[Olsr-users] PKI architecture for freifunk/funkfeier[was Rogue gateways]

Henning Rogge (spam-protected)
Fri Jan 30 13:02:21 CET 2009

Am Friday 30 January 2009 12:02:23 schrieb Bernd Petrovitsch:
> On Fri, 2009-01-30 at 11:42 +0100, Henning Rogge wrote:
> > Am Friday 30 January 2009 11:30:46 schrieb Bernd Petrovitsch:
> > > On Fri, 2009-01-30 at 10:56 +0100, Henning Rogge wrote:
> > > [...]
> > >
> > > > as we are talking about security, I would like to share some ideas
> > > > about a useful and acceptable PKI architecture for Freifunk/Funkfeuer
> > > > networks.
> > > >
> > > > Theoretically we could just set up a central PKI (which would make
> > > > things very easy), but this would allow the owner/maintainer of the
> > > > PKI to control the whole network. This is not acceptable for a
> > > > community project like Freifunk and Funkfeuer.
> > > >
> > > > My idea is that each gateway to the internet set up it's own PKI root
> > > > key. The owners of the gateways can build something like a web of
> > > > trust between each other.
> > >
> > > So when a "network" administratively forces a limited set of gateways,
> > > you have exactly the situation you wanted above to avoid.
> >
> > No, you can just open your own gateway and begin your own PKI root... and
> > ask
> Assume a network using public IPs: I don't think that a random ISP
> customer (as seen from the ISP) has success in getting the ISP to speak
> BGPv4 with him.
If you want use public IP space you will have some kind of layer-8 policy 
which kind of new gateways you will sign.

But I'm not sure what you try to say with your posts Bernd.
First you complain (at least that's how I understand your post) about the 
possibility of control through a network with few gateways, then you argue 
that you cannot built new gateways easily in a network with public IP space.

If you have a situation like this, the possibility of using public IP space is 
some kind of service. If only a few gateways can provide this service, these 
gateways can always control what network traffic goes through the gateway 
(they don't need to control it, but they can). Other users could start to add 
NAT gateways, but these would loose the option for public ips.
Because (most likely) the public-ip gateway group would not sign the key of a 
gateway that does not create a proper tunnel, you will get some kind of 
partition in PKI space. And the user will have to decide if they use only one 
of the gateway groups or both of them.


Diplom Informatiker Henning Rogge
Forschungsgesellschaft für
Angewandte Naturwissenschaften e. V. (FGAN) 
Neuenahrer Str. 20, 53343 Wachtberg, Germany
Tel.: 0049 (0)228 9435-961
Fax: 0049 (0)228 9435-685
E-Mail: (spam-protected)
Web: www.fgan.de
Sitz der Gesellschaft: Bonn
Registergericht: Amtsgericht Bonn VR 2530
Vorstand: Dr. rer. nat. Ralf Dornhaus (Vors.), Prof. Dr. Joachim Ender 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.olsr.org/pipermail/olsr-users/attachments/20090130/30e441c7/attachment.sig>

More information about the Olsr-users mailing list