[Olsr-users] High-level questions about encryption on OLSR ad-hoc mesh

Henning Rogge (spam-protected)
Tue Mar 1 08:28:31 CET 2011


On Tue March 1 2011 06:49:13 Ben West wrote:
> First off, a low-level question ...
> 
> Is any information available about the key (type, content, length) used by
> the olsr-secure plugin?  I see that the module exists in v0.6 of OLSR, but
> I can't find any documentation about how to generate the key file.  Also,
> am I correct in understanding that this plugin basically works to prevent
> route spoofing by an untrusted node, but not to actually encrypt mesh
> traffic?
The secure plugin does not encrypt the traffic of the mesh at all, it's just a
group-key based signature system for the OLSR packets. The key has to be 
supplied in a textfile.

> Now, the high-level question ...
> 
> Have there been any nifty developments in options for encrypting an OLSR
> mesh running in ad-hoc mode, or is this perhaps a path with diminishing
> returns?  My platform is Ubiquiti 5GHz M devices running OpenWRT 10.03-rc4
> with ath9k driver, and I've been able to set up an unencrypted mesh with
> OLSR v0.6.
If you want to encrypt the mesh traffic, you might think about using IPsec for 
the unicast connections in the mesh.

Securing the OLSR broadcasts is more difficult.
 
> I read that WPA/WPA2 encryption is not possible in ad-hoc mode, and that
> WEP encryption may be possible (tho I couldn't get it working), but I
> understand that WEP encryption now-a-days is as easy to crack as rot13
> obfuscation.
You need to listen to 40000-80000 encrypted IP packets before you can 
calculate the 128-bit key. That's only a few minutes on an 802.11g full speed
download.

> Since I don't plan on having end users connect to the 5GHz mesh, only to
> use it for back-haul, I don't have to worry about encryption schemes that
> are compatible with end users (e.g. smartphones, Windoze boxes).  However,
> is putting encryption into an ad-hoc OLSR mesh even worthwhile, should the
> relevant drivers come to support it?  Or am I better off putting wired
> VPN-cable routers on the fringes of the mesh, wherever encryption may be
> demanded?

If you have a "closed group" and want to protect it from influence from the 
outside, some kind of layer 2 encryption/authentication would be perfect.
Unfortunately wpa-supplicant does not support WPA2 in adhoc-mode 
(theoretically it should be possible).

If you just want to secure your traffic from eavesdropping, just use IPsec or
OpenVPN.

Henning Rogge
-- 
Diplom-Informatiker Henning Rogge , Fraunhofer-Institut für
Kommunikation, Informationsverarbeitung und Ergonomie FKIE
Kommunikationssysteme (KOM)
Neuenahrer Straße 20, 53343 Wachtberg, Germany
Telefon +49 228 9435-961,   Fax +49 228 9435 685
mailto:(spam-protected) http://www.fkie.fraunhofer.de
GPG: E1C6 0914 490B 3909 D944 F80D 4487 C67C 55EC CFE0
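
The distinction drawn in the reply above (a group-key signature authenticates OLSR packets but does not hide them) can be shown with a short added example. It is not part of the original message and is not the olsr-secure plugin's code or wire format: HMAC-SHA256, the 4-byte timestamp, the 30-second window and the key and packet contents are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # size of an HMAC-SHA256 tag
TS_LEN = 4    # 32-bit timestamp, network byte order


def sign_packet(group_key, payload, timestamp):
    """Append timestamp and MAC. The payload itself is left in cleartext."""
    body = payload + struct.pack("!I", timestamp)
    return body + hmac.new(group_key, body, hashlib.sha256).digest()


def verify_packet(group_key, packet, now, max_skew=30):
    """Return the payload if MAC and timestamp are valid, otherwise None."""
    if len(packet) < TS_LEN + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(group_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # sender lacks the group key, or the packet was altered
    (timestamp,) = struct.unpack("!I", body[-TS_LEN:])
    if abs(now - timestamp) > max_skew:
        return None  # stale: a replayed capture is rejected
    return body[:-TS_LEN]


if __name__ == "__main__":
    GROUP_KEY = b"constructed-demo-key"            # constructed sample key
    HELLO = b"HELLO 10.0.0.1 neighbours=10.0.0.2"  # constructed packet body
    pkt = sign_packet(GROUP_KEY, HELLO, 1000)
    print("member accepts:   ", verify_packet(GROUP_KEY, pkt, 1005))
    print("outsider's packet:", verify_packet(GROUP_KEY, sign_packet(b"guess", HELLO, 1000), 1005))
    print("replayed later:   ", verify_packet(GROUP_KEY, pkt, 5000))
    print("readable on air:  ", HELLO in pkt)
```

The last line prints True: the routing data is still visible to anyone listening, which is why confidentiality has to come from IPsec or OpenVPN as the reply says.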