[OpenWireless Tech] Open Wireless encryption

Björn Smedman bs at anyfi.net
Mon Aug 12 13:47:01 PDT 2013


On Mon, Aug 12, 2013 at 9:32 PM,
<michi1 at michaelblizek.twilightparadox.com> wrote:
> On 21:10 Mon 12 Aug     , Björn Smedman wrote:
> ...
>> Another way to move the trust anchor out of the AP is to just not
>> terminate the IEEE 802.11 protocol there, instead forwarding the raw
>> encrypted 802.11 frames over IP across the WAN to a trusted location.
>> The 802.11 security will then protect the connection end-to-end - sort
>> of like a VPN but with all the advantages of link level security.
> ...
>> This "WPA over the wire" approach is technically ambitious. But
>> we've already gone through the trouble of implementing it (see
>> http://anyfi.net) and would love to share with the community.
> ...
>
> I have seen the anyfi.net project recently and I wondered about how it scales.
> Every AP needs to know about and send beacons for every "trusted
> location". Correct me if I am wrong.

No, it's not that bad at all. It's designed to scale to millions upon
millions of "trusted locations" [1]. Slightly simplified it works like
this [2]:

When you connect a new device to your home Wi-Fi router it sends a
small registration message to a server. The registration message
contains the MAC address of the device and the IP address of your home
router, and the server stores this association. You can think of this
server as sort of a DynDNS server, but with a device MAC as the key.

APs simply listen for new devices on the radio (technically on a
monitor interface), and when one sees a new MAC it sends what we call a
matchmaking request to the central server. The request contains the
MAC of the device, and the server answers with the IP address of the
home router, pretty much like a DynDNS server would. The AP uses this
IP address to establish a Wi-Fi over IP tunnel to the home router.

At this point a virtual access point is dynamically allocated and the
AP starts answering probe requests from the client device. There's a
bit more magic behind the scenes though; we make the access point
visible only to the relevant device, and we can also pack more than
one network onto a single beacon. [Let me know if you want to know
more - I'm not trying to be secretive just brief.]

From there it's all peer-to-peer: The device authenticates against the
home Wi-Fi router with the credentials that it used previously. This
is what makes the user experience completely seamless; the device
can't tell the difference between a remote connection and a local one.

But to make a long story short: You can basically expect it to scale
up to all the Wi-Fi networks on the planet, as long as everybody is
not in the same place (in which case you have about the same
scalability as for "normal" Wi-Fi).

Björn
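The registration and matchmaking flow Björn describes above, modelled as an added example (not anyfi.net's own code or wire protocol; the message names, the in-process "registry", "access point" and "home router" objects, and the sample MAC and IP values are all constructed assumptions). The point it makes concrete is the scaling argument: the central server holds one MAC-to-IP binding per registered device, while each AP only keeps state for devices it has actually heard on its monitor interface, so AP state is independent of how many "trusted locations" exist.

```python
"""Toy model of the MAC-keyed registration / matchmaking flow from the post.

Everything here is simulated in-process and constructed for illustration;
the message names and data layout are assumptions, not the real protocol.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Registry:
    """Central server: device MAC -> home router IP (DynDNS keyed by MAC)."""
    bindings: Dict[str, str] = field(default_factory=dict)

    def register(self, device_mac: str, router_ip: str) -> None:
        # Sent by the home router when a new device first connects to it.
        self.bindings[device_mac.lower()] = router_ip

    def matchmake(self, device_mac: str) -> Optional[str]:
        # Sent by any AP that hears a MAC it has not seen before.
        return self.bindings.get(device_mac.lower())


@dataclass
class AccessPoint:
    """A public AP. It holds state only for devices it has actually heard,
    never a list of every trusted location, which is what lets it scale."""
    name: str
    registry: Registry
    tunnels: Dict[str, str] = field(default_factory=dict)  # device MAC -> router IP
    virtual_aps: List[str] = field(default_factory=list)   # one virtual AP per matched device
    unknown: Set[str] = field(default_factory=set)         # MACs the server had no binding for

    def hear_probe(self, device_mac: str) -> Optional[str]:
        """Called when the monitor interface sees a frame from device_mac.
        Returns the home router IP a tunnel was set up to, or None."""
        mac = device_mac.lower()
        if mac in self.tunnels:
            return self.tunnels[mac]              # already matched, tunnel exists
        if mac in self.unknown:
            return None                           # already asked; don't re-query the server
        router_ip = self.registry.matchmake(mac)
        if router_ip is None:
            self.unknown.add(mac)
            return None
        # Establish the Wi-Fi-over-IP tunnel and allocate a virtual AP visible
        # only to this device. Raw 802.11 frames are forwarded as-is, so the
        # 802.11 authentication and key exchange happen end-to-end between the
        # device and its home router; this AP never holds the credentials.
        self.tunnels[mac] = router_ip
        self.virtual_aps.append(f"vap-{mac}")
        return router_ip


def scenario() -> dict:
    """Register many constructed devices, let one AP hear a few of them, and
    report how much state ends up where."""
    reg = Registry()
    # 1000 constructed "trusted locations": documentation MACs and TEST-NET-2 IPs.
    for i in range(1000):
        reg.register(f"02:00:00:00:{i // 256:02x}:{i % 256:02x}",
                     f"198.51.100.{i % 254 + 1}")

    ap = AccessPoint("cafe-ap", reg)
    first = ap.hear_probe("02:00:00:00:00:05")    # device 5 walks in
    second = ap.hear_probe("02:00:00:00:02:BC")   # device 700 (mixed-case MAC)
    stranger = ap.hear_probe("02:00:00:ff:ff:ff")  # never registered anywhere
    again = ap.hear_probe("02:00:00:00:00:05")    # repeat probe: served from cache
    ap.hear_probe("02:00:00:ff:ff:ff")            # repeat unknown: no second query

    return {
        "registry_size": len(reg.bindings),
        "ap_state": len(ap.tunnels),              # stays 2 no matter how many registered
        "virtual_aps": len(ap.virtual_aps),
        "router_for_5": first,
        "router_for_700": second,
        "stranger_matched": stranger is not None,
        "cached_repeat": again == first,
        "unknown_cached": len(ap.unknown),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The `unknown` set is the one piece not spelled out in the post: without it a busy AP would send a matchmaking request for every passing unregistered phone on every probe, so caching negative answers is the natural way to keep the load on the central server proportional to distinct devices rather than to frames heard.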
