WDS and tinyPEAP

Discussion in 'TinyPEAP Firmware' started by scaron, Apr 8, 2005.

  1. scaron

    scaron Network Guru Member

    I know you are using a stock firmware and you may simply not feel like hacking WDS out of it. On the other hand, you may have other plans ;-) So here goes:

    The use of WDS in an encrypted environment presumes that all the access points forming the distribution system must share the same keys. Since the PEAP server is accessed using TCP/IP, this implies that any AP not containing the PEAP server must access the "media" and must authenticate itself to the neighbouring AP using 802.1X (certificate and credentials). In a fully meshed system, this becomes rapidly ... interesting in 32Kb of memory.

    However, my understanding is that it is impossible to exchange between any two arbitrary units the data necessary to support a roaming session using dynamic WEP/TKIP/AES. In particular, each AP would have to synchronise enough crypto information to be able to "hand out" links to a unit using a different PRNG and this is simply not part of the WPA protocol.

    Am I in the field? And, if not, is there a significant gain in memory/storage for tinyPEAP by dropping WDS from the stock firmware?

  2. tinyPEAP

    tinyPEAP Network Guru Member

    I'm writing this without too much research, so please feel free to correct me if I don't sound very convincing.

    First of all, we have no intention of dropping WDS unless it sets some security concern on the operation of tinyPEAP.

    Second, I am not too sure if I'm understanding your 2nd paragraph. Would you mind describing the 32Kb memory problem in more detail?

    As far as the roaming of the session goes, it is not possible unless you resort to 802.11i, which is supposed to support PMK caching among APs. The PMK is derived from each authentication session and is used to generate the key being used for encryption. This clearly is beyond the scope of tinyPEAP.

    Hope this answers your question.

  3. scaron

    scaron Network Guru Member

    Fair enough ...

    The 32Kb issue: in a fully meshed system each AP must authenticate the AP it is talking to. You need machine certificates and storage to keep them. In the best case, NVRAM is 32KB with ~20KB used for a typical one AP setup. In my opinion, 32KB might become tight real fast.

    The PMK caching issue: as you say, this is beyond the scope of tinyPEAP.

    Dropping to WPA-PSK to use WDS (Airport Extreme like) implies that 802.1X (and tinyPEAP) is not used.

    Dropping again to RADIUS (dynamic WEP) means there is no way to share the keys amongst the APs.

    Dropping (once) again to static WEP (where WDS feels the most comfortable) means that 802.1X is not used.

    I do not see under which circumstances WDS can be used with tinyPEAP.

    As I said, I may be in the field but this is not obvious at all given this equipment.
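To illustrate the point made in posts 2 and 3, here is an added example (not code from the thread or from the tinyPEAP project) of the IEEE 802.11i pairwise key derivation: the PTK is computed from the PMK together with the AP and station addresses and the two handshake nonces, so a neighbouring AP with a different address cannot reproduce a session's TK without holding the PMK itself. The PMK, MAC addresses and nonces below are constructed sample values.

```python
import hashlib
import hmac

# IEEE 802.11i PRF-n: concatenated HMAC-SHA1 blocks over A || 0x00 || B || i
def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))"""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def split_ptk(ptk: bytes) -> dict:
    # KCK and KEK protect the 4-way handshake; TK is the per-session TKIP/CCMP key.
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# Constructed sample values (not real keys or devices).
PMK = hashlib.sha256(b"constructed sample PMK from one PEAP session").digest()
AP_A = bytes.fromhex("001122334455")   # hypothetical AP running tinyPEAP
AP_B = bytes.fromhex("0011223344aa")   # hypothetical neighbouring WDS AP
STA = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()


def same_session_key_on_other_ap() -> bool:
    """True only if AP_B could derive the same TK as AP_A for this session."""
    tk_a = split_ptk(derive_ptk(PMK, AP_A, STA, ANONCE, SNONCE))["TK"]
    tk_b = split_ptk(derive_ptk(PMK, AP_B, STA, ANONCE, SNONCE))["TK"]
    return tk_a == tk_b


if __name__ == "__main__":
    print("neighbouring AP reproduces session TK:", same_session_key_on_other_ap())
```

Even with the PMK in hand, the second AP gets a different TK, which is why 802.11i has to cache and distribute the PMK rather than the derived keys.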
