public inbox for b.a.t.m.a.n@lists.open-mesh.org
* [B.A.T.M.A.N.] Batman-adv secure
       [not found] <mailman.54.1312831773.1125.b.a.t.m.a.n@lists.open-mesh.org>
@ 2011-08-16 10:48 ` Filippo Sallemi
  2011-08-16 11:11   ` Marek Lindner
  0 siblings, 1 reply; 8+ messages in thread
From: Filippo Sallemi @ 2011-08-16 10:48 UTC (permalink / raw)
  To: The list for a Better Approach To Mobile Ad-hoc Networking

Hi all,
I don't know if this is an old argument, but does the possibility exist to
implement a secure mesh network?
For example a technique that encrypts batman-adv traffic with a pre-shared
key or similar, or
using ebtables to block all INPUT and OUTPUT traffic and allow only
the specified nodes' MACs?

Rgds

--
Filippo Sallemi


* Re: [B.A.T.M.A.N.] Batman-adv secure
  2011-08-16 10:48 ` [B.A.T.M.A.N.] Batman-adv secure Filippo Sallemi
@ 2011-08-16 11:11   ` Marek Lindner
  2011-10-04 21:39     ` Filippo Sallemi
  0 siblings, 1 reply; 8+ messages in thread
From: Marek Lindner @ 2011-08-16 11:11 UTC (permalink / raw)
  To: The list for a Better Approach To Mobile Ad-hoc Networking


Hi,

> I don't know if this is an old argument, but does the possibility exist to
> implement a secure mesh network?
> For example a technique that encrypts batman-adv traffic with a pre-shared
> key or similar, or
> using ebtables to block all INPUT and OUTPUT traffic and allow only
> the specified nodes' MACs?

Please consult our FAQ and feel free to ask unanswered questions afterwards:
http://www.open-mesh.org/wiki/open-mesh/FAQ


Regards,
Marek


* Re: [B.A.T.M.A.N.] Batman-adv secure
  2011-08-16 11:11   ` Marek Lindner
@ 2011-10-04 21:39     ` Filippo Sallemi
  2011-10-04 21:44       ` Sven Eckelmann
  2011-10-04 21:48       ` Antonio Quartulli
  0 siblings, 2 replies; 8+ messages in thread
From: Filippo Sallemi @ 2011-10-04 21:39 UTC (permalink / raw)
  To: The list for a Better Approach To Mobile Ad-hoc Networking

Hi guys,
I've read the open-mesh FAQ but I'm not able to resolve my problem.
I understood that the mesh network is a public network and that every
user has to make sure their connection is secure, but I don't want
another node (alien) to be able to connect to my network, so I thought about
using ebtables to block all traffic (such as the DROP policy of iptables) and
allowing only certain nodes to communicate with each other.

I need something like this
ebtables -i wlan0 DROP
ebtables -i wlan0 --src <node mac> ACCEPT

but it doesn't work for me

Any suggestions?

Rgds

-- 
Filippo Sallemi


* Re: [B.A.T.M.A.N.] Batman-adv secure
  2011-10-04 21:39     ` Filippo Sallemi
@ 2011-10-04 21:44       ` Sven Eckelmann
  2011-10-04 21:48       ` Antonio Quartulli
  1 sibling, 0 replies; 8+ messages in thread
From: Sven Eckelmann @ 2011-10-04 21:44 UTC (permalink / raw)
  To: b.a.t.m.a.n


On Tuesday 04 October 2011 23:39:04 Filippo Sallemi wrote:
> Hi guys,
> I've read the open-mesh FAQ but I'm not able to resolve my problem.
> I understood that the mesh network is a public network and that every
> user has to make sure their connection is secure, but I don't want
> another node (alien) to be able to connect to my network, so I thought about
> using ebtables to block all traffic (such as the DROP policy of iptables) and
> allowing only certain nodes to communicate with each other.
> 
> I need something like this
> ebtables -i wlan0 DROP
> ebtables -i wlan0 --src <node mac> ACCEPT
> 
> but it doesn't work for me

ebtables is made for bridges. So you have to send the whole traffic over a 
bridge that does the filtering for you. But I doubt that it actually fixes your 
problem with alien nodes.

Kind regards,
	Sven


* Re: [B.A.T.M.A.N.] Batman-adv secure
  2011-10-04 21:39     ` Filippo Sallemi
  2011-10-04 21:44       ` Sven Eckelmann
@ 2011-10-04 21:48       ` Antonio Quartulli
  2011-10-05  8:25         ` Filippo Sallemi
  1 sibling, 1 reply; 8+ messages in thread
From: Antonio Quartulli @ 2011-10-04 21:48 UTC (permalink / raw)
  To: The list for a Better Approach To Mobile Ad-hoc Networking

Hi Filippo,

On Tue, Oct 04, 2011 at 11:39:04PM +0200, Filippo Sallemi wrote:
> Hi guys,
> I've read the open-mesh FAQ but I'm not able to resolve my problem.
> I understood that the mesh network is a public network and that every
> user has to make sure their connection is secure, but I don't want
> another node (alien) to be able to connect to my network, so I thought about
> using ebtables to block all traffic (such as the DROP policy of iptables) and
> allowing only certain nodes to communicate with each other.
> 
> I need something like this
> ebtables -i wlan0 DROP
> ebtables -i wlan0 --src <node mac> ACCEPT
> 
> but it doesn't work for me
> 
> Any suggestions?
> 

If you dig a bit in the mailing list archive you can probably find some other
threads talking about this topic. ebtables only works on bridges, therefore it
won't work on simple interfaces like wlan0.



-- 
Antonio Quartulli

..each of us alone is worth nothing..
Ernesto "Che" Guevara


* Re: [B.A.T.M.A.N.] Batman-adv secure
  2011-10-04 21:48       ` Antonio Quartulli
@ 2011-10-05  8:25         ` Filippo Sallemi
  2011-10-05  8:57           ` Antonio Quartulli
  0 siblings, 1 reply; 8+ messages in thread
From: Filippo Sallemi @ 2011-10-05  8:25 UTC (permalink / raw)
  To: The list for a Better Approach To Mobile Ad-hoc Networking

Hi,
after some hours spent trying to find other threads talking about this
topic I'm not able to resolve my problem, but I have another two
questions about this.
1. Can I use the macfilter option in the wireless config without decreasing performance?
2. Does another tool like ebtables exist that works on a simple interface?

Rgds


-- 
Filippo Sallemi


* Re: [B.A.T.M.A.N.] Batman-adv secure
  2011-10-05  8:25         ` Filippo Sallemi
@ 2011-10-05  8:57           ` Antonio Quartulli
  2011-10-05  9:27             ` Filippo Sallemi
  0 siblings, 1 reply; 8+ messages in thread
From: Antonio Quartulli @ 2011-10-05  8:57 UTC (permalink / raw)
  To: The list for a Better Approach To Mobile Ad-hoc Networking

On Wed, Oct 05, 2011 at 10:25:08 +0200, Filippo Sallemi wrote:
> Hi,
> after some hours spent trying to find other threads talking about this
> topic I'm not able to resolve my problem, but I have another two
> questions about this.
> 1. Can I use the macfilter option in the wireless config without decreasing performance?

mh.. Honestly I don't know, I think that any kind of filter will affect the
performance somehow. Probably (if I am not wrong) the macfilter configuration on the node
firmware is a hostapd feature (you use openwrt, right?).

> 2. Does another tool like ebtables exist that works on a simple interface?
> 

Don't think so.. but I could be wrong. IIRC we discussed the possibility of
creating br0, enslaving wlan0 (or whatever your phy device is) into br0 and then
using ebtables on br0. Really ugly IMHO :p

Cheers,


-- 
Antonio Quartulli

..each of us alone is worth nothing..
Ernesto "Che" Guevara
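
The br0 workaround described in the message above, written out as an added example (not code from the thread or from the batman-adv project): the script only prints the ip and ebtables commands so they can be reviewed before use. The names br0 and wlan0 follow the thread, the MAC addresses are constructed placeholders, and it assumes the wireless mode in use lets wlan0 become a bridge port; a source-MAC allowlist matches an address the sender chooses, so it filters but does not authenticate nodes.

```shell
#!/bin/sh
# Added example: generate a bridge-port MAC allowlist for ebtables.
# Nothing is executed; the commands are printed for review.

# Return 0 if $1 is a well-formed MAC address (six colon-separated hex octets).
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# usage: gen_allowlist <bridge> <port> <mac>...
gen_allowlist() {
    bridge=$1 port=$2
    shift 2
    [ "$#" -gt 0 ] || { echo "no MAC addresses given" >&2; return 1; }
    # Validate every address before emitting anything, so a typo cannot
    # leave a rule set that ends in DROP without the intended ACCEPTs.
    for mac in "$@"; do
        is_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    done
    # Create the bridge and make the wireless interface one of its ports.
    echo "ip link add name $bridge type bridge"
    echo "ip link set dev $port master $bridge"
    echo "ip link set dev $bridge up"
    # ACCEPT rules first: ebtables walks a chain from top to bottom.
    for mac in "$@"; do
        echo "ebtables -A INPUT -i $port -s $mac -j ACCEPT"
        echo "ebtables -A FORWARD -i $port -s $mac -j ACCEPT"
    done
    # Final rules drop everything else that enters through the wireless port.
    echo "ebtables -A INPUT -i $port -j DROP"
    echo "ebtables -A FORWARD -i $port -j DROP"
}

# Constructed sample: two node addresses from the locally administered range.
gen_allowlist br0 wlan0 02:00:00:00:00:01 02:00:00:00:00:02
```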


* Re: [B.A.T.M.A.N.] Batman-adv secure
  2011-10-05  8:57           ` Antonio Quartulli
@ 2011-10-05  9:27             ` Filippo Sallemi
  0 siblings, 0 replies; 8+ messages in thread
From: Filippo Sallemi @ 2011-10-05  9:27 UTC (permalink / raw)
  To: The list for a Better Approach To Mobile Ad-hoc Networking

Thanks for your reply Antonio, but in my scenario there are three mesh
networks (with batman-adv) and I need to block access from nodes of
each other.
However enslaving wlan0 on br0 is very very ugly.

Other ideas?


-- 
Filippo Sallemi
