30 Jan
2021
30 Jan
'21
9:25 a.m.
Hi,
I have been using BATMAN-ADV for a while now.
Just had a question. Is there any way to add a nonce value to the
packet header? The reason being that I want to add an authentication
mechanism where the firewall permits only selected headers that have
this nonce. Hope this makes sense.
Thanks and Regards
Moullick Mehra
30 Jan
30 Jan
9:36 a.m.
New subject: batman-adv: User defined nonce in packet header [was: batman-adv related query]
[please use a relevant subject when writing to the mailing list]
On Saturday, 30 January 2021 10:25:51 CET Moullick Mehra wrote:
Is there any way to add a nonce value to the
packet header? The reason being that I want to add an authentication
mechanism where the firewall permits only selected headers that have
this nonce. Hope this makes sense.
Not with the mainline batman-adv. But you can always add your own changes to
your code - making it incompatible with mainline batman-adv.
But I would highly recommend to handle authentication on a layer outside of
batman-adv.
Btw. "nonce" is a "number only used once". And you wrote here that the
firewall only whitelist one specific nonce. Which would imply that your nonce
is not used only once...
Kind regards,
Sven
10:06 a.m.
New subject: batman-adv: User defined nonce in packet header
[You forgot to reply to the mailing list]
On Saturday, 30 January 2021 10:48:11 CET Moullick Mehra wrote:
The reason for not having authentication on a layer
outside
batman-adv is that we want the system to have seamless roaming hence,
require something that goes along with the packets themselves. It
would be great if you could provide some resource links.
The information are far to vague to give you anything.
Kind regards,
Sven
2:01 p.m.
New subject: batman-adv: User defined nonce in packet header
On Saturday, 30 January 2021 11:06:10 CET Sven Eckelmann wrote:
[...]
The information are far to vague to give you anything.
I just got two mails which tried to standard new threads and were therefore
rejected. Still I am forwarding the most relevant one of both to this thread.
But I still think that this is completely unrelated to batman-adv. Because it
is at the completely wrong layer, doesn't have access to the users device
(and the other way around) and the firewall wouldn't even see batman-adv packets:
---------- Forwarded Message ----------
Subject: Users authentication with roaming feature
Date: Saturday, 30 January 2021, 14:18:02 CET
From: Tushar Malpani <tusharmalpani20(a)gmail.com>
To: b.a.t.m.a.n(a)lists.open-mesh.org
Hi,
I have a community mesh setup here in India and we have been
using B.A.T.M.A.N Adv as our mesh routing protocol. At present, we
are using pfSense firewall/router which hosts a captive portal for
authenticating a users. Am not sure but somehow it seems to work great
with client roaming as the users switches from one node to another
but, since it's easy to bypass a captive portal by changing one's IP
and MAC address we switched to different authentication methods such
and tried using WPA-Enterprise, VPN but none of those gave us a
seamless roaming experience.
So, we moved baked to captive portal as of now and understood it's
working and found that it uses ipfw table under the hood, it adds the
authenticated users IP address in ipfw tables and passes all the
request made by them.
And then we came up with the idea of adding an additional header to
each packet which will have a value(which is unique to each
user).After the first authentication we add that unique value to our
firewall rules which will be similar to what captive portal does but
secure since each value is unique to each user.
Can this be done by tweaking B.A.T.M.A.N Adv code or this is something
which should be done at users devices?
Is this idea as good as we think it is or there is already a better
solution out there?
Can you help point to where to look, learn and build this system?
Thanks and regards
Tushar Malpani
-----------------------------------------
850
days inactive
850
days old
b.a.t.m.a.n@lists.open-mesh.org
3 comments
2 participants
participants (2)
-
Moullick Mehra -
Sven Eckelmann