On Wed, May 21, 2014 at 12:59:29AM +0530, Krishnathiepan Rasanayagam wrote:

hello, layer below does it mean layer 2?

Layer above and layer below does not always map to ISO OSI 7 layer model. BATMAN is a layer two mesh, and it runs on top of a L2 network. See what i mean?

Are you interested in transitive trust, or end to end trust of BATMAN peers? If transitive trust is sufficient, then you can do it at L2, trust the one hop neighbors. However if you want end-to-end trust of the mesh, you need to be inside the mesh, so inside BATMAN. If you want end-to-end application trust, you need to be inside the application, L7, or maybe L4 if you use TLS.

It comes down the basic security questions you should always be considering:

What are your assets you need to protect. Who are the attackers. What compromises are you willing to take.

First figure out your security model, then figure out how to implement it.

Andrew

On Wed, May 21, 2014 at 10:30:08PM +0530, Krishnathiepan Rasanayagam wrote:

Hi,

We are trying to add authentication when nodes join the network. Like when other nodes start adding a node in their routing table. basically authenticating the node.

So some form of HMAC on the packets between peers, and only accept them if you can verify the HMAC.

You say here routing tables. So you are trying to authenticate routing information. You don't care about actual data carried over the mesh? That is not authenticated?

We like to do with Threshold cryptography for authenticating.

So you mean you want at least X peers to be able to authenticate a peer before it is allowed to join the mesh? So how do you boot strap the system when the mesh is first forming and you don't have X peers?

Andrew