[Olsr-users] High-level questions about encryption on OLSR ad-hoc mesh

Henning Rogge (spam-protected)
Wed Mar 2 08:16:23 CET 2011 

On Tue March 1 2011 17:05:00 Eric Malkowski wrote:
> Ben-
> 
> Did you find this note on WPA-NONE for AD-hoc mode.  It was on my list
> of things to try on my setup, but never got around to it
> 
> http://lists.freebsd.org/pipermail/freebsd-net/2010-April/025052.html
Yes, WPA-NONE would be great... but according to my knowledge it is not 
supported by most platforms (including linux).

> I wanted to chime in here on my experience with the secure plugin.  I've
> done an outdoor network each year for the Head Of The Charles Regatta
> very similar to what Ben wants to do (Mesh Ad-hoc backhauls on 5.8,
> local radios for AP on 2.4) and found that 2 years ago when bringing up
> the last node in the network, routes would disappear within minutes
> whenever the total nodes on the network was 10 or more.  In doing
> investigation I found OLSRd was crashing on what appeared to be random
> nodes (i.e. not sure if they were MPRs / non-MPR neighbors etc. -- I
> wasn't able to characterize since we were scrambling to just make it
> work). Usually it would crash w/in the secure plugin (kernel was
> reporting some of those details in dmesg I think -- olsr secure .so
> (share lib)).  I ended up having to frantically add a bunch of static
> routes and shut OLSR off on a node or two to get stability.  This was
> running 0.5.8r6 I believe.
Nobody has done any work on the secure plugin (except fixing compiler things) 
for years.

> The next year I brought up the who setup on the bench and found when
> bringing up the 10th node, usually w/in minutes one or more OLSRd
> crashes.  I tried to run in gdb and do a stack trace but the stack had
> nothing useful (seemed corrupt), so I went to plan B -- I turned off the
> secure plugin -- this year we ran a 12 node network for the entire
> weekend with no crashes and rock solid stability.
Maybe the debug information was not included into your binary.
 
> I'm thinking there is something that overflows or gets stomped on in the
> secure plugin implementation when the number of nodes is 10 or more.
> Perhaps the signature calculation is overstepping a buffer or something
> to that effect.
Yes, might be.
 
> 1. Use the ahdemo mode for MADWIFI -- no management frames at all: no
> beacons, no association, no probes, just data.  Then we don't see other
> "things" on our frequency doing ad-hoc and they typically don't see us
> unless using a sniffer etc.  This also avoids ad-hoc "cell" splits --
> they just talk.
Yes. Its not a help against someone who really wants to join your net, but 
against accidents.
 
> 2. Use WEP -- simple iwconfig commands to set a static WEP key for all
> of the 5.8 ghz radios works well for me.  WEP is weak, but the more
> things you do the better (and the wireless chip does the crypto keeping
> the CPU free for everything else).
WEP is similar than ahdemo. Its like a 50 cm high fence, you show that you 
don't want other people inside, but it cannot stop them for more than a few 
moments.

> 3. Use the OLSR secure plugin to have signed OLSR packets so if someone
> cracks the WEP they can't poison the mesh routing
Maybe we could reintroduce a filtering mechanism that you can have a whitelist 
of originator-IPs. That might be easier and more stable for your net.

> 4. No DHCP or DNS services answering on the mesh interface -- mesh
> interface job is to just find routes with OLSR and route data.
Yes, that sounds like a good job too.

> Someone with decent knowledge of the setup could certainly cause
> trouble, but with over 300,000 people attending the event smart phones
> and all it hasn't been a problem.  Plus the event is only for 1 weekend
> and the entire setup is temporary outdoor.  This year we had to turn off
> the OLSR secure and it still wasn't an issue -- people are attracted to
> the 2.4 ghz APs since they run DHCP w/ a splashpage for access etc.
> These all end up being HNAs.
Yes, I don't think your "attacker profile" is an attack against the routing 
protocol, more a "I want internet too" attack. ;)
 
> If I manage to get around to trying out WPA-NONE, I'll let you know my
> results.
I would be REALLY interested in this.

Henning Rogge
-- 
Diplom-Informatiker Henning Rogge , Fraunhofer-Institut für
Kommunikation, Informationsverarbeitung und Ergonomie FKIE
Kommunikationssysteme (KOM)
Neuenahrer Straße 20, 53343 Wachtberg, Germany
Telefon +49 228 9435-961,   Fax +49 228 9435 685
mailto:(spam-protected) http://www.fkie.fraunhofer.de
GPG: E1C6 0914 490B 3909 D944 F80D 4487 C67C 55EC CFE0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.olsr.org/pipermail/olsr-users/attachments/20110302/d9c71d70/attachment.sig>

More information about the Olsr-users mailing list