A big headache in a mesh network is that each poletop access point has
to talk to each other access point. Individual encryption keys
between poletops is an administrative nightmare. Therefore, the entire
system has to use one common encryption key or pass phase. Changeing
the key regularly is not impossible but rather tricky. In addition,
with a store-n-forward, single radio type poletop, the client radios
must also have the encryption key or pass phrase configured. So much
for system wide security. The ones that I've seen, that are actually
deployed, use a trivial WEP key to keep the casual tourists out, MAC
address filtering, IDS (intrustion detection system), and lots of
system monitoring. Only one I know about provides VPN termination
services at the ISP gateway. Since over half the client radios
currently in service do not have WPA capabilities, WEP is the common
There are some proprietary schemes being tested. Sorry, I can't talk
Archived from groups: alt.internet.wireless (More info?)
i'm having a little trouble understanding how a city providing universal
access to the net will implement mac address filters for every citizen. also
these networks are hyped as a means for commerce to develop that wouldn't
have otherwise. what happens when vendors from out of town come to visit and
expect to connect?
>i'm having a little trouble understanding how a city providing universal
>access to the net will implement mac address filters for every citizen. also
>these networks are hyped as a means for commerce to develop that wouldn't
>have otherwise. what happens when vendors from out of town come to visit and
>expect to connect?
>it just seems a little half baked...
The security issue with metro wireless is in 3 almost seperate areas.
1. Mesh network security. The idea is to keep the hackers (like me)
out of the mesh and backbone. Impersonating a poletop is a good
2. Client security to prevent sniffing of passwords.
3. Traffic security, to prevent gamers from using the poletops as
their private repeaters.
There are others, but these are the main issues. Unfortunately, the
encryption issues are different in all cases, with little overlap.
For example, the correct way to deal with email security is to have
the ISP's provide an IPSec VPN termination at their gateway. The
customer can then create their own individual secure tunnel. Locally,
I only know 1 ISP that's actually doing that and 2 more that are
considering it. Everyone else says to use webmail with SSL
encryption. Yech. It's not like such boxes are difficult to find or
From what I've seen, most metro wireless systems are not for the GUM
(great unwashed masses). They are primarily for municipal services
(police, fire, roads, utilities, etc) and whatever excuse was used to
fund it in the name of anti-terrorism. These can make effective use
of VPN's and MAC address security. The GUM is on their own.
Traffic security is interesting in that most WISP's don't appreciate
the problem until it hits them. Turning a public poletop into a
private network repeater is fairly simple. It comes under "theft of
bandwidth" or some such security buzzword. No need to connect to the
internet, just your friends and neighbors.
I'm not really sure how these metro wireless systems are going to be
managed, who's gonna get the support headache, and how they're going
to deal with enforcement. One funding proposal I've seen had zero
dollars for management. Just turn it on and walk away. It's no
different than an ISP or WISP, but on a much larger scale. I guess it
should be handled the same way with the added enjoyment of municipal
>from the news reports philly and houston are specifcally targetted at the
Hint: It's an election year, where the politicians have to make
grandiose promises to the GUM. After November, I would not be
surprised if the whole idea hits some "unexpected obstacle" such as
pressure from the cellular companies or some type of legal challenge
against municipalities competing against private enterprise. However,
it hope it happens as we do need at least one good solid disaster as
an incentive to clean up the technology.
Incidentally, Tropos Networks is "considering" the use of WPA and
802.1x authentication in their systems. Progress blunders onward.
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# 831.421.6491 digital_pager firstname.lastname@example.org AE6KS