
PP106: Architecting for Wi-Fi 7, Zero Trust, PQC, and More

At RSA 2026, JJ and partner JD presented on network security trends from 2026-2030, covering Wi-Fi 7's security implications, device identity challenges, zero trust on the LAN, and post-quantum cryptography. The talk argues that enterprises have accumulated 'architectural debt' by iterating on existing configurations rather than rethinking foundational network design. Device identity — specifically moving away from MAC addresses — was identified as the single most critical blocker to implementing modern security architectures.

Summary

This Packet Protector episode is a post-talk debrief recorded live at RSA 2026 in San Francisco. Host Drew Conry-Murray interviews JJ, who co-presented a session titled 'Network Security 2026 to 2030: What Every Fortune 500 Should Know' with JD, a senior network engineer specializing in wireless.

The conversation opens with a diagnosis of the industry's core problem: network engineers have fallen into a pattern of iterating on existing configurations and vendor products rather than rethinking architecture from first principles. JJ frames this not as 'technical debt' but as 'architectural debt' — a distinction she attributes partly to the increasing complexity of vendor-specific products and the time pressure of constant firefighting.

The first major topic is Wi-Fi 7 and its security implications. JJ explains that while organizations have historically treated Wi-Fi upgrades as incremental, the jump to Wi-Fi 7 is qualitatively different. Wi-Fi 7 mandates WPA3 across all bands and introduces new cipher suites — specifically GCMP-256 (AES in GCM mode with 256-bit keys) replacing the 20-year-old AES-CCMP with 128-bit keys. Critically, Wi-Fi 7 access points now advertise two pairwise cipher suites simultaneously, something that hasn't been done in over two decades and has not been broadly tested for client compatibility: each client has to pick one of them correctly at association. Additionally, even open/unauthenticated networks on Wi-Fi 7 now carry encryption (Wi-Fi Enhanced Open, built on Opportunistic Wireless Encryption), requiring cryptographic key distribution across access points to support roaming — a new operational complexity. The practical message is that enterprise budgeting and migration planning for Wi-Fi 7 must reflect these deeper changes.
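The cipher and AKM changes described above are all visible in the RSN information element an access point puts in every beacon, so a pre-migration survey can check them without touching a single client. The following is an added example written for this page, not code from the episode or its presenters: it parses an RSN element into the group cipher, the pairwise cipher list, the AKM list and the protected-management-frame bits, then flags what a Wi-Fi 7 migration review should look at, including the case of two pairwise ciphers advertised at once. The two sample elements are constructed here to look like a WPA3-only Wi-Fi 7 BSS and a legacy WPA2 mixed-mode BSS; they are not captures from a real network.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Suite selectors under the IEEE 802.11 OUI 00-0F-AC; any other OUI is vendor-specific.
var cipherNames = map[byte]string{1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256", 11: "BIP-GMAC-128", 12: "BIP-GMAC-256", 13: "BIP-CMAC-256"}
var akmNames = map[byte]string{1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "802.1X-SuiteB-192", 18: "OWE", 24: "SAE-EXT-KEY", 25: "FT-SAE-EXT-KEY"}

// RSN is the decoded security posture of one BSS.
type RSN struct {
	Group      string   // group (broadcast/multicast) cipher
	Pairwise   []string // unicast ciphers offered; the client picks one at association
	AKMs       []string // authentication and key management suites
	MFPC, MFPR bool     // RSN Capabilities bits 7 and 6: PMF capable / PMF required
}

func suiteName(names map[byte]string, sel []byte) string {
	if n, ok := names[sel[3]]; ok && sel[0] == 0x00 && sel[1] == 0x0F && sel[2] == 0xAC {
		return n
	}
	return fmt.Sprintf("unknown-%02x%02x%02x:%d", sel[0], sel[1], sel[2], sel[3])
}

// suiteList reads a 2-byte little-endian count followed by that many 4-byte selectors.
func suiteList(b []byte, names map[byte]string) ([]string, []byte, error) {
	if len(b) < 2 || len(b) < 2+4*int(binary.LittleEndian.Uint16(b)) {
		return nil, nil, errors.New("truncated suite list")
	}
	n := int(binary.LittleEndian.Uint16(b))
	out := make([]string, n)
	for i := range out {
		out[i] = suiteName(names, b[2+4*i:6+4*i])
	}
	return out, b[2+4*n:], nil
}

// ParseRSN decodes an RSN element (element ID 48) from a beacon or probe response up to the
// RSN Capabilities field; the optional PMKID and group-management cipher fields are ignored.
func ParseRSN(ie []byte) (r RSN, err error) {
	if len(ie) < 10 || ie[0] != 48 || int(ie[1]) != len(ie)-2 || binary.LittleEndian.Uint16(ie[2:]) != 1 {
		return r, errors.New("not a well-formed version-1 RSN element")
	}
	r.Group = suiteName(cipherNames, ie[4:8])
	b := ie[8:]
	if r.Pairwise, b, err = suiteList(b, cipherNames); err != nil {
		return r, err
	}
	if r.AKMs, b, err = suiteList(b, akmNames); err != nil {
		return r, err
	}
	if len(b) < 2 {
		return r, errors.New("missing RSN capabilities")
	}
	caps := binary.LittleEndian.Uint16(b)
	r.MFPR, r.MFPC = caps&(1<<6) != 0, caps&(1<<7) != 0
	return r, nil
}

// Assess lists what a pre-migration survey should flag: legacy ciphers, no WPA3 AKM,
// PMF posture, and more than one pairwise cipher advertised at the same time.
func Assess(r RSN) []string {
	var f []string
	advertised := map[string]bool{r.Group: true}
	for _, c := range r.Pairwise {
		advertised[c] = true
	}
	for _, c := range []string{"WEP-40", "WEP-104", "TKIP"} {
		if advertised[c] {
			f = append(f, "legacy cipher advertised: "+c)
		}
	}
	wpa3 := false
	for _, a := range r.AKMs {
		wpa3 = wpa3 || a == "SAE" || a == "FT-SAE" || a == "SAE-EXT-KEY" || a == "FT-SAE-EXT-KEY" || a == "802.1X-SuiteB-192"
	}
	if !wpa3 {
		f = append(f, "no WPA3 AKM (SAE variants or Suite B) advertised")
	}
	if !r.MFPC {
		f = append(f, "PMF not supported; WPA3 requires it")
	} else if !r.MFPR {
		f = append(f, "PMF optional (transition mode): unprotected management frames still accepted")
	}
	if len(r.Pairwise) > 1 {
		f = append(f, fmt.Sprintf("%d pairwise ciphers advertised %v: test client cipher selection", len(r.Pairwise), r.Pairwise))
	}
	return f
}

// Constructed sample elements (not captures): a WPA3-only BSS offering CCMP-128 and GCMP-256
// with SAE and SAE-EXT-KEY and PMF required, and a WPA2-PSK mixed-mode BSS still offering TKIP.
var sampleWiFi7 = []byte{48, 28, 1, 0, 0, 0x0F, 0xAC, 9, 2, 0, 0, 0x0F, 0xAC, 4, 0, 0x0F, 0xAC, 9, 2, 0, 0, 0x0F, 0xAC, 8, 0, 0x0F, 0xAC, 24, 0xC0, 0x00}
var sampleWPA2 = []byte{48, 24, 1, 0, 0, 0x0F, 0xAC, 2, 2, 0, 0, 0x0F, 0xAC, 4, 0, 0x0F, 0xAC, 2, 1, 0, 0, 0x0F, 0xAC, 2, 0x00, 0x00}

func main() {
	for _, ie := range [][]byte{sampleWiFi7, sampleWPA2} {
		r, err := ParseRSN(ie)
		fmt.Printf("%+v err=%v\n  findings: %v\n", r, err, Assess(r))
	}
}
```

To survey a real network, feed ParseRSN the bytes of element ID 48 from a beacon capture (for example exported from Wireshark); the selector values are the IEEE 802.11 assignments under OUI 00-0F-AC, and the findings from Assess are exactly the checks the paragraph above names.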

The second major topic is device identity, which JJ describes as a 'linchpin' blocking progress on zero trust, micro-segmentation, SASE, IoT management, and OT integration. The core problem is that MAC addresses — long used as device identifiers in network operations and security — are fundamentally unsuitable: they can be spoofed, are being recycled, and are now randomized by default on smartphones, laptops, and tablets per IEEE guidance, so a policy keyed on a MAC matches only until the device rotates it. JJ argues the industry must move to cryptographically verifiable device identities based on certificates. She points to IEEE 802.1AR (the Secure Device Identity standard, first published in 2009), TPM chips as hardware roots of trust, and the consumer Matter IoT protocol — which runs on a full PKI with certificate authorities — as proof that this is technically achievable. The ACME protocol's device attestation extension, which lets a device present hardware attestation evidence when enrolling for a certificate, is also mentioned. The call to action is directed at Fortune 500 buyers to pressure endpoint vendors to support proper certificate-based identity provisioning.
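What a certificate-based device identity looks like at the wire, as an added example for this page rather than code from the episode: a manufacturer CA issues an 802.1AR-style IDevID certificate carrying the hardware serial number, and the network authenticator accepts a device only if that certificate chains to a trusted CA and the device proves possession of the matching private key by signing a fresh nonce. The MAC check alongside it shows the contrast: the U/L bit tells you an address is locally administered (the form OS randomization produces), but nothing about a MAC can be verified. The CA name, the 30-year validity and the in-memory keys are assumptions made for the example; real IDevIDs are generated in a TPM or secure element and usually carry no expiry, and the nonce exchange here stands in for what EAP-TLS does inside an 802.1X handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// IsRandomizedMAC reports whether the U/L bit (bit 1 of the first octet) is set, i.e. the address
// is locally administered, which is what OS MAC randomization produces; such an address is not stable.
func IsRandomizedMAC(mac string) (bool, error) {
	hw, err := net.ParseMAC(mac)
	if err != nil {
		return false, err
	}
	return hw[0]&0x02 != 0, nil
}

// sign issues tmpl for pub, signed by signer under parent (pass tmpl as parent to self-sign).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA models a manufacturer CA, the trust anchor an IDevID chains to (the name is illustrative).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(30, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueDevID issues an 802.1AR-style device certificate with the hardware serial in the subject
// serialNumber attribute. On a real device the key is generated inside a TPM and never leaves it.
func IssueDevID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, hwSerial string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "device", SerialNumber: hwSerial},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(30, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := sign(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// SignChallenge is the device side of proof of possession: sign the authenticator's fresh nonce.
func SignChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// VerifyDevID is the authenticator (NAC) side: the certificate must chain to a trusted manufacturer CA
// and the presenter must prove possession of the key. It returns the hardware serial to key policy on.
func VerifyDevID(cert *x509.Certificate, roots *x509.CertPool, nonce, sig []byte) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("proof of possession failed")
	}
	return cert.Subject.SerialNumber, nil
}

func main() {
	ca, caKey, _ := NewCA("Example Manufacturer IDevID CA")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	dev, devKey, _ := IssueDevID(ca, caKey, "SN-0001")
	nonce := []byte("fixed nonce for the demo; random per exchange in practice")
	sig, _ := SignChallenge(devKey, nonce)
	fmt.Println(VerifyDevID(dev, roots, nonce, sig))
	fmt.Println(IsRandomizedMAC("da:a1:19:3c:7e:02")) // the MAC, by contrast, is whatever the host claims
}
```

The two failure modes worth exercising are a certificate for the same serial minted by a CA the authenticator does not trust (chain validation fails) and a valid certificate presented by someone who does not hold the key (proof of possession fails); both are rejected before any serial number reaches policy.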

The third topic is zero trust at the LAN edge. JJ distinguishes between software-enforced zero trust (viable in data centers with agents and labels/tags) and the network-enforced segmentation required on the LAN, where there is no equivalent tagging construct for devices. She mentions EVPN/VXLAN as an emerging approach to bring flow-based, identity-tagged policy enforcement to the campus network edge, allowing segmentation policy to follow traffic end-to-end.
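The episode does not name the mechanism by which an identity tag rides with a frame; one concrete form, assumed for this added example (not code from the episode), is the VXLAN Group-Based Policy extension (draft-smith-vxlan-group-policy), which places a 16-bit Group Policy ID in otherwise reserved bytes of the VXLAN header. The parser below decodes that header, and Decide is the egress VTEP's enforcement point: the source group travels in the packet, the destination group is known locally from the VTEP's endpoint table, and an allow matrix decides. The packets, group numbers and policy are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// GBPHeader is the 8-byte VXLAN header with the Group-Based Policy extension
// (draft-smith-vxlan-group-policy): flag bits, a 16-bit Group Policy ID and the 24-bit VNI.
type GBPHeader struct {
	GroupPresent  bool   // G, bit 0: a group (identity) tag is carried
	VNIValid      bool   // I, bit 4: the VNI field is valid (always set in VXLAN)
	DontLearn     bool   // D, bit 9: egress must not learn the inner source MAC
	PolicyApplied bool   // A, bit 12: ingress claims it already enforced policy
	GroupID       uint16 // the tag: endpoint group of the source
	VNI           uint32 // the segment
}

// ParseVXLANGBP decodes the VXLAN header found at the start of the UDP payload.
func ParseVXLANGBP(b []byte) (GBPHeader, error) {
	var h GBPHeader
	if len(b) < 8 {
		return h, errors.New("short VXLAN header")
	}
	h.GroupPresent = b[0]&0x80 != 0
	h.VNIValid = b[0]&0x08 != 0
	h.DontLearn = b[1]&0x40 != 0
	h.PolicyApplied = b[1]&0x08 != 0
	h.GroupID = binary.BigEndian.Uint16(b[2:4])
	h.VNI = binary.BigEndian.Uint32(b[4:8]) >> 8 // 24-bit VNI followed by a reserved byte
	if !h.VNIValid {
		return h, errors.New("I flag clear: not a valid VXLAN packet")
	}
	return h, nil
}

// Policy is an allow matrix keyed by (source group, destination group); anything absent is denied.
type Policy map[[2]uint16]bool

// Decide is the egress VTEP's enforcement point. dstGroup is the group of the local endpoint the
// inner frame is addressed to. The A bit is deliberately ignored: honouring it would let any host
// that can inject VXLAN into the underlay bypass policy, so egress always evaluates for itself.
func Decide(h GBPHeader, dstGroup uint16, p Policy) (bool, string) {
	if !h.GroupPresent {
		return false, "untagged frame: no identity to evaluate, default deny"
	}
	if p[[2]uint16{h.GroupID, dstGroup}] {
		return true, fmt.Sprintf("group %d -> %d allowed", h.GroupID, dstGroup)
	}
	return false, fmt.Sprintf("group %d -> %d not in policy", h.GroupID, dstGroup)
}

// Constructed packets (not captures): flags G|I with group 100 (corporate laptops) and group 300
// (IP cameras) into VNI 10000, and an untagged frame from a VTEP that does not set G.
var taggedCorp = []byte{0x88, 0x00, 0x00, 0x64, 0x00, 0x27, 0x10, 0x00}
var taggedCamera = []byte{0x88, 0x00, 0x01, 0x2C, 0x00, 0x27, 0x10, 0x00}
var untagged = []byte{0x08, 0x00, 0x00, 0x00, 0x00, 0x27, 0x10, 0x00}

// Illustrative matrix: corporate laptops (100) may reach file servers (200); nothing else may.
var policy = Policy{{100, 200}: true}

func main() {
	for _, pkt := range [][]byte{taggedCorp, taggedCamera, untagged} {
		h, err := ParseVXLANGBP(pkt)
		ok, why := Decide(h, 200, policy)
		fmt.Printf("vni=%d group=%d err=%v -> allow=%v (%s)\n", h.VNI, h.GroupID, err, ok, why)
	}
}
```

Note what the untagged case means operationally: a fabric that defaults untagged traffic to allow has a segmentation bypass the moment one VTEP or one access port is misconfigured, which is why the matrix here is deny-by-default in both directions.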

The fourth topic is post-quantum cryptography (PQC), which JJ prefers to call 'quantum-resistant cryptography.' She notes that the networking industry's adoption and awareness of PQC sits near the bottom of the technology stack — just above OT — and that this gap needs to be addressed urgently.

JJ also mentions that slides and supporting resources — including a wireless security best practices guide, an Air Snitch Wi-Fi vulnerability briefing, and a zero trust maturity model mapping — are available for free download through the RSA conference agenda page, released by IONS.

Key Insights

  • JJ argues the industry suffers from 'architectural debt' rather than merely technical debt — engineers keep iterating on vendor-specific configurations instead of rethinking foundational architecture, partly because product complexity has grown so high that basic connectivity requires weeks of vendor-specific training.
  • JJ claims Wi-Fi 7 introduces a qualitatively different migration challenge compared to previous generations because it simultaneously mandates WPA3 everywhere, introduces the GCMP-256 cipher suite replacing the 20-year-old AES-CCMP-128, and advertises two pairwise cipher suites concurrently — a configuration that has not been widely tested for client compatibility.
  • JJ identifies device identity — specifically the inability to use MAC addresses as reliable identifiers due to spoofing, recycling, and widespread MAC randomization — as the single most critical blocker preventing enterprises from implementing zero trust, micro-segmentation, SASE, and effective IoT/OT management.
  • JJ points to the consumer Matter IoT protocol as evidence that full PKI with certificate authorities is feasible even for small, resource-constrained devices, arguing this undermines vendor excuses for not supporting cryptographic device identity in enterprise wireless NICs and endpoints.
  • JJ states that the networking industry's awareness and adoption of post-quantum (quantum-resistant) cryptography ranks near the bottom of the broader technology stack — just above OT — representing a significant and underappreciated risk exposure for enterprise networks.

Topics

  • Wi-Fi 7 security changes and migration complexity
  • Device identity and the obsolescence of MAC addresses
  • Zero trust and micro-segmentation at the LAN edge
  • Post-quantum (quantum-resistant) cryptography adoption
  • Architectural debt in network engineering
