WDS with AES encryption

Sergio M. Ammirata ammirata
Sat Feb 14 03:38:19 PST 2004


Going back to my original question: Isn't ccmp/wpa_supplicant supposed to
allow you to encrypt a wds link? How?

>From the readme file:

"TKIP (WEP with per packet keys and Michael MIC, hostap_crypt_tkip.o)
and CCMP (AES-CCM, hostap_crypt_ccmp.o) are used with WPA. These
algorithms require host-based encryption and decryption because the
Prism2/2.5/3 firmware does not support them. wpa_supplicant can be
used to negotiate encryption keys for TKIP/CCMP when operating in
station mode. In addition, these algorithms can be used on WDS
links. Static TKIP/CCMP keys can be set with hostap_crypt_conf. In the
future, hostapd will hopefully get support for WPA Authenticator
functionality."

Notice the part about the fact that those algorithms can be used on WDS ...
Has anyone done it? An example configuration command set would be really
helpful.

Thanks,

Sergio

> -----Original Message-----
> From: hostap-bounces+ammirata=econointl.com at shmoo.com [mailto:hostap-
> bounces+ammirata=econointl.com at shmoo.com] On Behalf Of AthlonRob
> Sent: Friday, February 13, 2004 2:20 PM
> To: hostap at shmoo.com
> Subject: Re: WDS with AES encryption
> 
> On Fri, 2004-02-13 at 11:06, Bruno Randolf wrote:
> 
> I've been using OpenVPN for several months... most recently to bridge
> two remote networks together into one seamless network over a T1
> connection, securely.
> 
> > i just had a look at both this week. this are the main differences,
> imho:
> >
> > * openvpn can use certificates, tinc does not
> 
> OpenVPN seems to prefer the use of certificates, as well.  I generally
> just utilize static shared keys, but the certificate powers OpenVPN
> supports are quite nice.
> 
> > * tinc only needs 1 port for multiple incoming connections, openvpn
> needs a
> > seperate port and configuration file for each tunnel
> 
> This is, essentially, true.  Due to OpenVPN's design, a few individuals
> of late have been working on changing this.  There are now two separate
> schemes available to allow OpenVPN to work with multiple clients all at
> once.  Really, neither is effective with many clients... more than ten
> or twenty... but they both allow primary control over a single TCP or
> UDP port.  They both, I believe, require the use of multiple
> configuration files and TUN/TAP devices.
> 
> > * tinc is more suitable for a peer-to-peer VPN with more than two
> > participants: when you are connected to one peer, and need to send a
> packet
> > to another part of the VPN tinc can automatically create the connection
> to
> > the other one.
> 
> Does it do that, or does it just bridge multiple VPN connections
> together into a single bridged interface?
> 
> > * in contrast openvpn is more oriented towards a single tunnel.
> 
> Point to point.
> 
> > * tinc has been criticized (http://tinc.nl.linux.org/security) for
> having some
> > security flaws, i have not found any security analysis of openvpn.
> 
> I'm not sure there have been any... however, OpenVPN is *so* tied in to
> OpenSSL, it really, IMHO, is as secure as any other OpenSSL based
> application out there.  James seems to have designed it with security in
> mind from the getgo.
> 
> > i think it mainly depends if you want a simple tunnel between 2 hosts
> > (openvpn) or if the VPN should cover more than 2 hosts (tinc).
> 
> If tinc scales well (and I don't know if it does or not), then I would
> have to adjust the deciding factor to be how many hosts.  If we're
> talking less than twenty hosts, of which you're administrator over all,
> OpenVPN would be the route to go.  If we're dealing with more than
> twenty hosts, tinc or some other VPN product would be the way to go.
> 
> OpenVPN is also developed for multiple platforms, including Windows, the
> BSDs, and Linux.  I really don't know about tinc.  :-)
> 
> Rob
> 
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap






More information about the Hostap mailing list