Wireless WDS link protocol

[The Jackal]

Does anyone know what form of encryption if any (!) goes to form a wireless WDS link (ie bridging wireless access points together).

I'm baffled at this one as I'm not sure as to how secure it is

[Wicked_and_Crazy]

A bridge isnt an access point, my understanding is that they just forward packets from one port on to another

[The Jackal]

Quote:

Originally Posted by Wicked_and_Crazy

A bridge isnt an access point, my understanding is that they just forward packets from one port on to another

Yes exactly ... but don't confuse this bridge with an ethernet bridge...

A WDS bridge is in itself a wireless connection separate to Access Point functions.

What I have done is bridged two access points together with WDS and turned off wireless access point capabilities on both APs so that all I have left is the wireless bridge.

SOOOOOOOO how is this wireless bridge encrypted if it is at all ?

[Wicked_and_Crazy]

My point is that once your on the network your on it and no further encryption is required. As your WDS is not providing any client association services then surely you dont need any further access protection then WEP or WPA

[The Jackal]

Quote:

Originally Posted by Wicked_and_Crazy

then surely you dont need any further access protection then WEP or WPA

Are you sure ?

LAN A ---- ACCESS POINT1/no wifi ----- WDS wireless link ---- ACCESS POINT2/no wifi ---- LAN B

So whats to stop someone hacking between Access point 1 and 2 ?

[Wicked_and_Crazy]

Im confused, you have two LANs, both with wifi? With WEP or WPA?

Two access points which are disable on the WDS. But a wireless link between the two disabled access points?

If thats the case whats the difference (in principle) between the wireless link between the two access points and a wireless link between a laptop and a router?

[The Jackal]

Quote:

Originally Posted by Wicked_and_Crazy

Im confused, you have two LANs, both with wifi? With WEP or WPA?

Not quite - I'm connected 2 wired networks via a single wireless link and want to try to do this as securely as possible.

Quote:

Originally Posted by Wicked_and_Crazy

If thats the case whats the difference (in principle) between the wireless link between the two access points and a wireless link between a laptop and a router?

A lot !

WDS is invisible it just connects the routers - no wireless device can connect to either of the access points nor know of their existence(maybe ? - I will have to test this out with stumbler).

With my l33t hax0r experience my query is that it must be possible to trick the identity of access point A or B and jump in - hence the reason as to my lack of understanding as to what protocol that WDS link uses.

[Wicked_and_Crazy]

I guess it depends how the access points are turned off. If they are not providing a client association service or the access points are just not active at all.

[The Jackal]

Quote:

Originally Posted by Wicked_and_Crazy

I guess it depends how the access points are turned off. If they are not providing a client association service or the access points are just not active at all.

Completely turned off via DD-WRT

---------- Post added at 23:29 ---------- Previous post was at 23:27 ----------

Here's the link : http://www.dd-wrt.com/wiki/index.php...Point_Function

---------- Post added at 23:44 ---------- Previous post was at 23:29 ----------

Come on mate don't bail on me now :/

Reps for your effort

---------- Post added at 23:58 ---------- Previous post was at 23:44 ----------

Looks like I'm fearing this :

--- snip
I was considering getting an AirPort Basestation Extreme and Express together to extend the wireless network. But then I came across this note in the review:

One note: when using the AirPort Express as a WDS, you are limited to either using 128-bit WEP or turning off security altogether. This was not mentioned on the AirPort Express pages on apple.com, although it is addressed in the manual. WPA is generally not supported over bridged connections on WiFi products due to the fact that WPA encrypts the MAC addresses which WDS relies on for communication. Keep this limitation in mind when using the Express as a bridge.

[GeoffW]

Quote:

Originally Posted by CrC-3rr0r

Does anyone know what form of encryption if any (!) goes to form a wireless WDS link (ie bridging wireless access points together).

I'm baffled at this one as I'm not sure as to how secure it is

From http://en.wikipedia.org/wiki/Wireles...ibution_System

Quote:

Dynamically assigned and rotated encryption keys are usually not supported in a WDS connection. This means that dynamic Wi-Fi Protected Access (WPA) and other dynamic key assignment technology in most cases can not be used, though WPA using pre-shared keys is possible. This is due to the lack of regulation in this field, which will hopefully be resolved with the upcoming 802.11s standard. As a result only static WEP or WPA keys may be used in a WDS connection, including any STAs that associate to a WDS repeating AP.

[The Jackal]

Quote:

Originally Posted by GeoffW

From http://en.wikipedia.org/wiki/Wireles...ibution_System

I've read that *several* times :/ and really the article is vague over the subject :

Points too

Quote:

Dynamically assigned and rotated encryption keys are usually not supported in a WDS connection.

and

Quote:

Most third party firmwares for the WRT54G(S)/GL support AES encryption using WPA2-PSK Mixed Mode security, and TKIP encryption using WPA-PSK, while operating in WDS mode. However, this mode may not be compatible with other units running stock or alternate firmwares.

[GeoffW]

The way I read it was that there was no standard way for them to talk using WDS to negotiate dynamic keys, that is until 802.11s arrives. I think the usually comment refers to variations in different manufacturers proprietary implementations.

So to answer your original question, it's as secure as the kit lets you make it but as a minimum you can use encryption with static keys if there is no custom extensions. I wasn't aware there was any 3rd party firmware for the WRT54G, but personally I'd rather stick with standard firmware and a static (but complex) key as WPA-PSK with TKIP is pretty secure. That Airport comment is a bit of a problem though.

[The Jackal]

Thanks Geoff that is exactly how I read it.

I think I am going to sack the idea of the WDS altogether and do a client bridge with WPA2 (might even do enterprise) and get a cron job running on one of the routers to update each others keys every 24 hours, does that sound secure or what ?

[GeoffW]

Quote:

Originally Posted by CrC-3rr0r

does that sound secure or what ?

That sounds like a man with way too much time on his hands

[The Jackal]

Quote:

Originally Posted by GeoffW

That sounds like a man with way too much time on his hands

Should be easy.

DD-WRT is essentially a linux distro for Linksys wireless routers.

So all I need to do is create a simple script to

* Create new key
* ssh-rsync the key to the routers
* rexec reboot

Job done - or simpler still

* Create new key and dump it to the network share that both routers read the key from.
* rexec reboot

- I'm not wasting any more time on this - spent 6 hours on Friday when I could have been doing something better.