• Use proven technology: IPsec with either X.509 or DNSSEC/DHCP

• Don't care about the link layer. Enforce crypto, do authentication in IP layer (“There is no OSI model”)

• IPsec supoprted by most network devices

• IPsec has been deployed widely, and has not been broken in many years.

• No patents, licences, royalties or binary-only software or firmware

• Possibility to seperate WiFI and Crypto operations, so that the radio, or even AP, doesn't need to do the crypto operations that are CPU expensive

Notes: