OpenHarbors - Dynamic Tunneling of WPA over IP/L2TP
Michael Richardson
mcr at sandelman.ca
Wed Jun 19 11:32:20 PDT 2024
Linus Lüssing <linus.luessing at c0d3.blue> wrote:
> It's been a while since I last posted here. But I wanted to share a
> small project idea which has been on my mind for quite a while now,
> especially for wireless community mesh networks like Freifunk, which
> I'm now finally able to work on thanks to some nlnet funding:
> https://nlnet.nl/project/OpenHarbors/
> https://www.open-mesh.org/projects/open-mesh/wiki/OpenHarbors
> The idea is to dynamically tunnel WPA frames over IP/L2TP to some
> remote host based on the domain part / realm in the outer, unencrypted
> identity in EAPoL. So basically moving the authenticator away from the
> wireless AP to some remote site chosen by the user:
RADIUS already does this, and does it better.
And RADIUS v1.1 over TLS is a significantly better protocol than the
NAT44-hostile MD5-authenticated thing of yore. Take a page from eduroam.
L2TP is a disaster; it requires IPsec transport mode to be secure.
Just don't.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
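As an added illustration of the realm-based dispatch Linus describes (example code, not from the OpenHarbors project or from either poster): parse an EAPOL frame, validate its length fields, take the realm from the outer EAP-Response/Identity and look up the remote authenticator chosen for that realm. The function names, the realm table and the sample frame builder are assumptions for the example; the outer identity is unauthenticated, so the realm may only select where to forward, nothing more.

```python
import struct

EAPOL_TYPE_EAP_PACKET = 0   # EAPOL packet type carrying an EAP packet
EAP_CODE_RESPONSE = 2       # EAP code: Response
EAP_TYPE_IDENTITY = 1       # EAP type: Identity


def outer_identity_realm(eapol: bytes):
    """Return (identity, realm) from an EAPOL frame carrying EAP-Response/Identity,
    or None if the frame is malformed or carries no realm. Every length field is
    checked against the bytes actually present before it is used for slicing."""
    if len(eapol) < 4:
        return None
    _version, ptype, length = struct.unpack("!BBH", eapol[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET or length < 5 or len(eapol) < 4 + length:
        return None
    eap = eapol[4:4 + length]
    code, _eap_id, eap_len = struct.unpack("!BBH", eap[:4])
    if code != EAP_CODE_RESPONSE or eap_len < 5 or eap_len > len(eap):
        return None
    if eap[4] != EAP_TYPE_IDENTITY:
        return None
    try:
        identity = eap[5:eap_len].decode("utf-8")
    except UnicodeDecodeError:
        return None
    # NAI form user@realm (RFC 7542); the realm follows the last '@'.
    # An identity without a realm cannot be routed anywhere.
    _user, sep, realm = identity.rpartition("@")
    if not sep or not realm:
        return None
    return identity, realm.lower()


def select_tunnel_endpoint(eapol: bytes, realm_table: dict, default=None):
    """Map the realm of the (unauthenticated) outer identity to the remote
    authenticator configured for it; unknown or missing realms fall to default."""
    parsed = outer_identity_realm(eapol)
    if parsed is None:
        return default
    return realm_table.get(parsed[1], default)


def build_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """Constructed sample frame: EAPOL(EAP-Packet) wrapping EAP-Response/Identity."""
    data = identity.encode("utf-8")
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id,
                      5 + len(data), EAP_TYPE_IDENTITY) + data
    return struct.pack("!BBH", 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
```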