* [B.A.T.M.A.N.] securing batman gateway
@ 2007-06-26 15:23 Stefano Scipioni
2007-06-26 22:31 ` Alexander Morlang
2007-06-27 10:08 ` Marek Lindner
0 siblings, 2 replies; 5+ messages in thread
From: Stefano Scipioni @ 2007-06-26 15:23 UTC (permalink / raw)
To: b.a.t.m.a.n
I am working on a mesh cloud with WEP encryption on the wireless channel, olsr
and openvpn to have a tunnel with the gateway.
Batman has a tunnel with the gateway, but is it possible to secure it? In a first
step, only clients with proper credentials can start the tunnel, and in a second
step the tunnel is encrypted.
* Re: [B.A.T.M.A.N.] securing batman gateway
From: Alexander Morlang @ 2007-06-26 22:31 UTC (permalink / raw)
To: The list for a Better Approach To Mobile Ad-hoc Networking
Stefano Scipioni wrote:
> I am working on a mesh cloud with WEP encryption on the wireless channel,
> olsr and openvpn to have a tunnel with the gateway.
>
> Batman has a tunnel with the gateway, but is it possible to secure it? In
> a first step, only clients with proper credentials can start the tunnel, and in
> a second step the tunnel is encrypted.
>
As the tunnel connects 2 nodes inside the mesh, IPsec transport (not
tunnel) could secure communication.
http://en.wikipedia.org/wiki/IPsec#Transport_mode
This would require fewer changes than implementing an additional tunnel
for encryption.
Regards, Alex
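Added example, not part of the thread and not code from the batman project: one way the transport-mode suggestion in the message above could look on a mesh client, assuming strongSwan with swanctl.conf on both nodes. The addresses, identities and file names are constructed placeholders.

```conf
# /etc/swanctl/swanctl.conf on a mesh client (constructed example)
# 10.0.0.23 = this client's mesh address, 10.0.0.1 = gateway node (placeholders)
connections {
    mesh-gateway {
        version = 2
        local_addrs  = 10.0.0.23
        remote_addrs = 10.0.0.1
        proposals = aes128-sha256-x25519

        local {
            # The client proves its identity with a certificate;
            # this is the "proper credentials" step.
            auth  = pubkey
            certs = meshClient23Cert.pem
            id    = "CN=mesh-client-23"
        }
        remote {
            # Accept only a gateway certificate issued by the mesh CA.
            auth    = pubkey
            id      = "CN=mesh-gateway"
            cacerts = meshCA.pem
        }
        children {
            gw-transport {
                # Transport mode protects the packets exchanged between the
                # two hosts without adding a second outer IP header, so the
                # routing daemon's own gateway tunnel rides inside ESP.
                mode = transport
                esp_proposals = aes128gcm16-x25519
                # Install policies now, negotiate the SA on first traffic.
                start_action = trap
            }
        }
    }
}
# The gateway mirrors this block with remote_addrs = %any and, in its
# remote section, cacerts = meshCA.pem without a fixed id, so any client
# holding a certificate from the mesh CA can connect and others cannot.
```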
* Re: [B.A.T.M.A.N.] securing batman gateway
From: Marek Lindner @ 2007-06-27 10:08 UTC (permalink / raw)
To: The list for a Better Approach To Mobile Ad-hoc Networking
Hi,
> Batman has a tunnel with the gateway, but is it possible to secure it? In a first
> step, only clients with proper credentials can start the tunnel, and in a second
> step the tunnel is encrypted.
I agree that this would be a good idea. Using the batman tunnels would be much
easier to set up than IPSec as everything is integrated. Besides that, a
lightweight encryption could be implemented which even runs on weaker
machines.
That feature is planned and a concept already exists. Nevertheless, the batman
developer team has a divided opinion about this idea. Some of us (including
me) think that it is a good opportunity to help spreading internet gateways
throughout a city wide mesh. The others fear that this could be the beginning
of the end of free mesh networks if we implement such control mechanisms.
What do you think? Why do you want this feature?
Btw: Does your vis server compile now?
Regards,
Marek
* Re: [B.A.T.M.A.N.] securing batman gateway
From: Alexander Morlang @ 2007-06-28 11:34 UTC (permalink / raw)
To: The list for a Better Approach To Mobile Ad-hoc Networking
Marek Lindner wrote:
> Hi,
>
>
>> Batman has a tunnel with the gateway, but is it possible to secure it? In a first
>> step, only clients with proper credentials can start the tunnel, and in a second
>> step the tunnel is encrypted.
>
> I agree that this would be a good idea. Using the batman tunnels would be much
> easier to set up than IPSec as everything is integrated. Besides that, a
> lightweight encryption could be implemented which even runs on weaker
> machines.
What is lightweight encryption? Does lightweight mean insecure? Is it
easier, because you are not familiar with IPSEC?
Building insecure crypto is worse than having no crypto, it would be a
"sicherheitsimulation". Building strong crypto is not easy, so many
failed to develop and implement it with more and better
crypto specialists than the batman team has.
>
> That feature is planned and a concept already exists. Nevertheless, the batman
> developer team has a divided opinion about this idea. Some of us (including
> me) think that it is a good opportunity to help spreading internet gateways
> throughout a city wide mesh. The others fear that this could be the beginning
> of the end of free mesh networks if we implement such control mechanisms.
> What do you think? Why do you want this feature?
Some batman developer once told me that implementing/supporting service
discovery inside batman is a bad idea, as they want to have batman as
slim as possible.
How does integrating crypto tunnels in a routing protocol conform
to that?
>
> Btw: Does your vis server compile now?
>
> Regards,
> Marek
Greets, Alex
* Re: [B.A.T.M.A.N.] securing batman gateway
From: Marek Lindner @ 2007-06-28 13:46 UTC (permalink / raw)
To: The list for a Better Approach To Mobile Ad-hoc Networking
Hi,
> What is lightweight encryption? Does lightweight mean insecure?
No. I don't know how much you know about encryption technologies but let me
tell you that there is technology which works better on embedded devices
than other technology. Simply because it was optimized for that purpose.
Using a CPU intense encryption does not make the communication more or less
insecure. The key is the overall security concept.
Since the focus of batman are embedded devices it seems obvious that we should
choose that direction.
> Is it easier, because you are not familiar with IPSEC?
You misunderstand. It is not a question of you and me. There are people in
this world who would like to use batman / mesh technology without being an IT
expert. That applies to most of our users ...
> Building insecure crypto is worse than having no crypto, it would be a
> "sicherheitsimulation". Building strong crypto is not easy, so many
> failed to develop and implement it with more and better
> crypto specialists than the batman team has.
I totally agree. I never proposed to reinvent the wheel by building our own
encryption technology. I'm well aware of the many issues which arise once you
choose that path.
> Some batman developer once told me that implementing/supporting service
> discovery inside batman is a bad idea, as they want to have batman as
> slim as possible. How does integrating crypto tunnels in a routing protocol
> conform to that?
I don't see the connection between your example and the current context.
Batman already builds that tunnel. Why should we not extend that existing
feature? Sure, you could create another tunnel in the tunnel.
The question is whether we give the ordinary user a tool at hand which enables
him to control the access of his internet gateway. What do you think?
Regards,
Marek