jonah1810
Frequent Visitor
Topic Author
Posts: 98
Joined: Tue Jul 30, 2019 10:19 pm

Questions about TKIP

Sat Jun 05, 2021 12:27 am

Hello, I'm trying to figure out the best option for wireless security in my customers' routers. AES is obviously the better choice, but some older devices (printers 99% of the time) can only connect via TKIP. So if I enable both, the printer connects.

However, when I enable both, certain AES devices, mostly Apple, connect and warn the customer of weak security, indicating that they chose TKIP over AES even though both are selected.

So with that being said:

1. I read online that WPA TKIP has a max data rate of 54 Mbit/s. Is this true for WPA2 TKIP?

2. Is there a way to default clients to AES instead of TKIP if they support it? Or is it just warning the AES clients because TKIP is enabled, even though it didn't connect with that?

3. Seems like the best solution would be to run a virtual access point running TKIP just for those legacy devices. Are there any drawbacks to this? Will running a virtual WLAN slow the other WLAN at all?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Questions about TKIP

Sat Jun 05, 2021 2:26 am

1) Disposal the printer following the rules.

2) Disposal the printer following the rules.

3) Disposal the printer following the rules.
 
jonah1810
Frequent Visitor
Topic Author
Posts: 98
Joined: Tue Jul 30, 2019 10:19 pm

Re: Questions about TKIP

Sat Jun 05, 2021 3:18 am

Just to clarify, you're saying to throw the printer into the garbage?

If it were my printer I would agree. However, telling my customers that they have to throw out their printer when I install them is not a viable option. Could you at least tell me what's wrong with going with the virtual interface approach?

You mention a rule, what rule?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Questions about TKIP

Sat Jun 05, 2021 3:51 am

OK, it is sarcastic, but about correct disposal of the printer, it is not simply garbage...

If TKIP is active on any true or virtual interface, WPA2 does not work correctly and only b/g works.
"n" per se wants only WPA2 and AES.
All appears to be working, but the AP really works at "b" speed.
 
jonah1810
Frequent Visitor
Topic Author
Posts: 98
Joined: Tue Jul 30, 2019 10:19 pm

Re: Questions about TKIP

Sat Jun 05, 2021 4:40 am

Yes, sorry, not garbage but recycling. I was just wanting to clarify as the grammar was not perfect!

Okay, yeah, that is exactly what I feared. One last question: if the virtual interface is TKIP and the physical interface is AES, can the physical interface still run on 802.11n while the virtual interface is running on 802.11b?

Or would you need separate physical interfaces to accomplish this?

I also just wanted to say I appreciate all the help you give on this forum. No matter what sub-forum I'm looking in, you are always there helping people out! So thank you, rextended!
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Questions about TKIP

Sat Jun 05, 2021 10:35 am

> 1) yes, sorry not garbage but recycling. I was just wanting to clarify as the grammar was not perfect!
>
> 2) okay yeah that is exactly how i feared. One last question, if the virtual interface is tkip and the physical interface is aes. can the physical interface still run on 802.11n while the virtual interface is running on 802.11b?
> or would you need separate physical interfaces to accomplish this?
>
> 3) I also just wanted to say i appreciate all the help you give on this forum, no matter what sub-forum I'm looking in you are always there helping people out! So thank you rextended!

1) On english is not "disposal of the device" ? :(( sorry, I do not know so well the English
Probably better is "Dispose the printer according to the rules"
Disposal is for destroy/disassemble the device, if is not recyclable, but some part can be recovered,
Instead Recycling is not for some substance like glass, plastic, aluminium, etc. directly recyclables?
No matter, is only for explain what I try to say... :))

2) The security profile with TKIP on the "virtual" interface influences the main wlan, but parameters like frequencies, mode and 20 or 20+20 channels are on the master interface only.
You can set the main interface to 802.11n (or any combo with n), but when using TKIP on the virtual one, the main goes "mad" and does not work as expected.

3) Thanks!

The solution can be cable, or a 2nd AP on only-b channel 14 Japan TKIP,
or one microscopic hAP mini acting as client + virtual access point, or directly as a WiFi client on the printer's Ethernet cable.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Questions about TKIP

Sat Jun 05, 2021 7:14 pm

Ask your customers if their cell phones are as old as their printers.........
If a printer is not AES capable explain to your customers that for security obsolescence they need to be life cycled.
Now if you went last year and found a whole bunch of unsold OLD printers and pawned them off on your customers then you should pay for the upgrade.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Questions about TKIP

Sat Jun 05, 2021 7:31 pm

> The solution can be cable

Yes, that is of course not a generic solution that can be used in all cases, but if possible connect such broken printers using a cable.
In an install at work where we have some external people renting space and bringing such crap with them, I also did that and in that case
it was required anyway as we have "broadcast/multicast" filtering between devices on the WiFi to reduce the chatter on low bitrate caused
by hundreds of mobile devices doing meaningless multicasts and ARPs. So devices would have trouble finding the printer when it was
connected to WiFi as well, but have no problem when it is connected using a cable.

There is a lot of crap around. E.g. when newer WiFi protocols like 802.11r are enabled the printer refuses to connect.
(not an issue with MikroTik because they have not yet entered the century of more advanced WiFi)
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Questions about TKIP

Sun Jun 06, 2021 12:31 pm

> the main goes "mad" and does not work as expected

Some strong statements here on TKIP, and it is difficult to verify which of these are relevant with a specific (MT) implementation.
It feels unpleasant as RouterOS lets you tick TKIP and AES, and also WPA and WPA2, and the ac models support different encodings (DSSS, OFDM) and rates (1-54,HT0-7, VHT0-9) for 802.11a,b,g,n,ac.

What is compatible with what? And what are the consequences of a choice on the other fields? Using TKIP with n or ac is a problem mitigated in different ways (like automatic fall back to g, in Intel 2.4 GHz chipset) (https://www.intel.com/content/www/us/en ... eless.html).

There are issues with coexistence in the encoding, like 802.11n-greenfield and 802.11n-mixedmode. Where documents say "greenfield" mode will not be recognized by b and g, and as such require rts/cts for a graceful coexistence. Other documents say manufacturers have given up on "greenfield" and always set "mixedmode" because of too many complaints. The effect in transmissions of just one b client transmitting on an AP is documented as well.

Effects of coexisting encryption are not that clear. (Didn't find it documented.) We know that WEP and TKIP do not handle fast transmissions (or are even prohibited in the standards). But what happens if 802.11g and 802.11n and TKIP and AES (and WPA and WPA2) are ticked in the configuration? MT is not clear on this, and shows odd behaviour (e.g. they set support for b rate for n-only, and set no support for g/n !? in the wiki, they corrected the basic rate already there for n-only):

2.4ghz-onlyn, 2.4ghz-b/g/n    basic-b, supported-b, basic-a/g, supported-a/g, ht-basic-mcs, ht-supported-mcs
2.4ghz-g/n                    basic-a/g, supported-a/g, ht-basic-mcs, ht-supported-mcs

So it is unclear what to expect, unclear on what to set. Too many combinations, even with the b-encoding out of scope. Other brands .... e.g. set TKIP on WPA and AES on WPA2 with such a multiple selection. What is the MT implementation? ("Registration table" shows the interface rate and what encryption and what authentication type is actually used). The encoding standard (a,b,g,n,ac) is not in that table (didn't find it). Can the used encryption influence the encoding of the radio ???? I don't know. At least I see no relation with the special and very old 802.11b. I expect no "mad" behavior, but can be wrong.

The client device preferring TKIP if enabled but able to use AES is not what we want to see as outcome. Using different security profiles to limit the mixing up seems a very good idea. (I do use a virtual AP for creating a WPA2/PSK exception for old Windows 7 laptops (limited on MAC in an access list), where the main SSID is WPA2/EAP. Customer ('s guest) is king).

Calling a printer that supports only TKIP just crap, is not given for everyone, and depends on the budget/lifestyle of owner and possible unique features of the device. I would not throw it out, and add a hAP Lite as wifi interface if TKIP is a real problem for the regular AP. Or if the printer is wifi only, use the hAP Lite to deliver the TKIP encryption.
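
The registration table mentioned in the post above lists the encryption and authentication type each client actually negotiated, so the question of whether an AES-capable client really ended up on TKIP can be checked mechanically. The following is an added example, not part of any forum post and not MikroTik code: a Python parser for a constructed sample in the style of registration-table detail output, reporting unicast and group cipher per client. The sample values and function names are assumptions.

```python
import re

# Constructed sample in the style of
# "/interface wireless registration-table print detail" (not captured output).
SAMPLE = '''
 0 interface=wlan1 mac-address=02:00:00:00:00:01 tx-rate="65Mbps-20MHz/1S"
   authentication-type=wpa2-psk encryption=aes-ccm group-encryption=tkip
 1 interface=wlan1 mac-address=02:00:00:00:00:02 tx-rate="54Mbps"
   authentication-type=wpa-psk encryption=tkip group-encryption=tkip
 2 interface=wlan2 mac-address=02:00:00:00:00:03 tx-rate="130Mbps-20MHz/2S"
   authentication-type=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm
'''

PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
ENTRY_START = re.compile(r'\s*\d+\s')           # a numbered line opens a new entry

def parse_entries(text):
    """Return one dict per numbered entry; wrapped lines join the entry above."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line):
            entries.append({})
        if entries:
            for key, value in PAIR.findall(line):
                entries[-1][key] = value.strip('"')
    return entries

def classify(entry):
    """Label a client by the ciphers it actually negotiated."""
    unicast = entry.get("encryption")
    group = entry.get("group-encryption")
    if unicast == "tkip":
        return "tkip-unicast"
    if unicast == "aes-ccm" and group == "tkip":
        return "aes-unicast-tkip-group"
    if unicast == "aes-ccm" and group == "aes-ccm":
        return "aes-only"
    return "unknown"

def audit(text):
    """Map each client MAC to (interface, tx-rate, classification)."""
    return {e["mac-address"]: (e.get("interface"), e.get("tx-rate"), classify(e))
            for e in parse_entries(text) if "mac-address" in e}

if __name__ == "__main__":
    for mac, row in audit(SAMPLE).items():
        print(mac, *row)
```

Run against a real export, the interesting rows are the ones labelled `aes-unicast-tkip-group`: clients that negotiated AES for their own traffic on an interface whose group cipher is still TKIP.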
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Questions about TKIP

Sun Jun 06, 2021 6:10 pm

bpwl, the cost of ink for a printer these days is the cost of a printer, so don't cry me a river on not replacing a budget printer with one that has basic security requirements.
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Questions about TKIP

Sun Jun 06, 2021 6:46 pm

I know, ... still have 3 sets of ink for my Canon, just replaced the printhead with a Chinese import at the cost of 1/2 ink set (but already bought Canon Megatank M3520)

Still it is a personal balance ... old stuff ... security ... cost.

How bad is TKIP? Some Sunday afternoon reading ... https://www.comparitech.com/blog/inform ... -aes-tkip/
By the way it is spelled "Rijndael" from Vincent Rijmen from KULeuven (https://csrc.nist.gov/csrc/media/projec ... mended.pdf)
