A WMN combines the advantages of wireless connections with the advantages of a mesh topology. A WMN provides better mobility, a lower cost of deployment, easier network expansion, and robust connections. A WMN is suitable for many applications, including broadband home networking, enterprise networking, building automation systems, and health and medical systems [1,2]. Because the WMN was developed first for industrial purposes, each company had its own proprietary technology, and no industrial standard existed for WMNs. As a result, different WMN devices were incompatible with each other. In 2004, the Institute of Electrical and Electronics Engineers (IEEE) started the 802.11s Task Group (TG) to develop a standard for WMNs. There are many standards related to WMN implementation, including 802.11s (Wi-Fi), 802.15.1 (wireless personal area network (WPAN) Bluetooth), 802.15.4 (WPAN ZigBee), and 802.16a (Worldwide Interoperability for Microwave Access (WiMAX)). The standard for 802.11s was finalized in July 2011.
The widely deployed 802.11 wireless local area network (WLAN) infrastructure can be connected to a wireless sensor network (WSN) both to save on costs for deploying a new network and to utilize the advantages of 802.11 technologies. A WMN can act as a scalable backbone by connecting separate sensor networks and even by connecting WMNs to a wired network. Initial research reported on the interconnection between WMN and WSN. Subsequently, concerns over the power consumption related to 802.11 were also eliminated with power-efficient standards for the 802.11. Now, a sensor device is able to run for 5 to 10 years on a single AA battery. Such a sensor device can then be used as a gateway for the WSN. The data rate for 802.11 is also very high compared to the common technologies used in a WSN, such as ZigBee, Bluetooth, or 802.15.4. IEEE 802.11s can be used to form the mesh topology or bridge networks for the WSN.
802.11s allows Wi-Fi devices to organize themselves and configure the network topology automatically. Wi-Fi devices with mesh functionality are referred to as mesh stations (or mesh STA). Mesh STAs that are far apart can still communicate with each other by utilizing wireless routing, where data packets are transmitted through intermediate mesh STAs. Hybrid Wireless Mesh Protocol (HWMP) is the default routing protocol for 802.11s, which must be implemented in layer 2. Thus, each 802.11s node is considered to be a layer 2 device. While the working principles and operations of HWMP have been defined in the drafted standard, the security features for the HWMP are not discussed in the drafted standard. It is possible to treat the HWMP frames as normal management frames and to protect them with the same protocols as defined in 802.11w, but those protocols do not consider a multi-hopping environment.
In this paper, we investigate how to protect routing messages, rather than data messages. In general, routing messages are sent to the immediate neighbors, at which point the neighbors process, possibly modify, and resend the messages. Therefore, some parts of these messages may be changed by the intermediate nodes during their propagation over the network. The most commonly changed parts of the routing message include the hop count and the metric of the path requested or provided. In terms of network security, we do not trust the intermediate node. Thus, for the security of routing messages, the two types of message parts (i.e., the mutable and non-mutable fields) have different security requirements. The mutable fields (MFs) should be updated according to the routing rule as the message is propagated along the path. Each node requires a cryptographic scheme to detect illegal mutable information in the message. For the security of non-mutable fields (NMFs), the data integrity and data-origin authentication service for the field must be provided between the source and destination nodes.
Some prior research exists on securing the layer-3 routing protocols for a WMN. Secure ad hoc on-demand distance vector (SAODV) routing is a secure variant of the ad hoc on-demand distance vector (AODV) routing. Authenticated routing for ad hoc networks (ARAN) uses public key cryptography to ensure the integrity of the routing messages. For example, Ariadne ensures secure on-demand source routing. The Secure Route Discovery Protocol (SRDP) uses a one-way hash function for route requests and public key signatures for route reply messages. All of these protocols provide end-to-end security between the source and destination nodes, and each has its own pros and cons [10,14]. Ning et al. studied some insider attacks against the AODV routing protocol, which is very similar to the reactive mode of HWMP. The authors successfully achieved the attacking goals for the routing protocol, including route disruption, route invasion, node isolation, and resource consumption, by misusing the protocol messages, namely the route request (RREQ), route reply (RREP), and route error (RERR) messages. Their misuse actions are message drop, modifying and forwarding, forge replying, and active forging. Both the MFs and NMFs are possible message modification targets. Their attacks are effective against the reactive mode of the HWMP.
Prior research also exists on securing the layer-2 routing protocol HWMP. The secure HWMP (SHWMP) secures HWMP frames from external attacks. However, SHWMP does not address internal attacks. SHWMP provides integrity service for the MFs and confidentiality service for the NMFs in a point-to-point link. This protocol does not provide integrity assurance from the source node to protect against non-mutable field modification attacks. This protocol also does not have any security schemes for the path error (PERR) HWMP routing protocol frames.
Ben-Othman et al. proposed a security mechanism based on the identity-based cryptography (IBC) to secure HWMP. Hereafter, we denote this security mechanism as IBC-HWMP. A media access control (MAC) address is used as the identity for all mesh STAs. A private key is used to sign the MF such that the integrity of the MF is protected. Like SHWMP, the IBC-HWMP protocol also does not provide integrity assurance from the source node to protect against non-mutable field modification attacks. This protocol does not have any security schemes for PERR or root announcement (RANN) HWMP routing protocol frames.
In terms of the design process of a secure scheme for a routing protocol, the vulnerabilities analysis of the protocol is the first step. The second step is setting up suitable security requirements to protect against the identified vulnerabilities. The last step is designing a secure scheme that satisfies the requirements. The existing secure schemes have not been designed using this process, and as a result, they are at risk of having security defects.
In this paper, the vulnerabilities of HWMP frames are examined [15,17,18] and security requirements for HWMP are developed based on these vulnerabilities. Next, the security requirements are used to analyze the effectiveness of existing security protocols, including BIP, CCMP, SHWMP, IBC-HWMP, ECDSA-HWMP, and Watchdog-HWMP. It is useful to analyze these security protocols because CCMP and BIP are the default security protocols used to protect Wi-Fi management frames. SHWMP, IBC-HWMP, ECDSA-HWMP, and Watchdog-HWMP, in contrast, have been developed in recent years to protect the HWMP frames. We present a quantitative complexity comparison among the protocols and an example of a security scheme for HWMP to demonstrate how the results of our research can be utilized. We hope that the application of our proposed security requirements and analyses assists future research on HWMP security.
This section presents a brief explanation of the IEEE 802.11s-based WMN. The working principle behind the default wireless routing protocol, HWMP, is explained, and the concept behind its default metric, Airtime Link Metric (ALM), is reviewed. The advantages of implementing WSN with the IEEE 802.11s-based WMN are also discussed.
2.1. IEEE 802.11s-Based Wireless Mesh Network
A Wireless Local Area Network (WLAN) is commonly used to provide network access to wireless device users. The most common WLAN uses access points (AP) to provide Internet connectivity to users (STAs). Each AP is connected to a wired LAN. Figure 1 shows the common way to deploy a WLAN. The coverage is limited by the range of the AP. STAs outside the coverage range cannot connect to the AP.
There are times when wireless repeaters are used to extend the reach of the wireless connection. Wireless repeaters are able to relay wireless frames between an AP and an STA. Wireless repeaters do not require a wired connection, but they must be connected wirelessly to an AP at all times to function. The advantage of using wireless repeaters is that a wired connection is not required. The use of wireless repeaters enables the cost of extending the wireless connection to be relatively lower, and they can be set up in areas where a wired connection cannot reach. However, the wireless connection between the AP and wireless repeater must be set statically during the set-up time. Figure 2 shows how the wireless repeater can extend the coverage of an AP to provide connection to STAs that are farther away. In the figure, the wireless repeater is denoted as Re.
The WMN enables STAs to provide the same functionality as an AP and repeaters. The IEEE 802.11s draft defines STAs that support the mesh functionality as mesh stations (mesh STAs). The STAs shall be able to forward wireless frames and act as APs to connect legacy IEEE 802.11 STAs. A mesh STA that connects the WMN to the Ethernet is defined as a mesh gateway. Figure 3 shows how the wireless network works when IEEE 802.11s is implemented. The coverage will be further extended whenever a mesh STA joins the WMN.
Figure 4 shows a WMN with additional mesh STAs. The largest difference between a repeater and a mesh STA is the latter's ability to form a wireless connection automatically and efficiently. The best path can be found by using HWMP, which is based on the shortest path algorithm. With HWMP, wireless traffic can be routed in an efficient way through path formation. ALM is used to calculate the link qualities, which are also known as the path distances. If any mesh STA is down, a new path can be formed automatically and efficiently based on HWMP.
This WMN deployment guarantees the coverage of the WLAN. However, note that the wireless connection is much slower compared to the wired connection. Thus, this WMN provides the same or larger coverage, but the connections will be slower compared to the conventional approach of using wired APs. Furthermore, multi-hop actions will cause the connection speed to be further decreased. One of the primary considerations when deploying a WMN is to make sure that all mesh STAs can reach the mesh gateway at all times with a sufficient bandwidth. The mesh gateway is also known as a gateway in WSN. In IEEE 802.11s, the mesh STA and the gateway are called a mesh point (MP) and a mesh portal (MPP), respectively.
2.2. Hybrid Wireless Mesh Protocol
HWMP is the default routing protocol for the IEEE 802.11s-based WMN. This protocol enables paths to be set up automatically. Paths are selected by choosing the best path based on the metrics. The concept of finding the best path is based on the Bellman-Ford or Dijkstra's algorithm, which solves the shortest path problem.
2.2.1. HWMP Frame Formats
There are four frames directly involved in the path discovery process, including the Path Request (PREQ), Path Reply (PREP), Path Error (PERR), and Root Announcement (RANN). The frame formats are shown in Figure 5.
When considering security for routing frames, it is convenient to separate the fields into MFs and NMFs. In Figure 5, the MFs are the highlighted fields, while the rest of the frames are NMFs. MFs contain information that will be updated whenever the frames are propagated (e.g., the path metric and hop count). NMFs, in contrast, contain information that cannot be modified by an intermediate mesh STA. Note that all frames are encapsulated with the wireless MAC header (HDR) before transmissions. The HDR contains information such as the transmitter address and the receiver address. The HDR is not shown in Figure 5.
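The MF/NMF split can be made concrete with a short sketch. This is an added example, not the paper's scheme or code from any of the cited protocols: the simplified field set, the pre-shared end-to-end key and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Preq:
    """Simplified PREQ; field set and MF/NMF split are assumptions."""
    originator: str          # NMF
    originator_sn: int       # NMF
    target: str              # NMF
    path_discovery_id: int   # NMF
    hop_count: int = 0       # MF, incremented at every hop
    metric: int = 0          # MF, accumulated link metric
    nmf_tag: bytes = b""     # end-to-end tag set by the originator


def nmf_bytes(p: Preq) -> bytes:
    """Fixed-width encoding of the non-mutable fields only."""
    def mac(addr: str) -> bytes:
        return bytes.fromhex(addr.replace(":", ""))
    return mac(p.originator) + mac(p.target) + struct.pack(
        ">II", p.originator_sn, p.path_discovery_id)


def originate(key: bytes, originator: str, sn: int, target: str, pdid: int) -> Preq:
    """Originator builds the frame and tags the NMFs for the target."""
    p = Preq(originator, sn, target, pdid)
    tag = hmac.new(key, nmf_bytes(p), hashlib.sha256).digest()
    return replace(p, nmf_tag=tag)


def forward(p: Preq, link_metric: int) -> Preq:
    """Legitimate per-hop update: only the mutable fields change."""
    return replace(p, hop_count=p.hop_count + 1, metric=p.metric + link_metric)


def verify_nmf(key: bytes, p: Preq) -> bool:
    """Target recomputes the tag over the NMFs it received."""
    expected = hmac.new(key, nmf_bytes(p), hashlib.sha256).digest()
    return hmac.compare_digest(expected, p.nmf_tag)


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample key
    sent = originate(key, "02:00:00:00:00:0a", 7, "02:00:00:00:00:0d", 1)
    at_target = forward(forward(forward(sent, 10), 10), 10)
    return {
        "legit": verify_nmf(key, at_target),
        "nmf_changed": verify_nmf(key, replace(at_target, originator_sn=99)),
        # The end-to-end tag cannot cover fields that every hop rewrites,
        # so a bad metric passes this check and needs a per-hop mechanism.
        "mf_changed": verify_nmf(key, replace(at_target, metric=1)),
    }


if __name__ == "__main__":
    print(demo())
```

The third result is the reason the two field types carry different security requirements: an end-to-end check over the NMFs says nothing about whether the hop count and metric were updated according to the routing rule.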
2.2.2. Operation Mode
IEEE 802.11s defines HWMP as a basic routing protocol for a WMN. HWMP is a hybrid routing protocol that combines a reactive mode and a proactive mode. The protocol's reactive mode operation is based on AODV, while the proactive mode uses tree-based routing. HWMP is located on layer 2; therefore, it uses MAC addresses instead of IP addresses to route message communications. In addition, note that the term ‘path selection’ is used instead of ‘routing’ in layer 2 routing. The main purpose of the on-demand routing protocol is to support the mobile mesh points, while the proactive routing protocol supports the fixed nodes. The airtime metric is a default routing metric that is used to measure the link quality. In HWMP, on-demand routing and proactive routing can simultaneously operate.
HWMP sets up an MP as a root MP to build the proactive tree. Three different methods for proactive tree-building in HWMP are shown in Figure 6. The first method only uses the PREQ mechanism. The second method uses the PREQ and PREP mechanisms together. The third method uses the RANN, PREQ, and PREP mechanisms. If an MP is configured as a root MP, at least one of the proactive PREQ and RANN mechanisms should be configured. In the proactive PREQ mechanism, the proactive PREP flag can be set or not. When the proactive PREP flag is not set, then only the proactive PREQ mechanism is used to build the proactive tree.
If a root MP is configured to use the proactive PREQ mechanism, then it will periodically broadcast a proactive PREQ with an increasing sequence number. Any intermediate MPs that receive a proactive PREQ will process it in a similar way as the PREQ mechanism performs on-demand path discovery.
The proactive PREP flag in the PREQ controls whether the PREP is sent in response to a proactive PREQ. If the flag is not set, then no PREP is sent in response to the reception of a proactive PREQ. This situation is called the non-registration mode. In this mode, a path tree from all of the MPs to the announced root MP is established, but the MPs are not registered proactively at the root MP. If a source MP attempts to establish a bidirectional communication path with the root MP, the source MP can send a gratuitous PREP before the first data frame to register its address with the root MP. The non-registration mode creates a path that does not strain the network and thus maintains proactive paths to the root MP.
If the proactive PREP flag is set, then the MP must send the PREP in response to the reception of a proactive PREQ. This situation is called the registration mode. In this case, MPs register with the root MP by sending a PREP in response to the proactive PREQ.
If a root MP is configured to use the proactive RANN mechanism, then it will periodically broadcast a RANN with an increasing sequence number. The RANN mechanism propagates only the path metrics to the root MP and all of the MPs in the mesh network. The RANN mechanism does not create or update any paths in the routing table. If an MP wants to create or update a path to the root MP, then it will send a unicast PREQ to the root MP, and the root MP will respond with a PREP. PREQ/PREP processing is performed in a similar manner as PREQ/PREP processing during on-demand path discovery. This mechanism establishes a forwarding tree for each MP toward the root MP. Multiple root MPs can be configured in a mesh network that is running HWMP, which means that multiple proactive trees can be built simultaneously by the different root MPs.
The hybrid routing event occurs when a root MP is configured in registration mode. When a source MP wants to send data to a destination MP but has no path to the destination in its routing table, the source can send the data frames to the root MP. Because the mesh network is in registration mode, the root MP knows that the destination is inside of the mesh network. The root MP forwards the data frame to the destination together with an indication that both the source and destination are in the same mesh. This data frame activates the destination MP to initiate a path discovery for the destination. This procedure will establish the optimal path between the source and destination MPs, and the subsequent data frames will be forwarded on this path.
The interesting part about HWMP is how the protocol discovers paths for mesh STAs or, in other words, the wireless routing. Figure 7 shows an example of how a bi-directional path can be formed using the PREQ and PREP frames. In this example, mesh STA A is the originator, while mesh STA D is the target. Tables 1 and 2 are generated based on the scenario depicted in Figure 7. Table 1 is an example of a routing table for mesh STA C after it received the PREQ frame that originated from mesh STA A. Table 2 is an example of a routing table for mesh STA B when it receives the PREP frame replied by mesh STA D. The path discovery process is completed once the reverse and forward paths are formed. At that point, mesh STA A and D can communicate with each other using the path [A,B,C,D].
When a PREQ frame is received, the forwarding information for the originator mesh STA and the transmitter mesh STA can be updated. When a PREP frame is received, the forwarding information for the target mesh STA and the transmitter mesh STA can be updated. The forwarding information is created and updated according to the message and type of node, as described in Table 3. The table is sourced from the 802.11s drafted standards.
An HWMP sequence number is required to differentiate between the old and the new PREQ/PREP forwarding information. The sequence number is increased if a new PREQ frame is transmitted so that the other mesh STA can identify it as a new path request. The mesh STA will only process the PREQ frame if its sequence number is higher than the sequence number that it has saved in its routing table. If the sequence number is the same, the mesh STA will compare the path metric information and update the forwarding information if and only if the PREQ path metric is better. According to the drafted standards, the sequence number should not be increased too rapidly to avoid changing paths too often.
ALM is the default metric used for IEEE 802.11s. The ALM path metric is determined by cumulating the link metric value along a path. A path with a lower path metric indicates that it is a better path (i.e., it indicates a lower airtime cost or a lower transmission time). This metric measurement will influence the accuracy of the path quality measurement. If the measurement is accurate, efficient paths can be selected so that an optimum network performance can be achieved.
The hop count refers to how many transmissions are required before a frame can reach its destination. Based on the drafted standards, if a direct transmission occurs without hopping, the hop count field will be recorded as 1. For HWMP, there is no need for a mesh STA to store information about all intermediate mesh STAs within a path. The hop count already reflects the number of mesh STAs in the path.
Even though not all of the intermediate mesh STAs are known, the next hop mesh STA address must be identified. By referring to the routing table, a mesh STA can forward frames to the next hop address. An example of this operation is described in Figure 6 and Table 2.
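The PREQ handling described above (sequence-number check, metric comparison, cumulative metric, hop count and next-hop storage) can be traced in a small simulation. This is an added example, not code from the standard or the paper: the topology follows the A, B, C, D scenario with an extra A-C link, and the link metric values are constructed.

```python
from dataclasses import dataclass


@dataclass
class Route:
    next_hop: str    # only the next hop is stored, not the whole path
    sn: int          # HWMP sequence number of the accepted PREQ
    metric: int      # cumulative link metric (lower is better)
    hop_count: int


def accept(table, dest, sn, metric):
    """Newer sequence number, or same number with a better metric."""
    cur = table.get(dest)
    return cur is None or sn > cur.sn or (sn == cur.sn and metric < cur.metric)


def flood_preq(tables, links, originator, sn):
    """Propagate one PREQ; returns how many forwarding entries changed."""
    updates = 0
    queue = [(originator, 0, 0)]  # (transmitter, metric so far, hops so far)
    while queue:
        tx, metric, hops = queue.pop(0)
        for rx, link_metric in links[tx].items():
            if rx == originator:
                continue
            m, h = metric + link_metric, hops + 1
            if accept(tables[rx], originator, sn, m):
                tables[rx][originator] = Route(tx, sn, m, h)
                updates += 1
                queue.append((rx, m, h))  # rx rebroadcasts the updated PREQ
    return updates


def path_to(tables, src, dest):
    """Follow next-hop entries from src until dest is reached."""
    path = [src]
    while path[-1] != dest:
        path.append(tables[path[-1]][dest].next_hop)
    return path


def symmetric(edges):
    links = {}
    for (a, b), cost in edges.items():
        links.setdefault(a, {})[b] = cost
        links.setdefault(b, {})[a] = cost
    return links


# Constructed link metrics: the direct A-C link is poor, so the two-hop
# path through B has the lower cumulative metric.
LINKS = symmetric({("A", "B"): 10, ("B", "C"): 10, ("C", "D"): 10, ("A", "C"): 50})


def demo():
    tables = {sta: {} for sta in LINKS}
    flood_preq(tables, LINKS, "A", sn=5)
    stale_updates = flood_preq(tables, LINKS, "A", sn=4)  # older PREQ arrives late
    return tables, stale_updates


if __name__ == "__main__":
    tables, stale_updates = demo()
    print(tables["C"]["A"], tables["D"]["A"], stale_updates)
    print(path_to(tables, "D", "A"))
```

Every decision in `accept` depends on the sequence number and the metric carried in the frame, which is why the integrity of those fields determines which path a mesh STA installs.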