Towards a Security Architecture for Hybrid WMNs.

2019 
Currently deployed Wireless Mesh Networks (WMNs) are mostly hybrid, i.e., some Mesh Points (MPs) also employ additional Access Point (AP) radios to connect non-mesh stations (STAs). Today's Wi-Fi security protocols are unsuited to WMNs, as they can neither derive key material without central authentication servers nor tolerate compromised MPs, as is required in outdoor deployments. To establish high security standards while embracing the distributed nature of WMNs, we need a novel security architecture that does not rely on central entities and protects traffic between MPs with End-to-End Encryption (E2EE). We propose and evaluate a distributed security architecture for WMNs with attached APs, which uses certificates early in the authentication process. The architecture provides E2EE between MPs and authentic MAC addresses of all STAs and MPs. STAs, e.g., resource-constrained Internet of Things (IoT) devices, cannot participate in the end-to-end encryption, but need to be securely attached to the WMN with mobility and other requirements in mind. The evaluation in our Wi-Fi testbed shows the authentication protocol's suitability for fast (re-)authentication in mobile scenarios.