Setting up WDS

michaelm michael.melkonian
Wed Apr 8 00:18:55 PDT 2015 

Hello everyone

Second question ever on this forum... This one is really simple.

I am trying to set up a peered WDS by using a technique described on:
https://wireless.wiki.kernel.org/en/users/documentation/iw

E.g., I have two Access Points (running Open Source) and I do exactly 
the same setup for both.

1) add a WDS interface.
2) give it peer's MAC address (the other AP)
3) add the wds interface to the bridge (that already has the AP 
interface and wired LAN interface) and
4) bring up the wds0 interface

iw phy phy0 interface add wds0 type wds
iw dev wds0 set peer <MAC address>
brctl addif br0 wds0
ifconfig wds0 up

Bridge works perfectly, that is, I can connect 2 WiFi clients, one to 
each access point, they can ping each other and so on.
This looks like a true layer 2 bridge.

Once all of the above is done, I can even kill hostapd (which I needed 
to setup the channels and so on).

Looking at the mac80211.c code, it seems to do exactly what a bridge 
should do - sends any client packets to the peer using 4-address frame 
format, and on the rx side, accepts packets from the peer by checking 
its mac address.

However, with this arrangement frames between the two APs are sent with 
no encryption whatsoever, which is a major problem for me.

I have actually run traceroute on WDS interfaces and can see plain text 
(Clearly, the packets from clients to AP interfaces are encrypted)

Furthermore, it is unclear to me how anything other than simple scheme 
such as WEP could work in this layer 2 arrangement.

As an alternative, I have looked at using the 4addr mode but have not 
been able to get it working, possibly because of the comment stating 
that it is currently broken.

Anyway, my main question is - with layer 2 arrangement described, is 
there a way to implement some security?

Best regards

Michael Melkonian





______________________________________________________________________
This communication contains information which may be confidential or privileged. The information is intended solely for the use of the individual or entity named above.  If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited.  If you have received this communication in error, please notify me by telephone immediately.
______________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20150408/1a5a1be6/attachment.htm>

More information about the Hostap mailing list