2011-02-11 15:39:19

by Joerg

Subject: WPA for Ethernet?

Hello all,
is it possible to use the mac80211 (software) encryption infrastructure to
encrypt data over non 802.11 interfaces? If not, how hard would this be?

IPsec and other VPN solutions are "tunnel centric" instead of "interface
centric". I'm looking for a way to say "All inbound and outbound traffic through
this interface must be encrypted with the following key.", just like WPA-PSK.

Regards
Joerg



2011-02-12 00:08:19

by Joerg

Subject: Re: WPA for Ethernet?

John W. Linville <linville@...> writes:
> I believe wpa_supplicant can do the 802.1x authentication to gain
> access to a port on a supporting switch. However, I am not aware
> of any standard for "encrypted ethernet" that would build upon that.

John, thanks for taking the time to answer. An untested idea I had was
bridging the mac80211 hwsim device to an ethernet device. Could this work
and would it do what I want? I suspect not, but maybe...
Alternatively, is it somehow possible to connect the lower layer input/output
of hwsim to another network interface?

> You might consider implementing your own code on top of the TUN/TAP
> driver for point-to-point encrypted links?

How would this differ from OpenVPN?

> John





2011-02-14 12:10:17

by Jouni Malinen

Subject: Re: WPA for Ethernet?

On Fri, Feb 11, 2011 at 03:39:03PM +0000, jpo234 wrote:
> is it possible to use the mac80211 (software) encryption infrastructure to
> encrypt data over non 802.11 interfaces? If not, how hard would this be?
>
> IPsec and other VPN solutions are "tunnel centric" instead of "interface
> centric". I'm looking for a way to say "All inbound and outbound traffic through
> this interface must be encrypted with the following key.", just like WPA-PSK.

Are you looking for a custom solution that would not work with anyone
else or a standard solution like MACsec that Henry already mentioned?
You could obviously make the kernel do some custom hacks like trying to
fit IEEE 802.11 encryption into other network types, but it would sound
more reasonable to work on a standard solution.

CCMP is designed for the IEEE 802.11 header and as such, it does not really
work as-is with other network types. WPA-PSK 4-way handshake could be
used to manage keys with some small changes, but this would be very much
a custom solution.

--
Jouni Malinen PGP id EFC895FA

2011-02-11 16:29:16

by John W. Linville

Subject: Re: WPA for Ethernet?

On Fri, Feb 11, 2011 at 03:39:03PM +0000, jpo234 wrote:
> Hello all,
> is it possible to use the mac80211 (software) encryption infrastructure to
> encrypt data over non 802.11 interfaces? If not, how hard would this be?
>
> IPsec and other VPN solutions are "tunnel centric" instead of "interface
> centric". I'm looking for a way to say "All inbound and outbound traffic through
> this interface must be encrypted with the following key.", just like WPA-PSK.

I believe wpa_supplicant can do the 802.1x authentication to gain
access to a port on a supporting switch. However, I am not aware
of any standard for "encrypted ethernet" that would build upon that.
You might consider implementing your own code on top of the TUN/TAP
driver for point-to-point encrypted links?

John
--
John W. Linville                Someday the world will need a hero, and you
[email protected]                  might be all we have.  Be ready.

2011-02-11 16:52:07

by Henry Ptasinski

Subject: Re: WPA for Ethernet?

> I believe wpa_supplicant can do the 802.1x
> authentication to gain access to a port on a
> supporting switch.  However, I am not aware
> of any standard for "encrypted ethernet" that
> would build upon that.

Standard for MAC layer encryption for 802 networks:

http://www.ieee802.org/1/pages/802.1ae.html

Key exchange:

http://www.ieee802.org/1/pages/802.1af.html

- Henry

Henry Ptasinski
henryp@broadcom.com
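An added illustration (not from any poster in this thread) of Jouni's point and Henry's MACsec pointer: CCMP takes its nonce and AAD straight from 802.11 MAC header fields, while MACsec (IEEE 802.1AE) gets the same per-frame uniqueness and header binding on Ethernet from the SecTAG it inserts after DA/SA. The frames and MAC addresses are constructed; the field layouts follow the two standards, and the functions only derive the AEAD inputs, they do not encrypt.

```python
# Constructed sample addresses (locally administered, not from any real capture).
STA = bytes.fromhex("020000000001")
AP = bytes.fromhex("020000000002")

# 802.11 QoS data MPDU: FC 0x88 0x41 (QoS data, ToDS, Protected), A1=AP, A2=STA,
# A3=AP, seq 0x123 / frag 0, QC with TID 5, then a CCMP header with PN=0x102.
MPDU_80211 = (b"\x88\x41\x00\x00" + AP + STA + AP + b"\x30\x12" + b"\x05\x00"
              + bytes.fromhex("0201002000000000"))

# MACsec frame: DA=AP, SA=STA, EtherType 0x88E5, TCI/AN = SC|E|C with AN=1,
# SL=0, PN=42, explicit SCI = STA || port 1, then placeholder secure data.
MACSEC_FRAME = (AP + STA + bytes.fromhex("88e52d000000002a") + STA + b"\x00\x01"
                + b"\xaa" * 16)


def ccmp_nonce_aad(mpdu: bytes) -> tuple:
    """CCMP nonce and AAD for an 802.11 data MPDU (MAC header + 8-byte CCMP
    header), per IEEE 802.11-2007 8.3.3.3: every input is an 802.11 field."""
    b0, b1 = mpdu[0], mpdu[1]
    assert (b0 >> 2) & 3 == 2, "data frame expected"
    a4 = (b1 & 0x03) == 0x03                     # ToDS and FromDS both set
    qos = bool(b0 & 0x80)                        # QoS data subtype
    hlen = 24 + (6 if a4 else 0) + (2 if qos else 0)
    hdr, ccmp = mpdu[:hlen], mpdu[hlen:hlen + 8]
    tid = hdr[hlen - 2] & 0x0F if qos else 0
    pn = bytes([ccmp[7], ccmp[6], ccmp[5], ccmp[4], ccmp[1], ccmp[0]])  # PN5..PN0
    nonce = bytes([tid]) + hdr[10:16] + pn       # priority | A2 | PN (13 bytes)
    # AAD: subtype bits 4-6, Retry, PwrMgt, MoreData masked; Protected forced on;
    # sequence number masked (fragment number kept); QC reduced to its TID.
    aad = bytes([b0 & 0x8F, (b1 & 0xC7) | 0x40]) + hdr[4:22]
    aad += bytes([hdr[22] & 0x0F, 0x00])
    if a4:
        aad += hdr[24:30]
    if qos:
        aad += bytes([tid, 0x00])
    return nonce, aad


def macsec_iv_aad(frame: bytes) -> tuple:
    """GCM-AES IV and AAD for an IEEE 802.1AE (MACsec) frame. The SecTAG that
    MACsec inserts after DA/SA supplies the packet number plain Ethernet lacks."""
    da, sa = frame[:6], frame[6:12]
    assert frame[12:14] == b"\x88\xe5", "MACsec EtherType expected"
    tci_an, pn = frame[14], frame[16:20]
    if tci_an & 0x20:                            # SC bit: explicit 8-byte SCI
        sci, taglen = frame[20:28], 16
    else:                                        # implicit SCI: SA || port 1 (0 if SCB)
        sci, taglen = sa + (b"\x00\x00" if tci_an & 0x10 else b"\x00\x01"), 8
    return sci + pn, da + sa + frame[12:12 + taglen]
```

A plain Ethernet header offers only DA, SA and EtherType, so neither of these constructions has a replay counter to work from until a tag like the SecTAG is added.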


2011-02-14 13:04:10

by Joerg

Subject: Re: WPA for Ethernet?

Jouni Malinen <j <at> w1.fi> writes:

> Are you looking for a custom solution that would not work with anyone
> else or a standard solution like MACsec that Henry already mentioned?

I'm not sure yet. I'm looking for any reasonable solution and obviously
an accepted standard would be a plus, but I would not completely rule out
a custom solution.

> You could obviously make the kernel do some custom hacks like trying to
> fit IEEE 802.11 encryption into other network types, but it would sound
> more reasonable to work on a standard solution.

My ideal solution would work for both wired Ethernet and 802.11 (in
IBSS mode, by the way).

> CCMP is designed for the IEEE 802.11 header and as such, it does not really
> work as-is with other network types. WPA-PSK 4-way handshake could be
> used to manage keys with some small changes, but this would be very much
> a custom solution.

Thanks for sharing your insights. They are much appreciated!

Initially I didn't provide many details because I thought that my questions
were too far off topic for the wireless list. Since it seems people are willing
to discuss it here, I'll provide a more detailed description of my problem:

I'm working on a wireless communication system for public safety organizations.
Normally it uses a wireless MANET with OLSR routing as backbone, but sometimes
the OLSR MANET gets extended over wired Ethernet links.
Up until now the communication has been secured with IPsec. This works reasonably
well for unicast data, but becomes a really big headache for multicast (think
video from network cameras).

Now I'm looking for a sane security solution that would work over both 802.11
and Ethernet and supports multicast. I could probably get an insane IPsec
solution working, but it would feel less than satisfactory.

Regards
Joerg