Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Wireless Networking Hardware

A Solution For Making WiFi Cost Effective 120

rkohutek writes "This whitepaper came out of my employer's desire to deploy high speed wireless internet to an underserved, mostly rural area. Although very easy to do on the ground level, I found it to not be a cake walk when it came to actually making it a viable network case -- in a "normally" deployed wireless network it is very easy to spoof an IP or MAC address and hop on the network and get free bandwidth. This is not acceptable and the acronym WARTA, Wireless Authentication, Routing, Traffic control, Accounting was thought up to cover the things that we needed to do. Read on for how we managed to make it work using Free Software: HTML or PDF." Update: 06/07 20:42 GMT by T : He sends along word of this mirror as well.
This discussion has been archived. No new comments can be posted.

A Solution For Making WiFi Cost Effective

Comments Filter:
  • Mirror (Score:5, Informative)

    by rkohutek ( 122839 ) * <randal@ w e b e r s t r e e t.net> on Saturday June 07, 2003 @03:32PM (#6139749) Homepage Journal
    As an article poster, I saw that it was gonna get hit pretty hard, so here's a mirror:

    http://129.19.75.194/~jakalowiw/warta/

    Cheers,
    Randal
    • by Anonymous Coward
      I tried to post the short article, but the lameness filter barfed with too many junk characters. It can't tell the difference between config files and junk!

      Proud to be a /. article poster, murdering the bandwidth of students since 1998!

      But the filter let me post this!
    • by Glonoinha ( 587375 ) on Saturday June 07, 2003 @07:00PM (#6140436) Journal
      Umm Starbucks seems to be able to lock down its Wifi, and McDonalds seems to be able to lock down their wireless connection (get a free two hour connection with a Happy Meal, or something like that) ...

      Here is a thought, stop at Starbucks, buy a hideously overpriced ice-coffee or something, let the caffeine stimulate your brain, and buy an hour or day or however they sell it worth of their 'net access. Whatever they do to keep you from freeloading ... that's what you do to keep folks from freeloading on your network.

      Simple. Don't reinvent the wheel, leverage the gazillion dollars Starbucks and McDonalds paid consultants, particularly if they use the same method ... if they both do the same thing it means that two different sets of consultants at $225 an hour were able to convince two massive corporations to go with it.
  • Hmm... (Score:5, Funny)

    by DrLudicrous ( 607375 ) on Saturday June 07, 2003 @03:32PM (#6139750) Homepage
    Free software being used to keep people from getting free bandwidth. How ironic.
  • by Malicious ( 567158 ) on Saturday June 07, 2003 @03:32PM (#6139752)
    How do I make WiFi Cost Effective?
    Simple, I use someone else's network.
    • i know this is offtopic, but since war driving was mentioned . . .

      hey, i was reading a book and it was saying how the term "war dialing" (old-school stuff with regular modems) came from the movie War Games. is this true? and if this is true, i guess war driving/chalking come from the same source?
      • It was shown in Wargames, but it didn't "Come" from it. People had been doing it (and calling it that) for at least several years before. This solution is interesting - I'm trying to get a WiFi network up locally to support a local AE beta. One of the concerns in starting a big WiFi project locally has been addressed by this artical.
        • Wow, I helped someone out with my whitepaper. My life is complete.

          Thanks for reading it!
          randal
        • This article is a great start, and gives me some ideas on how to solve certain problems. The thing to remember, however, is this is still not secure in any way. Authentication wise it may be (what type of auth is going over the air? Chap? Pap?) but data wise it certainly isn't. A somewhat better solution security-wise is PPTP (which someone already mentioned), though it has plenty of problems of its own. The ultimate solution (while maintaining easy Windows compatibility) is IPSec over L2TP. Only pro
  • by Megor1 ( 621918 ) on Saturday June 07, 2003 @03:34PM (#6139757) Homepage
    Just like with 802.11b you might as well assume the wireless part is insecure and use something like an SSL pipe to actually connect the user to the net.
    • Another way would be radius for authentication, which appears to be the articles focus. That's very popular for authication, including growing interest from the wireless operator space. See Free Radius [freeradius.org] for one such implementation.
    • pptp (Score:3, Interesting)

      by akb ( 39826 )
      If they replace pppoe w/ pptp they have encryption of data with basically the same infrastructure. The client has shipped w/ every Windows version since '95 and there are free clients for every OS I can think of 'cept os9.
  • by garrulous ( 653996 ) on Saturday June 07, 2003 @03:39PM (#6139782)
    "Read on for how we managed to make it work using Free Software: HTML or PDF." I didn't realize that one could route wireless signals with nothing but HTML and PDF standards.
    • the tricky one is PDF. your only allowed to convert files to PDF [adobe.com]'s 5 times before you have to pay . . .
  • Dear God! (Score:5, Interesting)

    by PurpleFloyd ( 149812 ) <zeno20@attbi.cFORTRANom minus language> on Saturday June 07, 2003 @03:40PM (#6139786) Homepage
    Looks like someone finally found a use for PPPoE! I've wanted that damned protocol to die for quite a while, but I can see it being useful in this situation. DSL, on the other hand, is where it deserves to die a painful death, along with whatever suits decided that "emulating the dial-up experience" is better than an always-on connection.
    • It may not be better for you, but it's certainly better for your ISP if you connect using PPPoE. IP space is getting pretty limited, and if they can service 10 customers with 4 IP addresses, all the better for them.

      You don't honestly think they took your convenience into consideration when making the decision to use PPPoE, do you?
    • Re:Dear God! (Score:4, Interesting)

      by jjeffries ( 17675 ) on Saturday June 07, 2003 @04:43PM (#6139979)
      Indeed, I use PPPoE to authenticate the folks around my hood that I let use my connection. WEP slows things down too much and isn't much in the way on encryption anyway, and with SSH tunnels I was getting about 10k/sec through the wireless--my gateway router is a P100, perfect for routing but a little slow with the number crunching.

      You'll need to be careful with machines conencting from behind a PPPoE link and force an MTU lower than 1500--I use 1412 and that seems to work. If you can ping and do other things with small packets, but web pages don't load, or load a little bit and then stall, that's a sign of an MTU problem.

      PPPoE also makes shared-equipment DSL service a possibility, for better or worse (probably worse, coming from someone who works for an ISP that owns their own DSLAMs)...
    • Looks like someone finally found a use for PPPoE!

      PPPoE is used a lot in DSL and cable-modem links.

      • Re:Dear God! (Score:3, Insightful)

        by PurpleFloyd ( 149812 )
        If you read my post all the way through, you would have noticed that I said that its use in DSL and cable modem connections is pointless (it provides little extra security, but wastes bandwidth and irritates end users). PPPoE is a good choice here because public wireless access can't authenticate based on physical links; there must be some way to ensure that a user's resources aren't being stolen. This is where PPP and RADIUS authentication come in handy, and this is what makes PPPoE a reasonable solution
    • Re:Dear God! (Score:3, Interesting)

      Looks like someone finally found a use for PPPoE! I've wanted that damned protocol to die for quite a while, but I can see it being useful in this situation. DSL, on the other hand, is where it deserves to die a painful death,

      along with whatever suits decided that "emulating the dial-up experience" is better than an always-on connection.

      This might be the only chance I get to remind everyone that v.92 is probably the most undersold networking standard any of us have seen in years.

      The v.92 standard (no

      • can interpret call-waiting signals

        Yeah, but before v.92, all you had to do was to buy a $40 box to do the same job.

        it re-establishes POTS as a viable networking channel

        You mean "for residential users".

        Here is the problem as I see it.
        For those of us who don't have call waiting right now, that is an additional ~$3/month charge.

        This wonderful feature will screw-up any current connections you have when a call comes in, which means you can't really leave a download going while you are away.

        Connecting, u

  • I wouldn't worry (Score:4, Insightful)

    by rice_web ( 604109 ) on Saturday June 07, 2003 @03:42PM (#6139788)
    Take a long time to look things over and ask: is the piracy worth the risk? If a few individuals use the service illegally, but you have a solid base of paying users, isn't that better than not entering the market at all and missing out on an opportunity or implementing a costly security feature that could mitigate any profit?
    • Re:I wouldn't worry (Score:3, Interesting)

      by rice_web ( 604109 )
      Granted, I realize that the software was free, but what about maintenance and updates..... it is still a costly measure. I, for example, do not expect a virus-protection program to keep intruders out (I'd have to be naive), and this program certainly can't be foul-proof.
    • by gmack ( 197796 )
      The piracy is *not* worth the risk. The last thing you need is some wardriver grabbing every available ip and starting a spam run. Just picture it.. thousands of complaints and no way at all to deal with them. I'd imagine that would get blacklisted pretty quickly. Or they could use your network to break into things without getting busted.. not fun either when the buck stops with you.

      Overall though I think 802.11 is the wrong tool for this job.. why use it when something like Moterola Canopy has a large
      • We already have an Alvarion deployment in downtown Colorado Springs, CO ... we decided to go with generic 802.11b for this rural project for pure financial reasons. Alvarion CPE is wildly expensive, and Canopy CPE is only a little less cost-prohibitive. Compared to normal 802.11b gear, where you can buy a good, business-class antenna & radio for $200 (less than half the cost of alvarion/canopy gear) ... the higher priced ones, although full of neato features, just don't justify the cost in our particul
      • they might even crapflood slashdot and make you get the pink page when you visit, then you would have to commit sucicide!
  • by confused philosopher ( 666299 ) on Saturday June 07, 2003 @03:42PM (#6139791) Homepage Journal
    I thought we were supposed to make WiFi affordable by using empty Pringles cans and Floppy disks as the antennas rather than shelling out big bucks for custom made ones?
  • Solution (Score:5, Informative)

    by Anonymous Coward on Saturday June 07, 2003 @03:42PM (#6139792)
    in a "normally" deployed wireless network it is very easy to spoof an IP or MAC address and hop on the network and get free bandwidth.

    At my school anyone with a wifi card can get onto the network, but it just takes you to a web page where you have to put in a userid and password to access anything else on the network and the internet. They never ask for any information about your computer such as MAC address.
    • Re:Solution (Score:2, Interesting)

      by rkohutek ( 122839 ) *
      We thought about doing the walled-garden approach, but decided that it would piss of our customers to much to have to go through a portal page (login) that couldn't be automated (like ppp can be).

      randal
      • Re:Solution (Score:2, Insightful)

        by WoofLu ( 459652 )
        I had been looking to solutions like that one for a while, while I was reading the specs, it really seemed like the picture I had in my head (:

        anyway, the portal approach, when on an unknown network abroad can be a good thing, but on a daily basis, I'd just get crazy! So, merging the two ideas would just be great: PPPoE login for long-time customers, and ability to use the captive portal to register only for a couple of hours...

        Thanks for your contribution.. I hope to be using something alike sometime soo
        • Re:Solution (Score:4, Informative)

          by isorox ( 205688 ) on Saturday June 07, 2003 @06:09PM (#6140264) Homepage Journal
          Hmm, what about coverage though? Regulations in the EU are a lot stricter (max 100mW EIRP for example, the 'A' zone - america etc, can do 4W EIRP, so you can legally stick a 13dB antenna on a 100mW access point. In the EU, you cant. Theres also issues with deliberatly broadcasting outside. I want to push wireless 6 miles from town to my (future) home, but as

          1) Thats in Greece. I speak 27 words of greek, and I dont want to try and explain the technicalities of it if the greek radio agency come round
          2) I'm only 40 degrees off some massive radar military dishes. I dont want to explain the technicalities of it if the greek radio agency come round in a tank with machine guns

          (Maximum legal power / gain [cisco.com])

          Any links that are more specific on the legalities across Europe (which I would assume are the same) would be appreciated.
          • Yes, the regulations in Europe are different than in the US and other countries. The limit is lower than overseas.

            I am talking about the regulation I know. In Luxembourg, the regulating agency, ILR, conducted a survey last year and has published the very promising results a while ago. What they say is that 802.11b wireless networks could broadcast on the public domain with a per-accesspoint authorisation and not a traditional per-client license, which is great for this kind of networks.
    • And after a computer is authenticated, how do you think the router at the other end of the wireless network knows to let her traffic through? When she enters a proper user/pass, either her IP or MAC are recorded and that traffic allowed to go through. Spoof them, and you're on with her username. Not secure.
    • It is apparent the mods are still deep in the depths of an intense crack binge.

      So you enter your username and password, and are authenticated as a valid user; then what?

      Some little shred of magical software says to the magical routing gear, "Hey, that guy who just popped up, you know, 00:A0:CC:21:9D:CD, aka 10.5.27.98? Let's let him use the network for a bit, OK?"

      And lo, you have access.

      And awhile after you've been silent (ie, you go home for the day), the magical widgets forget about you. Next day, y
    • but it just takes you to a web page where you have to put in a userid and password to access anything else

      That was how most of the free ISPs worked torwards the end of their service... Of course, all I had to do was manually select to use a normal DNS server and it worked just fine.

      My point is, how secure is their system really? If they're just doing a DNS trick, Gnutella and other P2P apps would still work just fine. In fact, anything that uses IP addresses (rather than DNS names) will still work.

      So,

      • Wont work at Purdue for their wlan network. It uses VPN and to get on you require a uid and pword. Nothing useful is passed in the clear at all. Sniffing the network gets you squat but encrypted (VLAN) packets.

        • First of all, VPN != VLAN ...

          Second, the parent said nothing about a VPN.

          Also said, was that the user-id and password are input through a web page... That's a quite unusual setup for a VPN to say the least!
    • At the college I'm at we do something similar. Wireless or Wired we assume the network is insecure, and when you first connect up all you can get is a page where you have to enter your username and password. Behind the scenes it's already got your MAC address information from the routers, and when you enter a valid username and password it puts all that into a database of authorized computers, and will then give you a valid IP address instead of a 10.*.*.* address.
  • by Anonymous Coward
    Am I missing something, or couldn't someone just sniff a valid PPPoE username/password to gain access to the system? Are the login credentials sent in clear text or are they encrypted?
    • We utilize CHAP primarily with PAP as a backup. CHAP offers end-to-end encryption of the authorization session, while PAP does not.

      Cheers,
      randal
      • Slightly OT, but CHAP is not encrypted, the password is never sent, just challenge/response. (If I give you this challenge what will you give me back, does it match what I computed the response should be for the password I have for you on record with the challenge I gave you.)

        Also, the entire auth session is seldom encrypted, LCP takes place in the clear, as does RADIUS

        • actually Radius does not send the password in the clear (even when doing PAP and not CHAP). The password is sort of encrypted (simple XOR) using the shared secret and some random bytes (authenticator). Like CHAP, you can still perhaps carry out an offline dictionary attack, but its not as simple as reading the password in clear from an ethereal capture.
          -Puneet
          • Yeah, both User-Password and Tunnel-Password will be XORed with a block built from packet contents and the secret (using the result of XORing the previous 16 bytes to XOR the next until the rounds on length are exhausted). My point was that RADIUS itself is not encrypted (and the PAP password is available in the clear over LCP).

            The scariest part about using RADIUS in a scenario like this is that the request/response "Authenticator" pairs only validate the two password types (pap and tunnel setup and may b

      • CHAP is prone to offline dictionary attacks, and hence not really recommended for Wireless-type environments (which are much easier to sniff).
        Also CHAP *requires* the Radius server to have access to all user passwords in cleartext. If that server is ever compromised, *ALL* your passwords are compromised. You cant use /etc/passwd types of passwords (crypt, MD5, SHA1, other one-way hashes) with CHAP. MS-CHAP-V2 sort of addresses some of these issues.
        -Puneet
        • CHAP is prone to offline dictionary attacks.

          Pretty much. If you see the following exchange:

          NAS -> user: challenge = 123456

          user -> NAS: reponse = 584602

          you could start generating hashes for '123456' against a dictionary of 100 common passwords and look for one that hashes to '584602'.

          CHAP-Challenges are 16 bytes so precomputed dictionary attacks are unlikely due to storage requirements. what is more likely is an attacker would generate just the hashes for the challenge he just saw with the 1

  • How about... (Score:1, Redundant)

    by PS-SCUD ( 601089 )
    Making the antenna out of an old floppy drive and paper clips? [Slashdot story] [slashdot.org]
  • Just a question: (Score:3, Flamebait)

    by lfourrier ( 209630 ) on Saturday June 07, 2003 @04:05PM (#6139877)
    (In fact two)

    1)What is the cost of providing the communication service, and
    2)what is the cost of :
    mettering, securing, financing, billing, authenticating, supporting, marketting, *ing of the communication service?

    Once everybody understands that, community owned telcos can become a reality. (One can always dream).
    • Re:Just a question: (Score:5, Informative)

      by rkohutek ( 122839 ) * <randal@ w e b e r s t r e e t.net> on Saturday June 07, 2003 @04:18PM (#6139917) Homepage Journal
      On our side, the actual tower itself is pretty cheap. We started out with a single T1, (we're waiting on our third one to go in next week), $350 install for that, $250 for a used cisco 2501 + dsu/csu, we already had the AP and antenna laying around. And our tower is $200/mo ... so, the physical setup was, in total, maybe $900? CPE is running us right around $150-200, depending on which model is required.

      The OSS backend, though, is what I usually spend my day maintaining. Mail servers, billing, customer management, all that stuff ... man. I spend probably 20 hours a week upgrading / tweaking / maintaining. I'm sure that to startup, you could do it all for free with OS stuff, but it would take a lot of work. A *LOT* of work. Especially making everything tie together -- that's the really hard part. So to answer your question ... that's the really, really expensive part.

      randal
      • I think the question he just wanted to ask was:

        Is metering, securing, financing, billing, authenticating, supporting, marketting, *ing of the communication service more expensive than the cost of the bandwidth stolen by those who can MAC/IP spoof?

        If not, can I ask it anyway!!
        • Yes, unbelievably more expensive. If somebody wants to spoof a user (which they have to do to get online), then they can get up to 256kbps. If we oversell our t1 6 to 1, that makes for 36 slots. You take one with your hack. Worst case, you actually take up 1/6th of the bandwidth, costing us right around $60. Then you utilize about $6 of upstream bandwidth. So *worst* case, Mr. Hacker costs us $66 if he goes at it for a *whole month*.

          That's less than 1 day's pay for a tech support guy. Backend operating ser
      • Something critical appears to be missing from the costs side...the T1 lines. You mention that you have them with a 3rd on the way, ignoring that these cost a good deal more per month than any of the other costs you outlined. This gives the naive a false impression as to the real costs of providing an internet connection (and why free as in beer just isn't reasonable...SOMEONE is paying to get the connection into the backbone).

        Thus, you need to not only recoup the monthly (minor) costs of your tower rent

  • This is not acceptable and the acronym WARTA, Wireless Authentication, Routing, Traffic control, Accounting was thought up to cover the things that we needed to do.

    Fine for you. The rest of us are setting up mesh nodes so we don't need to pay a monthly fee to anyone. Good luck, but don't cry when people get around you with their own equipment.

    • no signal (Score:2, Interesting)

      by zogger ( 617870 )
      Those mesh network things are a good idea too, I like them, the concept, however, you need people in reasonable proximity all the way to the fat pipes internet someplace. A lot of rural places you will wind up with areas that no one can reach the net with any sort of big bandwith. You'll be stuck running your whole network through some dialup modem, or someone eats the T-1. Around here they are close to one grand per month,last I looked anyway. I don't know many folks who would want to spend 100$ to 200$ to

  • 1) Live in a big city in an apartment block with people who drive BMWs, Mercs etc

    2) Buy a WiFi card

    3) Use the internet connection of other people in the bulding...

    I know of one person who made issues configuring there WiFi card... then realised it was because they were browsing someone elses network.

    Is it wrong to take advantaeg of Stupid people ? George Bush does it, Bill Gates does it... why shouldn't we ?
  • 1. When I first got the traffic control tunnels working, I noticed that my throughput was 1/2 of what it was supposed to be. A very hostile guy named "AxLaptop" in #freebsd on EFNet was not only a huge jerk, but also just pissed enough to through me the bone that you need to have "out" and "in" on your ipfw pipes. If you do not put those words in, you will get half bandwidth as it is going through each ipfw pipe twice -- one packet takes up twice the bandwidth = half bandwidth.

    I don't get it. Doesn't t

  • by akb ( 39826 )
    Why not replace pppoe w/ pptp? That would give basically the same infrastructure but with encryption of your customers' data.

    The only downside would be lack of a free client for os9.
    • The main reason for this is that very few (cheap) SOHO routers support PPTP. All of them support PPPoE. We use what works and what is cheap.

      randal
      • yup. don't count on the FVS318 from netgear to save you. me and lotsa loosers at broadbandreports.com 's hardware forums have had very little luck w/ this model and creating tunnels to anything but its twin(s) on the far end of a connection.
  • Another great illustration of the tremendous effort [wired.com] people are willing to invest to make sure the right number of beans are in the right piles.

    I am really looking forward to when the Internet becomes a public utility and Internet access is more like like freeway access (not toll roads, not GPS-scanned roads, just freeways). A global communication system, like a highway system, benefits you all the time, not just while you are personally using it.
    • All those so called public utilities aren't free. You don't pay tolls for driving on the freeway - why? because you've already paid, in gas tax and car tax.

      TANSTAAFL
  • Why not IPSEC? (Score:3, Interesting)

    by po8 ( 187055 ) on Saturday June 07, 2003 @07:28PM (#6140541)

    The "obvious" answer would have been to use FreeS/WAN [freeswan.org] or similar to set up an IPSEC tunnel to your wired network and be done with it. Windows supports IPSEC as well, and it seems like it would solve most of your problems. Am I missing something?

    • Re:Why not IPSEC? (Score:2, Insightful)

      by yhetti ( 57297 )
      According to everything I've read, interop. between IPSwan and...well, basically anything else is shoddy at best. Trying to get Windows 2000 or XP to work with FreeSwan is not something a normal technician could do on a service call. Windows 95/98/ME is basically out the question. I may be wrong, but that's the impression I get.
  • I am not convinced of the security of this method.. Maybe it could be possible to use ppp and plink.exe to set up a secure tunnel? It could work, if you can get a ppp negotiation happen over a ssh tunnel on windows..
  • If their goal is deploying wifi in a 'rural' area, is unpaid access really that big a problem? I mean it's not like there's a subdivision in between points. Are they worrying about the one or two farmers in between piggybacking?
    • It's really not that big of an issue, as bandwidth doesn't cost us much money. What we tried to eliminate was JoeSixPack turning on his laptop and instantly getting free service, and then us not knowing about it. Additionally, it keeps track of each user independently while leveraging all of our existing ISP resources.

      Our solution simply makes our service unusable unless you A) login or B) do a lot of work. No network is impenetrable, but we're wagering that 99% of people will go with A) getting a login in
      • Yeah, I wasn't suggesting this was a waste of time or anything. It sounds incredibly useful to me, even more so in an urban environment. I have personally been kicking around the idea of starting a wireless network around the university here and maybe covering some of the more densely packed housing such as apartments and condos. The biggest tripping point is exactly what you address with this - unauthorized access.
  • I could be missing something here, but isn't this situation what 802.1x is designed for?

    It plays nicely with RADIUS, allows for secure authentication and encryption based on certificates, and works at layer 2 rather than layer 3.

    PPPoE by contrast won't stop a determined hacker for longer than it takes to google "airsnort". There's no encryption in the setup described (as far as I can tell) and adding it would stop most PPPoE clients from working.

    If you've got Windows there are quite a few options for 802

//GO.SYSIN DD *, DOODAH, DOODAH

Working...