Hi All

I have a few questions I’m hoping you can help me with:

1] How do I make the single ethernet port in Ubiquiti devices such as the Rocket or the Bullet a WAN interface and not a LAN one? I’ve added a WAN interface and it works, but traffic from the LAN doesn’t pass through to it; I can only ping an internet destination from LuCI diagnostics, not from actual LAN clients.

2] How can I cook my profile for a device that isn’t listed? Can I submit one for addition? Or do I have to compile it manually outside of chef?

3] Is bmx7 already available in chef? If so how do I select it? And most importantly, will it break compatibility with bmx6 nodes if introduced later on? In a more general question, within the same network in chef, what can break compatibility between profiles?

I had written Pau a very long mail with these questions but I’m sure it was a little overwhelming [sorry about that ;]. I’m also having spam issues due to a recent server migration. I hope someone can help me with this.

Thank you so much in advance! I really appreciate your help.


Nicolas


From: Nicolas North <nk@os.vu>
Date: 27 January 2017 at 23:58:59
To: libremesh users <lime-users@lists.libremesh.org>
Subject:  Re: [lime-users] Security questions and customizations

Hi Pau!

Thank you very much for your very nice and kind introduction to this “new world” for us.

It’s kind of a shocker for us since - as I’ve mentioned - we discovered you exactly when putting the finishing touches on our very long research into olsr based mesh networks, and sparked some heated debate between us as whether to stay with our stable and known setup or to leave it aside and follow on with your project - since it looks extremely exciting.

I’m also amazed at the level of work that Axel [and you / others?] have put into bmx7 [I’ve watched the entire presentation from last year just tonight]. It’s very encouraging for me [being a complete security freak] to see others tackling the issue straight-on and with such open-mindedness. I’ve joined the bmx7 ml and will wait to read what they write :]

The lack of the web interface in LiMe is kind of scary for us, especially when building networks from scratch where even the slightest indication can make a difference in the real world when installing routers and stuff. I’m already missing the coloured strength indicators from olsr, but I’ll get used to it over time.

Thank you for the tips: I’ll try adding wpa2/aes to the AP wireless network. I’m trying with:

option ap_encryption 'psk2/aes'
option ap_key 'your-secret-password'

I have now reworked our naming conventions and allowed for mixed-band SSIDs. Back to actual technical problems ;]

I’ll hold off on 802.11s for now as I’m eagerly waiting for bmx7. Is it already available in chef? If so, how do I select it? And most importantly, will it break compatibility with bmx6 nodes if introduced later on? In a more general question, within the same network in chef, what can break compatibility between profiles?

A "big chunk" of our research was getting our firmware on every device possible, and we’ve been having a lot of fun with GL Inet mini-routers, that have performed optimally in our tests, supporting both the AP and MESH wireless networks with high speeds and low latency. Also we’ve been experimenting with portable wifi routers / power banks, that are based on older GL Inet router boards, with the idea of using them as a replacement for traditional 3G hotspot, therefore creating a dynamic mesh topology that follows you and others around. How could I, for instance, cook my profile for a device that isn’t listed? Can I submit one for addition? Or do I have to compile it manually outside of chef?

Our network aims to be a city-wide network. It’s a nearly-impossible ambition, but there’s nothing stopping us from trying. Our dream is to have it everywhere, and therefore its security is obviously a core issue. I think that bmx7 combined with some kind of online web-of-trust could be a good solution one day; for now we’ll have to wait and see how things evolve.

I hope I’m not violating any ml rules here by saying that our network is a project of our hacker space we’re bringing to life here in Milano, Italia. I won’t say any names in case this does go against the rules [advertising / propaganda / etc… ;]. I’m only mentioning this because, as I wrote on the Ninux ml a few weeks back, I’d love for anyone as passionate as we are about mesh networks to come and check out our humble but ambitious work, and to share with us their experiences, and - who knows - maybe even help us experiment out in the field the next generations of LiMe as you’ve so nicely suggested to us.

In any event I really hope to be able to attend one of the next conferences and meet you in person. I also hope we can somehow contribute to your fantastic project in the future beyond simple testing, once we acquire more skilled people that could actually make the difference for you.

Thank you so much once again. Please let me know what you think! I hope this makes some sort of sense :]


Nicolas


From: Pau <pau@dabax.net>
Reply: libremesh users <lime-users@lists.libremesh.org>
Date: 23 January 2017 at 19:02:02
To: lime-users@lists.libremesh.org <lime-users@lists.libremesh.org>
Subject:  Re: [lime-users] Security questions and customizations

Hi Nicolas. Welcome to the libre-mesh community :)

Find my comments in-line.

On 23/01/17 03:59, Nicolas North wrote:
> Hi there!
>
> I discovered your truly fantastic project through Ninux. I’m creating a mesh network here in Milano, Italia, with my project openspace. We are trying to build something truly scalable that could one day work all over the city. We started out with the excellent Commotion, and have moved onto a MetaMesh-like setup with pure openwrt and manual configurations for a lack of pre-compiled images of Commotion.
>
> I’ve now discovered your project which seems to be a dream come true, which is Commotion-like ease of creation and deployment, but with much wider compatibility. If I manage to embrace and understand this new world outside of olsr and if we can get a few details figured out I really think this could be the definitive way to go, at least for the time being.

Commotion vs. Libremesh has always been a nice topic since 2013, when we
did a talk together at the WCW in Berlin. There has also been some
cooperation between the teams, but obviously we chose different ways. I
would say that our approach is more experimental and innovative while
theirs is more conservative. What we do by mixing routing protocols on
different layers is kind of crazy for traditional thinking. But now
that it is implemented and working I would say it was the correct
choice. To know more: http://libre-mesh.org/howitworks.html

However the main missing point IMO for Libremesh is the web interface.
It is still on the to-do list. There is a first very-simple
implementation but we are planning to write it from scratch using LUCI2
as basis instead.

So the current idea under libre-mesh is that you prepare a
/etc/config/lime and/or /etc/config/lime-defaults configuration file for
your mesh network (it has a lot of options and it is very flexible). And
thanks to the implemented heuristics it should automatically work on all
your nodes. So one config for all nodes.

> You can check out the details of our current MetaMesh-like configuration here should you be curious: https://openspacex.github.io/openNET.io [temporary address]. It basically adds on top of MetaMesh to try and reach Commotion’s configuration flexibility, like WPA2 on AP and MESH levels, olsrd-secure, and other nifty little details. The writing of this howto is a work in progress, but we should be finished in about a week.
>
> All of this is the result of over a year of work on our part, thanks to all of the amazing projects like yours out there. While approaching your project as a total newbie that has only worked with Commotion and MetaMesh, is there anything in the large scale that works so fundamentally differently in libremesh from how our previous setup works, that we should be considering before starting out?

Thanks to you for working on this also :)

> If we start using LiMe in our network, we’d like to introduce WPA2 encryption on the AP and MESH wireless networks. And is it possible to separate the 2.4GHz and 5GHz MESH wireless network SSIDs? Also, do you authenticate nodes on the network, like olsrd-secure does? If so, how? Is it possible to change the ssh port of the various nodes [security-by-obscurity self-alert]?

WPA2 AP encryption is already implemented and working. Check [1] for
more details. About mesh encryption, there is currently a thread about
this issue. If you really need this (IMHO a preshared key on an open mesh
network makes no sense), you can use 802.11s for the link layer instead of
Ad-Hoc (which is already supported and tested on LiMe). 802.11s has its
own link layer encryption mechanism, but I never tested it. Check this as
an example [2]. If everything works as expected you might use these two
options in /etc/config/lime (wifi section):

option mesh_encryption 'psk2/aes'
option mesh_key 'your-secret-password'

Let us know if you try it please.

About authenticating nodes, LiMe will do it automatically if you choose to
use bmx7 instead of bmx6. Bmx7 has very advanced security extensions,
much more powerful than OLSR+plugin. However, it is still in beta state.
You can learn more about bmx7 here [3][4]. But don't worry, everything
is done automatically :)

[1] http://libre-mesh.org/docs/config.html
[2] https://wiki.openwrt.org/doc/howto/mesh.80211s
[3] http://bmx6.net/projects/bmx6/news
[4] http://bmx6.net/projects/bmx6/documents

> To better explain, we’re always trying to figure out how to make the infrastructure solid and resilient, and how to protect traffic and authenticate devices with more advanced crypto than simple symmetric keys [like the very WPA2 on mesh level and olsrd-secure passphrase that I’m inquiring about] that will leak in a matter of days after we start using them, so we’re the first to recognise the weakness of these protections, but they could be considered better than nothing perhaps? Do you have any other ideas?
>
> At the risk of going off-topic, may I ask what your approach to security matters like this is? In terms of traffic security, device authentication, and network-wide resistance to “attacks”? What are the weak spots of the protocols you’re using here, in the event of someone actually trying to take down a part of the network? I ask because I know that with olsr for instance it’s enough to set an already-in-use static IP to a device to break the meshing in a serious way, like in traditional networks. How are things here instead? A friend of mine was thinking of using a blockchain to authenticate the various routers entering the network, towards the dream of a network that can’t be stopped by anyone or anything, exactly like bitcoin.
>
> Anyway, back to us. How can I specify these extra details in the config file? I’m obviously happy to dig through documentation, but I have found nothing specific enough for my understanding. I’ve been able to change some parameters in chef under /etc/config/lime-defaults, but not all. I might be completely misunderstanding some fundamental details here, please excuse my ignorance.

All this is automatically handled by bmx7. Axel is doing a really good
job in this area. Do not hesitate to join the bmx mailing list and
ask anything you want to know.

Using blockchain on a 300MHz MIPS device might be very challenging. I
already considered this option in the past but I don't see it as a good
solution for the moment.

> Thank you so much in advance and super-kudos for your amazing work in any event!
>

Thanks to you.

Cheers!

> Nicolas

--
./p4u

_______________________________________________
lime-users mailing list
lime-users@lists.libremesh.org
https://lists.libremesh.org/mailman/listinfo/lime-users
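The ap_* options Nicolas is trying and the mesh_* options Pau suggests are all set by hand in the wifi section of /etc/config/lime, so a typo there (an unbalanced quote, an encryption mode with no key, a passphrase too short for WPA2-PSK) silently leaves a node weaker than intended. The following is an added example, not LibreMesh code: a small checker for that section. It assumes only the option names quoted in the thread and the standard UCI `config`/`option` line syntax; the sample config is constructed.

```python
import shlex

# Constructed sample, not a real node's config: ap_key is deliberately left
# without its closing quote, and mesh_key is too short to be a WPA2 passphrase.
SAMPLE_LIME_CONFIG = """
config lime 'wifi'
    option ap_encryption 'psk2/aes'
    option ap_key 'your-secret-password
    option mesh_encryption 'psk2/aes'
    option mesh_key 'short'
"""

def parse_uci_options(text):
    """Minimal UCI reader: returns ({section: {option: value}}, malformed).
    Only 'config <type> [name]' and 'option <name> <value>' lines are read;
    a value whose quotes do not balance is reported rather than kept."""
    sections, malformed, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split(None, 2)  # keyword, name, rest-of-line
        if words[0] == "config":
            parts = shlex.split(line)
            current = parts[2] if len(parts) > 2 else parts[1]
            sections[current] = {}
        elif words[0] == "option" and len(words) == 3 and current is not None:
            try:
                value = shlex.split(words[2])
            except ValueError:  # shlex: "No closing quotation"
                malformed.append((lineno, line))
                continue
            sections[current][words[1]] = value[0] if value else ""
    return sections, malformed

def audit_wifi(text):
    """Findings for the ap_*/mesh_* pairs: unbalanced quotes, an encryption
    mode without its key, or a key outside the 8-63 character WPA2-PSK range."""
    sections, malformed = parse_uci_options(text)
    findings = [f"line {n}: unbalanced quote in {l!r}" for n, l in malformed]
    wifi = sections.get("wifi", {})
    for p in ("ap", "mesh"):
        enc, key = wifi.get(f"{p}_encryption"), wifi.get(f"{p}_key")
        if enc and enc != "none" and key is None:
            findings.append(f"{p}_encryption set but {p}_key missing")
        elif key is not None and not 8 <= len(key) <= 63:
            findings.append(f"{p}_key length {len(key)} outside WPA2-PSK range 8-63")
    return findings
```

Run it against a node's real /etc/config/lime with `audit_wifi(open("/etc/config/lime").read())`; an empty list means the wifi section has no obvious key or quoting problem.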