[OLSR-users] Authentication in MANET topology (long & dry)
John Gorkos
Sun Mar 28 00:33:44 CET 2004
MANET gurus:
I've killed a few brain cells over the last few days, and I'm no closer to a
solution than before.
The Problem:
A Wireless Internet Service Provider wants to limit access to his 802.11b,
large scale mesh network while still maintaining flexibility and minimal user
involvement.
The Old Solution:
In a typical (hub-spoke) WISP, security/authentication is usually done by
creating a tunnel over the wireless portion of the physical connection
between the customer and the service provider. Traditional home/SOHO routers
(like the Linksys BEFWS4 or D-Link DI-604) have PPPOE or PPTP available as
connection methods. The ISP then installs a router at each customer premise,
hooks the customer machines up to the lan side, a wireless radio to the WAN
side, and the customer is "magically" linked to the ISP. Only connections to
the ISP router that come in through an authenticated PPPOE or PPTP connection
are forwarded on to the internet. Works great in a spoke-hub architecture,
but doesn't work for a mesh.
The new goal:
I mean to build an open, robust network authentication system that will work
in a meshed ad-hoc wireless network (using OLSR as the routing protocol).
The system needs to be user-transparent (or minimally invasive) and prevent
unauthorized use of internet bandwidth. It should be able to work in a
meshed network with any number of takeout points, directly connected to the
internet.
The real beast of this is when you get to multiple gateways. Using PPPOE
doesn't work across routers, so that's out. PPTP works, but where do you put
the server? At the border of the mesh? That won't really work, because what
happens when the gateway internet connection drops? The beauty of a mesh is
that packets will just go to another gateway. So that leaves us with putting
the PPTP server outside the mesh completely. That preserves the mesh's
ability to route packets to the best gateway, but the cost in bandwidth could
be high. For example, let's say I have two gateways in my mesh: one is a
DSL connection and the other a cable modem. My PPTP server is located at the
end of a T1 line in a NOC. Three different connections to the internet.
Now, a customer node fires up inside the mesh, creates a PPTP tunnel through
the closest gateway (say it's the DSL connection), through the internet, and
down the T1 to the server. That works, because even if the DSL connection
goes down, OLSR ensures the PPTP packets get to the PPTP server on the
gateway. The problem is, every time the user makes a web request, the
request goes over the PPTP connection down the T1 to the server, where it
turns the request around and sends it right back down the T1 to the internet.
The response comes back to the server down the same T1, where it gets PPTP
encapsulated and sent BACK over the T1 to the cable modem, and back on to the
mesh.
MAC authentication, etc, is a thought, but what happens when you have multiple
customers behind 1 MAC address (remember, on a WRT54g, you can split the 4
ethernet ports into 4 separate VLANs, so you can service 4 customers with one
radio)? We can't give everyone connected to a radio access just because one
user has it...
This is a stumper, but it's got to have a solution that isn't impossibly hard
or expensive to implement. Anyone else run into this, and found a working
solution?
John Gorkos
Wildcat Wireless
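The T1 hairpin described in the post, as an added example that is not part of the original message: a small Python model (assumed link names, a constructed 40-byte per-packet tunnel overhead, and the post's case of the request leaving via the DSL gateway while the reply comes back via the cable modem) that counts the bytes each link carries for one request/response with the PPTP server at the NOC, versus a plain untunnelled exchange.

```python
from collections import Counter

# Assumed PPTP/GRE+IP encapsulation cost per packet on each tunnelled hop (constructed value).
TUNNEL_OVERHEAD = 40


def load_for(hops, size):
    """Bytes each link carries for one packet of `size` bytes along `hops`.

    `hops` is a list of (link_name, tunnelled) pairs; a tunnelled hop carries
    the encapsulation overhead in addition to the payload.
    """
    load = Counter()
    for link, tunnelled in hops:
        load[link] += size + (TUNNEL_OVERHEAD if tunnelled else 0)
    return load


def tunnelled_exchange(request, response, gw_out="dsl", gw_in="cable"):
    """Per-link bytes when the PPTP server sits at the end of the NOC's T1."""
    # Request: customer -> closest gateway -> internet -> T1 -> PPTP server (inside the
    # tunnel), then the server turns it around: T1 -> internet -> web site (plain).
    req_path = [("mesh", True), (gw_out, True), ("internet", True), ("t1", True),
                ("t1", False), ("internet", False)]
    # Response: web site -> internet -> T1 -> server (plain), then re-encapsulated:
    # T1 -> internet -> whichever gateway OLSR now prefers -> mesh.
    resp_path = [("internet", False), ("t1", False),
                 ("t1", True), ("internet", True), (gw_in, True), ("mesh", True)]
    return load_for(req_path, request) + load_for(resp_path, response)


def direct_exchange(request, response, gw="dsl"):
    """Per-link bytes with no tunnel: customer -> gateway -> internet and back."""
    return (load_for([("mesh", False), (gw, False), ("internet", False)], request)
            + load_for([("internet", False), (gw, False), ("mesh", False)], response))


if __name__ == "__main__":
    tunnelled = tunnelled_exchange(500, 1500)
    direct = direct_exchange(500, 1500)
    # The T1 carries every customer byte twice (in to the server and out again),
    # plus tunnel overhead, while it carries nothing at all in the direct case.
    print("t1 load, tunnelled:", tunnelled["t1"], " direct:", direct["t1"])
    for link in ("mesh", "dsl", "cable", "internet"):
        print(f"{link:8} tunnelled={tunnelled[link]:5}  direct={direct[link]:5}")
```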