[OpenWireless Tech] Hello World

michi1 at michaelblizek.twilightparadox.com
Fri Nov 2 01:40:20 PDT 2012


Hi!

On 01:00 Fri 02 Nov, Todd Freeman wrote:
> So I looked through the archives and I see some repeating patterns.
> 1st people really want to jump on the VPN bandwagon and assume all users
> can use it, but no one ever mentions where the other end of the VPN is
> supposed to connect to. "the internet" is a copout answer. It's the
> subtle way of saying "well people are going to have to pay for something
> or figure something out on their own"
> This is kinda what separates free from non-free, you can't offer a
> service for "free" with "oh by the way you have to pay for this addon or
> it doesn't work". That's not free, it's just marketing BS.
> It was suggested that the person running the AP would also run the VPN,
> there are so many problems with this it's not funny.
> It is essentially putting all your security hope on a completely random
> AP. It's odd that people would suggest that while also pointing out that
> the system must be designed to allow for malicious APs.

The discussion back then was not about "how to connect a city to the
internet", it was about hotspots. You do not need to pay for a VPN. You
can configure your home router to be the end point to connect to. The
idea was to protect hotspot operators from being liable by allowing only
safe protocols. At the same time it protects from malicious AP owners.

What are the problems with that?

> This of course all ignores the processing overhead of so many layers of
> encryption, if people are connecting to some linksys home router, it is
> not going to have the CPU to handle many VPN tunnels.

Your "linksys" home router only has to handle one connection - yours.

> I think an important point we need to ask ourselves here is, what do you
> want the fundamental coverage to be like, and how do you expect the
> clients to use the network. Please do not take offence to this, but from
> what I can tell the roadmap is designed to be very similar to tor,
> something you use every once in a while to do a limited number of things
> because it's ungodly slow, but with the added bonus of very spotty
> coverage and no idea where any of the APs are, so you would be biking/
> walking around (not driving because you would leave wifi range before
> you even detected it). Also the quality is impossible to maintain even
> to a minor degree as you will likely have a lot of people with DSL
> modems and 128-512k upload caps.
> 
> What I like to envision is something similar to clear4g, a network with
> ubiquitous coverage that is always on, and the security is managed by
> any local org (towns/cities/educational institutions etc..) not by the
> people running the APs. By making sign up for the central cert auth
> anonymous and easy, the network operator can still comply with DMCA
> requests, etc.. by terminating the account (but leave email acct intact
> for 30 days for them to remove anything they need). Thus the network
> operator still gets safe harbour protections without permanently
> blocking anyone's access, and without having any useful information to
> give to LE by design.

This is a nice idea. But how is this supposed to scale up to provide service
for every city in the world? And what is the difference from mobile phone
networks today?

> But one of the things the above system has that is crucial for its
> adoption, is capacity. So long as we use industry standards for the auth
> mechanism (wpa2-ent) which almost all routers already support, the home
> users only have to change the router mode from router to AP with
> wpa2-ent, and point it at the local network operator's servers. No special
> firmware required. Anyone can make a system more complex, layering on
> encryption with a shovel is not the answer.

This is the exact case where the encryption layer would be required. Well,
except you do not want lots of random individuals (AP-owners) to be able to sniff
your passwords.

> By allowing the network operator things like centralized auth, they can
> also be encouraged to run addon services like increased bandwidth caps
> as well as location based services or even telco services. This is how
> we will be able to break the monopoly comcast, verizon, att, et al. have
> on the internet. We need to be able to make a business case to people we
> want to run this system.

... and create a new monopoly in the process?

> So as I said, what do you want the client experience to be like? If you
> want it to be like tor, no one will want to use it for their everyday
> use. Besides if we already have tor, what is the point of making another
> tor?

I guess the question is rather what client experience we can provide. If AP
operators are not willing to take the legal risks like you do, what can we do?

> Yes the system I am proposing does require a bit of work in getting the
> systems to all talk to each other, but I think that is still much
> simpler than inventing entirely new authentication systems. Also we
> should never design a system that allows either the router operator or
> the end user to be insecure by doing nothing, and requires "addons" to
> be secured. We all know how that goes 70% of the time.
>
> TL;DR: network needs to be designed with very low overhead, not rely on
> VPNs to be secure, and have throughput that is better than tor.

... except your network needs VPNs or some sort of higher-layer encryption to
be secure (see above).


> and
> finally it has to be easy to incentivize large orgs to adopt it.

What do you mean?

-Michi
-- 
programming a layer 3+4 network protocol for mesh networks
see http://michaelblizek.twilightparadox.com
