-
Notifications
You must be signed in to change notification settings - Fork 28
WMABS DP 001 Territorial Rollout Plan
DEPLOYMENT PLAN
────────────────────────────────────────
WMABS-DP-001
Territorial Rollout Plan
Phased Deployment Framework for Standards-Based Wireless Mesh Infrastructure in Multi-Jurisdiction Environments
────────────────────────────────────────
Document ID: WMABS-DP-001
Version: 0.1 (Draft)
Date: 2026-02-09
Classification: Internal / Restricted
Parent Spec: WMABS-SP-001 v0.1
Status: DRAFT
CONFIDENTIAL --- FOR AUTHORISED DISTRIBUTION ONLY
Document Control
Revision History
Version Date Author Description
0.1 2026-02-09 H. Martin Initial draft --- territorial rollout framework
Review and Approval
Role Name Date Signature
Systems Architect
RF Engineering
Lead
Regulatory
Compliance
Operations Manager
Programme Director
Related Documents
Document ID Title Status
WMABS-SP-001 Wi-Fi Mesh Access and Backhaul Draft v0.1
Subsystem --- System Requirements
Specification
WMABS-IF-001 Node Management Interface Planned Specification
WMABS-TP-001 Test Plan and Verification Planned Procedures
WMABS-RP-001 Regulatory Profile Registry Planned
Conventions
This document uses the keywords SHALL, SHALL NOT, SHOULD, SHOULD NOT, MAY, and MUST as defined in IETF RFC 2119. All normative requirements carry a traceable identifier in the format [XX-NNN].
Table of Contents
This document defines the technical, hardware, software, and operational considerations required to deploy the Wi-Fi Mesh Access and Backhaul Subsystem (WMABS) within a defined territory. A territory may be a city, island, rural district, industrial campus, or mixed environment.
The plan establishes a phased deployment framework that achieves four primary objectives:
-
Predictable performance --- each deployment phase produces measurable service-level outcomes before the next phase is initiated
-
Regulatory compliance --- every node configuration is validated against the jurisdiction-specific regulatory profile defined in WMABS-SP-001
-
Controlled operational risk --- deployment progresses from low-risk indoor pilot to progressively broader coverage, with explicit go/no-go gates between phases
-
Repeatability --- the framework is parameterised so that it can be instantiated for any qualifying territory without redesign
This plan is subordinate to the system requirements defined in WMABS-SP-001 and SHALL NOT contradict any normative requirement in that specification.
For evaluation and planning purposes, the rollout framework assumes an abstract territory model. These parameters MUST be instantiated with real values for each target country or region before execution begins.
Parameter Abstract Range Notes
Territory size 5--500 km² Total service area footprint
Environment mix Urban / semi-urban / Influences node density rural and backhaul strategy
Building density Low to high Determines indoor propagation loss model
Fixed backhaul Partial (0--80%) Fibre, DSL, or Ethernet availability at potential gateway sites
Climate Moderate No extreme rain-fade or humidity corrections assumed
Population density 50--15,000 per km² Drives client-per-node capacity planning
Regulatory regime Unlicensed RLAN Indoor and outdoor with permitted constraints (DFS/TPC)
Terrain Flat to moderate Line-of-sight elevation feasibility for Phase B links
Power grid Stable (> 99%) UPS sizing if grid is reliability unreliable
Note: Territories with extreme values (e.g., desert climate, mountainous terrain, population density below 10/km²) require a supplementary engineering study before this framework is applied.
WMABS territorial rollout follows a four-phase model. Each phase has defined entry criteria, deliverables, and exit criteria. A phase SHALL NOT begin until its entry criteria are satisfied.
Phase Description Scope Gate
Phase 0 Regulatory and RF Desk-based Approved profile Feasibility Assessment
Phase 1 Core Infrastructure Single site / Stability Pilot (Phase A) campus targets met
Phase 2 Territorial Expansion Multi-site / SLA compliance (Phase A at Scale) regional
Phase B Extended Outdoor Sparse / Per-country (Optional) long-range regulatory approval
Phase 0 is a desk-based assessment that MUST be completed before any hardware is procured or deployed in the target territory. Its purpose is to confirm that a standards-compliant WMABS deployment is legally permissible and technically viable.
[P0-001] The applicable national telecommunications regulator SHALL be identified, along with all statutes, orders, and technical standards governing RLAN operation in the 2.4 GHz, 5 GHz, and (where applicable) 6 GHz bands.
[P0-002] The following regulatory parameters SHALL be determined and documented for each permitted band:
-
Maximum EIRP (indoor and outdoor, if different)
-
Permitted channel widths
-
DFS requirements (applicable sub-bands, CAC duration, non-occupancy period)
-
TPC requirements
-
Indoor-only vs. outdoor-permitted classification
-
Antenna restrictions (gain limits, external antenna rules)
[P0-003] A formal Regulatory Profile conforming to the schema defined in WMABS-SP-001 Annex A SHALL be created and cryptographically signed.
[P0-004] It SHALL be validated that baseline Phase A deployment (internal antennas, standard EIRP) does not require individual operator licences, site-specific permits, or spectrum fees.
[P0-005] A preliminary RF propagation assessment SHALL be performed for the target territory using appropriate path-loss models (e.g., ITU-R P.1238 for indoor, ITU-R P.1411 for short-range outdoor).
[P0-006] The assessment SHALL estimate the node density required to achieve contiguous coverage at the target service level for each environment type (indoor, outdoor urban, outdoor suburban).
[P0-007] The assessment SHALL identify any known sources of co-channel interference, including existing Wi-Fi networks, radar systems in DFS bands, and other RLAN deployments.
Phase 0 is complete when the following deliverables are produced:
-
Approved and signed regulatory profile for the target jurisdiction
-
RF feasibility report with estimated node density and coverage maps
-
Documented confirmation that no individual spectrum licence is required for Phase A
-
Identified risks and mitigations specific to the target territory
Gate decision: Proceed to Phase 1, modify territory scope, or abandon.
Phase 1 deploys a limited-scale mesh network at a single site or campus to validate hardware, software, RF performance, and operational procedures under real-world conditions.
[P1-001] Each WMABS node SHALL incorporate an ARM- or x86-based system-on-chip (SoC) capable of sustained packet forwarding at wire-rate for at least 300 Mbps aggregate throughput, concurrent with cryptographic operations (AES-CCMP-128 minimum).
[P1-002] Each node SHALL provide a minimum of 2 GB RAM and 16 GB persistent storage (eMMC or SSD).
[P1-003] The SoC SHOULD include hardware cryptographic acceleration to offload WPA3 SAE and 802.11i key derivation from the main CPU.
[P1-004] Each node SHALL include at least one dual-band IEEE 802.11ax radio supporting simultaneous 2.4 GHz and 5 GHz operation.
[P1-005] Radios SHALL use internal omnidirectional antennas for Phase A deployments.
[P1-006] Antenna gain SHALL NOT exceed the value encoded in the active regulatory profile for the deployment band and environment classification.
Recommended (non-normative): Tri-radio hardware (two radios for client access, one dedicated to mesh backhaul) is strongly recommended for deployments where the mesh hop count exceeds two hops. This configuration avoids the throughput halving effect inherent in shared-radio mesh designs.
[P1-007] Nodes SHALL support AC mains power (100--240 V, 50/60 Hz) as the primary power source.
[P1-008] Nodes SHOULD support Power over Ethernet (PoE, IEEE 802.3af/at) as an alternative or sole power source.
[P1-009] Indoor-rated enclosures SHALL be used for the Phase 1 pilot. Outdoor-rated enclosures (minimum IP55) are required only if outdoor deployment is enabled in the regulatory profile.
Node identity and key storage benefit from hardware-backed security:
-
A Trusted Platform Module (TPM 2.0) or hardware secure element SHOULD be included for node identity attestation and private key storage
-
If no hardware secure element is present, node identity keys SHALL be stored in an encrypted partition with access restricted to the WMABS control plane
[P1-010] Each node SHALL run a minimal Linux-based operating system. The OS SHOULD use an immutable root filesystem with a read-write overlay for configuration and telemetry data.
[P1-011] The OS SHALL support secure remote firmware updates with cryptographic signature verification and automatic rollback on failure.
[P1-012] 802.11ax drivers SHALL support DFS (including CAC, in-service monitoring, and channel evacuation) and TPC as required by the active regulatory profile.
[P1-013] Mesh routing SHALL be implemented using IEEE 802.11s HWMP or a vendor-specific mesh protocol, as specified in WMABS-SP-001 Section 7.
[P1-014] The mesh routing implementation SHALL support airtime-based link metrics for path selection.
The node-resident control plane is responsible for enforcing deployment policy at runtime:
-
Regulatory profile loading, validation, and enforcement
-
Automatic channel and transmit-power selection within profile constraints
-
Node discovery, mesh peering, and gateway election
-
Heartbeat and keep-alive messaging to the management plane
[P1-015] WPA3-Personal (SAE) and WPA3-Enterprise (802.1X) SHALL be supported as specified in WMABS-SP-001 Section 9.
[P1-016] Inter-node mesh links SHALL be authenticated and encrypted using SAE or Authenticated Mesh Peering Exchange (AMPE).
[P1-017] Certificate- or pre-shared-key-based node identity SHALL be enforced. Nodes without valid credentials SHALL NOT be permitted to join the mesh.
[P1-018] Each node SHALL collect and report the following telemetry at configurable intervals (default: 60 seconds):
-
Per-radio: channel, EIRP, noise floor, channel utilisation, DFS event count
-
Per-link: RSSI, MCS index, packet error rate, retransmission rate, airtime link metric
-
Per-node: CPU utilisation, memory utilisation, uptime, firmware version, temperature
-
Per-client: association state, signal strength, throughput (aggregated, not per-flow)
[P1-019] The Phase 1 pilot SHALL deploy a minimum of one gateway node with upstream backhaul connectivity (Ethernet, fibre, or cellular).
[P1-020] Mesh hop count in the pilot SHALL be limited to a maximum of three (3) hops from any client-serving node to the nearest gateway.
Initial coverage targets:
-
Indoor: single building or campus (e.g., 500--5,000 m² usable floor area)
-
Outdoor (if permitted): localised area within 200 m radius of gateway nodes
Criterion Target Measurement
Mesh uptime > 99.0% over 14 days Telemetry logs
Client throughput (1 hop) > 50 Mbps downlink iPerf3 test suite
Round-trip latency (1 hop) < 10 ms (P95) ICMP / UDP probe
DFS compliance Zero violations RF monitoring logs
Security posture All BSSs WPA3, PMF Configuration audit required
Telemetry pipeline End-to-end data flow Dashboard review confirmed
Gate decision: Proceed to Phase 2, extend pilot duration, or redesign.
Phase 2 extends the validated Phase 1 configuration across the target territory. This phase introduces multi-site coordination, capacity planning, and operational tooling.
[P2-001] Gateway density SHALL be determined by the traffic model and the maximum acceptable mesh hop count. As a planning guideline, one gateway per 5--10 mesh nodes is typical for moderate-traffic deployments with a 3-hop limit.
[P2-002] Each gateway SHALL have independent upstream backhaul. Single-backhaul-point-of-failure topologies SHALL NOT be deployed at territory scale without documented risk acceptance.
[P2-003] A channel reuse plan SHALL be developed for each territory deployment. The plan SHALL assign channels to nodes to minimise co-channel interference while remaining within regulatory constraints.
[P2-004] 20 MHz channel widths SHOULD be used as the default to maximise the number of non-overlapping channels available for reuse.
[P2-005] Where the 5 GHz band is used, DFS channels SHALL be included in the reuse plan to maximise available spectrum. The plan SHALL account for temporary channel unavailability due to radar detection events.
Territory-scale deployments will typically rely on a mix of upstream backhaul technologies at gateway nodes:
-
Fibre-to-the-premises (FTTP) --- preferred where available for highest throughput and lowest latency
-
DSL (VDSL2 / G.fast) --- acceptable for moderate-traffic gateways
-
Cellular (4G LTE / 5G) --- suitable for gap-filling where wired backhaul is unavailable
-
Satellite (LEO) --- viable for remote or island territories where terrestrial backhaul does not exist
[P2-006] The backhaul technology at each gateway SHALL be documented in the site deployment record, including measured throughput and latency.
[P2-007] A centralised or federated network management system SHALL be deployed before Phase 2 reaches 50 nodes.
The management system SHALL support, at minimum:
-
Remote node provisioning (zero-touch or minimal-touch enrolment)
-
Firmware updates with staged rollout and automatic rollback
-
Fault detection, alerting, and escalation workflows
-
Regulatory profile distribution and enforcement verification
-
Dashboard visualisation of per-node and per-link telemetry
[P2-008] DFS-induced channel changes MUST be logged and monitored. Territories with high radar density (e.g., near airports, harbours, or military installations) SHALL maintain a DFS event log for post-deployment analysis.
[P2-009] Co-channel interference hotspots SHOULD be mapped using periodic RF surveys (automated or manual) and mitigated through channel reassignment or node repositioning.
[P2-010] Maximum client density per node SHALL be configured to preserve quality of service. A planning default of 30 concurrent clients per radio is RECOMMENDED; the actual limit SHALL be determined by traffic profiling during Phase 1.
Criterion Target Measurement
Network availability > 99.5% (30-day Management system rolling)
Coverage area > 80% of target RF survey / territory telemetry
Firmware currency 100% of nodes on Inventory report supported release
Incident response time < 4 hours for Ticket system critical faults
Gate decision: Territory declared operationally stable, or Phase B evaluation triggered for underserved areas.
Phase B is evaluated only when territorial characteristics require coverage extension beyond what Phase A (internal antennas, standard EIRP) can achieve. Typical triggers include sparse rural zones, water crossings, building-to-building campus links exceeding 300 m, or areas without viable gateway backhaul.
Phase B is not assumed to be part of every territorial rollout. It is an opt-in extension that requires explicit regulatory validation per WMABS-SP-001 Section 10.
[PB-001] Phase B nodes MAY use external antennas, including omnidirectional, sectoral, panel, or Yagi-type directional antennas.
[PB-002] All external antennas SHALL have documented gain specifications (dBi). Combined transmitter power and antenna gain SHALL NOT exceed the EIRP limit in the active regulatory profile.
[PB-003] Mast or rooftop mounting hardware SHALL comply with local building codes and structural loading requirements.
[PB-004] Lightning protection (surge arrestors, grounding) SHALL be installed on all outdoor-mounted nodes with external antennas.
[PB-005] Outdoor-rated enclosures for Phase B SHALL meet a minimum ingress protection rating of IP65.
[PB-006] Phase B RF planning SHALL include line-of-sight validation between link endpoints using terrain and building obstruction data.
[PB-007] Link budget calculations SHALL be documented for each Phase B link, including: transmitter power (dBm), cable/connector losses (dB), antenna gain (dBi) at both ends, free-space path loss at the operating frequency and distance, fade margin (minimum 10 dB recommended), and resulting received signal level.
[PB-008] Phase B links SHOULD use the narrowest channel width that meets throughput requirements (20 MHz preferred) to improve link stability and reduce susceptibility to interference.
[PB-009] Phase B deployments MUST be individually validated for compliance with the deployment jurisdiction's regulatory framework. Validation SHALL cover:
-
Legality of outdoor-mounted external antennas in the deployment band
-
Maximum permitted antenna gain
-
Mounting height restrictions, if any
-
Any additional licensing or notification requirements triggered by external antennas or elevated EIRP
[PB-010] Evidence of regulatory validation SHALL be retained in the deployment record for each Phase B site.
Output: Extended coverage bridging sparse or remote zones, with per-site regulatory compliance documentation.
[SO-001] The management plane SHALL support centralised, federated, or hybrid deployment models depending on territorial size and administrative structure.
[SO-002] Node enrolment SHALL use a cryptographic trust chain: each node presents a device certificate (or equivalent credential) that is validated against a trusted root before the node is admitted to the mesh.
[SO-003] Node revocation SHALL be supported: a compromised or non-compliant node SHALL be remotely disabled and its mesh peering credentials invalidated within one hour of a revocation decision.
[SO-004] Regulatory profile updates SHALL be distributable to all nodes in a territory within 24 hours of release, with confirmation of successful application.
[SO-005] Public user traffic and node operational traffic SHALL be logically isolated as specified in WMABS-SP-001 Section 9.3.
[SO-006] Rate limiting SHALL be applied to public-facing BSSs to prevent individual clients from consuming disproportionate bandwidth.
[SO-007] Anomaly detection (e.g., deauthentication flooding, rogue AP impersonation, unusual traffic patterns) SHOULD be implemented at the management plane.
[SO-008] Non-compliant nodes (e.g., nodes transmitting outside regulatory profile constraints) SHALL be automatically disabled by the management plane and flagged for investigation.
[SO-009] Client association data SHALL be retained only for the minimum period required by applicable law and operational necessity.
[SO-010] Telemetry data SHALL NOT include personally identifiable information (PII) unless explicitly required by a lawful obligation.
[SO-011] All data transmitted between nodes and the management plane SHALL be encrypted in transit.
The following risk register identifies the principal threats to a successful territorial rollout and the corresponding mitigation strategies.
ID Risk Likelihood Impact Mitigation
R-01 Regulatory Medium High Indoor-first rollout; Phase B misclassification disabled by default; of outdoor use, per-country regulatory resulting in profile validation before any non-compliance or outdoor deployment enforcement action
R-02 DFS instability in Medium Medium DFS event monitoring; channel radar-heavy regions reuse plans that include causing frequent non-DFS channels as fallback; channel evacuations site surveys near airports and service and harbours disruption
R-03 Power and mounting Medium Medium PoE support to simplify constraints wiring; early site surveys to limiting viable confirm power availability; node locations battery/UPS contingency for critical gateway nodes
R-04 Backhaul scarcity High High Mixed backhaul strategy in target territory (fibre + cellular + preventing adequate satellite); territory scope gateway density adjustment if backhaul availability is below 30%
R-05 Co-channel High Medium 20 MHz default channel width; interference from BSS colouring; pre-deployment dense existing RF survey; node-level Wi-Fi deployments telemetry for ongoing interference monitoring
R-06 Hardware supply Low Medium Early procurement; chain delays for multi-vendor hardware target territory qualification; local warehousing for Phase 2 scale-up
R-07 Firmware Medium High Immutable OS with secure OTA vulnerabilities update; staged rollout with discovered automatic rollback; post-deployment vulnerability disclosure and patching SLA
A territory SHALL be declared rollout-ready only when all of the following criteria are satisfied:
# Criterion Evidence Required
1 Regulatory profile is approved, signed, Signed profile file + and loaded into the management system validation log
2 Phase 1 pilot meets all exit criteria Pilot report with test (Section 5.4) results
3 Hardware supply chain is validated for Supplier confirmation / the target territory (procurement lead PO records time < 6 weeks)
4 Operational tooling (management system, System acceptance test telemetry pipeline, alerting) is deployed report and verified
5 Phase B decision is explicitly accepted Phase B decision record
or rejected for this territory, with
documented rationale
6 Backhaul availability at gateway sites is Backhaul test results confirmed and tested per site
7 Local operations team is trained on node Training completion installation, troubleshooting, and records escalation procedures
The rollout-ready declaration SHALL be signed by the Programme Director and Regulatory Compliance lead before Phase 2 deployment begins.
Annex A Node Hardware Reference Configuration (Informative)
The following table provides a reference hardware configuration for WMABS nodes. Actual specifications may vary by vendor and deployment requirements. These values are informative and are not normative requirements.
Component Phase A (Baseline) Phase B (Extended)
Processor ARM Cortex-A53 quad-core, Same or higher 1.5 GHz or equivalent
RAM 2 GB DDR4 2--4 GB DDR4
Storage 16 GB eMMC 16--32 GB eMMC/SSD
Radio (access) Dual-band 802.11ax, 2x2 Same MIMO, internal antenna
Radio Shared with access radio Dedicated 5 GHz 802.11ax, (backhaul) 2x2 MIMO
Antenna Internal omnidirectional, Same or external omni (access) 3--5 dBi
Antenna N/A (shared) External directional, (backhaul) 12--23 dBi
Power 12 V DC / PoE (802.3af, PoE+ (802.3at, 30 W) 15.4 W)
Enclosure Indoor: ventilated Outdoor: IP65 aluminium, plastic, 0--40 °C −20 to +55 °C
Security TPM 2.0 (recommended) TPM 2.0 (recommended)
Ethernet 1x Gigabit Ethernet 1--2x Gigabit Ethernet (RJ-45)
Annex B Requirement Traceability Index (Informative)
This annex provides a summary index of all normative requirements for traceability and compliance verification.
Req. Section Level Summary ID
P0-001 4.1 SHALL Identify national regulator and RLAN rules
P0-003 4.1 SHALL Create signed regulatory profile per WMABS-SP-001 Annex A
P0-005 4.2 SHALL Perform preliminary RF propagation assessment
P1-001 5.1.1 SHALL Node SoC: sustained 300 Mbps forwarding with crypto
P1-004 5.1.2 SHALL Dual-band 802.11ax radio, simultaneous 2.4/5 GHz
P1-010 5.2.1 SHALL Minimal Linux OS with immutable root filesystem
P1-018 5.2.5 SHALL Collect and report telemetry at configurable intervals
P2-001 6.1.1 SHALL Gateway density determined by traffic model and hop count
P2-007 6.2 SHALL Centralised management before 50 nodes
PB-002 7.1 SHALL External antenna gain + Tx power within EIRP limit
PB-009 7.3 MUST Per-site regulatory validation for Phase B
SO-002 8.1 SHALL Cryptographic trust chain for node enrolment
SO-005 8.2 SHALL Public/operational traffic isolation
Note: This table is a representative subset. The complete requirement register SHALL be maintained in the project requirements management tool.