How will Wi-Fi 5 and WPA2 coexist with Wi-Fi 6 and WPA3?

The migration to Wi-Fi 6 is the most complex in roughly a decade, as a new authentication standard is necessary to ensure security integrity. How will the two standards coexist?

How will Wi-Fi 5 & WPA2 coexist with Wi-Fi 6 and WPA3?

At HPE Discover 2019, TechRepublic's James Sanders spoke with Aruba's Larry Lunetta about how the migration to Wi-Fi 6 is the most complex in roughly a decade. The following is an edited transcript of the interview.

Larry Lunetta: So that's bound up in essentially Wi-Fi 6, in the adoption of Wi-Fi 6 and it takes two to make this effective. One is you need the endpoints to be enabled and then you need the access set up. So the access is ahead of the endpoints, not surprising and it's not all fully baked. Some of the Wi-Fi 6 implementations are using chipsets that haven't been verified and part of its marketing versus reality, which is not the case for Aruba by the way. We have a range of access points that fully implement the true Wi-Fi 6 standard. So regarding the sort of the coexistence of WPA2 and WPA3, it really is about Wave 2 and Wi-Fi 6. Wi-Fi 5 and Wi-Fi 6 coexisting, which is very natural. So if we have access points that use a Wi-Fi 5, we'll use WPA2, and the access points use Wi-Fi 6, it will be Wi-Fi, it'll be WPA3 and there's no collision, there's no coexistence problems or anything like that. It's just a natural part of how the standard is going to evolve. And again, we're seeing a lot of uptake on these dual platform access points that can execute Wifi 5 and 6 simultaneously or depending on how the organization wants to implement that. And as the endpoints come on stream, I think you're gonna see more and more people move to the Wi-Fi 6 standard.

James Sanders: With vulnerabilities like DragonBlood, and KRACK that came before it, the need for patching security vulnerabilities in access points over the lifetime of the device is becoming increasingly evident. What's the support lifetime like for Aruba products?

Larry Lunetta: I don't know exactly the sort of the end life distance that we've built-in, it's a long time. We obviously, we've been in business for 17 years. There are products that we are end of life-ing but I think, we measure it, close to seven to 10 years as opposed to anything shorter than that. And the idea that there are flaws, especially security flaws, we have a whole group, we have a lab that basically does vulnerability testing on our own equipment so that it's not we love when people tell us that there's a problem, but we want to find it first. And we have a whole program of when there is a vulnerability that we find, we fix it, communicate it, propagate it, et cetera.

SEE: Vendor risk management: A guide for IT leaders (free PDF) (TechRepublic)

There's been, you referred to some things about WPA3 and some of the analysis that's been done. We looked at that very closely. We took it very seriously. In fact, Aruba's Dan Harkins was the primary author of WPA3. So we have that sense of responsibility associated with the standard. So we took the report very seriously. We looked at it and talked to the IEEE and I think the consensus is what was found is not a fundamental flaw in WPA3. It's about how it was implemented or some of the implementation flaws that were being picked up. So we feel very comfortable that over time those flaws will be patched. They'll be fixed and WPA3 will fulfill its promises. But if that's not the case, it's something that we, like I said, we have a group of people looking for and we'll fix when we find it.

James Sanders: WPA3 was a lot more of a product of necessity just because of how the KRACK attack made WPA2 not exactly viable anymore, because of how session replay works. It's hard to say when is a WPA4 going to be a necessary thing, but what's your expectation of the longevity of WPA3 and if there's a future vulnerability, can it be patched out in software without having to iterate an entirely new system?

Larry Lunetta: So there's a sort of a technical answer and a political answer, right? So the technical answer is we're always looking for ways to improve the security across the wireless experience. I think some of our research is getting more towards the type of encryption we use, how we handle keys, that sort of thing. And that's probably something that we can evolve with software. But from a standards standpoint, there's a lot of cooks in the kitchen, right. And you know the history. WPA2 lived for almost what, 10 years?

So I don't know about the standards process. My guess is that WPA3 is going to be it as a title for a while, but you'll see incremental improvements for that.

Also see