[olsr-dev] olsrd secure plugin

Sven-Ola Tuecke (spam-protected)
Wed Feb 23 12:20:19 CET 2005

Hi Jon,

Most crypto/key/trust systems will introduce a centralized instance into the 
system - or (worse) make things really complicated. I personally have 
arguments against both ;-) According to the KISS papers - the current secure 
plugin will do what I suggest, simply rip people off their anon hideout and 
offer a valid email address for administrative purposes to the community.

Regards, Sven-Ola

"Jon Andersson" <(spam-protected)> wrote in message:
> Hello,
> I would suggest that you looked a bit further, and considered updates to the
> security plugin, e.g.
> - automatic generation, change and/or update of the static, pre-shared key
> (Static keys make my skin crawl...)
> - automated re-keying to exclude users
> - authentication of users
> - etc...
> The solution selected in the security plugin (static, pre-shared key) was
> only meant as a simple proof of concept.
> Unfortunately we never got around to changing it to something better :-(
> I know there has been made extensions on the security plugin that covers
> parts of what I described above, but the paper describing it has not been
> published yet.
> Regards,
> Jon
>>thanks for your reply. Well, here in Berlin we are working on a small
>>registry system to manage IPs and participants. For now, nearly all users
>>are cooperative which means there is always a chance to make an email note
>>to the one injecting wrong/disfunct HNA4s.
>>To be prepared for the things to come it's always good to have options. One
>>of these options will be the secure plugin - we may distribute the key via
>>email just to make sure the database entry of a participant is correct. If
>>rejecting HNAs is not an option, there are plenty of methods left for
>>adjusted responses to administrative/technical problems anyhow.
>>Regards, Sven-Ola
>>"Andreas Tønnesen" <(spam-protected)> wrote in message:
>>> Hi Sven,
>>> The secure plugin only uses a SHA-1 hash function from openSSL as far as I
>>> can remember. I just used the openSSL lib since it is the most widespread
>>> lib for these things. I think it's a good idea to use a much smaller lib,
>>> (or perhaps include hashing code in the plugin?). All you really need is a
>>> hashing function, so if MatrixSSL supports SHA-1/MD5 etc. (which I guess
>>> it does), it should work fine :)
>>> Regarding your HNA blocking question that is a rather tricky one. This has
>>> been discussed before and I believe we came to the conclusion that it would
>>> not be supported in official olsrd code. The problem is that this kind of
>>> functionality has to be distributed if we are to avoid routing loops.
>>> I think the best way is to create a plugin that will broadcast a set of
>>> IPs to ignore when parsing HNA messages. But then there is the security
>>> issue...
>>> I fully agree that this would be a useful feature but IMO it can only be
>>> done if it is distributed.
>>> - Andreas
>>>> Hello once more,
>>>> while I'm in questioning mode - the secure olsr plugin relies on the OpenSSL
>>>> library which is really huge (in terms of flash/disk space usage). Is there
>>>> a chance to link it against MatrixSSL?
>>>> Regards,
>>>> Sven-Ola
>>>> _______________________________________________
>>>> olsr-dev mailing list
>>>> (spam-protected)
>>>> https://www.olsr.org/mailman/listinfo/olsr-dev
>>> ---------
>>> Andreas Tønnesen
>>> http://www.olsr.org
