<p dir="ltr">Exactly.</p>
<p dir="ltr">Which means (in terms of security) that signing packets is only hop-by-hop security, not end-to-end security. Signing the outgoing multicast packets with a static shared key would do the same job.</p>
<p dir="ltr">Henning</p>
<div class="gmail_quote">On Dec 27, 2012 9:32 AM, "Saverio Proto" &lt;<a href="mailto:zioproto@gmail.com">zioproto@gmail.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
> I'm not 100% sure that I understand the distinction, but I believe that we<br>
<br>
OLSR messages such as HELLO, TC, HNA have their structure, see RFC or<br>
the structs defined in the C code.<br>
<br>
The OLSR packet is a network packet that can hold many OLSR messages<br>
at the same time.<br>
<br>
OLSR packets are exchanged just within 1-hop neighbors, OLSR messages<br>
are flooded all around the network.<br>
<br>
Saverio<br>
<br>
<br>
<br>
> do both. We sign the messages for negotiating signing parameters with<br>
> neighbors and then we sign the OLSR packets as they are being prepared for<br>
> transmission to neighbors. The plugin adds itself to OLSR as a packet<br>
> transform function and as a preprocessor.<br>
><br>
> The structure of this plugin is taken directly from the olsrd-secure plugin.<br>
> It's possible that the authors of that plugin might know better how to<br>
> answer this question.<br>
><br>
> I hope that answers your question!<br>
><br>
> Will<br>
><br>
><br>
>><br>
>> Henning<br>
>><br>
>> On Sun, Dec 23, 2012 at 5:46 AM, Will Hawkins<br>
>> &lt;<a href="mailto:hawkinsw@opentechinstitute.org">hawkinsw@opentechinstitute.org</a>&gt; wrote:<br>
>>><br>
>>> On 12/22/2012 03:27 AM, Henning Rogge wrote:<br>
>>>><br>
>>>><br>
>>>> I am just curious,<br>
>>>><br>
>>>> have you also experimented with using IPsec with a static shared<br>
>>>> key to encrypt/sign your traffic hop-by-hop?<br>
>>><br>
>>><br>
>>><br>
>>> Hello Henning!<br>
>>><br>
>>> Yes, we have experimented with that. We are also actively pursuing AuthSAE<br>
>>> support (from the 802.11s protocol) for doing zero-knowledge link<br>
>>> encryption. We plan on using both link encryption and route signing as part<br>
>>> of a defense-in-depth strategy.<br>
>>><br>
>>> Thank you for taking the time to review this submission. Please continue to<br>
>>> email questions and I will continue to answer them as I am able. :-)<br>
>>><br>
>>> Will<br>
>>><br>
>>><br>
>>>><br>
>>>> Henning Rogge<br>
>>>><br>
>>>> On Fri, Dec 21, 2012 at 9:25 PM, Will Hawkins<br>
>>>> &lt;<a href="mailto:hawkinsw@opentechinstitute.org">hawkinsw@opentechinstitute.org</a>&gt; wrote:<br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>> On 12/21/2012 12:25 PM, Ferry Huberts wrote:<br>
>>>>>><br>
>>>>>><br>
>>>>>><br>
>>>>>><br>
>>>>>> On 21/12/12 17:54, Will Hawkins wrote:<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>> On 12/21/2012 07:51 AM, Saverio Proto wrote:<br>
>>>>>>>><br>
>>>>>>>><br>
>>>>>>>> Hello,<br>
>>>>>>>><br>
>>>>>>>> do you have your git branch published somewhere on the web?<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>> No, but I could easily make that happen. You could just pull from that<br>
>>>>>>> to review the code then, right?<br>
>>>>>>><br>
>>>>>><br>
>>>>>> I think we would happily look at your code but you have to make it easy<br>
>>>>>> for us to understand it ;-)<br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>> I'm happy to make it easy for you to understand, once I understand it<br>
>>>>> :-) Just kidding, of course.<br>
>>>>><br>
>>>>> I posted the repo with the mdp branch to github under<br>
>>>>> <a href="https://github.com/opentechinstitute/olsrd-mdp" target="_blank">https://github.com/opentechinstitute/olsrd-mdp</a><br>
>>>>><br>
>>>>> As I said previously, this relies heavily on olsrd-secure and I followed<br>
>>>>> their style (which hopefully matches up with the project's general style).<br>
>>>>><br>
>>>>> I look forward to your feedback. Happy Friday everyone!<br>
>>>>><br>
>>>>> Will<br>
>>>>><br>
>>>>>><br>
>>>>>><br>
>>>>>><br>
>>>>>><br>
>>>>>>> Will<br>
>>>>>>><br>
>>>>>>>><br>
>>>>>>>> Saverio<br>
>>>>>>>><br>
>>>>>>>><br>
>>>>>>>> 2012/12/20 Will Hawkins &lt;<a href="mailto:hawkinsw@opentechinstitute.org">hawkinsw@opentechinstitute.org</a>&gt;:<br>
>>>>>>>>><br>
>>>>>>>>><br>
>>>>>>>>> Hello everyone!<br>
>>>>>>>>><br>
>>>>>>>>> The Open Technology Institute has created a new plugin for OLSRd known<br>
>>>>>>>>> as olsrd_mdp (Mesh Datagram Protocol [MDP] Secure OLSR). The plugin<br>
>>>>>>>>> integrates OLSRd with Serval to create a mechanism for signing OLSR<br>
>>>>>>>>> packets with a shared private key stored in a Serval keyring. This<br>
>>>>>>>>> plugin is a derivative of the olsrd_secure plugin.<br>
>>>>>>>>><br>
>>>>>>>>> Serval is a mesh networking project out of Australia<br>
>>>>>>>>> (<a href="http://www.servalproject.org" target="_blank">http://www.servalproject.org</a>). One of their main products, serval-dna,<br>
>>>>>>>>> includes a keyring that stores (and optionally locks) a set of<br>
>>>>>>>>> public/private keypairs. olsrd_mdp takes a private key from Serval's key<br>
>>>>>>>>> ring and uses it to sign OLSR packets.<br>
>>>>>>>>><br>
>>>>>>>>> It differs from olsrd_secure in a few ways:<br>
>>>>>>>>><br>
>>>>>>>>> 1. olsrd_mdp is configured with a key identifier. The key identifier<br>
>>>>>>>>> allows the user to specify which keypair from the Serval keyring will<br>
>>>>>>>>> sign packets.<br>
>>>>>>>>><br>
>>>>>>>>> 2. olsrd_mdp allows for variable-length keys.<br>
>>>>>>>>><br>
>>>>>>>>> 3. olsrd_mdp salts AND signs OLSR packets with a private key.<br>
>>>>>>>>><br>
>>>>>>>>> We would really like to share this plugin with the OLSRd community. We<br>
>>>>>>>>> developed the plugin in a branch off of master but the plugin requires<br>
>>>>>>>>> Serval's serval-dna development kit to compile. This brings up two<br>
>>>>>>>>> questions:<br>
>>>>>>>>><br>
>>>>>>>>> 1. How do plugin makefiles alert the user that they need configuration<br>
>>>>>>>>> to compile correctly? The necessary parameter is documented in the<br>
>>>>>>>>> olsrd_mdp README file. Is there another better way to document this?<br>
>>>>>>>>><br>
>>>>>>>>> 2. What is the best way to submit the plugin for review for possible<br>
>>>>>>>>> inclusion? I did my best to follow OLSRd code standards while<br>
>>>>>>>>> developing, but I'd appreciate your feedback in spotting the places<br>
>>>>>>>>> where I inevitably messed up.<br>
>>>>>>>>><br>
>>>>>>>>> Thanks for reading this rather long message. We are really excited about<br>
>>>>>>>>> the possibility of sharing this plugin with the OLSRd community.<br>
>>>>>>>>><br>
>>>>>>>>> Talk to you soon!<br>
>>>>>>>>> Will<br>
>>>>>>>>><br>
>>>>>>>>><br>
>>>>>>>>> --<br>
>>>>>>>>> Olsr-dev mailing list<br>
>>>>>>>>> <a href="mailto:Olsr-dev@lists.olsr.org">Olsr-dev@lists.olsr.org</a><br>
>>>>>>>>> <a href="https://lists.olsr.org/mailman/listinfo/olsr-dev" target="_blank">https://lists.olsr.org/mailman/listinfo/olsr-dev</a><br>
>>>>>>>><br>
>>>>>>>><br>
>>>>>>>><br>
>>>>>>><br>
>>>>>><br>
>>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>><br>
>><br>
>><br>
>><br>
><br>
><br>
</blockquote></div>
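<p dir="ltr">An added example, not part of the thread and not code from olsrd, olsrd-secure or olsrd_mdp: a model of the packet/message distinction discussed above, showing what a packet-level signature with a mesh-wide shared key tells a receiver. HMAC-SHA256 stands in for the signature and JSON for the OLSR wire format; the key, addresses and function names are constructed for illustration.</p>

```python
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-mesh-wide-key"   # constructed sample value
TAG_LEN = 32                                 # SHA-256 output size


def build_packet(key, messages):
    """Serialize OLSR-style messages into one packet and append a packet MAC."""
    body = json.dumps(messages, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_packet(key, packet):
    """Return the messages if the packet MAC verifies, otherwise None."""
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def relay(key, packet, rewrite=None):
    """Model a 1-hop neighbour: verify, optionally alter messages, re-sign.

    Messages are flooded, so every relay rebuilds and re-signs the packet.
    """
    messages = open_packet(key, packet)
    if messages is None:
        return None                      # drop: sender did not hold the key
    if rewrite is not None:
        messages = [rewrite(m) for m in messages]
    return build_packet(key, messages)


def demo():
    """Node A originates a TC message; node C checks what arrives via a relay."""
    tc = {"type": "TC", "originator": "10.0.0.1", "neighbors": ["10.0.0.2"]}
    from_a = build_packet(SHARED_KEY, [tc])
    honest = open_packet(SHARED_KEY, relay(SHARED_KEY, from_a))
    altered = open_packet(SHARED_KEY, relay(
        SHARED_KEY, from_a, lambda m: {**m, "neighbors": ["10.0.0.9"]}))
    outsider = open_packet(SHARED_KEY, build_packet(b"not-the-key", [tc]))
    return honest, altered, outsider
```

<p dir="ltr">The packet check rejects a sender without the key, but it accepts a message changed by any key-holding relay, because the signature covers the hop and not the originator's message.</p>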