[ArborMesh] Batman vs OLSR
Ryan Hughes
ryan at iheartryan.com
Thu Aug 4 10:10:07 PDT 2011
> I wasn't sure if I would remember to ask this by Friday... is there any weakness in
> either protocol that could allow a rogue or damaged router to bring down the
> entire mesh? It sounds like with OLSR there is some dependency on some node acting as
> a central authority.

Well, either protocol is pretty vulnerable to malicious nodes. Neither
depends on a central authority.

The thing about central authorities was in assigning IP addresses. This
isn't an OLSR thing -- OLSR says nothing about how to assign IP addresses
to routers. You need some external system to do this. OLSR simply lets
these routers find routes amongst themselves without talking to a central
authority.

We were thinking of assigning IP addresses using Nodewatcher as the
central authority.

Now, Batman also doesn't say anything about how to assign IP addresses to
routers. It routes with MAC addresses.

However, because it's layer 2, it allows us to slip DHCP in there.

Anyway, that's not really an answer to your question. Is there a security
vulnerability with either of these methods?

Well, if we're doing the distributed DHCP business, it's like I'm saying -
if two disparate sets of the network assign the same IP address, then the
two areas are connected, then we have a problem where two nodes on the
same network have the same IP address. If we set the lease time low, then
the problem will only persist for a short time.

If someone went in there with a malicious DHCP server, they could set the
lease times very high, so this problem wouldn't get resolved quickly.

However, let's say that the malicious DHCP server operates on network
segment Z. It assigns an IP address to node A. A well-behaved DHCP
server operates on network segment W, and gives that same IP address to
node B.

Now, segments W and Z merge. A and B have the same IP address. Because
A's DHCP server was malicious, he's got a lease time of 1 year. But B's
DHCP server gave B a lease time of 5 minutes. So B will back off in 5
minutes, and it's okay that jerk-face wants to hog his IP address.

If there's a malicious DHCP server on each side of the netsplit, then we
might have a problem that lasts for some time. But this can only happen
if there's a netsplit.

Actually, though, if a DHCP server were truly malicious, it could not wait
for a netsplit, and just send out bad IP addresses. Boo on them. Or they
could send out an IP address/netmask/default-gw that would not allow it to
communicate with the network. Actually, the router would continue to
route traffic because it would be speaking batman which doesn't use IP.
But I was thinking that each router would assign its clients IP addresses
based on what it got for its IP address. So if someone borked the DHCP of
the router, and then a client got a new IP address, then the client
wouldn't be able to talk to anybody.

In point of fact, the mesh network relies on cooperation between the
nodes. Now, we could sign the basic network traffic by setting up a VPN.
But we'd have to send out the signing keys to everybody who operates a
node, so there's not really any point; I don't intend to be that selective
in who gets to run a node. If this were a high-security application, I'd
reconsider that stance.

--Ryan
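
The lease-time reasoning in the message above, as an added example that is not part of the original post: a check over DHCP lease observations that flags servers granting over-long leases and reports how long each duplicate-IP conflict lasts after a merge. The addresses, MACs, server names and the `MAX_LEASE_S` ceiling are constructed, and the code assumes a node gives up its address when its lease expires.

```python
from collections import defaultdict

MAX_LEASE_S = 3600  # assumed local policy ceiling; not a value from the post

# Constructed observations after segments W and Z merge:
# (dhcp_server, client_mac, ip, lease_seconds, granted_at_epoch_s)
LEASES = [
    ("server-Z", "02:00:00:00:00:0a", "10.0.0.50", 365 * 86400, 0),  # node A
    ("server-W", "02:00:00:00:00:0b", "10.0.0.50", 300, 0),          # node B
    ("server-W", "02:00:00:00:00:0c", "10.0.0.51", 300, 0),
    # Long leases handed out on both sides of a split:
    ("server-Z", "02:00:00:00:00:0d", "10.0.0.52", 365 * 86400, 0),
    ("server-Y", "02:00:00:00:00:0e", "10.0.0.52", 365 * 86400, 60),
]

def long_lease_servers(leases, max_lease=MAX_LEASE_S):
    """Servers that granted any lease above the policy ceiling."""
    return sorted({srv for srv, _, _, secs, _ in leases if secs > max_lease})

def conflicts(leases, now):
    """Map each IP held by more than one MAC at `now` to the seconds
    until the conflict resolves on its own.

    Assumption: a holder drops the address when its lease expires (the
    "back off" in the post), so the conflict ends when the second-longest
    remaining lease runs out.
    """
    holders = defaultdict(dict)
    for _srv, mac, ip, secs, granted in leases:
        expiry = granted + secs
        if granted <= now < expiry:
            holders[ip][mac] = max(expiry, holders[ip].get(mac, 0))
    result = {}
    for ip, macs in holders.items():
        if len(macs) > 1:
            expiries = sorted(macs.values(), reverse=True)
            result[ip] = expiries[1] - now
    return result

if __name__ == "__main__":
    print("servers over policy:", long_lease_servers(LEASES))
    for ip, secs in conflicts(LEASES, now=60).items():
        print(f"{ip}: duplicate, self-resolves in {secs} s")
```

With one short lease in the pair the conflict clears in minutes; with long leases on both sides it lasts until someone intervenes, which is the case worth alerting on.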