Hi,

It's been a while since I last posted here. But I wanted to share a small project idea which has been on my mind for quite a while now, especially for wireless community mesh networks like Freifunk, and which I'm now finally able to work on thanks to some NLnet funding:

https://nlnet.nl/project/OpenHarbors/
https://www.open-mesh.org/projects/open-mesh/wiki/OpenHarbors

The idea is to dynamically tunnel WPA frames over IP/L2TP to some remote host based on the domain part / realm in the outer, unencrypted identity in EAPoL. So basically moving the authenticator away from the wireless AP to some remote site chosen by the user: if a user uses user123@xxxxxxxxxxx they'd be forwarded to my-home.net; if customer333@xxxxxxxxxxxxxxxx, then to vpn-provider.org. These domains wouldn't need to be added to a config on the AP, since they are determined/parsed on demand from EAPoL.

This will of course involve changes to hostapd, which I'm hoping to get upstream. So I wanted to pitch this idea here first before I start coding next month, as I think it's generally nice for open source projects to do so, to avoid the possibility that, just by coincidence, someone is working on something similar at the same time, and to avoid going in some direction upstream maintainers would not like.

My plans for hostapd more specifically are the following:

AP side:

1) Get hostapd to set up an ESSID "OpenHarbors" for the AP (long term it should probably better use some vendor information elements? But that would need client side/supplicant support/changes.)
2) Get hostapd + Linux kernel to emit WPA CCMP frames encapsulated in an Ethernet frame on the Wi-Fi interface.
3) Get hostapd to use a Wi-Fi AP interface per STA for this, similar to WDS mode.
4) Get hostapd to create an L2TP interface depending on the domain it found in EAPoL / EAP-TTLS.
5) Get hostapd to create a bridge interface over the per-STA AP Wi-Fi interface and the corresponding L2TP interface.
Remote authenticator server side:

1) Get hostapd to listen on an L2TP interface for incoming EAPoL.
2) Get hostapd to create a special mac80211_hwsim virtual Wi-Fi interface based on the received EAPoL, use it to receive and decrypt the WPA CCMP frames with the Linux kernel's WPA encryption/decryption code, and have hostapd install the PMK to it.
(3) Either have hostapd create extra L2TP + mac80211_hwsim + bridge interfaces per client, or only use this single L2TP interface and apply corresponding filters to the bridge?)

If anyone has any thoughts, ideas, suggestions or considerations on this rough, initial plan, I'd be happy to hear about it.

Regards, Linus

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
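The central step of the plan above (AP side, step 4) is parsing the realm out of the outer EAP-Response/Identity carried in EAPoL before any tunnel exists. The following is an added, stand-alone sketch of that parser, written for this page; it is not hostapd code and not part of the OpenHarbors project. It walks an Ethernet-framed EAPOL packet (EtherType 0x888E, EAPOL type 0 = EAP-Packet, EAP code 2 = Response, EAP type 1 = Identity), takes the realm as everything after the last '@' per RFC 7542, and, because the outer identity is unauthenticated and fully attacker-controlled, whitelists hostname characters before the caller would use it to pick an L2TP endpoint or do a DNS lookup. The helper `build_identity_frame`, the PAE group MAC and the STA MAC it uses are constructed test data; `eapol_identity_realm` and `MAX_REALM` are names chosen here, not hostapd's.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_P_EAPOL       0x888E
#define EAPOL_TYPE_EAP    0   /* EAPOL-EAP packet */
#define EAP_CODE_RESPONSE 2
#define EAP_TYPE_IDENTITY 1
#define MAX_REALM         253 /* DNS name length limit, used as a sanity bound */

/*
 * Extract the NAI realm from an Ethernet-framed EAPOL/EAP-Response/Identity.
 * Returns the realm length (>0) on success, 0 when the identity carries no
 * realm, and -1 for a malformed or truncated frame or a realm containing
 * characters outside [A-Za-z0-9.-] (untrusted input; reject, don't sanitise).
 */
int eapol_identity_realm(const uint8_t *frame, size_t len,
                         char *realm, size_t realm_sz)
{
    if (len < 14 + 4 + 5)                       /* eth + eapol hdr + min EAP */
        return -1;
    if (((frame[12] << 8) | frame[13]) != ETH_P_EAPOL)
        return -1;

    const uint8_t *eapol = frame + 14;          /* version, type, length(2) */
    size_t eapol_avail = len - 14;
    if (eapol[1] != EAPOL_TYPE_EAP)
        return -1;
    size_t body_len = (size_t)(eapol[2] << 8) | eapol[3];
    if (body_len < 5 || body_len + 4 > eapol_avail)
        return -1;                              /* truncated on the wire */

    const uint8_t *eap = eapol + 4;             /* code, id, length(2), type */
    size_t eap_len = (size_t)(eap[2] << 8) | eap[3];
    if (eap_len < 5 || eap_len > body_len)
        return -1;
    if (eap[0] != EAP_CODE_RESPONSE || eap[4] != EAP_TYPE_IDENTITY)
        return -1;

    const uint8_t *id = eap + 5;
    size_t id_len = eap_len - 5;

    /* RFC 7542: the realm is the part after the last '@'. */
    const uint8_t *at = NULL;
    for (size_t i = 0; i < id_len; i++)
        if (id[i] == '@')
            at = id + i;
    if (at == NULL)
        return 0;                               /* no realm present */

    size_t rlen = (size_t)((id + id_len) - (at + 1));
    if (rlen == 0 || rlen > MAX_REALM || rlen >= realm_sz)
        return -1;

    /* Untrusted bytes become a tunnel target: only plain hostname chars,
     * no leading/trailing dot and no empty label. */
    for (size_t i = 0; i < rlen; i++) {
        char c = (char)at[1 + i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok)
            return -1;
        if (c == '.' && (i == 0 || i == rlen - 1 || at[i] == '.'))
            return -1;
    }

    memcpy(realm, at + 1, rlen);
    realm[rlen] = '\0';
    return (int)rlen;
}

/* Constructed test helper: wrap an identity string in EAP/EAPOL/Ethernet. */
size_t build_identity_frame(uint8_t *buf, size_t buf_sz, const char *identity)
{
    size_t id_len = strlen(identity);
    size_t eap_len = 5 + id_len;
    size_t total = 14 + 4 + eap_len;
    if (total > buf_sz || eap_len > 0xFFFF)
        return 0;
    static const uint8_t dst[6] = {0x01, 0x80, 0xC2, 0x00, 0x00, 0x03}; /* PAE group addr */
    static const uint8_t src[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01}; /* constructed STA */
    memcpy(buf, dst, 6);
    memcpy(buf + 6, src, 6);
    buf[12] = 0x88; buf[13] = 0x8E;                 /* EtherType EAPOL */
    buf[14] = 2;                                    /* EAPOL version (802.1X-2004) */
    buf[15] = EAPOL_TYPE_EAP;
    buf[16] = (uint8_t)(eap_len >> 8); buf[17] = (uint8_t)eap_len;
    buf[18] = EAP_CODE_RESPONSE; buf[19] = 1;       /* identifier */
    buf[20] = (uint8_t)(eap_len >> 8); buf[21] = (uint8_t)eap_len;
    buf[22] = EAP_TYPE_IDENTITY;
    memcpy(buf + 23, identity, id_len);
    return total;
}

int main(void)
{
    uint8_t frame[256];
    char realm[MAX_REALM + 1];
    const char *ids[] = { "user123@my-home.net", "anonymous@vpn-provider.org",
                          "nobody", "evil@../etc" };
    for (size_t i = 0; i < 4; i++) {
        size_t n = build_identity_frame(frame, sizeof frame, ids[i]);
        int r = eapol_identity_realm(frame, n, realm, sizeof realm);
        printf("%-28s -> %d %s\n", ids[i], r, r > 0 ? realm : "");
    }
    return 0;
}
```

With EAP-TTLS the outer identity is typically `anonymous@realm`, so only the realm is available in the clear at this point, which is exactly what the routing decision needs; the real username stays inside the TLS tunnel and never reaches the AP.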