[ArborMesh] Batman vs OLSR

Ryan Hughes ryan at iheartryan.com
Thu Aug 4 10:10:07 PDT 2011


> I wasn't sure if I would remember to ask this by Friday... is there any weakness in
> either protocol that could allow a rogue or damaged router to bring down the
> entire mesh? It sounds like with OLSR there is some dependency on some node acting as
> a central authority.

Well, either protocol is pretty vulnerable to malicious nodes.  Neither 
depends on a central authority.

The thing about central authorities was in assigning IP addresses.  This 
isn't an OLSR thing -- OLSR says nothing about how to assign IP addresses 
to routers.  You need some external system to do this.  OLSR simply lets 
these routers find routes amongst themselves without talking to a central 
authority.

We were thinking of assigning IP addresses using Nodewatcher as the 
central authority.

Now, Batman also doesn't say anything about how to assign IP addresses to 
routers.  It routes with MAC addresses.

However, because it's layer 2, it allows us to slip DHCP in there.


Anyway, that's not really an answer to your question.  Is there a security 
vulnerability with either of these methods?

Well, if we're doing the distributed DHCP business, it's like I'm saying - 
if two disparate sets of the network assign the same IP address, then the 
two areas are connected, then we have a problem where two nodes on the 
same network have the same IP address.  If we set the lease time low, then 
the problem will only persist for a short time.

If someone went in there with a malicious DHCP server, they could set the 
lease times very high, so this problem wouldn't get resolved quickly. 
However, let's say that the malicious DHCP server operates on network 
segment Z.  It assigns an IP address to node A.  A well-behaved DHCP 
server operates on network segment W, and gives that same IP address to 
node B.

Now, segments W and Z merge.  A and B have the same IP address.  Because 
A's DHCP server was malicious, he's got a lease time of 1 year.  But B's 
DHCP server gave B a lease time of 5 minutes.  So B will back off in 5 
minutes, and it's okay that jerk-face wants to hog his IP address.

If there's a malicious DHCP server on each side of the netsplit, then we 
might have a problem that lasts for some time.  But this can only happen 
if there's a netsplit.

Actually, though, if a DHCP server were truly malicious, it could not wait 
for a netsplit, and just send out bad IP addresses.  Boo on them.  Or they 
could send out an IP address/netmask/default-gw that would not allow it to 
communicate with the network.  Actually, the router would continue to 
route traffic because it would be speaking Batman, which doesn't use IP. 
But I was thinking that each router would assign its clients IP addresses 
based on what it got for its IP address.  So if someone borked the DHCP of 
the router, and then a client got a new IP address, then the client 
wouldn't be able to talk to anybody.


In point of fact, the mesh network relies on cooperation between the 
nodes.  Now, we could sign the basic network traffic by setting up a VPN. 
But we'd have to send out the signing keys to everybody who operates a 
node, so there's not really any point; I don't intend to be that selective 
in who gets to run a node.  If this were a high-security application, I'd 
reconsider that stance.

--Ryan
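
The lease-time argument in the message above, worked as an added example (not part of the original post and not ArborMesh code): it computes how long each duplicate address survives after two segments merge and flags servers handing out over-long leases. The addresses, server names, the one-hour `MAX_SANE_LEASE` ceiling and the rule that a node takes a fresh address when its lease expires are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

YEAR = 365 * 24 * 3600
MAX_SANE_LEASE = 3600  # assumed policy ceiling (seconds); the post only says "low"

@dataclass(frozen=True)
class Lease:
    node: str      # client holding the address
    ip: str
    server: str    # DHCP server that issued the lease
    issued: int    # issue time in seconds on a shared clock
    duration: int  # lease time in seconds

    def remaining(self, now):
        return max(0, self.issued + self.duration - now)

def conflicts_after_merge(leases, merge_time):
    """Map each duplicated IP to (seconds until the duplicate clears,
    holders, servers whose lease exceeds MAX_SANE_LEASE)."""
    by_ip = defaultdict(list)
    for lease in leases:
        if lease.remaining(merge_time) > 0:
            by_ip[lease.ip].append(lease)
    report = {}
    for ip, held in by_ip.items():
        if len({l.node for l in held}) < 2:
            continue  # only one holder, no conflict
        # Assumed: a node backs off when its lease expires, so the duplicate
        # lasts until every lease but the longest has run out.
        rem = sorted(l.remaining(merge_time) for l in held)
        suspects = sorted({l.server for l in held if l.duration > MAX_SANE_LEASE})
        report[ip] = (rem[-2], sorted(l.node for l in held), suspects)
    return report

# Constructed sample: segments W and Z merge at t=1000.
SAMPLE = [
    Lease("A", "10.0.0.5", "dhcp-Z", 0, YEAR),    # malicious server, 1 year
    Lease("B", "10.0.0.5", "dhcp-W", 900, 300),   # well-behaved, 5 minutes
    Lease("C", "10.0.0.9", "dhcp-Z", 0, YEAR),    # malicious on both sides
    Lease("D", "10.0.0.9", "dhcp-Y", 0, YEAR),
    Lease("E", "10.0.0.7", "dhcp-W", 900, 300),   # unique address
]

if __name__ == "__main__":
    for ip, (secs, nodes, suspects) in conflicts_after_merge(SAMPLE, 1000).items():
        print(f"{ip}: held by {nodes}, clears in {secs}s, suspect servers {suspects}")
```
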

