tombrdfrd66
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

A Security Profile does... what, exactly?

Sat Sep 11, 2010 8:39 am

Here's a silly, simple question which is neither silly if you don't know the answer nor simple given that several close readings of the MikroTik manual on the subject failed to give me a clue to the answer.

Does the encryption defined by a Security Profile on a wireless interface apply to everything it transmits, or simply to connection/authentication applications to it and Access Pointy-type administration?

Put another way, if I have a Security Profile on a wireless interface is there any need to encrypt PPP tunnels etc across the network to and from it, or is that just encrypting the same traffic twice?
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: A Security Profile does... what, exactly?

Sat Sep 11, 2010 11:58 am

If the PPP tunnels terminate at the AP then you're just encrypting traffic twice.

Security Profiles set up WEP or WPA, which not only handles secure authentication to the network but also secure data transmission to/from the AP.
 
tgrand
Long time Member
Posts: 667
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Re: A Security Profile does... what, exactly?

Sat Sep 11, 2010 6:06 pm

PPPoE encryption is just encryption over the tunnel.
If someone can connect to the AP they will potentially try and try and try again to do whatever it is they want to do.
This can and will affect the performance of your AP.
 
tombrdfrd66
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

Re: A Security Profile does... what, exactly?

Sun Sep 12, 2010 12:25 am

Thank you.

So I have a choice of:

A. Using WPA2 security profiles to both protect the routers from unauthorised access and encrypt all traffic across the network to prevent it being intercepted and read, or

B. Try to secure the routers with Access Lists and only encrypt users' traffic with end-to-end tunnels? This opens the further possibility of only encrypting 'sensitive' traffic like mail, and http for the paranoid. I assume VoIP, YouTube and streaming TV work better without encryption, and why should you want to encrypt that anyway?

The first is clearly more secure, but with three hops across the network from CPE to gateway all the traffic would presumably have to be decrypted and re-encrypted at every router it passes through - which surely imposes a load on the hardware.

The second would seem to be faster, with encryption only occurring at the CPE and the gateway which has the motor to handle it, but how secure is the Access List system?

I see there is provision in the AP's Access List for a private key to be defined, but the Connect List only calls on a Security Profile. However a Security Profile can define a static key.

Can I take it, then, that a static key defined in an Access List and a station's Security Profile simply authenticates and encrypts traffic between the two? Once the connection is authorised 'normal' traffic is not encrypted?
 
tgrand
Long time Member
Posts: 667
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Re: A Security Profile does... what, exactly?

Sun Sep 12, 2010 5:01 am

Use WPA2 PSK and aes ccm for your unicast and group cyphers.
Use a complex string for your Key.

Using aes offloads the work onto the wireless card, which has discrete logic to handle the encryption.
If you merely use encrypted pppoe tunnels then the router board is tasked to handle encryption.

Hence using WPA2 with aes has little to no overhead over not using WPA2 aes, and certainly outperforms any other alternative.
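
The settings recommended in the post above, written out as RouterOS commands under the `/interface wireless` menu. This is an added example, not part of the original thread; the profile name `wpa2-aes-example`, the interface `wlan1` and the passphrase are placeholders.

```routeros
# Constructed example: profile name, interface name and passphrase are placeholders.
# WPA2-PSK only, with AES-CCM for both unicast and group traffic.
/interface wireless security-profiles
add name=wpa2-aes-example mode=dynamic-keys \
    authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="REPLACE-WITH-LONG-RANDOM-PASSPHRASE"

# Attach the profile to the AP's wireless interface.
# Stations need a profile with the same authentication type, ciphers and key.
/interface wireless
set wlan1 security-profile=wpa2-aes-example

# Check the result: only wpa2-psk and aes-ccm should be listed.
/interface wireless security-profiles print detail where name=wpa2-aes-example
```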
 
tombrdfrd66
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

Re: A Security Profile does... what, exactly?

Sun Sep 12, 2010 5:29 am

Thanks tgrand.

I believe I'm beginning to see some trees in the wood, so I'll quit while I'm ahead.
