[Babel-users] babeld-2.0

Dave Taht d at teklibre.org
Thu Apr 22 17:24:30 UTC 2010


On 04/22/2010 10:42 AM, Juliusz Chroboczek wrote:
>> I am curious if you have considered adding a security extension to any
>> extent in the upcoming releases?
>>      
> No.  What do you have in mind?
>
>                                          Juliusz
>    

I saw you had left room for it, throughout the protocol specification. A 
problem with all the mesh routing protocols available to date is the 
total lack of security in them.

The only halfway decent IPv6 capable AND secure protocols are BGP and 
OSPFv3, and secure OSPF under IPv6 requires (shudder) IPsec in order to 
work. (Actually, somebody got OSPF and IPv6 and IPsec to work recently - 
http://blog.linux.gen.nz/2010/04/using-ipsec-to-authenticate-ipv6-ospf-under-linux/)

Given that mesh networks are almost by definition highly insecure, a 
random attacker can seriously disrupt the network via a variety of 
means. It would be nice to reduce the attack vectors somewhat.

Possibly the security extensions like "autokey" in ntp4 - see

http://support.ntp.org/bin/view/Support/ConfiguringAutokey

for an incredibly complex, overly dense discussion, with - as always 
seems to be the case with security systems - too many different options 
for deployment.

(I kind of like the idea of multicast, or at least, secure, ntp, but I 
digress)

and the interesting design of the latest multicast uftp code - see 
http://www.tcnj.edu/~bush/uftp.html  - might be a set of ideas to start 
from.

At the moment I'm actually experimenting with *all* this stuff, 
together, on an OpenWrt + NanoStation M5 based prototype mesh network. 
The M5s are nice - 8MB of flash, 32MB of RAM, with a 400MHz CPU, running 
on the 5.8GHz radio band. They run just about everything I've thrown at 
them so far... 300Mbit 802.11n currently works in AP/STA mode and I have 
hope that the drivers will come along for ad-hoc, soon (currently 
limited to 802.11a). (If anyone has M5s and would like my current build 
of OpenWrt, let me know offlist)

There are certainly other problems, like secure neighbor discovery 
(RFC 3971) was only implemented once, in Perl of all things...

... but you gotta tackle things one piece at a time.



