wireless gateway & openbsd
Austin Godber
plug-discuss@lists.plug.phoenix.az.us
Mon, 14 Oct 2002 17:58:36 -0700
Tom Emerson wrote:
> Hmmm, I thought all the wireless buzz was about making open access
> available everywhere ... so that people driving by your home will be able
> to check their email & surf as they pass by??
>
> ... wasn't this the AP access project that bases access on the MAC
> address? (and it is totally spoofable). My two cents worth, assume
> _somebody_ is going to be sniffing your AP and potentially access your
> network, secure your network with this in mind.
>
> - tom e.
>
> On Mon, 14 Oct 2002, Mike Starke wrote:
>
>
>>Has anyone read the following paper?
>>http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/
>>
>>If so, has anyone attempted to replicate their configuration?
>>
>>I've been using my bsd box as AP for about 6 months and have slowly
>>begun to implement some of the same things they have done. I am at
>>a point where I need to write the web authentication part and was
>>wondering if anyone has already done something like this: No sense
>>in me duplicating something.
>>
>>As a side note, I don't know about the folks on this group, but I
>>for one have certainly found the pf filter(s) in OpenBSD far easier
>>to read & maintain than I ever did in Linux (ipchains/iptables).
>>Am I the only one that found this so?
>>
>>v/r
>>-Mike
Yeah,
Their security is based on MAC filtering. I have made a wireless
gateway from an OpenBSD box and established an IPsec tunnel between
each client and the gateway. The target client is Windows
2000 but of course it will work with anything that uses ISAKMP. I wrote
a paper about it which is available here:
http://cactus.eas.asu.edu/Partha/Papers-PDF/2002/wise-godber.pdf
There isn't really any detail about the gateway's configuration. Well,
I tell the relevant things, but don't show config files or anything. I
should have a semipublic package in a week or so. I need to update it
for OpenBSD 3.1 and fix a thing or two.
The goal with my project was to provide the gateway administrator the
ability to provide public access and private access. And possibly do
bandwidth shaping on the public users (thus hopefully guaranteeing the
private users some bandwidth).
Of course on standard hardware the IPsec can bog down your gateway
machine. I didn't do much load testing, but I figured that with
hardware encryption (e.g. www.soekris.com) much of that trouble would be
eliminated.
I will send out an update once I complete the package.
Austin
PS - I have yet to use PF, but IPF was quite nice. PF looks similar so
I imagine it to be just as pleasant (perhaps better).