Subject: Re: Fixed arp entry for WaveLan?
To: None <current-users@netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: current-users
Date: 02/21/2000 09:47:31
Thilo.Manske@HEH.Uni-Oldenburg.DE (Thilo Manske) writes:
> On Mon, Feb 21, 2000 at 06:56:00AM +0100, Martin Husemann wrote:
> > Is there an easy way to wire a fixed ARP entry for a wave lan (and block
> > all packets from other cards)?
> 
> > I would like to restrict access via my ray0 interface to a single remote
> > card with a known IEEE 802.11 MAC address.
> An idea:
> 
> Add a static arp entry for that other card (arp -s) and ifconfig ray0
> "-arp".

If the intention is a bit more security, I'm not sure it will buy one
much.  If the wireless intruder uses an IP address that routes to the
internet interface of a computer then the return packets won't need to
be arped on the wireless interface at all.  They will merrily be
returned to the intruder via the internet.

I really think someone needs to figure out how to configure the ipsec
stuff for a wireless link.  The ipsec stuff is in the international
kernel too, isn't it?

I did manage to hack together something that limped along using racoon
and statically defined "spdadd" lines like the following in
setkey.conf.

on capsicum:
    #
    # capsicum.ray.wsrcc.com -> tepin.ray.wsrcc.com
    #
    spdadd 192.168.197.1/32 192.168.197.14/32 any -P out ipsec
            esp/transport/192.168.197.1-192.168.197.14/use
            ah/transport/192.168.197.1-192.168.197.14/use;
    spdadd 192.168.197.14/32 192.168.197.1/32 any -P in ipsec
            esp/transport/192.168.197.14-192.168.197.1/use
            ah/transport/192.168.197.14-192.168.197.1/use;

on tepin:
    #
    # tepin.ray.wsrcc.com -> capsicum.ray.wsrcc.com
    #
    spdadd 192.168.197.14/32 192.168.197.1/32 any -P out ipsec
            esp/transport/192.168.197.14-192.168.197.1/use
            ah/transport/192.168.197.14-192.168.197.1/use;
    spdadd 192.168.197.1/32 192.168.197.14/32 any -P in ipsec
            esp/transport/192.168.197.1-192.168.197.14/use
            ah/transport/192.168.197.1-192.168.197.14/use;

This doesn't provide any security because the '/use' indicates it is
optional.  When I change to '/require' all communication stops.

When actually using this with racoon, it will run for 10 minutes or so
and then I get 1-2 minute hangs that eventually unwedge under a barrage
of pings.  I also see racoon spit out diagnostics that to my untrained
eye don't look too encouraging.

Is anyone already using ipsec and possibly isakmp on their wireless
links yet?

-wolfgang
-- 
       Wolfgang Rupprecht <wolfgang+gnus@dailyplanet.wsrcc.com>
		    http://www.wsrcc.com/wolfgang/
DGPS signals via the Internet  http://www.wsrcc.com/wolfgang/gps/dgps-ip.html
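As an added example (not part of Wolfgang's mail or of NetBSD's own tools), the following Python script audits the kind of setkey.conf shown above: it parses spdadd statements in setkey(8) syntax, flags every policy whose ESP or AH rule is at level "use" (the optional level the mail describes, which still accepts unprotected traffic), and shows the same statement re-emitted with "require". The sample configuration is constructed in the shape of the capsicum policies, with the inbound policy already hardened so the audit has one weak and one strong entry to compare; the "default" level is also flagged because it defers to the kernel's default-level sysctls rather than stating the requirement in the policy.

```python
"""setkey.conf SPD audit (added example, not from the original mail).

Parses 'spdadd' statements in setkey(8) syntax and reports every policy
whose ESP/AH rule carries the level 'use' (or 'default', which defers to
the kernel's default-level sysctls), since 'use' lets cleartext through
as well as protected traffic.  Each weak policy is printed next to the
same statement rewritten with 'require'.
"""
import re

# Constructed sample in the shape of the mail's 'capsicum' policies; the
# inbound policy is already at 'require' so the audit has one of each.
SAMPLE_CONF = """\
#
# capsicum.ray.wsrcc.com -> tepin.ray.wsrcc.com
#
spdadd 192.168.197.1/32 192.168.197.14/32 any -P out ipsec
        esp/transport/192.168.197.1-192.168.197.14/use
        ah/transport/192.168.197.1-192.168.197.14/use;
spdadd 192.168.197.14/32 192.168.197.1/32 any -P in ipsec
        esp/transport/192.168.197.14-192.168.197.1/require
        ah/transport/192.168.197.14-192.168.197.1/require;
"""

# spdadd <src> <dst> <upperspec> -P <in|out> ipsec <rule> [<rule> ...] ;
STATEMENT_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+ipsec\s+(?P<rules>.*)$"
)
# <protocol>/<mode>/<src-dst endpoints, may be empty>/<level>
RULE_RE = re.compile(
    r"(?P<proto>esp|ah|ipcomp)/(?P<mode>transport|tunnel)/"
    r"(?P<ep>[^/\s]*)/(?P<level>default|use|require|unique)"
)

# Levels that refuse to pass traffic without a matching SA.
STRONG_LEVELS = {"require", "unique"}


def split_statements(text):
    """Drop '#' comments, then split the config on ';' into statements."""
    code = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    return [s.strip() for s in code.split(";") if s.strip()]


def parse_spd(text):
    """Return one dict per spdadd statement; other statement types
    (add, spddelete, flush, ...) are ignored."""
    policies = []
    for stmt in split_statements(text):
        m = STATEMENT_RE.match(stmt)
        if m is None:
            continue
        rules = [r.groupdict() for r in RULE_RE.finditer(m.group("rules"))]
        policies.append({
            "src": m["src"], "dst": m["dst"], "upper": m["upper"],
            "dir": m["dir"], "rules": rules,
        })
    return policies


def weak_rules(policy):
    """Rules that do not insist on IPsec: the level the mail calls optional."""
    return [r for r in policy["rules"] if r["level"] not in STRONG_LEVELS]


def render(policy, level=None):
    """Re-emit a policy as a one-line spdadd statement, optionally forcing
    every rule to the given level."""
    rules = " ".join(
        f"{r['proto']}/{r['mode']}/{r['ep']}/{level or r['level']}"
        for r in policy["rules"]
    )
    return (f"spdadd {policy['src']} {policy['dst']} {policy['upper']} "
            f"-P {policy['dir']} ipsec {rules};")


def audit(text):
    """Return (weak_policy, hardened_statement) pairs for a config text."""
    return [(p, render(p, "require")) for p in parse_spd(text) if weak_rules(p)]


if __name__ == "__main__":
    for policy, fixed in audit(SAMPLE_CONF):
        levels = ",".join(r["level"] for r in weak_rules(policy))
        print(f"WEAK ({levels}): {render(policy)}")
        print(f"  -> {fixed}")
```

The rewritten statement only changes the policy side: once a rule is at "require", the kernel drops matching traffic until a security association exists, whether installed manually with setkey "add" lines or negotiated by racoon, which is exactly why the mail reports that communication stops when "/use" is flipped to "/require" without working key management behind it.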