
[Users] [LONG] Freeswan - IP&MAC theft

From: Jan Spitalnik <spitalnik(at)penguin.cz>
Date: Fri Oct 10 2003 - 08:29:24 EDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Problem 1
- -------------
We run a community network based on WiFi technology in our neighborhood, connecting students or families, as internet access here is very expensive. So we share the expenses & knowledge to run the network. But we've become concerned about how to secure the network. The problem is that we have a central access point (AP) which has an omnidirectional antenna with which all our clients are connected. So actually everyone can connect to our network; the problem is that we've seen an abuse of our network. We looked at Wired Equivalent Privacy (WEP), but its design is so flawed that considering it secure is nonsense. It takes about 100MB to 1GB of captured traffic to get the key and he could be back in the network. And it'd be quite a problem to change the key on all the computers every day :) Our problem is that when we blocked the IP address of the intruder he changed it. So we changed our strategy to "block all; allow listed", so he changed his IP to that of some of our clients. Then we tried to block his MAC address, and it ended with him using my MAC & IP address to access the network. So for now he's allowed to access the network, as we don't have means of controlling him. We are considering deploying IPSec, but the question is, will IPSec help us with this problem?

Problem 2
- --------------
We have quite a complex configuration, as we are connected to other APs throughout the city. So we use dynamic routing with OSPF (zebra, quagga). Won't it interfere with freeswan? Our router has four NICs:

wlan0 - link to internet provider
wlan1 - omnidirectional antenna for local clients
wlan2 - link to the other AP

eth0 - connects clients from the house where the AP is.

And we want to have a setup where only the traffic that is on wlan1 is secured by freeswan (client <--> AP or client <--> AP <--> client2). But all traffic going from the AP to a non-wlan1 interface is to be unencrypted.

scenario 1:

       (encrypted)   (not encrypted)
Client <-------> AP <--------> Internet (wlan0) or other AP (wlan2) or eth0

scenario 2:

                all encrypted
Client <-------> AP <--------> Client2

Is it possible to do such thing with IPSec?

Problem 3
- --------------
The router is a modest PentiumII - 266MHz. Will it be able to sustain the IPSec load (at peak we have a load as 10Mb ethernet)? I've looked into the documentation; it says that we'll need a 500+ machine, as we run other services (apache, bind, dhcp, iptables).

Well if you read up to here, Thank you just for reading :-)

PS: If you are able to read Czech you can read about the project on www.czfree.net
PS2: Could you please keep the CC list? Thank you

- -- Jan Spitalnik spitalnik@penguin.cz

It has been pointed out to me that a recent email sig of mine may have caused offence to accordion players. For this I humbly apologise!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/hqYnyp31s6YpjQ8RAmTrAJ9JMccXv/C0YxXgS8VfDEo31EKUrQCdH2wg Mv3DcidzNBTzgX0OLpSDVH4=
=i77D
-----END PGP SIGNATURE-----



FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr

Received on Fri Oct 10 08:43:07 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:05 EDT
