[B.A.T.M.A.N.] About making batman-adv mesh network invisible (by encrypting Beacon frame)

[B.A.T.M.A.N.] About making batman-adv mesh network invisible (by encrypting Beacon frame)

[Xuebing Wang]

Hi community,

We have batman-adv + OpenWRT + ath9k chip + ath9k driver reliably 
running for about 2 years. The biggest batman-adv mesh network is with 
100+ nodes.

As this is a closed network, we have a new requirement which is to make 
our batman-adv mesh network invisible, although the current SSID is just 
some meaningless characters.

One thought is hidden_ssid. But, it seems hidden_ssid is only supported 
for AP mode (not IBSS mode).

802.11w does not protect Beacon frame (because it is before four-ways 
handshake).

As this is a closed network, what about encrypting Beacon (maybe all 
management frames later) using a hard-coded key in wpa_supplicant?

Thanks for your help.

Xuebing Wang

Re: [B.A.T.M.A.N.] About making batman-adv mesh network invisible (by encrypting Beacon frame)

[Simon Wunderlich]

[-- Attachment #1: Type: text/plain, Size: 1071 bytes --]

Hi Xuebing,

at least for Ad-Hoc mode, you can't hide the SSID without changing the kernel 
driver (mac80211). Encrypting the beacon doesn't help here, as the SSID needs 
to be clear text eventually even if management frames get encrypted.

Cheers,
       Simon

On Saturday, March 30, 2019 11:50:27 AM CEST Xuebing Wang wrote:
> Hi community,
> 
> We have batman-adv + OpenWRT + ath9k chip + ath9k driver reliably
> running for about 2 years. The biggest batman-adv mesh network is with
> 100+ nodes.
> 
> As this is a closed network, we have a new requirement which is to make
> our batman-adv mesh network invisible, although the current SSID is just
> some meaningless characters.
> 
> One thought is hidden_ssid. But, it seems hidden_ssid is only supported
> for AP mode (not IBSS mode).
> 
> 802.11w does not protect Beacon frame (because it is before four-ways
> handshake).
> 
> As this is a closed network, what about encrypting Beacon (maybe all
> management frames later) using a hard-coded key in wpa_supplicant?
> 
> Thanks for your help.
> 
> Xuebing Wang


[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [B.A.T.M.A.N.] About making batman-adv mesh network invisible

[Xuebing Wang]

Hi Simon,

Thanks a lot for your reply.

With ath9k chip and ath9k driver, do you think it is possible to use 
"proprietary modulation" (slightly modified), so wireshark + wlan in 
monitor mode won't be able to detect wireless frames batman-adv network 
sends?

Xuebing Wang

On 2019/4/1 下午5:59, Simon Wunderlich wrote:
> Hi Xuebing,
>
> at least for Ad-Hoc mode, you can't hide the SSID without changing the kernel
> driver (mac80211). Encrypting the beacon doesn't help here, as the SSID needs
> to be clear text eventually even if management frames get encrypted.
>
> Cheers,
>         Simon
>
> On Saturday, March 30, 2019 11:50:27 AM CEST Xuebing Wang wrote:
>> Hi community,
>>
>> We have batman-adv + OpenWRT + ath9k chip + ath9k driver reliably
>> running for about 2 years. The biggest batman-adv mesh network is with
>> 100+ nodes.
>>
>> As this is a closed network, we have a new requirement which is to make
>> our batman-adv mesh network invisible, although the current SSID is just
>> some meaningless characters.
>>
>> One thought is hidden_ssid. But, it seems hidden_ssid is only supported
>> for AP mode (not IBSS mode).
>>
>> 802.11w does not protect Beacon frame (because it is before four-ways
>> handshake).
>>
>> As this is a closed network, what about encrypting Beacon (maybe all
>> management frames later) using a hard-coded key in wpa_supplicant?
>>
>> Thanks for your help.
>>
>> Xuebing Wang

Re: [B.A.T.M.A.N.] About making batman-adv mesh network invisible

[Simon Wunderlich]

[-- Attachment #1: Type: text/plain, Size: 1918 bytes --]

Hi Xuebing,

I'm not aware of any "proprietary modulation", and I doubt it's possible - at 
least not while using an AP at the same time. You can look into 5/10 MHz mode 
or do other quirks if mesh is the only thing running on your module though.

Cheers,
     Simon

On Saturday, April 6, 2019 2:06:55 PM CEST Xuebing Wang wrote:
> Hi Simon,
> 
> Thanks a lot for your reply.
> 
> With ath9k chip and ath9k driver, do you think it is possible to use
> "proprietary modulation" (slightly modified), so wireshark + wlan in
> monitor mode won't be able to detect wireless frames batman-adv network
> sends?
> 
> Xuebing Wang
> 
> On 2019/4/1 下午5:59, Simon Wunderlich wrote:
> > Hi Xuebing,
> > 
> > at least for Ad-Hoc mode, you can't hide the SSID without changing the
> > kernel driver (mac80211). Encrypting the beacon doesn't help here, as the
> > SSID needs to be clear text eventually even if management frames get
> > encrypted.
> > 
> > Cheers,
> > 
> >         Simon
> > 
> > On Saturday, March 30, 2019 11:50:27 AM CEST Xuebing Wang wrote:
> >> Hi community,
> >> 
> >> We have batman-adv + OpenWRT + ath9k chip + ath9k driver reliably
> >> running for about 2 years. The biggest batman-adv mesh network is with
> >> 100+ nodes.
> >> 
> >> As this is a closed network, we have a new requirement which is to make
> >> our batman-adv mesh network invisible, although the current SSID is just
> >> some meaningless characters.
> >> 
> >> One thought is hidden_ssid. But, it seems hidden_ssid is only supported
> >> for AP mode (not IBSS mode).
> >> 
> >> 802.11w does not protect Beacon frame (because it is before four-ways
> >> handshake).
> >> 
> >> As this is a closed network, what about encrypting Beacon (maybe all
> >> management frames later) using a hard-coded key in wpa_supplicant?
> >> 
> >> Thanks for your help.
> >> 
> >> Xuebing Wang


[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]