Ditto, Bruno.
End-to-end encryption for clients is better done with OpenSSL. Having to choose our gateway too is similar to having to choose the option of having secure routing or not, moreover. Entering the preferred gateway is the same as entering a preferred password; the password is more dynamic and a bit more secure IMO. If the admin wants, he can secure the system, and if it's an open mesh then there is no need for security..... well, OSS is all about options, isn't it?
Regards,
On Thu, Apr 10, 2008 at 2:04 AM, bruno randolf bruno@thinktube.com wrote:
On Thursday 10 April 2008 13:22:16 Marek Lindner wrote:
IMHO the OLSR secure plugin idea has a good intention but the concept is broken. There are several aspects:
- As long as only a single instance (one admin) knows the key everything is fine. But every node joining the mesh will need that key. Either the admin has a _lot_ of free time or you have to hand out the key. In the latter case, check eBay from time to time to find out about the value of your key.
still that can be better than no security at all... ;-)
- Furthermore, batman is used for _community_ meshing. Everybody should be able to join quickly ...
I basically agree, but some people might like to set up a more controlled environment. Even in a community network this might be useful at times, for example if you want to set up a backbone network.
One way to solve this without a static key which has to be known to all nodes is using a public key infrastructure (PKI) with a certificate authority (CA). The clients can generate their own private and public keys and send the public key to be signed by the CA. That could go hand in hand with adding their nodes to a map and accepting some basic agreement (pico peering). After it has been signed they could start using encryption for an extra level of mesh security.
- You give your users a FALSE impression of security: "We have the secure plugin enabled - we are secure!". Still everybody can sniff the data, man in the middle, etc.
Yes, people have to understand that only the mesh protocol will be encrypted, not the data.
- Encryption on an embedded device like a router is a performance killer if the encryption is not done in the hardware itself.
It's not too bad as long as the bandwidth is low, as it would be the case with protocol traffic.
- Most important: Nothing is better than end-to-end encryption / authentication / authorization.
That's true, but it doesn't help if the underlying mesh protocol can be disturbed easily by unauthenticated nodes and your traffic never reaches the other endpoint.
There are two different layers of adding authentication and encryption. One is the mesh protocol itself, the other one is end-to-end user encryption. Both are necessary if you want to make your network secure.
bruno
_______________________________________________
B.A.T.M.A.N mailing list
B.A.T.M.A.N@open-mesh.net
https://list.open-mesh.net/mm/listinfo/b.a.t.m.a.n
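The PKI model Bruno sketches (each node generates its own keypair, the CA signs the public key, and only CA-enrolled nodes get to participate in the mesh protocol) and his point that an unauthenticated node must not be able to disturb routing can both be shown in a few dozen lines. The following Go program is an added example written for this page; it is not code from the BATMAN or OLSR projects or from the OLSR secure plugin. It uses a bare "public key + CA signature" record as a stand-in for the X.509 certificate one would actually issue with openssl, ed25519 signatures from the Go standard library, and a constructed OGM-like payload. Only the routing messages are authenticated here; as the thread says, user data still needs its own end-to-end protection.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// NodeCert is a deliberately minimal stand-in for a CA-issued certificate:
// the node's public key plus the CA's signature over it (assumed format,
// not an X.509 cert as a real deployment would use).
type NodeCert struct {
	NodePub ed25519.PublicKey
	CASig   []byte
}

// CA holds the authority's signing key. Only the admin holds priv; every
// mesh node ships with pub so it can check other nodes' certificates.
type CA struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CA{pub: pub, priv: priv}, nil
}

// Issue is the enrollment step: the node sends only its public key and the
// CA signs it. The node's private key never leaves the node.
func (c *CA) Issue(nodePub ed25519.PublicKey) *NodeCert {
	return &NodeCert{NodePub: nodePub, CASig: ed25519.Sign(c.priv, nodePub)}
}

// Node is a mesh node with its own keypair and, once enrolled, a cert.
type Node struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	cert *NodeCert
}

func NewNode() (*Node, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Node{pub: pub, priv: priv}, nil
}

// Message is a signed routing-protocol message (think OGM or HELLO). The
// sequence number is covered by the signature so captured messages cannot
// be replayed later to skew routing.
type Message struct {
	Seq     uint32
	Payload []byte
	Cert    NodeCert
	Sig     []byte
}

// signedBytes is exactly what gets signed: seq (big-endian) || payload.
func signedBytes(seq uint32, payload []byte) []byte {
	buf := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(buf, seq)
	copy(buf[4:], payload)
	return buf
}

// Send builds a signed message. An unenrolled node has no cert to attach,
// so it cannot produce anything other nodes will accept.
func (n *Node) Send(seq uint32, payload []byte) (Message, error) {
	if n.cert == nil {
		return Message{}, errors.New("node has no CA-signed certificate")
	}
	sig := ed25519.Sign(n.priv, signedBytes(seq, payload))
	return Message{Seq: seq, Payload: payload, Cert: *n.cert, Sig: sig}, nil
}

// Verify is what a receiving node runs, knowing only the CA public key and
// the last sequence number it accepted per sender. Accept only if the cert
// was signed by our CA, the message verifies under the cert's key, and the
// sequence number is fresh. Any rogue node fails at step one.
func Verify(caPub ed25519.PublicKey, lastSeq map[string]uint32, m Message) error {
	// ed25519.Verify panics on a wrong-sized key, so check sizes first.
	if len(caPub) != ed25519.PublicKeySize || len(m.Cert.NodePub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if !ed25519.Verify(caPub, m.Cert.NodePub, m.Cert.CASig) {
		return errors.New("certificate not issued by our CA")
	}
	if !ed25519.Verify(m.Cert.NodePub, signedBytes(m.Seq, m.Payload), m.Sig) {
		return errors.New("message signature invalid")
	}
	if prev, seen := lastSeq[string(m.Cert.NodePub)]; seen && m.Seq <= prev {
		return errors.New("replayed or stale sequence number")
	}
	lastSeq[string(m.Cert.NodePub)] = m.Seq
	return nil
}

func main() {
	ca, _ := NewCA()
	good, _ := NewNode()
	good.cert = ca.Issue(good.pub) // enrollment, e.g. done alongside pico-peering sign-up
	rogue, _ := NewNode()
	rogueCA, _ := NewCA()
	rogue.cert = rogueCA.Issue(rogue.pub) // self-made "CA": the mesh never trusts it

	seen := map[string]uint32{}
	m, _ := good.Send(1, []byte("OGM: good node, TQ 255")) // constructed sample payload
	fmt.Println("good node, seq 1: ", Verify(ca.pub, seen, m))
	fmt.Println("good node, replay:", Verify(ca.pub, seen, m))
	r, _ := rogue.Send(1, []byte("OGM: rogue claims best route"))
	fmt.Println("rogue node:       ", Verify(ca.pub, seen, r))
}
```

The CA private key is the one secret that stays with the admin; nodes carry only the CA public key, so nothing of value leaks if a node is sold on eBay, which is the failure mode of the shared-key design in the first message. Rejecting the rogue's message before it reaches route selection is what stops an unauthenticated node from disturbing the mesh protocol, and it says nothing about the confidentiality of user traffic riding over it.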