Community discussions

 
starikot
just joined
Topic Author
Posts: 2
Joined: Fri Jan 12, 2018 12:34 am

WPA3 on existing Mikrotik routers/APs

Fri Jan 12, 2018 12:41 am

So, a few days ago, Wi-Fi Alliance announced WPA3 and I recently bought my first Mikrotik router, so I am wondering if we'll get a firmware update which will provide WPA3 functionality.

Best of regards,
starikot
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24272
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: WPA3 on existing Mikrotik routers/APs  [SOLVED]

Fri Jan 12, 2018 9:03 am

Widely adopted features eventually do get integrated, if market demands it. We will see how it goes. Your new device has free upgrades for life.
No answer to your question? How to write posts
 
starikot
just joined
Topic Author
Posts: 2
Joined: Fri Jan 12, 2018 12:34 am

Re: WPA3 on existing Mikrotik routers/APs

Fri Jan 12, 2018 10:46 am

Widely adopted features eventually do get integrated, if market demands it. We will see how it goes. Your new device has free upgrades for life.
Thanks a lot, I hope it gets integrated as I want to play around with this protocol. :mrgreen:
 
User avatar
Joni
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Fri Mar 20, 2015 2:46 pm
Contact:

Re: WPA3 on existing Mikrotik routers/APs

Tue Jun 26, 2018 12:15 pm

 
lesnikov
just joined
Posts: 17
Joined: Tue Jul 15, 2014 9:33 pm
Location: Slovenia

Re: WPA3 on existing Mikrotik routers/APs

Wed Jun 27, 2018 2:17 am

from article
optional Wi-Fi feature called Easy Connect

another WPS fiasco? :D
 
squeeze
Member Candidate
Member Candidate
Posts: 146
Joined: Thu Mar 22, 2018 7:53 pm

Re: WPA3 on existing Mikrotik routers/APs

Wed Jun 27, 2018 3:03 am

https://www.mathyvanhoef.com/2018/06/wp ... unity.html

Well, that's disappointing. WPA3 Certification consists of a grand total of one change to existing handshake called Simultaneous Authentication of Equals (SAE) instead of what most people anticipated as a wholesale dramatic improvement in WiFi security.

How hard would it be to add the SAE handshake to existing RouterOS WiFi devices?

I'm guessing that the "Wi-Fi CERTIFIED Enhanced Open" program (Opportunistic Wireless Encryption - OWE) for hotspots will also be in massive demand.
 
R1CH
Forum Veteran
Forum Veteran
Posts: 905
Joined: Sun Oct 01, 2006 11:44 pm

Re: WPA3 on existing Mikrotik routers/APs

Wed Jun 27, 2018 2:46 pm

The SAE handshake doesn't look like a huge innovation, was hoping for something more in line with modern TLS, but I guess that's what happens when you have for-profit industry alliances vs open standards bodies.

The big question is how long will it take Mikrotik to implement WPA3? We have no 802.11ac spectral scan, no 5 GHz TX power, no Wave2 support, no 802.11w support.. there are lots of other wireless protocol improvements that have been missing for a long time.
 
squeeze
Member Candidate
Member Candidate
Posts: 146
Joined: Thu Mar 22, 2018 7:53 pm

Re: WPA3 on existing Mikrotik routers/APs

Wed Jun 27, 2018 3:42 pm

The big question is how long will it take Mikrotik to implement WPA3? We have no 802.11ac spectral scan, no 5 GHz TX power, no Wave2 support, no 802.11w support.. there are lots of other wireless protocol improvements that have been missing for a long time.

I must be missing something: there's dual band spectral scan with The Dude, I can change 5GHz "Tx Power" with "manual tx-power", and there is support for Management Protection though it is proprietary.

Wave2 is more of a feature than a requirement.

You make a good point about 802.11w support though. Isn't that required even to be certified for WPA2 now or do they just require any PMF implementation? Are clients required to use it too or just APs?
 
R1CH
Forum Veteran
Forum Veteran
Posts: 905
Joined: Sun Oct 01, 2006 11:44 pm

Re: WPA3 on existing Mikrotik routers/APs

Wed Jun 27, 2018 7:50 pm

Hmm I just looked it up, 802.11w is actually required for 802.11ac certification, so Mikrotik is technically shipping uncertified implementations :D. Hopefully they don't ignore it for WPA3 too.

Regarding my other points - with spectral scan I meant an actual RF scan of the frequency, not a simple probe request to see neighboring APs. This is possible on 2.4 GHz but not 5 GHz and is an often requested feature (see viewtopic.php?t=89696). 5 GHz TX power can be configured, but the current power used is not shown anywhere - these numbers are adjusted by the radio depending on country, antenna gain etc, but it simply appears empty for 5 GHz radios (https://i.imgur.com/Jt3wu00.png).
 
squeeze
Member Candidate
Member Candidate
Posts: 146
Joined: Thu Mar 22, 2018 7:53 pm

Re: WPA3 on existing Mikrotik routers/APs

Wed Jun 27, 2018 11:34 pm

Looks like very good news from upstream and others regarding WPA3, from customer perspective: https://www.snbforums.com/threads/bette ... ort.47434/

Quoting:
The WPA3 Certification announced yesterday revealed that only one of the four mechanisms described when WPA3 was first announced earlier this year is included in the Certification.

The mandatory Simultaneous Authentication of Equals (SAE) method replaces WPA2's four-way session key generating "handshake" that was vulnerable to the KRACK attack and offers protection against dictionary attacks in general. Since it occurs only during the AP-STA authentication process, SAE doesn't significantly increase processor load.

The upshot is that this watered-down definition of WPA3 should be able to be added to devices that currently support WPA2. So rip-and-replacing all your current Wi-Fi gear to get improved security should not be necessary.

The "will they/won't they" (upgrade existing stuff) question now boils down to how vendors view the priority of supporting existing products vs. pumping out new stuff. So I asked Qualcomm, Linksys and NETGEAR for their official word on plans to support WPA3 on existing Wi-Fi products. The question posed to each was "Could you please comment on your plans to support WPA3 in existing products?".

Since Qualcomm is at the top (or bottom) of the Wi-Fi food chain, let's start with them.
...
Qualcomm said:
"Qualcomm expects to incorporate WPA3 security features into chipsets in summer 2018 for mobile devices beginning with the Qualcomm® Snapdragon™ 845 Mobile Platform and on all Wi-Fi networking infrastructure products. We are supporting WPA3 on new SW releases (per timeline indicated above). Any vendor who ports the latest SW release for any AP product we supply, will support WPA3. This would include IPQ40xx family."

This felt a little wiggly, so I asked for confirmation whether WPA3 will eventually be supported "in all Wi-Fi devices in Qualcomm's current catalog and going forward, both AP and STA (client) devices". The response:

Qualcomm said:
"Any network infrastructure product (based on AR,QCA,IPQ chip/set) that ships, starting this summer, will support WPA3. Any mobile device SD845 or higher, supports WPA3."
...
Linksys said:
”Linksys plans to support next generation WPA3 security. This functionality is highly dependent on the Wi-Fi chipset provider, thus support will be on a case-by-case basis. If legacy products are supported, Linksys will deploy automatic firmware updates to all enabled products. In many cases, WPA3 support will be offered in newer chipset and products. More details will be released at time of availability.”
....
NETEAR said:
"We (NETGEAR) are working with our partners integrating latest security protocol WPA3 in our home networking products. We will inform media and customers when this update is available. Based on our investigations, we deem that it’s highly likely that the majority of products should be able to make use of the feature by updating firmware on existing product.

WPA3 has two components – Personal and Enterprise. Our statements are only in context of Personal WPA3. Enterprise version is supposed to add 192-bit encryption and may impact hardware."

I belatedly reached out to ASUS and will update this post with their response when I receive it.
 
anav
Forum Guru
Forum Guru
Posts: 3129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WPA3 on existing Mikrotik routers/APs

Wed Sep 12, 2018 1:08 am

Widely adopted features eventually do get integrated, if market demands it. We will see how it goes. Your new device has free upgrades for life.
I would think that Security demands it, to a certain degree.
If SAE removes vulnerabilities in WPA2, then it should be a no-brainer.
I would be rather sad if the new Cap ACs recently purchased were not capable of hosting the new standard.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
muetzekoeln
Member Candidate
Member Candidate
Posts: 146
Joined: Fri Jun 29, 2018 2:34 pm

Re: WPA3 and EAP-PWD on existing Mikrotik routers/APs

Fri Apr 12, 2019 12:53 pm

+1 for WPA3
and EAP-PWD (RFC5931) for WPA2 would be very useful also.

Of course both with the latest patches against dragonblood attack.

OpenWRT has both, implemented in software!
 
User avatar
Kamaz
newbie
Posts: 28
Joined: Sun Apr 30, 2017 9:35 am

Re: WPA3 on existing Mikrotik routers/APs

Thu Oct 31, 2019 9:45 am

+1 for WPA3

Who is online

Users browsing this forum: No registered users and 44 guests