[OpenWireless Tech] Open Wireless encryption

Björn Smedman bs at anyfi.net
Mon Aug 12 13:50:47 PDT 2013


On Mon, Aug 12, 2013 at 10:47 PM, Björn Smedman <bs at anyfi.net> wrote:
> On Mon, Aug 12, 2013 at 9:32 PM,
> <michi1 at michaelblizek.twilightparadox.com> wrote:
>> On 21:10 Mon 12 Aug     , Björn Smedman wrote:
>> ...
>>> Another way to move the trust anchor out of the AP is to just not
>>> terminate the IEEE 802.11 protocol there, instead forwarding the raw
>>> encrypted 802.11 frames over IP across the WAN to a trusted location.
>>> The 802.11 security will then protect the connection end-to-end - sort
>>> of like a VPN but with all the advantages of link level security.
>> ...
>>> This "WPA over the wire" approach is technically ambitious. But
>>> we've already gone through the trouble of implementing it (see
>>> http://anyfi.net) and would love to share with the community.
>> ...
>>
>> I have seen the anyfi.net project recently and I wondered about how it scales.
>> Every AP needs to know about and send beacons for every "trusted
>> location". Correct me if I am wrong.
>
> No, it's not that bad at all. It's designed to scale to millions upon
> millions of "trusted locations" [1]. Slightly simplified it works like
> this [2]:
>
> When you connect a new device to your home Wi-Fi router it sends a
> small registration message to a server. The registration message
> contains the MAC address of the device and the IP address of your home
> router, and the server stores this association. You can think of this
> server as sort of a DynDNS server, but with a device MAC as the key.
>
> APs simply listen for new devices on the radio (technically on a
> monitor interface), and when one sees a new MAC it sends what we call a
> matchmaking request to the central server. The request contains the
> MAC of the device, and the server answers with the IP address of the
> home router, pretty much like a DynDNS server would. The AP uses this
> IP address to establish a Wi-Fi over IP tunnel to the home router.
>
> At this point a virtual access point is dynamically allocated and the
> AP starts answering probe requests from the client device. There's a
> bit more magic behind the scenes though; we make the access point
> visible only to the relevant device, and we can also pack more than
> one network onto a single beacon. [Let me know if you want to know
> more - I'm not trying to be secretive just brief.]
>
> From there it's all peer-to-peer: The device authenticates against the
> home Wi-Fi router with the credentials that it used previously. This
> is what makes the user experience completely seamless; the device
> can't tell the difference between a remote connection and a local one.
>
> But to make a long story short: You can basically expect it to scale
> up to all the Wi-Fi networks on the planet, as long as everybody is
> not in the same place (in which case you have about the same
> scalability as for "normal" Wi-Fi).

Oops, the two references were supposed to be:

1. http://anyfi.net/documentation#architecture

2. http://anyfi.net/documentation#a_how_it_all_fits_together

Cheers,

Björn
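The registration / matchmaking / tunnel flow quoted above, reduced to a runnable toy model. This is an added illustration written for this page, not anyfi.net code: the message only names a registration message (device MAC plus home router IP), a matchmaking request from the visited AP, a Wi-Fi over IP tunnel to the home router, a per-device virtual AP that answers only that device's probes, and 802.11 authentication terminated at the home router. The concrete field names, the reuse of one tunnel per home router IP, and the plain PSK comparison standing in for the real 802.11 handshake are assumptions made here so the example runs offline.

```python
"""Toy model of the MAC-keyed matchmaking flow (added example, not anyfi.net code).

Assumptions not stated in the original message: one tunnel is reused per
home router IP, and the 802.11 handshake is replaced by a PSK comparison
performed at the home router so the visited AP never learns the secret.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


class RegistrationServer:
    """DynDNS-like directory keyed by device MAC -> WAN IP of the home router."""

    def __init__(self) -> None:
        self._by_mac: Dict[str, str] = {}

    def register(self, device_mac: str, home_router_ip: str) -> None:
        # Registration message: sent by the home router when a device joins it.
        self._by_mac[device_mac.lower()] = home_router_ip

    def matchmake(self, device_mac: str) -> Optional[str]:
        # Matchmaking request: sent by a visited AP that sniffed an unknown MAC.
        return self._by_mac.get(device_mac.lower())


class HomeRouter:
    """Terminates 802.11 for tunnelled frames; the trust anchor stays at home."""

    def __init__(self, wan_ip: str, ssid: str, psk: str, server: RegistrationServer) -> None:
        self.wan_ip, self.ssid, self._psk, self._server = wan_ip, ssid, psk, server
        self.associated: List[str] = []

    def join_locally(self, device_mac: str, psk: str) -> bool:
        # A device joining at home is what triggers the registration message.
        if psk != self._psk:
            return False
        self._server.register(device_mac, self.wan_ip)
        return True

    def handle_tunnelled_auth(self, device_mac: str, psk: str) -> bool:
        # Stand-in for the 802.11 handshake (assumed); real frames are opaque to the AP.
        ok = psk == self._psk
        if ok:
            self.associated.append(device_mac.lower())
        return ok


@dataclass
class Tunnel:
    """Wi-Fi over IP: raw frames are relayed to the home router unmodified."""
    home_router: HomeRouter

    def forward_auth(self, device_mac: str, psk: str) -> bool:
        return self.home_router.handle_tunnelled_auth(device_mac, psk)


@dataclass
class VirtualAP:
    """Allocated per device; visible to (answers probes from) that device only."""
    device_mac: str
    ssid: str
    tunnel: Tunnel

    def answers_probe_from(self, mac: str) -> bool:
        return mac.lower() == self.device_mac


class VisitedAP:
    """Public AP: sniff MAC on monitor interface -> matchmake -> tunnel -> virtual AP."""

    def __init__(self, server: RegistrationServer, routers: Dict[str, HomeRouter]) -> None:
        self._server, self._routers = server, routers   # routers: stand-in for the WAN
        self.tunnels: Dict[str, Tunnel] = {}            # keyed by home router IP (assumed)
        self.virtual_aps: Dict[str, VirtualAP] = {}

    def on_mac_seen(self, mac: str) -> Optional[VirtualAP]:
        mac = mac.lower()
        if mac in self.virtual_aps:
            return self.virtual_aps[mac]
        home_ip = self._server.matchmake(mac)
        if home_ip is None:
            return None                                 # unregistered: nothing advertised
        tunnel = self.tunnels.setdefault(home_ip, Tunnel(self._routers[home_ip]))
        vap = VirtualAP(mac, tunnel.home_router.ssid, tunnel)
        self.virtual_aps[mac] = vap
        return vap

    def device_authenticates(self, mac: str, psk: str) -> bool:
        # The AP only relays; the credential check happens at the home router.
        vap = self.virtual_aps.get(mac.lower())
        return vap is not None and vap.tunnel.forward_auth(mac, psk)


def demo() -> dict:
    """Constructed scenario: two devices from one home, one stranger, at a cafe AP."""
    server = RegistrationServer()
    home = HomeRouter("203.0.113.10", "home-wifi", "correct horse", server)
    home.join_locally("AA:BB:CC:00:00:01", "correct horse")     # phone joins at home
    home.join_locally("AA:BB:CC:00:00:02", "correct horse")     # laptop joins at home
    cafe = VisitedAP(server, {home.wan_ip: home})
    phone = cafe.on_mac_seen("aa:bb:cc:00:00:01")
    cafe.on_mac_seen("aa:bb:cc:00:00:02")
    stranger = cafe.on_mac_seen("de:ad:be:ef:00:01")
    return {
        "phone_vap_ssid": phone.ssid if phone else None,
        "stranger_gets_vap": stranger is not None,
        "phone_vap_answers_laptop": phone.answers_probe_from("aa:bb:cc:00:00:02") if phone else None,
        "tunnels_to_home": len(cafe.tunnels),
        "phone_auth_ok": cafe.device_authenticates("aa:bb:cc:00:00:01", "correct horse"),
        "phone_auth_wrong_psk": cafe.device_authenticates("aa:bb:cc:00:00:01", "wrong"),
        "stranger_auth": cafe.device_authenticates("de:ad:be:ef:00:01", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is the scaling argument in the message: the visited AP holds no per-home state until it actually sees a registered MAC, at which point it does one directory lookup and allocates one virtual AP, so the cost grows with devices present at that AP rather than with the number of home networks in the world.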