Hi Nicolas. Welcome to the libre-mesh community :)
Find my comments in-line.
On 23/01/17 03:59, Nicolas North wrote:
Hi there!
I discovered your truly fantastic project through Ninux. I’m creating a mesh network here
in Milano, Italia, with my project openspace. We are trying to build something truly
scalable that could one day work all over the city. We started out with the excellent
Commotion, and have moved onto a MetaMesh-like setup with pure openwrt and manual
configurations for a lack of pre-compiled images of Commotion.
I’ve now discovered your project which seems to be a dream come true, which is
Commotion-like ease of creation and deployment, but with much wider compatibility. If I
manage to embrace and understand this new world outside of olsr and if we can get a few
details figured out I really think this could be the definitive way to go, at least for
the time being.
Commotion vs. Libremesh has always been a nice topic since 2013, when we
did a talk together at the WCW in Berlin. There has also been some
cooperation between the teams, but obviously we chose different ways. I
would say that our approach is more experimental and innovative while
theirs is more conservative. What we do by mixing routing protocols on
different layers is kind of crazy for traditional thinking. But now
that it is implemented and working I would say it was the correct
choice. To know more:
http://libre-mesh.org/howitworks.html
However, the main missing point IMO for Libremesh is the web interface.
It is still on the to-do list. There is a first very simple
implementation, but we are planning to write it from scratch using LUCI2
as a basis instead.
So the current idea under libre-mesh is that you prepare a
/etc/config/lime and/or /etc/config/lime-defaults configuration file for
your mesh network (it has a lot of options and it is very flexible). And
thanks to the implemented heuristics it should automatically work on all
your nodes. So one config for all nodes.
You can check out the details of our current
MetaMesh-like configuration here should you be curious:
https://openspacex.github.io/openNET.io [temporary address]. It basically adds on top of
MetaMesh to try and reach Commotion’s configuration flexibility, like WPA2 on AP and MESH
levels, olsrd-secure, and other nifty little details. The writing of this howto is a work
in progress, but we should be finished in about a week.
All of this is the result of over a year of work on our part, thanks to all of the amazing
projects like yours out there. While approaching your project as a total newbie that has
only worked with Commotion and MetaMesh, is there anything in the large scale that works
so fundamentally differently in libremesh from how our previous setup works, that we
should be considering before starting out?
Thanks to you for working on this also :)
If we start using LiMe on our network, we’d like to
introduce WPA2 encryption on the AP and MESH wireless networks. And is it possible to
separate the 2.4ghz and 5ghz MESH wireless networks SSIDs? Also, do you authenticate nodes
on the network, like olsrd-secure does? If so, how? Is it possible to change the ssh port
of the various nodes [security-by-obscurity self-alert]?
WPA2 AP encryption is already implemented and working. Check [1] for
more details. About mesh encryption, there is currently a thread about
this issue. If you really need this (IMHO a preshared key on an open mesh
network makes no sense), you can use 802.11s for the link layer instead of
Ad-Hoc (which is already supported and tested on LiMe). 802.11s has its
own link layer encryption mechanism, but I never tested it. Check this as
an example [2]. If everything works as expected you might use these two
options in /etc/config/lime (wifi section):
option mesh_encryption 'psk2/aes'
option mesh_key 'your-secret-password'
Let us know if you try it please.
About authenticating nodes, LiMe will do it automatically if you choose to
use bmx7 instead of bmx6. Bmx7 has very advanced security extensions,
much more powerful than OLSR+plugin. However it is still in beta state.
You can learn more about bmx7 here [3][4]. But don't worry, everything
is done automatically :)
[1] http://libre-mesh.org/docs/config.html
[2] https://wiki.openwrt.org/doc/howto/mesh.80211s
[3] http://bmx6.net/projects/bmx6/news
[4] http://bmx6.net/projects/bmx6/documents
To better explain, we’re always trying to figure out
how to make the infrastructure solid and resilient, and how to protect traffic and
authenticate devices with more advanced crypto than simple symmetric keys [like the very
WPA2 on mesh level and olsrd-secure passphrase that I’m inquiring about] that will leak in
a matter of days after we start using them, so we’re the first to recognise the weakness
of these protections, but they could be considered better than nothing perhaps? Do you
have any other ideas?
At the risk of going off-topic, may I ask what your approach to security matters like
this is? In terms of traffic security, device authentication, and network-wide resistance
to “attacks”? What are the weak spots of the protocols you’re using here, in the event of
someone actually trying to take down a part of the network? I ask because I know that with
olsr for instance it’s enough to set an already-in-use static IP to a device to break the
meshing in a serious way, like in traditional networks. How are things here instead? A
friend of mine was thinking of using a blockchain to authenticate the various routers
entering the network, towards the dream of a network that can’t be stopped by anyone or
anything, exactly like bitcoin.
Anyway, back to us. How can I specify these extra details in the config file? I’m
obviously happy to dig through documentation, but I have found nothing specific enough for
my understanding. I’ve been able to change some parameters in chef under
/etc/config/lime-defaults, but not all. I might be completely misunderstanding some
fundamental details here, please excuse my ignorance.
All this is automatically handled by bmx7. Axel is doing a really good
job in this area. Do not hesitate to join the bmx mailing list and
ask anything you want to know.
Using a blockchain on a 300MHz MIPS device might be very challenging. I
already considered this option in the past, but I don't see it as a good
solution for the moment.
Thank you so much in advance and super-kudos for your
amazing work in any event!
Thanks to you.
Cheers!
Nicolas
_______________________________________________
lime-users mailing list
lime-users(a)lists.libremesh.org
https://lists.libremesh.org/mailman/listinfo/lime-users
--
./p4u
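The "one config for all nodes" idea and the mesh_encryption / mesh_key options discussed in the reply above invite a sanity check before a config is pushed to every node. The following is an added example, not code from the libremesh project or from either poster: a small Python linter that parses a UCI-style /etc/config/lime file and flags an open or ad-hoc mesh, a non-WPA2 setting, a passphrase outside the 8..63 character WPA2-PSK range, and placeholder keys such as the 'your-secret-password' value quoted above. The option names mesh_encryption and mesh_key come from the reply; the names modes, ap_ssid, ap_encryption and ap_key and the mode names ap / adhoc / ieee80211s are assumptions made for this illustration, and both config fragments are constructed samples.

```python
"""Lint a UCI-style /etc/config/lime file for weak wireless settings.

Added example for this thread; not code from the libremesh project.
Assumptions: 'modes', 'ap_ssid', 'ap_encryption' and 'ap_key' are
illustrative option names and 'ap' / 'adhoc' / 'ieee80211s' are
illustrative mode names.  'mesh_encryption' and 'mesh_key' are the
options quoted in the reply.  8..63 characters is the WPA/WPA2-PSK
ASCII passphrase range.
"""
import shlex

WPA_PSK_MIN, WPA_PSK_MAX = 8, 63
PLACEHOLDER_KEYS = {"your-secret-password", "changeme", "password"}

# Constructed sample: the weak side (ad-hoc mesh, too-short AP passphrase).
WEAK_LIME = """\
config lime 'wifi'
    option modes 'ap adhoc'
    option ap_ssid 'openspace'
    option ap_encryption 'psk2'
    option ap_key 'short'
"""

# Constructed sample: the corrected side (802.11s mesh with its own key).
HARDENED_LIME = """\
config lime 'wifi'
    option modes 'ap ieee80211s'
    option ap_ssid 'openspace'
    option ap_encryption 'psk2'
    option ap_key 'Tq8v!Lm2-Rw5zP9e'
    option mesh_encryption 'psk2/aes'
    option mesh_key 'Hs4k^Nb7_Vd1xQ3m'
"""


def parse_uci(text):
    """Parse UCI text into [(section_type, section_name, {option: value})].

    'option' values are strings, 'list' values accumulate into lists.
    shlex handles UCI's single-quoted values and trailing '#' comments.
    """
    sections, current = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        keyword = parts[0]
        if keyword == "config" and len(parts) >= 2:
            current = (parts[1], parts[2] if len(parts) > 2 else None, {})
            sections.append(current)
        elif keyword in ("option", "list") and current is not None and len(parts) >= 2:
            value = parts[2] if len(parts) > 2 else ""
            if keyword == "option":
                current[2][parts[1]] = value
            else:
                current[2].setdefault(parts[1], []).append(value)
        else:
            raise ValueError("unsupported UCI line: %r" % raw)
    return sections


def lint_wifi(sections):
    """Return human-readable findings for the 'config lime wifi' section."""
    wifi = next((o for t, n, o in sections if t == "lime" and n == "wifi"), None)
    if wifi is None:
        return ["no 'config lime wifi' section found"]
    findings = []
    modes = wifi.get("modes", "").split()
    # Radio roles that carry a WPA2-PSK: (mode name, encryption option, key option)
    for role, enc_opt, key_opt in (("ap", "ap_encryption", "ap_key"),
                                   ("ieee80211s", "mesh_encryption", "mesh_key")):
        if role not in modes:
            continue
        enc = wifi.get(enc_opt, "none")
        if enc in ("", "none"):
            findings.append("%s: runs open (%s unset)" % (role, enc_opt))
            continue
        if not enc.startswith("psk2"):
            findings.append("%s: %s=%r is not WPA2-PSK" % (role, enc_opt, enc))
        key = wifi.get(key_opt, "")
        if not WPA_PSK_MIN <= len(key) <= WPA_PSK_MAX:
            findings.append("%s: %s length %d outside %d-%d"
                            % (role, key_opt, len(key), WPA_PSK_MIN, WPA_PSK_MAX))
        elif key in PLACEHOLDER_KEYS:
            findings.append("%s: %s is a placeholder value" % (role, key_opt))
    if "adhoc" in modes:
        # The reply offers no encryption for the ad-hoc mesh and points to 802.11s.
        findings.append("adhoc: no mesh encryption configured for ad-hoc; "
                        "use ieee80211s with mesh_encryption/mesh_key instead")
    return findings


def lint_text(text):
    """Convenience wrapper: parse and lint a config file's contents."""
    return lint_wifi(parse_uci(text))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_LIME), ("hardened", HARDENED_LIME)):
        print(label, lint_text(cfg) or "OK")
```

Run it against a real file with `lint_text(open("/etc/config/lime").read())` on a build host before the config is copied to the nodes; an empty list means nothing was flagged, and the findings are plain strings so they can be fed into whatever review step the deployment already has.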