Hi All
I have a few questions I’m hoping you can help me with:
1] How do I make the single ethernet port in ubiquiti devices such as the
rocket or the bullet a wan interface and not a lan? I’ve added a wan
interface and it works but traffic from lan doesn’t pass through to it, I
can only ping an internet destination from luci diagnostics, not from
actual lan clients.
Where did you add it?
You should add it in /etc/config/lime, not in /etc/config/network or other places.
2] How can I cook my profile for a device that isn’t listed? Can I submit
one for addition? Or do I have to compile it manually outside of chef?
Usually images for all devices are built, but only the ones we have tested more
are listed; take a look in the bin dir.
3] Is bmx7 already available in chef? If so how do I select it? And most
importantly, will it break compatibility with bmx6 nodes if introduced
later on? In a more general question, within the same network in chef, what
can break compatibility between profiles?
It is probably already available, but you have to select it in your custom
profile. It is not as tested as bmx6, and yes, it breaks compatibility with bmx6.
Cheers!
I had written Pau a very long mail with these questions but I’m sure it was
a little overwhelming [sorry about that ;]. I’m also having spam issues due
to a recent server migration. I hope someone can help me with this.
Thank you so much in advance! I really appreciate your help.
Nicolas
From: Nicolas North <nk(a)os.vu>
Date: 27 January 2017 at 23:58:59
To: libremesh users <lime-users(a)lists.libremesh.org>
Subject: Re: [lime-users] Security questions and customizations
Hi Pau!
Thank you very much for your very nice and kind introduction to this “new
world” for us.
It’s kind of a shocker for us since - as I’ve mentioned - we discovered you
exactly when putting the finishing touches on our very long research into
olsr based mesh networks, and sparked some heated debate between us as
whether to stay with our stable and known setup or to leave it aside and
follow on with your project - since it looks extremely exciting.
I’m also amazed at the level of work that Axel [and you / others?] have put
into bmx7 [I’ve watched the entire presentation from last year just
tonight]. It’s very encouraging for me [being a complete security freak] to
see others tackling the issue straight-on and with such open-mindedness.
I’ve joined the bmx7 ml and will wait to read what they write :]
The lack of the web interface in LiMe is kind of scary for us, especially
when building networks from scratch where even the slightest indication can
make a difference in the real world when installing routers and stuff. I’m
already missing the coloured strength indicators from olsr, but I’ll get
used to it over time.
Thank you for the tips: I’ll try adding wpa2/aes to the AP wireless network.
I’m trying with:
option ap_encryption 'psk2/aes'
option ap_key 'your-secret-password'
I now have reworked our naming conventions and allowed for mixed-band
SSIDs. Back to actual technical problems ;]
I’ll hold off on 802.11s for now as I’m eagerly waiting for bmx7. Is it
already available in chef? If so how do I select it? And most importantly,
will it break compatibility with bmx6 nodes if introduced later on? In a
more general question, within the same network in chef, what can break
compatibility between profiles?
A "big chunk" of our research was getting our firmware on every device
possible, and we’ve been having a lot of fun with GL Inet mini-routers,
that have performed optimally in our tests, supporting both the AP and MESH
wireless networks with high speeds and low latency. Also we’ve been
experimenting with portable wifi routers / power banks, that are based on
older GL Inet router boards, with the idea of using them as a replacement
for traditional 3G hotspot, therefore creating a dynamic mesh topology that
follows you and others around. How could I, for instance, cook my profile
for a device that isn’t listed? Can I submit one for addition? Or do I have
to compile it manually outside of chef?
Our network aims to be a city-wide network. It’s a nearly-impossible
ambition, but there’s nothing stopping us from trying. Our dream is to have
it everywhere, and therefore its security is obviously a core issue. I
think that bmx7 combined with some kind of online web-of-trust could be
a good solution one day; for now we’ll have to wait and see how things
evolve.
I hope I’m not violating any ml rules here by saying that our network is a
project of our hacker space we’re bringing to life here in Milano, Italia.
I won’t say any names in case this does go against the rules [advertising /
propaganda / etc… ;]. I’m only mentioning this because, as I wrote on the
Ninux ml a few weeks back, I’d love for anyone as passionate as we are
about mesh networks to come and check out our humble but ambitious work,
and to share with us their experiences, and - who knows - maybe even help
us experiment out in the field the next generations of LiMe as you’ve so
nicely suggested to us.
In any event I really hope to be able to attend one of the next conferences
and meet you in person. I also hope we can somehow contribute to your
fantastic project in the future beyond simple testing, once we acquire more
skilled people that could actually make the difference for you.
Thank you so much once again. Please let me know what you think! I hope this
makes some sort of sense :]
Nicolas
From: Pau <pau(a)dabax.net>
Reply: libremesh users <lime-users(a)lists.libremesh.org>
Date: 23 January 2017 at 19:02:02
To: lime-users(a)lists.libremesh.org <lime-users(a)lists.libremesh.org>
Subject: Re: [lime-users] Security questions and customizations
Hi Nicolas. Welcome to the libre-mesh community :)
Find my comments in-line.
On 23/01/17 03:59, Nicolas North wrote:
Hi there!
I discovered your truly fantastic project through Ninux. I’m creating a
mesh network here in Milano, Italia, with my project openspace. We are
trying to build something truly scalable that could one day work all over
the city. We started out with the excellent Commotion, and have moved
onto a MetaMesh-like setup with pure openwrt and manual configurations
for a lack of pre-compiled images of Commotion.
I’ve now discovered your project which seems to be a dream come true,
which is Commotion-like ease of creation and deployment, but with much
wider compatibility. If I manage to embrace and understand this new world
outside of olsr and if we can get a few details figured out I really
think this could be the definitive way to go, at least for the time
being.
Commotion vs. Libremesh has always been a nice topic since 2013, when we
did a talk together at the WCW in Berlin. There has also been some
cooperation between teams, but obviously we chose different ways. I
would say that our approach is more experimental and innovative while
theirs is more conservative. What we do by mixing routing protocols on
different layers is kind of crazy for the traditional thinking. But now
that it is implemented and working I would say it was the correct
choice. To know more:
http://libre-mesh.org/howitworks.html
However the main missing point IMO for Libremesh is the web interface.
It is still on the to-do list. There is a first very-simple
implementation but we are planning to write it from scratch using LUCI2
as basis instead.
So the current idea under libre-mesh is that you prepare a
/etc/config/lime and/or /etc/config/lime-defaults configuration file for
your mesh network (it has a lot of options and it is very flexible). And
thanks to the implemented heuristics it should automatically work on all
your nodes. So one config for all nodes.
You can check out the details of our current MetaMesh-like configuration
here should you be curious:
https://openspacex.github.io/openNET.io
[temporary address]. It basically adds on top of MetaMesh to try and
reach Commotion’s configuration flexibility, like WPA2 on AP and MESH
levels, olsrd-secure, and other nifty little details. The writing of this
howto is a work in progress, but we should be finished in about a week.
All of this is the result of over a year of work on our part, thanks to all
of the amazing projects like yours out there. While approaching your
project as a total newbie that has only worked with Commotion and
MetaMesh, is there anything in the large scale that works so
fundamentally differently in libremesh from how our previous setup works,
that we should be considering before starting out?
Thanks to you for working on this also :)
If we start using LiMe on our network, we’d like to introduce WPA2
encryption on the AP and MESH wireless networks. And is it possible to
separate the 2.4ghz and 5ghz MESH wireless networks SSIDs? Also, do you
authenticate nodes on the network, like olsrd-secure does? If so, how? Is
it possible to change the ssh port of the various nodes
[security-by-obscurity self-alert]?
WPA2 AP encryption is already implemented and working. Check [1] for
more details. About mesh encryption, there is currently a thread about
this issue. If you really need this (IMHO a preshared key on an open mesh
network makes no sense), you can use 802.11s for the link layer instead of
Ad-Hoc (which is already supported and tested on LiMe). 802.11s has its
own link-layer encryption mechanism, but I never tested it. Check this as
an example [2]. If everything works as expected you might use these two
options in /etc/config/lime (wifi section):
option mesh_encryption 'psk2/aes'
option mesh_key 'your-secret-password'
Let us know if you try it please.
About authenticating nodes, LiMe will do it automatically if you choose to
use bmx7 instead of bmx6. Bmx7 has very advanced security extensions,
much more powerful than OLSR+plugin. However it is still in beta state.
You can learn more about bmx7 here [3][4]. But don't worry, everything
is done automatically :)
[1] http://libre-mesh.org/docs/config.html
[2] https://wiki.openwrt.org/doc/howto/mesh.80211s
[3] http://bmx6.net/projects/bmx6/news
[4] http://bmx6.net/projects/bmx6/documents
To better explain, we’re always trying to figure out how to make the
infrastructure solid and resilient, and how to protect traffic and
authenticate devices with more advanced crypto than simple symmetric keys
[like the very WPA2 on mesh level and olsrd-secure passphrase that I’m
inquiring about] that will leak in a matter of days after we start using
them, so we’re the first to recognise the weakness of these protections,
but they could be considered better than nothing perhaps? Do you have any
other ideas?
At the risk of going off-topic, may I ask what your approach to security
matters like this is? In terms of traffic security, device
authentication, and network-wide resistance to “attacks”? What are the
weak spots of the protocols you’re using here, in the event of someone
actually trying to take down a part of the network? I ask because I know
that with olsr for instance it’s enough to set an already-in-use static
IP to a device to break the meshing in a serious way, like in traditional
networks. How are things here instead? A friend of mine was thinking of
using a blockchain to authenticate the various routers entering the
network, towards the dream of a network that can’t be stopped by anyone
or anything, exactly like bitcoin.
Anyway, back to us. How can I specify these extra details in the config
file? I’m obviously happy to dig through documentation, but I have found
nothing specific enough for my understanding. I’ve been able to change
some parameters in chef under /etc/config/lime-defaults, but not all. I
might be completely misunderstanding some fundamental details here,
please excuse my ignorance.
All this is automatically handled by bmx7. Axel is doing a really good
job in this scope. Do not hesitate to join the bmx mailing list and
ask anything you want to know.
Using blockchain on a 300MHz MIPS device might be very challenging. I
already considered this option in the past but I don't see it as a good
solution for the moment.
Thank you so much in advance and super-kudos for your amazing work in any
event!
Thanks to you.
Cheers!
Nicolas
_______________________________________________
lime-users mailing list
lime-users(a)lists.libremesh.org
https://lists.libremesh.org/mailman/listinfo/lime-users
--
./p4u
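A small sanity check for the ap_*/mesh_* encryption options Pau lists above, and for the ap_key line in Nicolas's reply (which ends in a typographic quote instead of an ASCII apostrophe, so the key would never match what a client types). This is an added example, not part of the thread and not LibreMesh's or OpenWrt's own tooling. It assumes the options live in a "config lime wifi" section of /etc/config/lime (an assumption made for the example; the option names ap_encryption, ap_key, mesh_encryption and mesh_key are the ones quoted in the thread) and uses the 8..63-character passphrase bounds that 802.11 sets for a WPA2-PSK key. The two config fragments are constructed for the example.

```python
import re

# Constructed sample (not from the thread): a fragment of /etc/config/lime in
# OpenWrt UCI syntax. The "config lime wifi" section header is an assumption
# made for this example; the option names are the ones quoted in the thread.
# The ap_key line deliberately ends with a typographic quote (U+2019) instead
# of an ASCII apostrophe, as in the e-mail above, and mesh_key is too short.
SAMPLE_LIME_CONFIG = (
    "config lime wifi\n"
    "\toption ap_ssid 'openNET'\n"
    "\toption ap_encryption 'psk2/aes'\n"
    "\toption ap_key 'your-secret-password\u2019\n"
    "\toption mesh_encryption 'psk2/aes'\n"
    "\toption mesh_key 'short'\n"
)

# The same constructed fragment with both problems corrected.
FIXED_LIME_CONFIG = (
    "config lime wifi\n"
    "\toption ap_ssid 'openNET'\n"
    "\toption ap_encryption 'psk2/aes'\n"
    "\toption ap_key 'your-secret-password'\n"
    "\toption mesh_encryption 'psk2/aes'\n"
    "\toption mesh_key 'a-longer-mesh-passphrase'\n"
)

# IEEE 802.11 passphrase bounds for a WPA/WPA2 pre-shared key.
WPA_PASSPHRASE_MIN, WPA_PASSPHRASE_MAX = 8, 63

_UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*?))?\s*$")


def _unquote(raw):
    """Strip UCI quoting from a value token; report a mismatched quote."""
    if not raw:
        return "", None
    if raw[0] in "'\"":
        if len(raw) < 2 or raw[-1] != raw[0]:
            return raw, "unbalanced quote in %r" % raw
        return raw[1:-1], None
    return raw, None


def parse_uci(text):
    """Parse UCI text into [(type, name, {option: value})] plus syntax errors."""
    sections, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _UCI_LINE.match(line)
        if not m:
            continue  # blank line or comment
        kind, name, raw = m.groups()
        value, err = _unquote(raw)
        if err:
            errors.append("line %d: %s" % (lineno, err))
        if kind == "config":
            sections.append((name, value, {}))
        elif not sections:
            errors.append("line %d: %s before any config section" % (lineno, kind))
        elif kind == "list":
            sections[-1][2].setdefault(name, []).append(value)
        else:
            sections[-1][2][name] = value
    return sections, errors


def audit_wifi(text):
    """Return a list of findings for the ap_*/mesh_* encryption options."""
    sections, findings = parse_uci(text)
    wifi = [opts for _, name, opts in sections if name == "wifi"]
    if not wifi:
        return findings + ["no wifi section found"]
    opts = wifi[0]
    for prefix in ("ap", "mesh"):
        enc = opts.get(prefix + "_encryption", "none")
        key = opts.get(prefix + "_key")
        if enc == "none":
            if key is not None:
                findings.append("%s_key is set but %s_encryption is not" % (prefix, prefix))
            continue  # an open AP/mesh is a deliberate choice, not a typo
        mode = enc.split("/")[0]
        if mode == "psk":
            findings.append("%s_encryption %r selects WPA(1)-PSK; prefer psk2" % (prefix, enc))
        elif mode != "psk2":
            findings.append("%s_encryption %r is not a PSK mode this check knows" % (prefix, enc))
        if key is None:
            findings.append("%s_encryption is set but %s_key is missing" % (prefix, prefix))
        elif not WPA_PASSPHRASE_MIN <= len(key) <= WPA_PASSPHRASE_MAX:
            findings.append("%s_key length %d is outside %d..%d characters"
                            % (prefix, len(key), WPA_PASSPHRASE_MIN, WPA_PASSPHRASE_MAX))
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_LIME_CONFIG), ("fixed", FIXED_LIME_CONFIG)):
        print(label, audit_wifi(cfg) or ["ok"])
```

Run it against a copy of /etc/config/lime before flashing: the sample fragment yields two findings (the unbalanced quote on the ap_key line and the 5-character mesh_key), the corrected fragment yields none. The parser is deliberately minimal and only knows the three UCI statement kinds; it is meant to catch copy-paste mistakes in the two options under discussion, not to validate a whole LibreMesh configuration.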