[Olsr-dev] New OLSRd Plugin (derivative of olsrd_secure)

Will Hawkins (spam-protected)
Sat Dec 29 06:50:35 CET 2012


 
On Thursday, December 27, 2012 04:03 EST, Henning Rogge <(spam-protected)> wrote: 
 
> Exactly.
> 
> Which means (in terms of security) that signing packets is only hop-by-hop
> security, not end-to-end security. Signing the outgoing multicast-packets
> with a static shared key would do the same job.

Thanks Saverio and Henning for your responses. That all seems to match up with our goal for this plugin. As I said earlier, having this hop-by-hop security mechanism is just one layer in a defense-in-depth approach to security. 

Thanks again!
Will

> 
> Henning
> On Dec 27, 2012 9:32 AM, "Saverio Proto" <(spam-protected)> wrote:
> 
> > > I'm not 100% sure that I understand the distinction, but I believe that we
> >
> > OLSR messages such as HELLO, TC, HNA have their structure, see RFC or
> > the structs defined in the C code.
> >
> > The OLSR packet is a network packet that can hold many OLSR messages
> > at the same time.
> >
> > OLSR packets are exchanged just within 1-hop neighbors, OLSR messages
> > are flooded all around the network.
> >
> > Saverio
> >
> >
> >
> > > > do both. We sign the messages for negotiating signing parameters with
> > > > neighbors and then we sign the OLSR packets as they are being prepared for
> > > > transmission to neighbors. The plugin adds itself to OLSR as a packet
> > > > transform function and as a preprocessor.
> > >
> > > > The structure of this plugin is taken directly from the olsrd-secure plugin.
> > > > It's possible that the authors of that plugin might know better how to
> > > > answer this question.
> > >
> > > I hope that answers your question!
> > >
> > > Will
> > >
> > >
> > >>
> > >> Henning
> > >>
> > >> On Sun, Dec 23, 2012 at 5:46 AM, Will Hawkins
> > >> <(spam-protected)> wrote:
> > >>>
> > >>> On 12/22/2012 03:27 AM, Henning Rogge wrote:
> > >>>>
> > >>>>
> > >>>> I am just curious,
> > >>>>
> > > >>>> have you also experimented with using IPsec with a static shared
> > > >>>> key to encrypt/sign your traffic hop-by-hop?
> > >>>
> > >>>
> > >>>
> > >>> Hello Henning!
> > >>>
> > > >>> Yes, we have experimented with that. We are also actively pursuing AuthSAE
> > > >>> support (from the 802.11s protocol) for doing zero-knowledge link
> > > >>> encryption. We plan on using both link encryption and route signing as part
> > > >>> of a defense-in-depth strategy.
> > >>>
> > > >>> Thank you for taking the time to review this submission. Please continue to
> > > >>> email questions and I will continue to answer them as I am able. :-)
> > >>>
> > >>> Will
> > >>>
> > >>>
> > >>>>
> > >>>> Henning Rogge
> > >>>>
> > >>>> On Fri, Dec 21, 2012 at 9:25 PM, Will Hawkins
> > >>>> <(spam-protected)> wrote:
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>> On 12/21/2012 12:25 PM, Ferry Huberts wrote:
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>> On 21/12/12 17:54, Will Hawkins wrote:
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> On 12/21/2012 07:51 AM, Saverio Proto wrote:
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> Hello,
> > >>>>>>>>
> > > >>>>>>>> do you have your git branch published somewhere on the web?
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > > >>>>>>> No, but I could easily make that happen. You could just pull from that
> > > >>>>>>> to review the code then, right?
> > >>>>>>>
> > >>>>>>
> > > >>>>>> I think we would happily look at your code but you have to make it easy
> > > >>>>>> for us to understand it ;-)
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>> I'm happy to make it easy for you to understand, once I understand it
> > >>>>> :-) Just kidding, of course.
> > >>>>>
> > >>>>> I posted the repo with the mdp branch to github under
> > >>>>> https://github.com/opentechinstitute/olsrd-mdp
> > >>>>>
> > > >>>>> As I said previously, this relies heavily on olsrd-secure and I followed
> > > >>>>> their style (which hopefully matches up with the project's general style).
> > >>>>>
> > >>>>> I look forward to your feedback. Happy Friday everyone!
> > >>>>>
> > >>>>> Will
> > >>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>> Will
> > >>>>>>>
> > >>>>>>>>
> > >>>>>>>> Saverio
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> 2012/12/20 Will Hawkins <(spam-protected)>:
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>> Hello everyone!
> > >>>>>>>>>
> > > >>>>>>>>> The Open Technology Institute has created a new plugin for OLSRd known
> > > >>>>>>>>> as olsrd_mdp (Mesh Datagram Protocol [MDP] Secure OLSR). The plugin
> > > >>>>>>>>> integrates OLSRd with Serval to create a mechanism for signing OLSR
> > > >>>>>>>>> packets with a shared private key stored in a Serval keyring. This
> > > >>>>>>>>> plugin is a derivative of the olsrd_secure plugin.
> > >>>>>>>>>
> > > >>>>>>>>> Serval is a mesh networking project out of Australia
> > > >>>>>>>>> (http://www.servalproject.org). One of their main products, serval-dna,
> > > >>>>>>>>> includes a keyring that stores (and optionally locks) a set of
> > > >>>>>>>>> public/private keypairs. olsrd_mdp takes a private key from Serval's
> > > >>>>>>>>> key ring and uses it to sign OLSR packets.
> > >>>>>>>>>
> > >>>>>>>>> It differs from olsrd_secure in a few ways:
> > >>>>>>>>>
> > > >>>>>>>>> 1. olsrd_mdp is configured with a key identifier. The key identifier
> > > >>>>>>>>> allows the user to specify which keypair from the Serval keyring will
> > > >>>>>>>>> sign packets.
> > >>>>>>>>>
> > >>>>>>>>> 2. olsrd_mdp allows for variable-length keys.
> > >>>>>>>>>
> > >>>>>>>>> 3. olsrd_mdp salts AND signs OLSR packets with a private key.
> > >>>>>>>>>
> > > >>>>>>>>> We would really like to share this plugin with the OLSRd community. We
> > > >>>>>>>>> developed the plugin in a branch off of master but the plugin requires
> > > >>>>>>>>> Serval's serval-dna development kit to compile. This brings up two
> > > >>>>>>>>> questions:
> > >>>>>>>>>
> > > >>>>>>>>> 1. How do plugin makefiles alert the user that they need configuration
> > > >>>>>>>>> to compile correctly? The necessary parameter is documented in the
> > > >>>>>>>>> olsrd_mdp README file. Is there another better way to document this?
> > >>>>>>>>>
> > > >>>>>>>>> 2. What is the best way to submit the plugin for review for possible
> > > >>>>>>>>> inclusion? I did my best to follow OLSRd code standards while
> > > >>>>>>>>> developing, but I'd appreciate your feedback in spotting the places
> > > >>>>>>>>> where I inevitably messed up.
> > >>>>>>>>>
> > > >>>>>>>>> Thanks for reading this rather long message. We are really excited about
> > > >>>>>>>>> the possibility of sharing this plugin with the OLSRd community.
> > >>>>>>>>>
> > >>>>>>>>> Talk to you soon!
> > >>>>>>>>> Will
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>> --
> > >>>>>>>>> Olsr-dev mailing list
> > >>>>>>>>> (spam-protected)
> > >>>>>>>>> https://lists.olsr.org/mailman/listinfo/olsr-dev
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>
> > >>>>>>
> > >>>>>
> > >>>>> --
> > >>>>> Olsr-dev mailing list
> > >>>>> (spam-protected)
> > >>>>> https://lists.olsr.org/mailman/listinfo/olsr-dev
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>
> > >>
> > >>
> > >>
> > >
> > >
> > > --
> > > Olsr-dev mailing list
> > > (spam-protected)
> > > https://lists.olsr.org/mailman/listinfo/olsr-dev
> >
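
Added example, not part of the original thread and not code from olsrd_mdp or olsrd_secure: a model of the packet/message distinction discussed above, showing what a per-packet signature made with a static shared key does and does not tell the receiver. HMAC-SHA256 stands in for the plugin's signing scheme, and the key, addresses, JSON encoding and function names are all constructed for illustration.

```python
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-shared-key"  # constructed; held by every legitimate node


def sign_packet(messages, key):
    """Pack OLSR-style messages into one packet and MAC the packet body."""
    body = json.dumps(messages, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).digest()}


def verify_packet(packet, key):
    """Return the contained messages if the packet MAC is valid, else None."""
    expected = hmac.new(key, packet["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, packet["tag"]):
        return None
    return json.loads(packet["body"])


def relay(packet, key, rewrite=None):
    """One hop: verify the neighbor's packet, then re-pack and re-sign the
    messages for the next neighbor. `rewrite` models a key-holding relay
    that alters a flooded message before passing it on."""
    messages = verify_packet(packet, key)
    if messages is None:
        return None  # dropped: sender did not hold the shared key
    if rewrite is not None:
        messages = [rewrite(m) for m in messages]
    return sign_packet(messages, key)


def run_scenario():
    # Constructed sample: node A originates a TC message, B relays it to C.
    tc = {"type": "TC", "originator": "10.0.0.1", "neighbors": ["10.0.0.2"]}
    from_a = sign_packet([tc], SHARED_KEY)

    honest = relay(from_a, SHARED_KEY)
    altered = relay(from_a, SHARED_KEY,
                    rewrite=lambda m: {**m, "neighbors": ["10.0.0.99"]})
    outsider = sign_packet([tc], b"not-the-mesh-key")

    return {
        "honest_relay": verify_packet(honest, SHARED_KEY),
        "altered_by_key_holder": verify_packet(altered, SHARED_KEY),
        "outsider_packet": verify_packet(outsider, SHARED_KEY),
    }


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(case, "->", result)
```

Node C accepts both relayed packets and rejects only the one from a sender without the key, so the packet signature authenticates the previous hop but not the originator's message content, which is why it is one layer rather than end-to-end protection.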
 
 
 
 





