Hello,
I'm currently working on a project (part of my Bachelor work) which will be used to transfer very sensitive data over the network, and I'd like to use mesh networks to transfer this data. Additionally, it should also be possible for "normal people" to connect to this network (e.g. to surf the internet). Preliminarily, I've chosen BATMAN to build this network. But I've got a few questions regarding the security of this solution:
1. Does BATMAN provide any method of *authenticating* nodes? As I've said earlier, sometimes transferred data will be highly sensitive (for example: information on patients' health in a hospital), so it's absolutely critical to not allow leaking this information. I can imagine a situation when some fake nodes claim "Hey, I'm the server collecting this data"... I think this is also important when someone would try to destroy our mesh network by placing some fake nodes in it.
2. If point nr one isn't possible, maybe there is some other way to ensure security? I don't know too much about security or cryptography, but I can think of solutions such as OpenVPN or IPsec.
Generally, the goal is to assert security of transmitting some data *without* losing the open characteristics of a mesh network.
I will be very thankful for any answers.
Kind regards, Adrian
> - Does BATMAN provide any method of *authenticating* nodes?
> As I've said earlier, sometimes transferred data will be highly sensitive (for example: information on patients' health in a hospital), so it's absolutely critical to not allow leaking this information.

For this sort of application you need end-to-end security. That is, your end devices authenticate each other, probably using certificates. They then negotiate a key and then encrypt all the traffic end-to-end. It does not matter if the data leaks, since it's not practical for anybody to decode it. You then don't care about your mesh, it's just an untrusted data pipe from A to B.
You should probably get a good book on security and learn all about what Alice and Bob need to do.
The mesh itself is not important. You cannot trust it, hence it's not important.
Andrew
Adrian Byszuk wrote:
> Hello,
> I'm currently working on a project (part of my Bachelor work) which will be used to transfer very sensitive data over the network, and I'd like to use mesh networks to transfer this data. Additionally, it should also be possible for "normal people" to connect to this network (e.g. to surf the internet). Preliminarily, I've chosen BATMAN to build this network. But I've got a few questions regarding the security of this solution:
> - Does BATMAN provide any method of *authenticating* nodes?
> As I've said earlier, sometimes transferred data will be highly sensitive (for example: information on patients' health in a hospital), so it's absolutely critical to not allow leaking this information. I can imagine a situation when some fake nodes claim "Hey, I'm the server collecting this data"... I think this is also important when someone would try to destroy our mesh network by placing some fake nodes in it.

No, it doesn't provide any form of authentication. Normally this should be done in any layer above batman-adv. As in other network setups it is possible to create a local blackhole by a node which says that it is the perfect route or that he is someone else. Maybe Simon can give more information about such strategies.
I would say that it is a good idea not to allow other nodes to join the mesh directly if you have mission critical data sent over it.

> - If point nr one isn't possible, maybe there is some other way to ensure security? I don't know too much about security or cryptography, but I can think of solutions such as OpenVPN or IPsec.

Correct. This is the best idea to do it. To prevent others from entering the mesh setup it should be possible to use wpa_none. Maybe there are other suggestions floating around on the mailing list.

> Generally, the goal is to assert security of transmitting some data *without* losing the open characteristics of a mesh network.

The problem is that you have two different goals. It is ok to say that data must be encrypted over the mesh (vpn/ipsec/..), but it is hard to keep something really open and at the same time also prevent the user from having control over the mesh (because the mesh is not for the nodes, but the nodes form the mesh).
But if it is only important that data cannot be captured by other people then go for a good higher level encryption and authentication strategy.
And are you sure that you really want to connect end users to the mesh directly? It is a lot easier to use dedicated nodes (ask Linus or Marek) which connect to the mesh and provide some kind of gateway to/over the mesh. Those endpoints could for example also be used to provide the vpn (depends on your setup).
Best regards, Sven
hi adrian,
there is no authentication, encryption whatsoever built in batman. u can use various ways to secure the services you want to run over an insecure channel like WiFi:
1. the easiest way is to use a transport layer authentication and encryption mechanism.
   to do this, u have to set up wpa_supplicant and set a shared key (WPA-NONE method, see wpa_supplicant docs for details about using WPA with Ad-Hoc networks). after setting up wpa_supplicant on all nodes, all traffic gets encrypted using the previously set up shared key. this method is neither elegant nor particularly flexible, and by far not as secure as "traditional" WPA2-PSK, as rekeying cannot be carried out (therefore WPA-NONE...) the future will hopefully bring WiFi Direct, a new WiFi standard to secure Ad-Hoc networks using a one-button method (a la WPS)...
2. use IP-Layer security mechanisms (IPSec)
   set up an IPSec stack in transport mode on all nodes. this method allows using individual certificates for all clients (i.e. u gonna build a PKI) and is way more flexible and by magnitudes more secure than using just a single shared secret, even when things like proper WPA in Ad-Hoc networks might come up in future. IPSec, however, is known to be horrible to set up and imho worth the effort only if there are a few hundred to thousand participating nodes. personally, i do have some basic experience with setting up IPSec on openwrt and i can assist u if help is needed.
3. (or 2a?) build a VPN running on top of the mesh
   while this might sound like an easy task on the first look -- OpenVPN can be set up within minutes -- it might not be as simple... Most VPN solutions known to me rely on central infrastructure (i.e. one or more VPN server reachable for the clients)
4. secure your services, for example using Kerberos
if u'd ask me, the best is to use either Kerberos (if possible with the services u plan to use) or IPSec transport authentication/encryption or even both (they might share one central directory service feeding both, Kerberos and IKE, but we won't get there too soon...)
good luck!
regards
daniel
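
The certificate-based authentication that Andrew and Daniel recommend, as an added example that is not part of the thread or of the B.A.T.M.A.N. project: a throwaway CA issues a certificate to the data collector, and a self-signed certificate from a node that only claims the same name fails verification. The names `collector` and `Example Mesh CA` are assumptions, and the `openssl` command-line tool must be installed.

```shell
#!/bin/sh
# Added example (all names are hypothetical): a small PKI for mesh endpoints.
# Endpoints trust only certificates signed by their own CA, so a node that
# merely claims to be "collector" cannot pass authentication.

# make_ca DIR: create the CA key and the self-signed CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Mesh CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME: create a key and CSR for NAME, then sign it with the CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
}

# rogue_cert DIR NAME: self-signed certificate carrying NAME, which is all a
# node outside the PKI can produce without the CA key.
rogue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/rogue.key" -out "$1/rogue.crt" 2>/dev/null
}

# is_trusted DIR CERT: succeed only if CERT chains to the CA stored in DIR.
is_trusted() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# demo: build the PKI in a temporary directory and print both verdicts.
demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" && issue_cert "$dir" collector &&
        rogue_cert "$dir" collector || return 1
    for c in collector rogue; do
        if is_trusted "$dir" "$dir/$c.crt"; then
            echo "$c.crt: accepted"
        else
            echo "$c.crt: rejected"
        fi
    done
    rm -rf "$dir"
}

demo
```

The same CA certificate and per-node certificates can then be handed to whichever end-to-end mechanism is chosen (IPsec/IKE, OpenVPN or TLS), with the CA key kept off the mesh nodes.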
On Monday 26 April 2010 04:13:37 Daniel Golle wrote:
> there is no authentication, encryption whatsoever built in batman. u can use various ways to secure the services you want to run over an insecure channel like WiFi:
> [..]

You wrote a pretty good summary of what is out there. Since this question comes up quite often can I somehow convince you to put your text in the wiki / user docs? Maybe creating a new page "how to secure my mesh"? It does not need to be perfect. We can improve it over time. :-)
Cheers, Marek
Hello again!
First of all, I'd like to thank all of You for your answers. They were helpful and helped me to clarify some things. I guess it's true that I should learn a bit more about "Alice & Bob" before asking questions. I think I'll use IPsec or Kerberos like Daniel suggested, but of course firstly I'll read more about this. Anyway - Daniel I'll remember what you said about "openWRT" and "help" ;-)
However, I'm still concerned about the issue of using fake nodes claiming they are someone else (e.g. sending fake OGMs) for the sole reason of destroying the mesh. Do you think this is an important issue? Can it be somehow reduced?

> However, I'm still concerned about the issue of using fake nodes claiming they are someone else (e.g. sending fake OGMs) for the sole reason of destroying the mesh. Do you think this is an important issue? Can it be somehow reduced?

There are much simpler ways of destroying the mesh, at least locally. e.g, my wife has a cordless telephone which operates in the 2.4GHz band. Pick up the line and wireless in the area dies. That phone quickly got replaced with a DECT phone operating in the USA DECT band, 1.9GHz.
2.4GHz is in the so called ISM band, industrial, scientific and medical. Bluetooth, WiFi, microwave ovens, ZigBee, sometimes radio car keys all work in this band, and all potentially interfere with each other. You are working in a medical environment, so you may find that down by radiography, you can forget WiFi altogether?
You really need to tell us your use cases. Do you need a network which has 99.999% uptime? Then dig up the road and lay fibre. Can you live with a best effort network, which will probably die every so often, can easily be DOSed, and performance will probably vary depending on day/night, weekday/weekend and the phase of the moon?
Andrew
Hi,
> - Does BATMAN provide any method of *authenticating* nodes?
> As I've said earlier, sometimes transferred data will be highly sensitive (for example: information on patients' health in a hospital), so it's absolutely critical to not allow leaking this information. I can imagine a situation when some fake nodes claim "Hey, I'm the server collecting this data"... I think this is also important when someone would try to destroy our mesh network by placing some fake nodes in it.
> 2. If point nr one isn't possible, maybe there is some other way to ensure security? I don't know too much about security or cryptography, but I can think of solutions such as OpenVPN or IPsec.

I tend to agree with Andrew: If you wish to secure patient data transfers end-to-end encryption is probably what you are looking for (e.g. SSL). But "ensuring security" is a very broad term which we hear quite often. Please check our FAQ: http://www.open-mesh.org/wiki/FAQ
Cheers, Marek
Hello Adrian,
quite good answers have already been on the list. Maybe it is helpful to create VLANs for your purpose on top of the mesh, e.g.:
1. An open patient/customer VLAN for internet traffic etc
2. a hospital internal VLAN for your sensitive information
3. an administration VLAN for maintenance on your nodes
These VLANs should be configured on top of the mesh nodes and should be controlled by the nodes, means that the patients should not be able to access the internal VLAN.
Additionally, you should secure the mesh with WPA-NONE, but as stated before the security of this method is not well researched and might be weaker than WPA2/CCMP. It basically uses static keys with either TKIP or CCMP(AES).
best regards, Simon
On Sun, Apr 25, 2010 at 09:36:25PM +0200, Adrian Byszuk wrote:
> Hello,
> I'm currently working on a project (part of my Bachelor work) which will be used to transfer very sensitive data over the network, and I'd like to use mesh networks to transfer this data. Additionally, it should also be possible for "normal people" to connect to this network (e.g. to surf the internet). Preliminarily, I've chosen BATMAN to build this network. But I've got a few questions regarding the security of this solution:
> - Does BATMAN provide any method of *authenticating* nodes?
> As I've said earlier, sometimes transferred data will be highly sensitive (for example: information on patients' health in a hospital), so it's absolutely critical to not allow leaking this information. I can imagine a situation when some fake nodes claim "Hey, I'm the server collecting this data"... I think this is also important when someone would try to destroy our mesh network by placing some fake nodes in it.
> 2. If point nr one isn't possible, maybe there is some other way to ensure security? I don't know too much about security or cryptography, but I can think of solutions such as OpenVPN or IPsec.
> Generally, the goal is to assert security of transmitting some data *without* losing the open characteristics of a mesh network.
> I will be very thankful for any answers.
> Kind regards, Adrian
b.a.t.m.a.n@lists.open-mesh.org