On Fri, Apr 18, 2014 at 12:35 AM, Cory (NQ1E) cory@nq1e.hm wrote:
Unfortunately, none of the wifi security protocols (including WPA with 802.1x) support an authentication-only mode. They all require the traffic to be encrypted as private and unreadable to others. There's also not a whole lot we can do about that since these protocols are baked into the actual wifi chipsets and cannot be modified without a great deal of resources.
However, if rule 97.105 applies, this shouldn't matter as it would be deemed necessary to "maintain control of your station".
Since there is no ideal way to both secure layer 2 and remain legal, HamWAN solves this problem at layer 3 by taking advantage of the authentication-only features of IPSec called IPSec(AH) or Authentication Header. When two routers are connected to each other over an RF link, they use the link-local non-routable address space (169.254.0.0/16) on the air so they can speak to just each other. However, those IPs only listen for IPSec(AH) traffic when authenticated with a valid certificate. They can then create a cleartext non-private "VPN" tunnel that allows them to pass traffic for the real network between themselves. Anyone can monitor this traffic, which is good. However, it cannot be successfully altered in transit or spoofed by pirates, which is also good. :)
Totally get this idea and it's not bad at all as it lends itself to transparency. AH would be the minimum required for authentication for 97.105 but stacking SSL for websites probably would run contrary to the 97.113 rule.
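The authentication-only idea described in this thread, as an added example that is not part of the original messages or HamWAN's own code: an AH-style header (RFC 4302 field layout) whose integrity check value is an HMAC over the cleartext payload. The key, SPI, addresses and payload are constructed; the shared key stands in for one negotiated by IKE after certificate authentication, and only the two addresses are covered in place of the full set of immutable IP header fields.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16   # HMAC-SHA-256 truncated to 128 bits, as in RFC 4868
HDR_LEN = 12   # Next Header, Payload Len, Reserved, SPI, Sequence Number

def _icv(key, src, dst, header, payload):
    # The ICV field is zeroed while computing the MAC. Simplification: the
    # addresses stand in for all immutable IP header fields.
    data = src + dst + header + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_protect(key, spi, seq, src, dst, payload, next_header=4):
    # next_header=4 (IPv4-in-IP) is an assumption about the tunnelled traffic.
    # Payload Len is the AH length in 32-bit words, minus 2.
    plen = (HDR_LEN + ICV_LEN) // 4 - 2
    header = struct.pack("!BBHII", next_header, plen, 0, spi, seq)
    return header + _icv(key, src, dst, header, payload) + payload

class Receiver:
    def __init__(self, key, spi):
        self.key, self.spi, self.last_seq = key, spi, 0

    def accept(self, src, dst, packet):
        """Return the payload if the packet authenticates, else None."""
        if len(packet) < HDR_LEN + ICV_LEN:
            return None
        header = packet[:HDR_LEN]
        icv = packet[HDR_LEN:HDR_LEN + ICV_LEN]
        payload = packet[HDR_LEN + ICV_LEN:]
        spi, seq = struct.unpack("!BBHII", header)[3:]
        if spi != self.spi:
            return None
        if not hmac.compare_digest(icv, _icv(self.key, src, dst, header, payload)):
            return None               # altered in transit, or sent without the key
        if seq <= self.last_seq:      # replay check (real AH uses a sliding window)
            return None
        self.last_seq = seq
        return payload

def demo():
    key = b"constructed-demo-key"     # constructed sample values throughout
    a, b, msg = bytes([169, 254, 0, 1]), bytes([169, 254, 0, 2]), b"CQ CQ de N0CALL"
    rx = Receiver(key, spi=0x1001)
    pkt = ah_protect(key, 0x1001, 1, a, b, msg)
    tampered = ah_protect(key, 0x1001, 2, a, b, msg)[:-1] + b"X"
    forged = ah_protect(b"wrong-key", 0x1001, 3, a, b, b"spoofed")
    return {"readable_on_air": msg in pkt, "genuine": rx.accept(a, b, pkt),
            "replayed": rx.accept(a, b, pkt), "tampered": rx.accept(a, b, tampered),
            "forged": rx.accept(a, b, forged)}
```

The payload travels unencrypted, so any monitor can read it, while altered, replayed or keyless packets are rejected by the receiver.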