Hi,
I like brainstorming like this. We wanted batmand (and especially its core routing algorithm) to be decentralized and simple. So no central point of control/failure and therefore also no HNA server. Of course there are many potential attack vectors in a community mesh and probably there will always be until you completely restrict the access. Therefore IMHO the preferable security problems to be solved should be:
- detect and protect against (usually accidental) misconfigurations like duplicate addresses.
- find mechanisms to limit the impact of denial of service or other attacks to the local environment (neighborhood).
Certificates and signatures might be a theoretical solution. I am not a security expert, but many people have stated that frequent signature validation (like every OGM) will definitely exceed the CPU performance of the small embedded devices we use for our networks.
On Thursday 18 December 2008, Stephan Enderlein (Freifunk Dresden) wrote:
Theoretically, if the node can re-establish a new connection after its forced disconnection within the DAD timeout (100 seconds by default) then it should not be kicked out. But the preliminary for this is that the node must re-appear using the same primary IP for its primary interface and continue with the foreseen sequence-number range.
The router will always have the same IP. But it can take a little time to establish the VPN connection (over the internet) to connect to other batman clouds. So it is possible that the 100 seconds are reached easily. At the moment the firmware has no way to set the time of the forced disconnection. But if the user is using a different router, or the firmware will later support a timed disconnection, it is possible that the user leaves the default time. Assuming this, others may connect their disturbing routers at the same time to turn off attractive nodes with many connections.
You can tweak the duplicate address detection timeout using --dad-timeout.
Because the duplicate address detection works based on expected sequence numbers, you can avoid being ignored by other nodes after a restart by correcting your initial sequence number to a number accepted by other nodes using --initial-seqno.
ciao, axel
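An added, simplified model (not batmand's own code) of the duplicate address detection behaviour discussed above, to show why a restart with a reset sequence number is ignored until --dad-timeout expires and why --initial-seqno avoids that. The 100-second timeout is the default named in the thread; the sequence-number window, the 16-bit wraparound and the sample address 10.0.0.5 are assumptions.

```python
from dataclasses import dataclass, field

DAD_TIMEOUT = 100.0   # seconds; the --dad-timeout default the thread mentions
SEQNO_WINDOW = 64     # assumed: largest jump ahead of the last seen seqno still accepted
SEQNO_MOD = 1 << 16   # assumed: 16-bit sequence numbers that wrap around

@dataclass
class Originator:
    last_seqno: int
    last_seen: float

@dataclass
class DadTable:
    dad_timeout: float = DAD_TIMEOUT
    window: int = SEQNO_WINDOW
    entries: dict = field(default_factory=dict)   # keyed by primary IP (simplified model)

    def purge(self, now: float) -> None:
        """Forget originators not heard from within dad_timeout seconds."""
        for ip in [ip for ip, o in self.entries.items() if now - o.last_seen > self.dad_timeout]:
            del self.entries[ip]

    def accept_ogm(self, orig_ip: str, seqno: int, now: float) -> bool:
        """True if the OGM is accepted; False if it is treated as a duplicate address."""
        self.purge(now)
        known = self.entries.get(orig_ip)
        if known is None:                      # unknown or aged out: adopt any seqno
            self.entries[orig_ip] = Originator(seqno, now)
            return True
        jump = (seqno - known.last_seqno) % SEQNO_MOD
        if 1 <= jump <= self.window:           # continues the foreseen seqno range
            known.last_seqno, known.last_seen = seqno, now
            return True
        return False                           # unexpected seqno from a known IP: ignored

def run_scenarios() -> dict:
    """Constructed timeline for one node; 10.0.0.5 is a sample address, not from the thread."""
    results, t = {}, DadTable()
    for s, ts in ((100, 0.0), (101, 1.0)):     # normal operation
        t.accept_ogm("10.0.0.5", s, ts)
    # a second, misconfigured node with the same address appears with an unrelated seqno
    results["duplicate_node_rejected"] = not t.accept_ogm("10.0.0.5", 5000, 2.0)
    # the node restarts with seqno reset to 0 while still inside the 100 s timeout
    results["restart_reset_rejected"] = not t.accept_ogm("10.0.0.5", 0, 50.0)
    # same restart, but started with --initial-seqno continuing the old range
    results["restart_initial_seqno_ok"] = t.accept_ogm("10.0.0.5", 102, 50.0)
    # an outage longer than the timeout (e.g. slow VPN re-establishment): entry purged
    t2 = DadTable(); t2.accept_ogm("10.0.0.5", 101, 0.0)
    results["after_timeout_any_seqno_ok"] = t2.accept_ogm("10.0.0.5", 0, 150.0)
    return results
```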
All nodes must be reachable and they must ping the HNA regularly (if ping is supported, or check for certain services) and tell the local batmand to remove a specific HNA from its internal list. But this is also not secure, because the bad guy may redirect such requests and pretend the IP is reachable.
I think there must be a central server that collects "HNA requests"; if they are valid, the batman node that has requested to propagate a HNA can add it. For this batman should support such a procedure internally, perhaps like the visualisation server, else the bad guy may simply add a HNA per command line. It should be possible to generate two versions of batmand, one that acts as HNA server (only a few authenticated servers) and one as HNA client (requesting to publish a HNA and building it into all nodes).
To avoid someone running a faked batmand client to disturb a mesh, batman should support certificates to protect its OGM and other packets. Is there a way to make a batman network unique by using certificates? batman should always send signed OGM and other batman packets and also check for their correctness on reception.
For HNA authentication and signed batman traffic you may use cacert.org. If someone then tries to disturb a batman network by setting up its own HNA server, you just may look into the certificate to get the user.
Cheers Stephan
Dipl. Informatiker (FH) Stephan Enderlein, Freifunk Dresden
B.A.T.M.A.N mailing list B.A.T.M.A.N@open-mesh.net https://list.open-mesh.net/mm/listinfo/b.a.t.m.a.n