Slashdot Mirror


A Solution For Making WiFi Cost Effective

rkohutek writes "This whitepaper came out of my employer's desire to deploy high speed wireless internet to an underserved, mostly rural area. Although very easy to do on the ground level, I found it to not be a cake walk when it came to actually making it a viable network case -- in a "normally" deployed wireless network it is very easy to spoof an IP or MAC address and hop on the network and get free bandwidth. This is not acceptable and the acronym WARTA, Wireless Authentication, Routing, Traffic control, Accounting was thought up to cover the things that we needed to do. Read on for how we managed to make it work using Free Software: HTML or PDF." Update: 06/07 20:42 GMT by T : He sends along word of this mirror as well.

120 comments

  1. Mirror by rkohutek · · Score: 5, Informative

    As an article poster, I saw that it was gonna get hit pretty hard, so here's a mirror:

    http://129.19.75.194/~jakalowiw/warta/

    Cheers,
    Randal

  2. Hmm... by DrLudicrous · · Score: 5, Funny

    Free software being used to keep people from getting free bandwidth. How ironic.

    1. Re:Hmm... by SkArcher · · Score: 4, Insightful

      Free as in Speech, not Free as in beer.

      --

      An infinite number of monkeys will eventually come up with the complete works of /.
    2. Re:Hmm... by akb · · Score: 1

      Last I looked the T1's they are using to connect these people to the 'net were not free.

    3. Re:Hmm... by humble · · Score: 1

      The point is really that the bandwidth can be authenticated and tracked.

      I just don't understand why you don't make it a mesh instead and only charge for traffic that hits the terrestrial net? That would extend everyone's range as well.

    4. Re:Hmm... by evilviper · · Score: 1

      Free software being used to keep people from getting free Root access on computers. How ironic.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  3. How to make WiFi Cost Effective. by Malicious · · Score: 4, Funny

    How do I make WiFi Cost Effective?
    Simple, I use someone else's network.

    --
    01101001001000000110000101101101001000000110001001 10000101110100011011010110000101101110
    1. Re:How to make WiFi Cost Effective. by sixdotoh · · Score: 1

      i know this is offtopic, but since war driving was mentioned . . .

      hey, i was reading a book and it was saying how the term "war dialing" (old-school stuff with regular modems) came from the movie War Games. is this true? and if this is true, i guess war driving/chalking come from the same source?

      --

      This post was brought to you by the number 584811 and the characters / and .

    2. Re:How to make WiFi Cost Effective. by ward99 · · Score: 3, Informative

      It was shown in Wargames, but it didn't "Come" from it. People had been doing it (and calling it that) for at least several years before. This solution is interesting - I'm trying to get a WiFi network up locally to support a local AE beta. One of the concerns in starting a big WiFi project locally has been addressed by this article.

    3. Re:How to make WiFi Cost Effective. by rkohutek · · Score: 1

      Wow, I helped someone out with my whitepaper. My life is complete.

      Thanks for reading it!
      randal

    4. Re:How to make WiFi Cost Effective. by Anonymous Coward · · Score: 0

      It was shown in Wargames, but it didn't "Come" from it. People had been doing it (and calling it that) for at least several years before.

      And, pray tell, Why The Fuck were people calling it WAR dialling before the movie WARgames came out?

    5. Re:How to make WiFi Cost Effective. by FuegoFuerte · · Score: 2, Interesting

      This article is a great start, and gives me some ideas on how to solve certain problems. The thing to remember, however, is this is still not secure in any way. Authentication wise it may be (what type of auth is going over the air? Chap? Pap?) but data wise it certainly isn't. A somewhat better solution security-wise is PPTP (which someone already mentioned), though it has plenty of problems of its own. The ultimate solution (while maintaining easy Windows compatibility) is IPSec over L2TP. Only problem is, last I checked this is a bitch to set up a Linux server for, if it is possible at all. The IPSec is possible enough (FreeSWAN, etc) but getting it working over L2TP gets rough real quick. Course, last I checked into this was about 6 months ago, so things may have progressed since then.

    6. Re:How to make WiFi Cost Effective. by collinl · · Score: 1

      Because those doing it were taking planned, systematic hostile actions against one or more targets to find weaknesses, with the goal usually of finding cheap telephone access.

  4. Assume the network is insecure by Megor1 · · Score: 5, Informative

    Just like with 802.11b you might as well assume the wireless part is insecure and use something like an SSL pipe to actually connect the user to the net.

    --
    Everyone that disagrees with me is a paid shill
  5. Pfft. by Gay+Nigger · · Score: 0, Troll

    That's a non-solution. Did you read the article? It requires that you send authentication tokens via the open airwaves. That is NOT the way to run a secure system. Anybody with two braincells or more can see that any yokel can just fire up airsnort and grab the information out of the air. What a worthless proposal. Wireless will never be secure.

    1. Re:Pfft. by night+tilda · · Score: 1

      I had the impression that authentication is done with ppp, and CHAP should be able to deal with an insecure connection medium, yes?

  6. Free software? by garrulous · · Score: 5, Funny

    "Read on for how we managed to make it work using Free Software: HTML or PDF." I didn't realize that one could route wireless signals with nothing but HTML and PDF standards.

    1. Re:Free software? by sixdotoh · · Score: 1

      the tricky one is PDF. you're only allowed to convert files to PDF's 5 times before you have to pay . . .

      --

      This post was brought to you by the number 584811 and the characters / and .

  7. Dear God! by PurpleFloyd · · Score: 4, Interesting

    Looks like someone finally found a use for PPPoE! I've wanted that damned protocol to die for quite a while, but I can see it being useful in this situation. DSL, on the other hand, is where it deserves to die a painful death, along with whatever suits decided that "emulating the dial-up experience" is better than an always-on connection.

    --

    That's it. I'm no longer part of Team Sanity.
    1. Re:Dear God! by jjeffries · · Score: 3, Interesting

      Indeed, I use PPPoE to authenticate the folks around my hood that I let use my connection. WEP slows things down too much and isn't much in the way of encryption anyway, and with SSH tunnels I was getting about 10k/sec through the wireless--my gateway router is a P100, perfect for routing but a little slow with the number crunching.

      You'll need to be careful with machines connecting from behind a PPPoE link and force an MTU lower than 1500--I use 1412 and that seems to work. If you can ping and do other things with small packets, but web pages don't load, or load a little bit and then stall, that's a sign of an MTU problem.

      PPPoE also makes shared-equipment DSL service a possibility, for better or worse (probably worse, coming from someone who works for an ISP that owns their own DSLAMs)...

    2. Re:Dear God! by gallir · · Score: 1
      Looks like someone finally found a use for PPPoE!

      PPPoE is used a lot in DSL and cable-modem links.

      --
      sgis ddo ekil t'nod i
    3. Re:Dear God! by Anonymous Coward · · Score: 0

      WTFH?! Are you retarded? Can't you hold it in long enough to finish reading the post where he mentions that?

    4. Re:Dear God! by Junkster+Julian · · Score: 3, Interesting
      Looks like someone finally found a use for PPPoE! I've wanted that damned protocol to die for quite a while, but I can see it being useful in this situation. DSL, on the other hand, is where it deserves to die a painful death, along with whatever suits decided that "emulating the dial-up experience" is better than an always-on connection.
      This might be the only chance I get to remind everyone that v.92 is probably the most undersold networking standard any of us have seen in years.

      The v.92 standard (not to be confused with the simple v.90 standard) was released by Conexant (formerly Rockwell International Corporation, the dudes who helped pioneer MODEMs together with folks like USRobotics, Hayes, etc.) can interpret call-waiting signals and issue "modem-on-hold" command(s) to the remote modem.

      This new feature is "pretty darn" useful as it re-establishes POTS as a viable networking channel as users will no longer feel like they are being forced to choose between: a) receiving telephone calls, b) being connected to the Internet, c) ordering, installing, rewiring, securing, and budgeting an additional POTS line, or d) subscribing to "overkill-type" high-speed services just to send someone an email.

      Due to the sheer demographic penetration of POTS versus other newer high-speed and wireless technologies, ISPs might want to consider upgrading their modem pools to support the new standard (and market support for the new standard as the no-more-busy-signals-ever-again (and-we-mean-it-this-time) godsend it, well, is!). 'Nuf said.

      Greets.

    5. Re:Dear God! by Anonymous Coward · · Score: 0

      I have some experience setting up v.92 modem dialups.

      And I can tell you v.92 doesn't work. I know the ISPs in question had v.92 on their end, because a certain lucent winmodem with a certain driver that was briefly released and retracted, that I got from a guy on usenet, would hang up or "data hold" on call waiting. But no standard driver worked; the US Robotics v.92 external modems don't work, even if you re-flash the system; and yes I did extensive searches on groups.google.com and found out that the US Robotics don't use the same control strings as everyone else, etc.

      It's not just the US Robotics either.

      The fact is, V.92 is one of the biggest advertising frauds ever pulled off. I can't believe how many different modems we purchased over 2 years trying to get that working. Where is the class action lawsuit ? It definitely turned me off to the products of all the big modem manufacturers, I just don't trust those companies anymore, I probably never should have.

    6. Re:Dear God! by PurpleFloyd · · Score: 2, Insightful

      If you read my post all the way through, you would have noticed that I said that its use in DSL and cable modem connections is pointless (it provides little extra security, but wastes bandwidth and irritates end users). PPPoE is a good choice here because public wireless access can't authenticate based on physical links; there must be some way to ensure that a user's resources aren't being stolen. This is where PPP and RADIUS authentication come in handy, and this is what makes PPPoE a reasonable solution for wireless 802.11x.

      --

      That's it. I'm no longer part of Team Sanity.
    7. Re:Dear God! by evilviper · · Score: 1
      can interpret call-waiting signals

      Yeah, but before v.92, all you had to do was to buy a $40 box to do the same job.

      it re-establishes POTS as a viable networking channel

      You mean "for residential users".

      Here is the problem as I see it.
      For those of us who don't have call waiting right now, that is an additional ~$3/month charge.

      This wonderful feature will screw-up any current connections you have when a call comes in, which means you can't really leave a download going while you are away.

      Connecting, using dial-up, is still time-consuming.

      Disconnections still happen.

      You have to hang-up to make outgoing calls still.

      You can't be connected while talking on the phone, and looking up information for people I'm speaking with is a very common occurrence.

      You still have to pay the $20/month for a decent ISP.
      And, although I've avoided it thus far:

      Your connection speed is still limited by the quality of your lines, and everything else.
      My point is this... With POTS, I would be paying $23/month. That's $20/month for the ISP (no decent ISP is much less than $20), and $3 for call-waiting.

      With that, I haven't added in the setup cost of buying a $100+ modem, or (necessary at the time I considered this) the $40+ box, etc.

      Now, considering everything, I would rather pay twice as much as dial-up, and get a DSL connection, without any of the limitations of dial-up... I get (at worst--usually better than) one half T-1 speeds, can be connected constantly, can make outgoing calls, can hook it up to my home network, etc., etc., etc.

      Perhaps dial-up is still good enough that some of the population wouldn't pay 2x as much for the benefits of DSL, but I dare say that dial-up's days are severely numbered... No doubt, lower-cost DSL services will come along for those who want a cheaper connection, and aren't very worried about reliability and speed.

      I, for one, will be glad to see dial-up die off. It's been a performance bottleneck, a limitation to computer adoption, etc.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    8. Re:Dear God! by TheSync · · Score: 1

      The MTU limit on PPPoE also breaks Windows Terminal Services - which is so stupid!

  8. I wouldn't worry by rice_web · · Score: 4, Insightful

    Take a long time to look things over and ask: is the piracy worth the risk? If a few individuals use the service illegally, but you have a solid base of paying users, isn't that better than not entering the market at all and missing out on an opportunity or implementing a costly security feature that could mitigate any profit?

    --
    The Political Programmer
    1. Re:I wouldn't worry by rice_web · · Score: 3, Interesting

      Granted, I realize that the software was free, but what about maintenance and updates..... it is still a costly measure. I, for example, do not expect a virus-protection program to keep intruders out (I'd have to be naive), and this program certainly can't be fool-proof.

      --
      The Political Programmer
    2. Re:I wouldn't worry by gmack · · Score: 2, Insightful

      The piracy is *not* worth the risk. The last thing you need is some wardriver grabbing every available ip and starting a spam run. Just picture it.. thousands of complaints and no way at all to deal with them. I'd imagine that would get blacklisted pretty quickly. Or they could use your network to break into things without getting busted.. not fun either when the buck stops with you.

      Overall though I think 802.11 is the wrong tool for this job.. why use it when something like Motorola Canopy has a larger range *and* is more secure?

      Dump 802.11 and the pppoe link and problem solved.

      At least I hope so. I'm submitting a proposal for a rural network on monday.

    3. Re:I wouldn't worry by rkohutek · · Score: 1

      We already have an Alvarion deployment in downtown Colorado Springs, CO ... we decided to go with generic 802.11b for this rural project for pure financial reasons. Alvarion CPE is wildly expensive, and Canopy CPE is only a little less cost-prohibitive. Compared to normal 802.11b gear, where you can buy a good, business-class antenna & radio for $200 (less than half the cost of alvarion/canopy gear) ... the higher priced ones, although full of neato features, just don't justify the cost in our particular situation.

      randal

    4. Re:I wouldn't worry by rkz · · Score: 1

      they might even crapflood slashdot and make you get the pink page when you visit, then you would have to commit suicide!

  9. I thought... by confused+philosopher · · Score: 5, Funny

    I thought we were supposed to make WiFi affordable by using empty Pringles cans and Floppy disks as the antennas rather than shelling out big bucks for custom made ones?

    --
    Why slashdot? Why not?
  10. Solution by Anonymous Coward · · Score: 5, Informative

    in a "normally" deployed wireless network it is very easy to spoof an IP or MAC address and hop on the network and get free bandwidth.

    At my school anyone with a wifi card can get onto the network, but it just takes you to a web page where you have to put in a userid and password to access anything else on the network and the internet. They never ask for any information about your computer such as MAC address.

    1. Re:Solution by rkohutek · · Score: 2, Interesting

      We thought about doing the walled-garden approach, but decided that it would piss off our customers too much to have to go through a portal page (login) that couldn't be automated (like ppp can be).

      randal

    2. Re:Solution by Anonymous Coward · · Score: 0

      You don't suppose the server might know your MAC address already do you? It wouldn't have to ask...

    3. Re:Solution by WoofLu · · Score: 2, Insightful

      I had been looking to solutions like that one for a while, while I was reading the specs, it really seemed like the picture I had in my head (:

      anyway, the portal approach, when on an unknown network abroad can be a good thing, but on a daily basis, I'd just get crazy! So, merging the two ideas would just be great: PPPoE login for long-time customers, and ability to use the captive portal to register only for a couple of hours...

      Thanks for your contribution.. I hope to be using something alike sometime soon here in Luxembourg (that spot between France, Germany and Belgium (: ).

    4. Re:Solution by rkohutek · · Score: 1

      But then you put in a NIC, or put in a router ... it takes a reconfig by somebody, which is no fun. Also, if the auth server is farther away than on-LAN, you lose the ability to report MACs (generally).

      Our solution abstracts away from the hardware, so replacing a NIC or putting in a router requires no customer contact ($$), and utilizes industry standard protocols to tie everything together instead of a website-based, almost "Coffee Shop" style authentication.

      randal

    5. Re:Solution by isorox · · Score: 3, Informative

      Hmm, what about coverage though? Regulations in the EU are a lot stricter (max 100mW EIRP for example, the 'A' zone - america etc, can do 4W EIRP, so you can legally stick a 13dB antenna on a 100mW access point. In the EU, you can't. There's also issues with deliberately broadcasting outside. I want to push wireless 6 miles from town to my (future) home, but as

      1) That's in Greece. I speak 27 words of Greek, and I don't want to try and explain the technicalities of it if the Greek radio agency come round
      2) I'm only 40 degrees off some massive radar military dishes. I don't want to explain the technicalities of it if the Greek radio agency come round in a tank with machine guns

      (Maximum legal power / gain)

      Any links that are more specific on the legalities across Europe (which I would assume are the same) would be appreciated.

    6. Re:Solution by Anonymous Coward · · Score: 0

      how does that work incidentally?

    7. Re:Solution by rkohutek · · Score: 2, Informative

      We partner with a local HotSpot provider called Unwired Access (http://www.unwiredaccess.net) that does this, and this is how it works:

      The *nix machine by default denies all traffic and null routes everything, except for clients going to the login page. JoeSixPack fires up his machine, leases an IP from the *nix machine. He fires up his browser, and the *nix machine automatically forwards all HTTP requests to the local login-portal. JoeSixPack signs in, the *nix machine authenticates, then pokes holes in the firewall for that client and starts up timers and whatnot. As soon as JoeSixPack signs off, the *nix machine closes the firewall holes.

      You could use SSL forms and authentication and such, but tying all that into RADIUS auth/accounting would require some custom programming, but this setup also has a lot of room for abuse as there is no per-packet encryption, no tunneling, nada.

      randal

    8. Re:Solution by bobthemuse · · Score: 1

      And after a computer is authenticated, how do you think the router at the other end of the wireless network knows to let her traffic through? When she enters a proper user/pass, either her IP or MAC are recorded and that traffic allowed to go through. Spoof them, and you're on with her username. Not secure.

    9. Re:Solution by WoofLu · · Score: 1

      Yes, the regulations in Europe are different than in the US and other countries. The limit is lower than overseas.

      I am talking about the regulation I know. In Luxembourg, the regulating agency, ILR, conducted a survey last year and has published the very promising results a while ago. What they say is that 802.11b wireless networks could broadcast on the public domain with a per-accesspoint authorisation and not a traditional per-client license, which is great for this kind of networks.

    10. Re:Solution by adolf · · Score: 1

      It is apparent the mods are still deep in the depths of an intense crack binge.

      So you enter your username and password, and are authenticated as a valid user; then what?

      Some little shred of magical software says to the magical routing gear, "Hey, that guy who just popped up, you know, 00:A0:CC:21:9D:CD, aka 10.5.27.98? Let's let him use the network for a bit, OK?"

      And lo, you have access.

      And awhile after you've been silent (ie, you go home for the day), the magical widgets forget about you. Next day, you start over again.

      Now suppose that awhile = 5 minutes. That's a 5 minute window, after you close your laptop and head for the car, for me to instruct my NIC to assume 00:A0:CC:21:9D:CD as its MAC address, and my IP stack to become 10.5.27.98.

      After that, I can silently and discreetly assume your identity, until you return.

      Questions and answers:

      How do I know your MAC address? You broadcast it over the fucking radio with every packet you send.

      How do I know you're headed out for the day? You broadcast that over the fucking radio too, when you -thought- you were having a quick, private chat with your girlfriend about dinner.

      Thank you for flying 802.11. We hope you've enjoyed the security of the public airwaves.

    11. Re:Solution by evilviper · · Score: 1
      but it just takes you to a web page where you have to put in a userid and password to access anything else

      That was how most of the free ISPs worked towards the end of their service... Of course, all I had to do was manually select to use a normal DNS server and it worked just fine.

      My point is, how secure is their system really? If they're just doing a DNS trick, Gnutella and other P2P apps would still work just fine. In fact, anything that uses IP addresses (rather than DNS names) will still work.

      So, just because it looks like they've taken some steps, doesn't mean they've really made the network any more secure.

      They never ask for any information about your computer such as MAC address.

      They don't need to ask you, I'm sure they automatically detect it.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    12. Re:Solution by Laurion · · Score: 1

      At the college I'm at we do something similar. Wireless or Wired we assume the network is insecure, and when you first connect up all you can get is a page where you have to enter your username and password. Behind the scenes it's already got your MAC address information from the routers, and when you enter a valid username and password it puts all that into a database of authorized computers, and will then give you a valid IP address instead of a 10.*.*.* address.

      --
      "Is this not a rare fellow, my lord? He's as good at any thing, and yet a fool." -from "As You Like It", Act 5,
    13. Re:Solution by praedor · · Score: 1

      Won't work at Purdue for their wlan network. It uses VPN and to get on you require a uid and pword. Nothing useful is passed in the clear at all. Sniffing the network gets you squat but encrypted (VLAN) packets.

      --
      In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
    14. Re:Solution by evilviper · · Score: 1

      First of all, VPN != VLAN ...

      Second, the parent said nothing about a VPN.

      Also said, was that the user-id and password are input through a web page... That's a quite unusual setup for a VPN to say the least!

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  11. "Free" by JeremyR · · Score: 1, Flamebait

    You find the difference between "free speech" and "free beer" ironic?

    1. Re:"Free" by rkz · · Score: 2, Funny

      SCO won't sue you for drinking free beer!

    2. Re:"Free" by Elwood+P+Dowd · · Score: 1

      If that's not flamebait, then my name isn't Elwood P Dowd.

      And it isn't.

      --

      There are no trails. There are no trees out here.
  12. AirSnort the PPPoE authentication? by Anonymous Coward · · Score: 1, Interesting

    Am I missing something, or couldn't someone just sniff a valid PPPoE username/password to gain access to the system? Are the login credentials sent in clear text or are they encrypted?

    1. Re:AirSnort the PPPoE authentication? by rkohutek · · Score: 3, Informative

      We utilize CHAP primarily with PAP as a backup. CHAP offers end-to-end encryption of the authorization session, while PAP does not.

      Cheers,
      randal

    2. Re:AirSnort the PPPoE authentication? by miu · · Score: 2, Informative
      Slightly OT, but CHAP is not encrypted, the password is never sent, just challenge/response. (If I give you this challenge what will you give me back, does it match what I computed the response should be for the password I have for you on record with the challenge I gave you.)

      Also, the entire auth session is seldom encrypted, LCP takes place in the clear, as does RADIUS

      --

      [Set Cain on fire and steal his lute.]
    3. Re:AirSnort the PPPoE authentication? by Anonymous Coward · · Score: 0

      Your solution doesn't prevent someone from using an authenticated connection.

      In a wireless environment, no packet can be trusted unless it has been cryptographically authenticated, either by a hash or by being encrypted.

      If you do want to use PPP, you have to use some sort of Encryption Control Protocol. I'm not sure what's out there. There's at least a 3DES ECP RFC.

      I suspect that you won't find anything satisfactory on the default XP driver, though I may be selling M$ short.

      To avoid authenticating each packet that goes across the air is to accept successful abuse of your service. Operators generally take this route.

    4. Re:AirSnort the PPPoE authentication? by puneetb · · Score: 1

      Actually Radius does not send the password in the clear (even when doing PAP and not CHAP). The password is sort of encrypted (simple XOR) using the shared secret and some random bytes (authenticator). Like CHAP, you can still perhaps carry out an offline dictionary attack, but it's not as simple as reading the password in clear from an ethereal capture.
      -Puneet

    5. Re:AirSnort the PPPoE authentication? by puneetb · · Score: 1

      CHAP is prone to offline dictionary attacks, and hence not really recommended for Wireless-type environments (which are much easier to sniff).
      Also CHAP *requires* the Radius server to have access to all user passwords in cleartext. If that server is ever compromised, *ALL* your passwords are compromised. You can't use /etc/passwd types of passwords (crypt, MD5, SHA1, other one-way hashes) with CHAP. MS-CHAP-V2 sort of addresses some of these issues.
      -Puneet

    6. Re:AirSnort the PPPoE authentication? by miu · · Score: 1
      Yeah, both User-Password and Tunnel-Password will be XORed with a block built from packet contents and the secret (using the result of XORing the previous 16 bytes to XOR the next until the rounds on length are exhausted). My point was that RADIUS itself is not encrypted (and the PAP password is available in the clear over LCP).

      The scariest part about using RADIUS in a scenario like this is that the request/response "Authenticator" pairs only validate the two password types (pap and tunnel setup and may be used to carry the chap challenge) and that the response is valid for the request (acct or auth). No validation of requests (and request source) is possible with the standard, your RADIUS vendor and NAS vendor may support a couple different ways of attempting to validate requests, but probably not.

      The upside to using RADIUS here is that it is standard and probably good enough, most people with real security concerns use RADIUS to setup an initial tunnel connection and do secondary authentication over that.

      --

      [Set Cain on fire and steal his lute.]
    7. Re:AirSnort the PPPoE authentication? by miu · · Score: 1
      Your solution doesn't prevent someone from using an authenticated connection.

      Agreed.

      If you do want to use PPP, you have to use some sort of Encryption Control Protocol. I'm not sure what's out there. There's at least a 3DES ECP RFC.

      I remember some drafts on using EAP to negotiate a TLS key (might be published as an RFC by now) since EAP is supported in ECP you are at the mercy of the PPP implementor of your NAS and client as to how much magic you can do during connection establishment.

      I suspect that you won't find anything satisfactory on the default XP driver, though I may be selling M$ short.

      You are selling MS short on this one, XP has fairly good EAP and ECP support and is a decent PPP implementation overall. The problem is supporting w2k, 95, 98, etc. Some of those have problems doing LCP correctly.

      To avoid authenticating each packet that goes across the air is to accept successful abuse of your service. Operators generally take this route.

      You must use TLS or ipsec, or authenticated connections can be hi-jacked. Even with session encryption your infrastructure may be vulnerable to attack.

      --

      [Set Cain on fire and steal his lute.]
    8. Re:AirSnort the PPPoE authentication? by miu · · Score: 1
      CHAP is prone to offline dictionary attacks.

      Pretty much. If you see the following exchange:

      NAS -> user: challenge = 123456
      user -> NAS: response = 584602
      you could start generating hashes for '123456' against a dictionary of 100 common passwords and look for one that hashes to '584602'.

      CHAP-Challenges are 16 bytes so precomputed dictionary attacks are unlikely due to storage requirements. What is more likely is an attacker would generate just the hashes for the challenge he just saw with the 100 bad passwords and throw the entire thing away if he does not get a hit, if one of them matches the response then the attacker wins and gets to steal service from you. Requiring good passwords of at least 17 characters (ha!) is about the only way to prevent this.

      PAP in a wireless environment is even worse. Sure the password is obscured in RADIUS, but it is sent in the clear from the user to the NAS during LCP.

      --

      [Set Cain on fire and steal his lute.]
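The CHAP exchange discussed in this sub-thread, from the authenticator's side, following RFC 1994 (response = MD5 over the identifier octet, the secret and the challenge). This is an added example, not code from the whitepaper or from any commenter; the peer name "joe" and the secret are constructed, and `ChapAuthenticator` is a hypothetical helper class.

```python
"""CHAP (RFC 1994) challenge/response as seen by the authenticator (NAS)."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: the secret itself never crosses the link, only this hash."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Hypothetical NAS-side helper: issues challenges and checks responses."""

    def __init__(self, secrets: dict):
        # The authenticator needs each secret in recoverable (cleartext) form
        # to recompute the hash; a crypt/MD5/SHA1 one-way hash of the password
        # cannot be used here.
        self._secrets = dict(secrets)
        self._pending = {}  # peer name -> (identifier, challenge)

    def new_challenge(self, peer: str):
        identifier = os.urandom(1)[0]
        challenge = os.urandom(16)  # fresh and unpredictable for every attempt
        self._pending[peer] = (identifier, challenge)
        return identifier, challenge

    def verify(self, peer: str, identifier: int, response: bytes) -> bool:
        # A challenge is single-use: pop it so a captured response cannot be
        # presented a second time.
        pending = self._pending.pop(peer, None)
        secret = self._secrets.get(peer)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    secret = b"constructed-chap-secret"  # constructed sample value
    nas = ChapAuthenticator({"joe": secret})

    ident, challenge = nas.new_challenge("joe")
    response = chap_response(ident, secret, challenge)
    first = nas.verify("joe", ident, response)

    # Challenge and response both travel in the clear, so the response protects
    # the secret only as far as the secret resists guessing. A recorded response
    # is useless against a later challenge.
    ident2, _ = nas.new_challenge("joe")
    replay = nas.verify("joe", ident2, response)
    return {"first_login": first, "replayed_response": replay}


if __name__ == "__main__":
    print(demo())
```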
  13. How about... by PS-SCUD · · Score: 0, Redundant

    Making the antenna out of an old floppy drive and paper clips? [Slashdot story]

    --


    "Much work is lost, for the lack of a little more." -Edward H. Harriman
    1. Re:How about... by The+Zody · · Score: 1

      I still go for the pringles can approach.

  14. Who wants to start a sourceforge page? by nounderscores · · Score: 1

    And then become a huge contributor?

    _________________________________
    The Spiders are coming

  15. Just a question: by lfourrier · · Score: 2, Flamebait

    (In fact two)

    1) What is the cost of providing the communication service, and
    2) what is the cost of:
    metering, securing, financing, billing, authenticating, supporting, marketing, *ing of the communication service?

    Once everybody understands that, community owned telcos can become a reality. (One can always dream).

    1. Re:Just a question: by rkohutek · · Score: 5, Informative

      On our side, the actual tower itself is pretty cheap. We started out with a single T1, (we're waiting on our third one to go in next week), $350 install for that, $250 for a used cisco 2501 + dsu/csu, we already had the AP and antenna laying around. And our tower is $200/mo ... so, the physical setup was, in total, maybe $900? CPE is running us right around $150-200, depending on which model is required.

      The OSS backend, though, is what I usually spend my day maintaining. Mail servers, billing, customer management, all that stuff ... man. I spend probably 20 hours a week upgrading / tweaking / maintaining. I'm sure that to startup, you could do it all for free with OS stuff, but it would take a lot of work. A *LOT* of work. Especially making everything tie together -- that's the really hard part. So to answer your question ... that's the really, really expensive part.

      randal

    2. Re:Just a question: by Demerara · · Score: 1

      I think the question he just wanted to ask was:

      Is metering, securing, financing, billing, authenticating, supporting, marketing, *ing of the communication service more expensive than the cost of the bandwidth stolen by those who can MAC/IP spoof?

      If not, can I ask it anyway!!

      --
      Backward compatibility is over-rated
    3. Re:Just a question: by rkohutek · · Score: 1

      Yes, unbelievably more expensive. If somebody wants to spoof a user (which they have to do to get online), then they can get up to 256kbps. If we oversell our t1 6 to 1, that makes for 36 slots. You take one with your hack. Worst case, you actually take up 1/6th of the bandwidth, costing us right around $60. Then you utilize about $6 of upstream bandwidth. So *worst* case, Mr. Hacker costs us $66 if he goes at it for a *whole month*.

      That's less than 1 day's pay for a tech support guy. Backend operating service and support costs *way* more than the resources that user actually consumes.

      We're not too concerned if somebody hops on for free occasionally - if it happens too often and people find out about it, the bad rap costs *a lot* more than any stolen service.

      randal

    4. Re:Just a question: by praedor · · Score: 1

      Something critical appears to be missing from the costs side...the T1 lines. You mention that you have them with a 3rd on the way, ignoring that these cost a good deal more per month than any of the other costs you outlined. This gives the naive a false impression as to the real costs of providing an internet connection (and why free as in beer just isn't reasonable...SOMEONE is paying to get the connection into the backbone).


      Thus, you need to not only recoup the monthly (minor) costs of your tower rent, man hours for support, etc, but also your T1 costs. What is the minimal number of customers you need to break even, let alone make a profit? And at what price point? You'd need a lot of people if you only charge $10/month, half as many at $20/month, etc, etc. What are the reasonable targets given your real costs and desired goals?

      --
      In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
  16. Built to be vulnerable... by no_mayl · · Score: 2, Informative

    This Article on Radius has a section on vulnerabilities.
    And it does seem pretty weak against snooping during the authentication phase.
    Somebody mentioned tunneling via SSL. Right on dude.
    --
    jpa

  17. better for who? by SweetAndSourJesus · · Score: 2, Insightful

    It may not be better for you, but it's certainly better for your ISP if you connect using PPPoE. IP space is getting pretty limited, and if they can service 10 customers with 4 IP addresses, all the better for them.

    You don't honestly think they took your convenience into consideration when making the decision to use PPPoE, do you?

    --
    the strongest word is still the word "free"
  18. Not acceptable to who? by twitter · · Score: 1
    This is not acceptable and the acronym WARTA, Wireless Authentication, Routing, Traffic control, Accounting was thought up to cover the things that we needed to do.

    Fine for you. The rest of us are setting up mesh nodes so we don't need to pay a monthly fee to anyone. Good luck, but don't cry when people get around you with their own equipment.

    --

    Friends don't help friends install M$ junk.

    1. Re:Not acceptable to who? by Anonymous Coward · · Score: 0

      Crooks always think they can get away with it which, and you need no other proof, is a sure sign of their stupidity.

  19. Simpler way to make it cheaper... by MosesJones · · Score: 1


    1) Live in a big city in an apartment block with people who drive BMWs, Mercs etc

    2) Buy a WiFi card

    3) Use the internet connection of other people in the building...

    I know of one person who made issues configuring their WiFi card... then realised it was because they were browsing someone else's network.

    Is it wrong to take advantage of Stupid people ? George Bush does it, Bill Gates does it... why shouldn't we ?

    --
    An Eye for an Eye will make the whole world blind - Gandhi
    1. Re:Simpler way to make it cheaper... by Anonymous Coward · · Score: 0

      George Bush takes advantage of himself?

    2. Re:Simpler way to make it cheaper... by RAMMS+EIN · · Score: 2, Insightful

      ``Is it wrong to take advantage of Stupid people ? George Bush does it, Bill Gates does it... why shouldn't we ?''
      You've just said it.

      --
      Please correct me if I got my facts wrong.
    3. Re:Simpler way to make it cheaper... by grumpygrodyguy · · Score: 1

      George Bush takes advantage of himself?

      Actually, old money employs people like Karl Rove to manipulate the naivety of George Bush, and thus, take advantage of the rest of us.

      --
      The government has a defect: it's potentially democratic. Corporations have no defect: they're pure tyrannies. -Chomsky
  20. Use RADIUS by bdc0 · · Score: 1

    Another way would be radius for authentication, which appears to be the article's focus. That's very popular for authentication, including growing interest from the wireless operator space. See Free Radius for one such implementation.

  21. ipfw question? by argoff · · Score: 1

    1. When I first got the traffic control tunnels working, I noticed that my throughput was 1/2 of what it was supposed to be. A very hostile guy named "AxLaptop" in #freebsd on EFNet was not only a huge jerk, but also just pissed enough to throw me the bone that you need to have "out" and "in" on your ipfw pipes. If you do not put those words in, you will get half bandwidth as it is going through each ipfw pipe twice -- one packet takes up twice the bandwidth = half bandwidth.

    I don't get it. Doesn't the firewall process the traffic after it's been picked up off the network? Even if it did process it twice, it shouldn't make traffic twice as slow because the thruput on the motherboard bus on the computer is probably 100 times faster than on the network card anyhow.

    1. Re:ipfw question? by AxLaptop · · Score: 0, Troll

      Read the man page on 'ipfw' and it EXPLAINS that you need the in/out options, and why. Don't be idiots and ignore documentation.

    2. Re:ipfw question? by rkohutek · · Score: 0

      Hahaha, I knew you'd come chime in ;-)

      randal

    3. Re:ipfw question? by AxLaptop · · Score: 0, Troll

      Next time read the docs yourself and you won't be treated like a moron.

    4. Re:ipfw question? by rkohutek · · Score: 1

      I think the issue is not with "reading" the documentation -- I did this for hours to no avail. I think the real issue is *understanding* what the documentation is saying -- it's with making the leap that:

      "note that we use the out modifier so that the rule is not used twice. Remember in fact that ipfw rules are checked both on incoming and outgoing packets."

      means that *not* doing so results in half-bandwidth. I think that's a huge conclusion to leap to without understanding the internals of how ipfw works, and there is very little documentation of this effect.

      randal
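
The half-bandwidth effect discussed in this thread, modelled as an added example (not code from the whitepaper or from ipfw itself). The rule lines in the comments are illustrative ipfw syntax, and the 256 kbit/s rate, packet size and function names are assumptions chosen for the model.

```python
import heapq

# Illustrative rules (the whitepaper's actual rule set is not shown here):
#   ipfw pipe 1 config bw 256Kbit/s
#   ipfw add pipe 1 ip from any to any        # no modifier -> "any" below
#   ipfw add pipe 1 ip from any to any out    # with modifier -> "out" below
PACKET_BITS = 1500 * 8  # constructed sample: full-size packets


class Pipe:
    """Fixed-rate pipe: packets leave one after another at bw_bps."""

    def __init__(self, bw_bps):
        self.bw_bps = bw_bps
        self.free_at = 0.0      # when the current backlog has drained
        self.bits_charged = 0   # everything that was queued into the pipe

    def send(self, now, bits):
        start = max(now, self.free_at)
        self.free_at = start + bits / self.bw_bps
        self.bits_charged += bits
        return self.free_at


def forward(direction, bw_bps=256_000, packets=100):
    """Push a backlog of packets through a router with one pipe rule.

    direction is "in", "out", or "any" (rule written without a modifier).
    Returns (throughput seen by the receiver in bit/s, bits charged to the pipe).
    """
    if direction not in ("in", "out", "any"):
        raise ValueError("direction must be 'in', 'out' or 'any'")
    if packets < 1:
        raise ValueError("need at least one packet")
    pipe = Pipe(bw_bps)
    # Event = (time, sequence number, hook). Every packet is waiting at t=0.
    events = [(0.0, seq, "in") for seq in range(packets)]
    heapq.heapify(events)
    seq = packets
    last_delivery = 0.0
    while events:
        now, _, hook = heapq.heappop(events)
        # A forwarded packet meets the rule set on input and again on output.
        if direction in ("any", hook):
            now = pipe.send(now, PACKET_BITS)
        if hook == "in":
            heapq.heappush(events, (now, seq, "out"))
            seq += 1
        else:
            last_delivery = max(last_delivery, now)
    return packets * PACKET_BITS / last_delivery, pipe.bits_charged


if __name__ == "__main__":
    for d in ("any", "out"):
        rate, charged = forward(d)
        print(f"{d:>3}: {rate / 1000:.0f} kbit/s delivered, {charged} bits queued")
```

The bus speed raised in the question never enters into it: the limit is the pipe's configured rate, and a rule without a modifier spends that rate twice on every forwarded packet.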

  22. pptp by akb · · Score: 1

    Why not replace pppoe w/ pptp? That would give basically the same infrastructure but with encryption of your customers' data.

    The only downside would be lack of a free client for os9.

    1. Re:pptp by rkohutek · · Score: 1

      The main reason for this is that very few (cheap) SOHO routers support PPTP. All of them support PPPoE. We use what works and what is cheap.

      randal

    2. Re:pptp by Anonymous Coward · · Score: 0

      Then you are asking to be abused. The tunnel has to authenticate each packet that goes over the air. Keeping track of someone else's PPP state-machine is not much harder than changing one's MAC.

      Are you also rolling out WPA?

    3. Re:pptp by hakalugi · · Score: 1

      yup. don't count on the FVS318 from netgear to save you. me and lotsa losers at broadbandreports.com's hardware forums have had very little luck w/ this model and creating tunnels to anything but its twin(s) on the far end of a connection.

      --
      If she floats, she's a witch.
    4. Re:pptp by rkohutek · · Score: 1

      Yes, theoretically, if you could attach to the correct tunnel interface on the BSD box and spoof the PPPoE section of the ethernet packet, after doing the WEP breaking and MAC spoofing, then, yes, you could get free service. But you know, if somebody is going through that to get some free internet, then by all means go right ahead. You're only going to get 256kbps or so -- not a big deal to me as a network admin.

      As soon as the standards are set 100% and we get firmware & driver updates for everything (I believe a winxp patch is out already?), yes, we will definitely deploy the Wireless Authentication Protocol.

    5. Re:pptp by Anonymous Coward · · Score: 0

      The tunnel interfaces correspond to PPP sessions. If I'm hijacking someone's PPPoE connection, I am automagically on the correct tunnel. You probably should have mentioned that WEP was turned on. You could legitimately make the statement that if someone's going to go to the trouble of breaking WEP, then they can have your service. Tracking a PPP state-machine is nothing beside breaking WEP.

      Since all you're worried about is accounting, you could totally authenticate by having DHCP talk to a RADIUS server. I've written it. It doesn't take much time. Your scripts add in firewall rules to allow the IP you've just given out and they poll the firewall either periodically or on lease expiry or renewal to collect use statistics. I don't think it's any more scripting and it has less overhead.

    6. Re:pptp by Anonymous Coward · · Score: 0

      Do you happen to know where I can find a PPTP client for Solaris?

  23. I tried to do something useful by Anonymous Coward · · Score: 1, Funny

    I tried to post the short article, but the lameness filter barfed with too many junk characters. It can't tell the difference between config files and junk!

    Proud to be a /. article poster, murdering the bandwidth of students since 1998!

    But the filter let me post this!

  24. pptp by akb · · Score: 2, Interesting

    If they replace pppoe w/ pptp they have encryption of data with basically the same infrastructure. The client has shipped w/ every Windows version since '95 and there are free clients for every OS I can think of 'cept os9.

  25. HTML by Anonymous Coward · · Score: 0

    That wasn't really HTML. It wasn't labelled as having been produced by anything in particular but since "ariel" was the specified font and since every line had a <br> to delimit it we should probably deduce it was something tied to the Evil Empire.

    1. Re:HTML by rkohutek · · Score: 1

      Actually, that is not true. What *did* happen is that it was written in vi, and that is not web friendly. I tried 'ing everything, and that did not work. So I did a find replace on \r\n and changed it to <br>\r\n, resulting in <br> at the beginning of every line.

      And I used "arial", which is a standard web font.

      And yes, I used Photoshop 5 on windows to make the pics.

      randal

    2. Re:HTML by rkohutek · · Score: 1

      meh, that is ...
      \r\n changed to < br>\r\n

  26. McDonalds and Starbucks by Glonoinha · · Score: 3, Interesting

    Umm Starbucks seems to be able to lock down its Wifi, and McDonalds seems to be able to lock down their wireless connection (get a free two hour connection with a Happy Meal, or something like that) ...

    Here is a thought, stop at Starbucks, buy a hideously overpriced ice-coffee or something, let the caffeine stimulate your brain, and buy an hour or day or however they sell it worth of their 'net access. Whatever they do to keep you from freeloading ... that's what you do to keep folks from freeloading on your network.

    Simple. Don't reinvent the wheel, leverage the gazillion dollars Starbucks and McDonalds paid consultants, particularly if they use the same method ... if they both do the same thing it means that two different sets of consultants at $225 an hour were able to convince two massive corporations to go with it.

    --
    Glonoinha the MebiByte Slayer
    1. Re:McDonalds and Starbucks by swv3752 · · Score: 3, Informative

      They used a simpler solution: PPPoE.

      --
      Just a Tuna in the Sea of Life
    2. Re:McDonalds and Starbucks by FuegoFuerte · · Score: 1

      Problem: Starchunks (actually the wireless is run by T-Mobile) isn't really that locked down at all. Assuming there's one other person there with a paid account using it, it's quite trivial to freeload. I leave how as an exercise to the reader (not to be carried out, of course...). Also, T-Mobile last I heard does not filter certain types of packets, making other ways of freeloading possible. Again, this is all left as a mind-exercise to the reader though.

      Haven't heard much about McD's wireless, as I and most people I know refuse to eat that slop.

  27. Re: Pulling the standard by Junkster+Julian · · Score: 1
    The fact is, V.92 is one of the biggest advertising frauds ever pulled off. I can't believe how many different modems we purchased over 2 years trying to get that working. Where is the class action lawsuit ? It definitely turned me off to the products of all the big modem manufacturers, I just don't trust those companies anymore, I probably never should have.

    My guess is that v.92 was released as a true standard but was very possibly half-baked.. or worse ignored as a standard in favour of hopeful vapourware "would-be" world-class standards like 3G, WiFi, and arguably bluetooth.

    By "world-class standard" I mean a standard which can be relied upon without the need for gateway products and/or services: if I want to call anyone in the world from my POTS, I can. Conversely, if I want to use a 3G phone anywhere outside of say North America, Japan, Europe, etc., chances are I will not be able to due to compatibility limitations we are perpetually frustrated by. POTS is far...far more reliable, and the very mention of v.92 (and its attempted implementation) is evidence to that fact.

    All this to say that analog telecomm needs a standard on-ramp that dial-up users and ISPs can depend on that compares to the general stability enjoyed by voice telecommunications users. MODEMs are that standard, and v.92 is the logical progression therein.

    So are we destined to dialing ATDT*70W? ..or hoping some upcoming wireless "standard" doesn't go toe-to-toe with some other industry like, say, radio? ...Is that "it" for POTS in general? Are all our COs to be replaced with wireless stations with uplinks to geostationary satellites or something? WTF? Erm.. someone? Where's the something-for-everyone philosophy here? I mean I can live with the upgrade-or-die philosophy, but is that really necessary? Why not just standardise v.92 (the same way we did it with v.90) and get on with our lives?

  28. Good Case for a Public Network? by serutan · · Score: 1

    Another great illustration of the tremendous effort people are willing to invest to make sure the right number of beans are in the right piles.

    I am really looking forward to when the Internet becomes a public utility and Internet access is more like freeway access (not toll roads, not GPS-scanned roads, just freeways). A global communication system, like a highway system, benefits you all the time, not just while you are personally using it.

  29. Why not IPSEC? by po8 · · Score: 2, Interesting

    The "obvious" answer would have been to use FreeS/WAN or similar to set up an IPSEC tunnel to your wired network and be done with it. Windows supports IPSEC as well, and it seems like it would solve most of your problems. Am I missing something?

    1. Re:Why not IPSEC? by yhetti · · Score: 2, Insightful

      According to everything I've read, interop. between IPSwan and...well, basically anything else is shoddy at best. Trying to get Windows 2000 or XP to work with FreeSwan is not something a normal technician could do on a service call. Windows 95/98/ME is basically out of the question. I may be wrong, but that's the impression I get.

  30. Wi-Fi by Unixinvid · · Score: 0, Troll

    How about making it totally free?

  31. putty plink? by Mr2cents · · Score: 1

    I am not convinced of the security of this method.. Maybe it could be possible to use ppp and plink.exe to set up a secure tunnel? It could work, if you can get a ppp negotiation happen over a ssh tunnel on windows..

    --
    "It's too bad that stupidity isn't painful." - Anton LaVey
  32. slick by zogger · · Score: 2, Interesting

    nice setup man, I bookmarked your html page. I like the cheap aspect of it. You also seemed to have gotten a deal on that T-1. Questions? what kind of range are you getting off that 90 foot tower, and is the tower itself on a hill much higher than your customers? Are the hills (and trees I guess) affecting coverage? Last, how many are you serving or do you think you can serve?

    Rural broadband needs to be done, and waiting for some mythical perfect solution is that..waiting.And waiting. And waiting. It is teh suxors. Satellite internet is teh big bucks suxors.

    It's a gimme none of the big guys are going to do it any time soon, so small mom and pops or co-ops will have to be it, and I've been accumulating various web references and whatnot to see what's working. Yours is a nice simple *(relatively) description and write up, good job! I hope this gives some geeks some ideas on self employment, plus helping small communities, rather than sending out dozens of resumes for months and months to these big corporations. Work is work, and the rural areas are much cheaper to live in usually most places, much less crime, and other sorts of goodness, and MOST of them have zero broadband for sale.

  33. Maybe this is a dumb question but... by santos_douglas · · Score: 0, Redundant

    If their goal is deploying wifi in a 'rural' area, is unpaid access really that big a problem? I mean it's not like there's a subdivision in between points. Are they worrying about the one or two farmers in between piggybacking?

    1. Re:Maybe this is a dumb question but... by rkohutek · · Score: 1

      It's really not that big of an issue, as bandwidth doesn't cost us much money. What we tried to eliminate was JoeSixPack turning on his laptop and instantly getting free service, and then us not knowing about it. Additionally, it keeps track of each user independently while leveraging all of our existing ISP resources.

      Our solution simply makes our service unusable unless you A) login or B) do a lot of work. No network is impenetrable, but we're wagering that 99% of people will go with A) getting a login instead of spending hours B) hacking our network.

      *That* is why we're not going hogwild with IPSec tunnels, or pptp, or anything of the sort - sure, we anticipate it, but instead of making it hard on us and our customers, we instead anticipated losing some service to miscreants.

      randal

    2. Re:Maybe this is a dumb question but... by santos_douglas · · Score: 1

      Yeah, I wasn't suggesting this was a waste of time or anything. It sounds incredibly useful to me, even more so in an urban environment. I have personally been kicking around the idea of starting a wireless network around the university here and maybe covering some of the more densely packed housing such as apartments and condos. The biggest tripping point is exactly what you address with this - unauthorized access.

  34. no signal by zogger · · Score: 2, Interesting

    Those mesh network things are a good idea too, I like them, the concept, however, you need people in reasonable proximity all the way to the fat pipes internet someplace. A lot of rural places you will wind up with areas that no one can reach the net with any sort of big bandwidth. You'll be stuck running your whole network through some dialup modem, or someone eats the T-1. Around here they are close to one grand per month,last I looked anyway. I don't know many folks who would want to spend 100$ to 200$ to 300$ a month to have broadband. Or be happy with just a big local wan of 12 houses max or something spread out over many square miles. In suburbia around some big metro area, all across an area like that, swell, oodles of access points and enough people in it so it's a miniature full internet all by itself. Ya got your multi thousands of points in a mesh in some extended metro area, or 12 or 4 or something potential points. Example, my neighborhood, less than 10 houses all around for any distance, and several big hills/baby mountains separating them. Maybe 1/3 of those people might be interested enough for broadband access, WAG on my part. So either way, still not happening, I just like seeing the solutions that ARE working someplace, because eventually someone is going to pull it off, or maybe uncle sugar will free up some spectrum or let more powerful transmitters be used OR SOMETHING. No one is in any hurry to run cable, fiber or anything else. MY idea was some sort of aimed point to point thingee relay that bolted to the existing telephone poles, then you only need them on the turns in the road. I haven't seen anything like that yet, some small doodad that bolts on and is wireless and real cheap and can be made easily self powered with a small solar panel perhaps. Fantasy device so far.

    Coverage might suck too, whatever you use with radio waves, some folks on hilltops, some in the valleys, and the valleys won't even get new cell phones working right now, if you are driving and need to make a call you learn fast to STOP and pull over at the top of a hill, so I'm not sure any of the mesh stuff would work all that great, or even this other technique. I know my FRS radios are dismal if there's a hill in the way between the parties using them, and those have more wattage I believe than the other devices are allowed. Heck, even non modded CBs suck. 2 meters work ok at high(er) wattages, that's about it. THAT'S the big problem, the low power that is allowed *by de law* and rough terrain. Unless every part of your mesh can afford a huge tower. If you can do that, go satellite, it's the same thousand dollars or more, and probably faster and you don't have to dork with it much. Let alone this lightning deal that exists.

    aaaakkk

  35. Free huh? by Julian+Morrison · · Score: 1

    All those so called public utilities aren't free. You don't pay tolls for driving on the freeway - why? because you've already paid, in gas tax and car tax.

    TANSTAAFL

  36. Why not use 802.1x? by Eponymous+Flowered · · Score: 1

    I could be missing something here, but isn't this situation what 802.1x is designed for?

    It plays nicely with RADIUS, allows for secure authentication and encryption based on certificates, and works at layer 2 rather than layer 3.

    PPPoE by contrast won't stop a determined hacker for longer than it takes to google "airsnort". There's no encryption in the setup described (as far as I can tell) and adding it would stop most PPPoE clients from working.

    If you've got Windows there are quite a few options for 802.1x clients, but open1x seems to work fine on linux with freeradius.