assume values: yes or no)

  • no - Client connection always will be rejected.
  • yes - Use authentication procedure that is specified in the security-profile of the interface.

forwarding (yes or no) – controls frame forwarding between clients that are connected to the same access point.

  • no - Client cannot send frames to other stations connected to the same access point.
  • yes - Client can send frames to other stations on the same access point.

ap-tx-limit (default value: 0bits/s (unlimited)): Rate limit of data transmission to this client (download traffic limitation for the client).

client-tx-limit (default value: 0bits/s (unlimited)): Ask the client to limit its rate of data transmission.

This is a proprietary extension that is supported by RouterOS clients, for example between two MikroTik routers.


The association procedure is as follows: when a new client wants to connect to the AP configured on interface wlanN, an entry with the client's MAC address and interface wlanN is looked up in the access-list. If such an entry is found, the action specified in the access list is performed; otherwise the default-authentication and default-forwarding arguments of interface wlanN are used.


How to set up a wireless access list:

To reject the client with MAC address 00:11:22:33:44:55:01 from authenticating on the access point:


To allow the client with MAC address 00:11:22:33:44:55:02 to authenticate to the access point on the wlan1 interface on working days from 8:00 a.m. to 5:00 p.m.:


Wireless connect list

The connect-list can be configured on a wireless interface that works in station mode (mode=station) and determines which AP the station should connect to. The connect list is organized as a list of rules that can assign priority and security settings to connections with remote access points, or restrict connections to specific access points.


At first, the station scans all frequencies in the respective band and makes a list of access points. If an SSID is set under /interface wireless, the router removes from its AP list all access points that do not have that SSID (the SSID under the /interface wireless menu must be the same on station and access point). After that, rule matching as defined under connect-list takes place: the rule list is checked sequentially until the first matching rule is found. A rule can specify one of two actions, whether connection to the AP is allowed or not:

connect=yes - connect to access point that matches this rule.

connect=no - do not connect to any access point that matches this rule, we jump to the next rule.

If we have gone through all rules and have not connected to any AP yet, the router chooses the AP with the best signal among those with the SSID set under /interface wireless.

If the station still has not connected to any AP, this process repeats from the beginning.


There are several values that can be matched in a connect-list rule:

interface – name of the wireless interface (required). Each rule in the connect list applies only to the one wireless interface specified by this setting.

area-prefix – rule matches if the 'area' value in the AP configuration begins with the value of 'area-prefix'.

mac-address – rule matches only the AP with the specified MAC address (default value: 00:00:00:00:00:00 – the MAC address of the AP is not important).

ssid – rule matches access points that have this SSID. An empty value matches any SSID. This property has effect only when the station mode interface SSID is empty, or when the access point mode interface has 'wds-ignore-ssid=yes'.

signal-range – rule matches if the signal strength of the access point is within the range (given in the format NUM..NUM, both NUM being numbers in the range -120..120). If the signal strength is in this range the connection will be accepted; the station will disconnect from that access point when the signal strength goes out of the specified range.

security-profile – name of the security profile that is used when connecting to matching access points. If the value of this property is none, the security profile specified in the interface configuration is used. In station mode, the rule will match only access points that support the specified security profile.

Configuration examples:

Allow the station to connect only to specific access points:


Set the value of the default-authentication interface property to no under the /interface wireless menu.

The default-authentication interface property determines whether the station will attempt to connect to any access point if no rule matches. In this case interface wlan1 works in station mode.


Create rules that match the allowed access points. These rules must have connect=yes and interface equal to the name of the station wireless interface. As you can see, when connecting to the second AP the signal strength is checked too.

Each rule in the connect-list is attached to a specific wireless interface, specified in the interface property of that rule (unlike the access-list, where rules can be applied to all interfaces).


Note: Remember that connect-list rules are always checked sequentially, starting from the first, so put rules in the order of preference. Access is not rejected if the connect-list has no rule that matches the remote access point; then the default values from the wireless interface configuration are used to make the connection to the access point.
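An added example, not RouterOS code or the page's own: a model of the connect-list selection procedure described above (SSID filter from the interface, sequential rules with connect=yes/no, signal-range and mac-address matching, and the best-signal fallback that default-authentication controls). The scan results and rules are constructed; the interpretation that rules are evaluated in order against the whole AP list, with the strongest matching AP taken when a connect=yes rule matches several, is an assumption of this model.

```python
ANY_MAC = "00:00:00:00:00:00"   # the page's "MAC address of the AP is not important"


def rule_matches(rule: dict, ap: dict, interface: str) -> bool:
    """Match one scanned AP against one connect-list rule using the properties above."""
    if rule["interface"] != interface:
        return False
    if rule.get("mac-address", ANY_MAC) not in (ANY_MAC, ap["mac"]):
        return False
    if rule.get("ssid") and rule["ssid"] != ap["ssid"]:      # empty ssid matches any
        return False
    if rule.get("area-prefix") and not ap.get("area", "").startswith(rule["area-prefix"]):
        return False
    lo, hi = rule.get("signal-range", (-120, 120))
    return lo <= ap["signal"] <= hi


def best_signal(aps: list):
    return max(aps, key=lambda ap: ap["signal"]) if aps else None


def select_ap(scan: list, rules: list, interface: str, iface_ssid: str = "",
              default_authentication: bool = True, iface_profile: str = "default"):
    """Return (chosen AP, security profile to use) or (None, None) if nothing is allowed."""
    # 1. SSID set under /interface wireless removes every AP with another SSID
    candidates = [ap for ap in scan if not iface_ssid or ap["ssid"] == iface_ssid]
    # 2. rules in order of preference; a connect=no rule excludes the APs it matches
    #    and evaluation continues with the next rule
    for rule in rules:
        matched = [ap for ap in candidates if rule_matches(rule, ap, interface)]
        if not matched:
            continue
        if rule.get("connect", True):
            profile = rule.get("security-profile", "none")
            return best_signal(matched), (iface_profile if profile == "none" else profile)
        candidates = [ap for ap in candidates if ap not in matched]
    # 3. no rule connected: only with default-authentication=yes does the station
    #    fall back to the remaining AP with the best signal, using the interface profile
    if default_authentication and candidates:
        return best_signal(candidates), iface_profile
    return None, None


# constructed scan list and rules for interface wlan1 (ssid "office" on the interface)
SCAN = [
    {"mac": "00:0C:42:00:00:01", "ssid": "office", "signal": -60, "area": "hq-1"},
    {"mac": "00:0C:42:00:00:02", "ssid": "office", "signal": -85, "area": "branch"},
    {"mac": "00:0C:42:00:00:03", "ssid": "guest", "signal": -40, "area": "hq-2"},
]
RULES = [
    {"interface": "wlan1", "mac-address": "00:0C:42:00:00:02", "connect": False},
    {"interface": "wlan1", "ssid": "office", "signal-range": (-75, 120),
     "connect": True, "security-profile": "wpa2_profile"},
]

if __name__ == "__main__":
    ap, profile = select_ap(SCAN, RULES, "wlan1", "office", default_authentication=False)
    print("chosen:", ap and ap["mac"], "profile:", profile)
```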



Wireless Bridge

To Bridge two networks using WDS

A remote network connected over a wireless link can be easily bridged using the WDS feature of MikroTik RouterOS. WDS works only on Prism and Atheros based cards. This example is given for the case when the networks are connected through an Atheros wireless interface.

The same example can be found:


To better understand the main purpose of this example you have to know what a "bridge" is and what its major benefit is. So, let me recall the simple definition of a bridge.

  • Ethernet bridges represent the software analog to a physical Ethernet switch. The Ethernet bridge can be thought of as a kind of software switch which can be used to connect multiple Ethernet interfaces (physical or virtual) on a single router and share a single IP subnet.

The major benefit of a bridge (including a wireless bridge) lies in the phrase "to share a single IP subnet". It means that local and remote networks can use IP addresses from the same subnet and obtain full connectivity between the local and remote LAN. Look at the figure below.


Simple configuring example

In this example I assume that wireless communication is already established between both sites.

In this case an IP address is already assigned: 10.10.0.1 on the Access Point (AP) wireless interface and 10.10.0.2 on the wireless station.


Configuration on AP router:

Create the bridge interface on AP and add ether1 to the bridge:


Configure the wlan1 interface (mode=bridge or mode=ap-bridge):

Create the WDS interface on the AP (with wds-mode=dynamic, wds-default-bridge=wds-bridge):


Add IP address on the bridge interface (in this case the name of bridge interface is wireless_bridge):


Configuration on wireless station:

Create bridge and add ether1 and wlan1 interface to the bridge

Configure wlan1 interface (mode=station-wds):

Add IP address on the bridge interface (in this case the name of bridge interface is wireless_bridge):


Add a DHCP server on the bridge interface (optional configuration – this is not mandatory):

First we need to define an IP pool:


Create DHCP server:


Check and test your configuration:

Check wds interface on AP router:

Test the bridge by pinging from 10.0.0.128 to 10.0.0.129.

You can also ping workstations (PCs) from one LAN to the remote one.


To Bridge two wireless networks using EoIP

A similar configuration can be implemented using the EoIP feature. EoIP functionality is discussed in section 9.2.

Set up IP addresses on ether1 and wlan1 (on both sites)


Set up the wlan1 interface configuration (on both sites)

(mode=ap-bridge for the access point; on the client side set mode=station)


Create the EoIP interface on both endpoints (the tunnel ID is the same on both ends, and the remote address points to the wlan1 address of the remote router) (on both sites)


Create the bridge interface and bridge the EoIP and ether1 interfaces (on both sites)

This setup is based on the same principles as given in section 9.2, "EoIP", where you can find another example.


Wireless Mesh

What is Wireless Mesh network?

A wireless mesh network is based on mesh clients (basically wireless routers (APs) and gateways to the wired network) organized in a mesh topology that can act as a communication network.


What is mesh topology?

A decentralized network structure created by independent wireless access points installed at each network user, where each access point can forward traffic to other wireless access points. A full wireless mesh network is a network where every wireless device can communicate with every other.

If some mesh device goes down, the network topology changes immediately and alternative routes can be found. To provide such dynamic mesh network operation, a protocol is necessary that provides network topology re-calculation and a loop-free network.


What is loop-free network?


A network where data packets cannot loop when transmitted among two or more switches or routers.

There can be layer 2 and layer 3 network loops: redundant links can cause layer 2 loops, while a layer 3 network loop can be caused by an incorrect routing table. Assume that we have two different paths (redundant links) to a particular destination. In such a case a packet (frame) from the same host can be sent through all redundant links simultaneously, and the destination device can receive multiple copies of the frame. Such a process can totally confuse the MAC (ARP) table of a mesh node, which contains information about the location of other devices. The MAC table is constantly updated with information about which MAC addresses are reachable behind each port, so this incorrect information can cause layer 2 network loops.


Which protocol re-calculates the mesh topology if something changes, and provides a loop-free network?

Protocols such as STP, RSTP, HWMP+ and others provide a mechanism for disabling redundant links. The disabling is done dynamically at the logical level: if there are two links to the same destination, one of the links becomes inactive, but if the primary link goes down the second (redundant) link becomes active (goes up). Each node maintains a topology database which is updated according to the selected protocol's algorithm. Redundancy is good practice in your network to reduce congestion, provide availability and prevent complete network failure if one of the links goes down, but it is recommended to configure it together with one of these protocols.

HWMP+ is a MikroTik-specific layer-2 routing protocol for wireless mesh networks. Instead of only ensuring a loop-free network, HWMP+ also provides an optimal routing mechanism.

  • It is based on Hybrid Wireless Mesh Protocol (HWMP) from IEEE 802.11s draft standard.
  • It can be used instead of (Rapid) Spanning Tree protocols (RSTP) in mesh setups to ensure loop-free network and optimal routing.
  • HWMP+ works not only with WDS (Wireless Distributed Interface) interfaces but among wired Ethernet interfaces as well.
  • Main configuration occurs under /interface mesh menu.

The HWMP+ protocol however is not compatible with HWMP from IEEE 802.11s draft standard.


There are two operation modes of HWMP+:

  • Reactive mode – paths to destination nodes are discovered on demand by flooding a special message in the network. This mode is recommended for mobile (rapidly changing) networks where communication happens between mesh nodes.
  • Proactive mode – when the network includes one or more general entry/exit points (portal nodes) to the mesh network, these portal nodes are chosen as roots for creating the logical network topology (loop-free network).

Proactive mode is recommended when most of traffic goes between internal mesh nodes and few portal nodes.

More information about reactive and proactive modes can be found:


How does HWMP+ select routes?

The route with the best metric is always selected after the discovery process. There is also a configuration option to periodically re-optimize already known routes.

The route metric is calculated as the sum of the individual link metrics.

The link metric is calculated in the same way as for the (R)STP protocols:

  • For Ethernet links the metric is configured statically (as for OSPF, for example).
  • For WDS links the metric is updated dynamically depending on the actual link bandwidth, which in turn is influenced by the wireless signal strength and the selected data transfer rate.

Currently the protocol does not take into account the amount of bandwidth already in use on a link, but that might also be used in the future.


Wireless mesh configuration example:


Mesh configuration in RouterOS allows WDS interfaces to be set up dynamically (automatically) when wds-mode=dynamic-mesh is used under the /interface wireless menu, or added manually when wds-mode=static-mesh is used. WDS is necessary to bridge the wireless interfaces together so that the mesh network can share the same subnet.

Two different frequencies are used: one for AP interconnections, and one for client connections to APs, so each AP must have at least two wireless interfaces.

This example shows the mesh configuration between RouterA and RouterB, because the configuration on the other mesh nodes is very similar; the main difference is the IP address.


Configuration on RouterA:

First we are going to create a mesh interface named "mesh1" and add interfaces to it; this configuration is very similar to bridge configuration in RouterOS.


Configuring dynamic mesh interface for AP interconnection on RouterA:

wds-mode=dynamic-mesh – means that all WDS interfaces will be created automatically.


Set up IP address on mesh interface:


Configuring interface for client connection on Router A:


Configuration on RouterB:


Configuring dynamic mesh interface for AP interconnection on RouterB:


Set up IP address on mesh interface:


Check dynamically created WDS interface on RouterA:

As you can see, the WDS interface is running and wds-address=00:0C:42:1F:9F:FD is the MAC address of the remote node.


Show mesh interface ports on RouterA:


Test using ping:


If you want more security in your network you have to configure a wireless security profile under the /interface wireless security-profiles menu.


Retrieved from 'https://wiki.mikrotik.com/index.php?title=Testwiki/Advanced_MikroTik_Wireless_networks&oldid=18957'