> still that can be better than no security at all...

I think before you start throwing crypto, keys, certificates, etc. on something you/we should evaluate whether there are other ways. Also, it is important to realize that encryption itself does not make things secure (encryption != security). If we start talking about "no security at all" I'd rather ask first what we are securing and against whom ...

> i basically agree, but some people might like to set up a more controlled environment. even in a community network this might be useful at times, for example if you want to set up a backbone network.

So, we are starting to talk about these rare cases, right?

> one way to solve this without a static key which has to be known to all nodes is using a public key infrastructure (PKI) with a certificate authority (CA). the clients can generate their own private and public keys and send the public key to be signed by the CA. that could go hand in hand with adding their nodes to a map and accepting some basic agreement (pico peering). after it has been signed they could start using encryption for an extra level of mesh security.

I think many things would be _possible_ but I don't see that happening. But why does everything have to be so complicated? Do you read that: static key, PKI, CA, private and public keys, signed by the CA, .... Only a few people master this kind of security properly. The only end user PKI that "works" out there is web certificates, and their level of security is rather shameful.

> that's true, but it doesn't help if the underlying mesh protocol can be disturbed easily by un-authenticated nodes and your traffic never reaches the other endpoint.
> there are two different layers of adding authentication and encryption. one is the mesh protocol itself the other one is end-to-end user encryption. both are necessary if you want to make your network secure.

I can't agree here. I believe a well designed mesh protocol which is more resistant out of the box is much better than this encryption bloat. If you *really* need the encryption, please use one of the established and widely tested security protocols for the lower layers. Encryption is incredibly hard to do right and we are definitely no experts in this area. We want to develop a slick, fast routing protocol. If you want this level of security I *strongly* vote against a home-made "security plugin".

Keep in mind that security is a concept and not something you can simply enable.

Greetings, Marek

Hi -
have to say I fully agree with Marek.
cu elektra
_______________________________________________
B.A.T.M.A.N mailing list
B.A.T.M.A.N@open-mesh.net
https://list.open-mesh.net/mm/listinfo/b.a.t.m.a.n

On Apr 10, 2008, at 11:41 AM, Marek Lindner wrote:

>> i basically agree, but some people might like to set up a more controlled environment. even in a community network this might be useful at times, for example if you want to set up a backbone network.
> So, we are starting to talk about these rare cases, right?

I don't think it is so rare. Non-community wireless networks will probably like to sign their routing packets in addition to other crypt layers.
a.
b.a.t.m.a.n@lists.open-mesh.org