NV2 Security concerns in PTMP Networks

I’m currently researching ways to properly secure PTMP networks and I’m curious how you guys deal with security in PTMP networks. I’m also looking for a response from the Mikrotik guys on whether my concerns are already addressed.

Here are my concerns:

In an NV2 PTMP network the CPE (e.g. SXT) contains the NV2 PSK. I have to presume that a malicious user is able to extract this PSK from the CPE even if I’m not giving direct access (open ssh/web/winbox towards the client) or providing the device admin password.

How does NV2 authenticate and build session keys?

You can decrypt traffic from/for other stations in WPA2 networks if you know the PSK and have captured the 802.11i 4-way handshake the other station had with the AP. As long as Mikrotik has not added some DH magic to the 4-way handshake, I assume that this is also true for NV2 networks.


I don’t see a way to use a private PSK per NV2 station, right?

Does someone have a good way to deal with a PTMP network where there is a risk that customers sniff each other’s traffic? I fear an additional encryption layer is needed to achieve real security. :-/

Can no one from Mikrotik comment on this?

You can switch off default forwarding on the AP. Or you can create a virtual AP for every customer and join it to its own VLAN if bridged to the main router. Block the communication between them with a firewall on it.

NV2 does not support virtual APs. I’m not concerned that they can communicate with each other; I know how to avoid that. My concern is that they have the encryption keys and can sniff and decrypt traffic from others. As NV2 is a proprietary implementation, it’s nothing you can do as a script-kiddie with default tools, but there is a possibility to do so if you put some effort into it.