b.a.t.m.a.n.lists.open-mesh.org archive mirror
* batman-adv related query
@ 2021-01-30  9:25 Moullick Mehra
  2021-01-30  9:36 ` batman-adv: User defined nonce in packet header [was: batman-adv related query] Sven Eckelmann
  0 siblings, 1 reply; 4+ messages in thread
From: Moullick Mehra @ 2021-01-30  9:25 UTC (permalink / raw)
  To: b.a.t.m.a.n

Hi,
I have been using BATMAN-ADV for a while now.
Just had a question. Is there any way to add a nonce value to the
packet header? The reason being that I want to add an authentication
mechanism where the firewall permits only selected headers that have
this nonce. Hope this makes sense.

Thanks and Regards
Moullick Mehra


* batman-adv: User defined nonce in packet header [was: batman-adv related query]
  2021-01-30  9:25 batman-adv related query Moullick Mehra
@ 2021-01-30  9:36 ` Sven Eckelmann
       [not found]   ` <CAJZjC1sCQRd_QBYcaQUWADTjgA6FBp0qshhUxrmw9tXkjYKu3Q@mail.gmail.com>
  0 siblings, 1 reply; 4+ messages in thread
From: Sven Eckelmann @ 2021-01-30  9:36 UTC (permalink / raw)
  To: Moullick Mehra; +Cc: b.a.t.m.a.n


[please use a relevant subject when writing to the mailing list]

On Saturday, 30 January 2021 10:25:51 CET Moullick Mehra wrote:
> Is there any way to add a nonce value to the
> packet header? The reason being that I want to add an authentication
> mechanism where the firewall permits only selected headers that have
> this nonce. Hope this makes sense.

Not with the mainline batman-adv. But you can always add your own changes to 
your code - making it incompatible with mainline batman-adv.

But I would highly recommend handling authentication on a layer outside of 
batman-adv.

Btw. "nonce" is a "number only used once". And you wrote here that the 
firewall only whitelists one specific nonce. Which would imply that your nonce 
is not used only once...

Kind regards,
	Sven


* Re: batman-adv: User defined nonce in packet header
       [not found]   ` <CAJZjC1sCQRd_QBYcaQUWADTjgA6FBp0qshhUxrmw9tXkjYKu3Q@mail.gmail.com>
@ 2021-01-30 10:06     ` Sven Eckelmann
  2021-01-30 14:01       ` Sven Eckelmann
  0 siblings, 1 reply; 4+ messages in thread
From: Sven Eckelmann @ 2021-01-30 10:06 UTC (permalink / raw)
  To: Moullick Mehra; +Cc: b.a.t.m.a.n


[You forgot to reply to the mailing list]

On Saturday, 30 January 2021 10:48:11 CET Moullick Mehra wrote:
> The reason for not having authentication on a layer outside
> batman-adv is that we want the system to have seamless roaming hence,
> require something that goes along with the packets themselves. It
> would be great if you could provide some resource links.

The information is far too vague to give you anything.

Kind regards,
	Sven


* Re: batman-adv: User defined nonce in packet header
  2021-01-30 10:06     ` batman-adv: User defined nonce in packet header Sven Eckelmann
@ 2021-01-30 14:01       ` Sven Eckelmann
  0 siblings, 0 replies; 4+ messages in thread
From: Sven Eckelmann @ 2021-01-30 14:01 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Moullick Mehra, Tushar Malpani


On Saturday, 30 January 2021 11:06:10 CET Sven Eckelmann wrote:
[...]
> The information is far too vague to give you anything.

I just got two mails which tried to start new threads and were therefore 
rejected. Still I am forwarding the most relevant one of both to this thread.

But I still think that this is completely unrelated to batman-adv. Because it 
is at the completely wrong layer, doesn't have access to the user's device
(and the other way around) and the firewall wouldn't even see batman-adv packets:

----------  Forwarded Message  ----------

Subject: Users authentication with roaming feature
Date: Saturday, 30 January 2021, 14:18:02 CET
From: Tushar Malpani <tusharmalpani20@gmail.com>
To: b.a.t.m.a.n@lists.open-mesh.org

Hi,
I have a community mesh setup here in India and we have been
using B.A.T.M.A.N Adv as our mesh routing protocol. At present, we
are using a pfSense firewall/router which hosts a captive portal for
authenticating users. I am not sure, but somehow it seems to work great
with client roaming as the user switches from one node to another.
But since it's easy to bypass a captive portal by changing one's IP
and MAC address, we switched to different authentication methods
and tried using WPA-Enterprise and VPN, but none of those gave us a
seamless roaming experience.
So, we moved back to the captive portal as of now, understood its
working, and found that it uses an ipfw table under the hood: it adds the
authenticated user's IP address to the ipfw tables and passes all the
requests made by them.
And then we came up with the idea of adding an additional header to
each packet which will have a value (which is unique to each
user). After the first authentication we add that unique value to our
firewall rules, which will be similar to what the captive portal does but
secure since each value is unique to each user.
Can this be done by tweaking B.A.T.M.A.N Adv code or is this something
which should be done on users' devices?
Is this idea as good as we think it is or is there already a better
solution out there?
Can you help point to where to look, learn and build this system?

Thanks and regards
Tushar Malpani
-----------------------------------------
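
An added example, not part of the thread and not batman-adv or pfSense code: it contrasts the firewall check proposed above (a fixed per-user value in a header) with a check where every packet carries a counter that is used only once plus a MAC over counter and payload. The header layout, class names, 16-byte tag and strictly increasing counter (which assumes in-order delivery) are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag; length is an assumption of this sketch


class StaticTokenFirewall:
    """Models the proposal: permit any packet that carries an enrolled value."""
    def __init__(self):
        self.allowed = set()

    def enroll(self, token: bytes):
        self.allowed.add(token)

    def permits(self, token: bytes, payload: bytes) -> bool:
        # Nothing binds the value to the payload or to a single use,
        # so a copied value is indistinguishable from the original.
        return token in self.allowed


class CounterMacFirewall:
    """Per-user secret key; header = user id | counter | MAC(key, id|counter|payload)."""
    def __init__(self):
        self.keys = {}       # user id -> secret key
        self.last_seen = {}  # user id -> highest counter accepted so far

    def enroll(self, user: int, key: bytes):
        self.keys[user] = key
        self.last_seen[user] = 0

    def permits(self, header: bytes, payload: bytes) -> bool:
        if len(header) != 12 + TAG_LEN:
            return False
        user, counter = struct.unpack("!IQ", header[:12])
        key = self.keys.get(user)
        if key is None:
            return False
        expected = hmac.new(key, header[:12] + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, header[12:]):
            return False  # wrong key, or header/payload modified
        if counter <= self.last_seen[user]:
            return False  # counter already used: a replayed header
        self.last_seen[user] = counter
        return True


def make_header(user: int, key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: build the header for one packet."""
    fixed = struct.pack("!IQ", user, counter)
    return fixed + hmac.new(key, fixed + payload, hashlib.sha256).digest()[:TAG_LEN]
```
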
