[Olsr-dev] "Secure" Mesh networks

Sven-Ola Tuecke (spam-protected)
Tue Feb 9 19:34:36 CET 2010


John,

interesting plan. Sorry to be harsh - I taxed you as the average 
encryption-does-it-all bloke. Those normally tend to think that their 
knowledge about some crypto gives them an advantage over others.

That baby-cam approach works. Yes - limited area only. We have seen that in 
practice by a community member calling the RegTp (sort of FCC in Germany). 
They have impressive equipment, but the rule says: shared medium, no need to 
put up cooperative radios (such as all-wifi, sharing a channel). So they 
solved it by convincing (!forcing) the baby-cam owner. Obviously a cooperative 
approach too...

The iptables approach should work, because you already have a trusted 
environment: you - and only you - can log in to those routers, probably with 
ssh-pubkey. For a typical mesh meant to share some service this is sufficient 
to keep out the bad boys.

For a mesh with a critical resource such as your emergency thing, you may want 
more. Those military boys are also interested in that topic for their meshed 
battlefield robots I presume. Maybe it helps to google some patent databases 
on that topic...

// Sven-Ola

On Tuesday 09 February 2010 18:58:43, John Barrett wrote:
[snipp]
> I plan on publishing both the firmware and the website that will support
> this system. If someone wants to use it to make a public network, then
> more power to them !! I'll even allow them to use my website to manage
> their certificates if they want !! I'm taking into account that not all
> amateur organizations may want to be part of the nation wide mesh that I
> would like to create. It wouldn't make much sense for a network in DE or
> UK to compete with each other or the US for a limited pool of IP
> addresses (16 million per mesh using the current addressing scheme), so
> the website is going to support creating multiple logical mesh clouds.
[snapp]
> The mesh in question will generally be used for accessing the internet,
> and accessing a few servers on the mesh (mail, web, voip).
>
> But when the crunch comes, the mesh will be used for emergency
> communications.
>
> I am unhappy with other solutions for securing the mesh that have been
> proposed by amateur operators, the foremost being to shift the base
> frequency of the router so that it is no longer lined up on the standard
> channel frequencies. Most new operators do not have the electronics
> skills to make these modifications, so my preference is to stick to
> unmodified hardware.
>
> As demonstrated by events such as Katrina, when a disaster occurs that
> results in a call up of em comm resources, they are drawn from all over
> the country. If there is to be a mesh network run by amateurs, then
> there has to be a standard in place in advance that will allow operators
> to connect to the mesh without any (and I mean ANY) need to configure their
> nodes upon arrival on scene. They should drive up, power up, and given
> the needed peer links, be able to immediately provide access to the
> services needed.
>
> 1. I want the over-the-air traffic reasonably secure from sniffing (WPA
> is as good as it gets right now)
> 2. I only want authorized nodes on the mesh (certificates and TLS
> handshake + key exchange is workable)
> 3. I want to be able to block out rogue nodes with stolen certs
> (certificate revocation list handles this one, and should be a rare
> occurrence -- amateur operators protect their gear)
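The certificate-plus-CRL admission check John lists as points 2 and 3, as an added example that is not part of this thread or of the olsrd project: a self-signed mesh CA issues one certificate per node, publishes a CRL for stolen certificates, and each node checks a peer's certificate against both after the TLS handshake. It uses the Python cryptography library; the CA name and the callsign placeholders are assumptions.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC, DAY = datetime.timezone.utc, datetime.timedelta(days=1)
_name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def new_cert(cn, days, ca=None):
    # ca=None -> self-signed mesh CA; ca=(ca_key, ca_cert) -> node cert issued by that CA.
    key = ec.generate_private_key(ec.SECP256R1())
    sign_key, issuer = (key, _name(cn)) if ca is None else (ca[0], ca[1].subject)
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + days * DAY)
            .add_extension(x509.BasicConstraints(ca=ca is None, path_length=None), critical=True)
            .sign(sign_key, hashes.SHA256()))
    return key, cert

def build_crl(ca_key, ca_cert, revoked_serials):
    # Point 3: the CA publishes a signed list of serials for stolen or lost node certs.
    now = datetime.datetime.now(UTC)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now).next_update(now + 7 * DAY))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(now).build())
    return b.sign(ca_key, hashes.SHA256())

def _window_utc(cert):  # tz-aware accessors exist in cryptography >= 42, naive ones before
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)

def node_authorized(cert, ca_cert, crl):
    """Points 2 and 3: peer cert signed by the mesh CA, currently valid, not on the CA's CRL."""
    if (cert.issuer != ca_cert.subject or crl.issuer != ca_cert.subject
            or not crl.is_signature_valid(ca_cert.public_key())):
        return False
    try:  # a cert from another CA, or a forged one, fails here
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    nb, na = _window_utc(cert)
    return (nb <= datetime.datetime.now(UTC) <= na
            and crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None)
```

The CN values "NODE-A" style callsigns below are constructed placeholders; a deployment would also check CRL freshness (next_update) before trusting a cached copy.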