OpenHarbors - Dynamic Tunneling of WPA over IP/L2TP

Hi,

It's been a while since I last posted here, but I wanted to share
a small project idea that has been on my mind for quite a while
now, especially for wireless community mesh networks like Freifunk,
which I'm now finally able to work on thanks to some NLnet
funding:

https://nlnet.nl/project/OpenHarbors/
https://www.open-mesh.org/projects/open-mesh/wiki/OpenHarbors

The idea is to dynamically tunnel WPA frames over IP/L2TP to some
remote host based on the domain part / realm in the outer, unencrypted
identity in EAPoL. So basically moving the authenticator away from
the wireless AP to some remote site chosen by the user:

If a user uses user123@xxxxxxxxxxx, they'd be forwarded to
my-home.net; if customer333@xxxxxxxxxxxxxxxx, then to
vpn-provider.org. These domains wouldn't need to be added to a
config on the AP, since they are determined/parsed on demand from EAPoL.

This of course will involve changes to hostapd, which I'm
hoping to get upstream. So I wanted to pitch this idea here
first before I start coding next month, as I think it's generally
nice for open source projects to do so, to avoid the case where,
just by coincidence, someone is working on something similar at the
same time, and to avoid going in a direction upstream maintainers
would not like.

My plans for hostapd more specifically are the following:

AP side:

1) Get hostapd to set up an ESSID "OpenHarbors" for the AP
(long term it should probably use some vendor information
elements instead, but that would need client-side/supplicant support/changes).
2) Get hostapd + Linux kernel to emit WPA CCMP frames encapsulated
in an Ethernet frame on the wifi interface.
3) Get hostapd to use a wifi AP interface per STA for this, similar
to WDS mode.
4) Get hostapd to create an L2TP interface depending on the domain
it found in EAPoL / EAP-TTLS.
5) Get hostapd to create a bridge interface over the per-STA AP wifi
interface and the corresponding L2TP interface.


Remote authenticator server side:

1) Get hostapd to listen on an L2TP interface for incoming EAPoL.
2) Get hostapd to create a special mac80211_hwsim virtual wifi
interface based on received EAPoL, use it to receive and decrypt the
WPA CCMP frames with the Linux kernel's WPA encryption/decryption
code, and have hostapd install the PMK to it.
3) (Either have hostapd create extra L2TP + mac80211_hwsim + bridge interfaces
per client, or only use this single L2TP interface and apply
the corresponding filters to the bridge?)


If anyone has any thoughts, ideas, suggestions or considerations
on this rough, initial plan, I'd be happy to hear about it.

Regards, Linus

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
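As an added example (not from the post above and not hostapd code), here is the AP-side piece of the realm-based forwarding described in the proposal: a parser that pulls the realm out of the cleartext EAP-Response/Identity carried in an EAPOL frame and only accepts a plain dotted hostname, since the STA chooses that identity and it would otherwise flow straight into L2TP/interface setup. The EAPOL/EAP header layout, the "last '@' separates the realm" rule, the function names and the sample identities are assumptions of this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
enum { EAPOL_TYPE_EAP_PACKET = 0, EAP_CODE_RESPONSE = 2, EAP_TYPE_IDENTITY = 1 };
/* Parse an EAPOL body (after the Ethernet header); layout assumed here:
 * EAPOL version(1) type(1) length(2) | EAP code(1) id(1) length(2) type(1) data.
 * For an EAP-Response/Identity, copy the realm (text after the last '@') into
 * out and return its length; return 0 for any other frame or for a realm that is
 * not a plain dotted hostname, so an untrusted identity cannot pick arbitrary targets. */
size_t eapol_identity_realm(const uint8_t *buf, size_t len, char *out, size_t out_sz)
{
    if (len < 4 || buf[1] != EAPOL_TYPE_EAP_PACKET) return 0;
    size_t eapol_len = ((size_t)buf[2] << 8) | buf[3];
    if (eapol_len < 5 || eapol_len > len - 4) return 0;                 /* body must fit */
    const uint8_t *eap = buf + 4;
    size_t eap_len = ((size_t)eap[2] << 8) | eap[3];
    if (eap_len < 5 || eap_len > eapol_len || eap[0] != EAP_CODE_RESPONSE || eap[4] != EAP_TYPE_IDENTITY) return 0;
    const uint8_t *id = eap + 5, *end = eap + eap_len, *at = NULL;
    for (const uint8_t *p = id; p < end; p++) if (*p == '@') at = p;   /* last '@' wins */
    if (!at) return 0;                                                  /* no realm: authenticate locally */
    size_t rlen = (size_t)(end - at) - 1;
    if (rlen == 0 || rlen > 253 || rlen >= out_sz) return 0;
    for (size_t i = 0; i < rlen; i++) {                /* labels of [A-Za-z0-9-], '.'-separated */
        unsigned char c = at[1 + i];
        if (!(isalnum(c) || c == '-' || c == '.')) return 0;
        if ((c == '.' || c == '-') && (i == 0 || i == rlen - 1)) return 0;
        if (c == '.' && at[i] == '.') return 0;                         /* empty label */
    }
    memcpy(out, at + 1, rlen); out[rlen] = '\0';
    return rlen;
}
/* Constructed sample frame: EAPOL v2 EAP-Packet carrying an EAP-Response/Identity. */
size_t build_identity_frame(const char *identity, uint8_t *buf, size_t buf_sz)
{
    size_t eap_len = 5 + strlen(identity);
    if (eap_len > 0xffff || buf_sz < 4 + eap_len) return 0;
    uint8_t hdr[9] = { 2, EAPOL_TYPE_EAP_PACKET, eap_len >> 8, eap_len & 0xff,
                       EAP_CODE_RESPONSE, 1, eap_len >> 8, eap_len & 0xff, EAP_TYPE_IDENTITY };
    memcpy(buf, hdr, 9);
    memcpy(buf + 9, identity, eap_len - 5);
    return 4 + eap_len;
}
/* 1 if `identity` would be forwarded to realm `expected`, or is rejected when expected is NULL. */
int realm_is(const char *identity, const char *expected)
{
    uint8_t frame[300]; char realm[256];
    size_t n = build_identity_frame(identity, frame, sizeof frame);
    size_t r = eapol_identity_realm(frame, n, realm, sizeof realm);
    return expected ? (r > 0 && strcmp(realm, expected) == 0) : (r == 0);
}
```

An identity without an '@' (or with a realm that fails the hostname check) returns 0, which the AP should treat as "handle locally or reject", never as a tunnel target.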


