Slashdot Mirror


A Solution For Making WiFi Cost Effective

rkohutek writes "This whitepaper came out of my employer's desire to deploy high speed wireless internet to an underserved, mostly rural area. Although very easy to do on the ground level, I found it to not be a cake walk when it came to actually making it a viable network case -- in a "normally" deployed wireless network it is very easy to spoof an IP or MAC address and hop on the network and get free bandwidth. This is not acceptable and the acronym WARTA, Wireless Authentication, Routing, Traffic control, Accounting was thought up to cover the things that we needed to do. Read on for how we managed to make it work using Free Software: HTML or PDF." Update: 06/07 20:42 GMT by T : He sends along word of this mirror as well.

37 of 120 comments

  1. Mirror by rkohutek · · Score: 5, Informative

    As an article poster, I saw that it was gonna get hit pretty hard, so here's a mirror:

    http://129.19.75.194/~jakalowiw/warta/

    Cheers,
    Randal

  2. Hmm... by DrLudicrous · · Score: 5, Funny

    Free software being used to keep people from getting free bandwidth. How ironic.

    1. Re:Hmm... by SkArcher · · Score: 4, Insightful

      Free as in Speech, not Free as in beer.

      --

      An infinite number of monkeys will eventually come up with the complete works of /.
  3. How to make WiFi Cost Effective. by Malicious · · Score: 4, Funny

    How do I make WiFi Cost Effective?
    Simple, I use someone else's network.

    --
    01101001001000000110000101101101001000000110001001 10000101110100011011010110000101101110
    1. Re:How to make WiFi Cost Effective. by ward99 · · Score: 3, Informative

      It was shown in Wargames, but it didn't "Come" from it. People had been doing it (and calling it that) for at least several years before. This solution is interesting - I'm trying to get a WiFi network up locally to support a local AE beta. One of the concerns in starting a big WiFi project locally has been addressed by this article.

    2. Re:How to make WiFi Cost Effective. by FuegoFuerte · · Score: 2, Interesting

      This article is a great start, and gives me some ideas on how to solve certain problems. The thing to remember, however, is this is still not secure in any way. Authentication wise it may be (what type of auth is going over the air? Chap? Pap?) but data wise it certainly isn't. A somewhat better solution security-wise is PPTP (which someone already mentioned), though it has plenty of problems of its own. The ultimate solution (while maintaining easy Windows compatibility) is IPSec over L2TP. Only problem is, last I checked this is a bitch to set up a Linux server for, if it is possible at all. The IPSec is possible enough (FreeSWAN, etc) but getting it working over L2TP gets rough real quick. Course, last I checked into this was about 6 months ago, so things may have progressed since then.

  4. Assume the network is insecure by Megor1 · · Score: 5, Informative

    Just like with 802.11b you might as well assume the wireless part is insecure and use something like an SSL pipe to actually connect the user to the net.

    --
    Everyone that disagrees with me is a paid shill
  5. Free software? by garrulous · · Score: 5, Funny

    "Read on for how we managed to make it work using Free Software: HTML or PDF." I didn't realize that one could route wireless signals with nothing but HTML and PDF standards.

  6. Dear God! by PurpleFloyd · · Score: 4, Interesting

    Looks like someone finally found a use for PPPoE! I've wanted that damned protocol to die for quite a while, but I can see it being useful in this situation. DSL, on the other hand, is where it deserves to die a painful death, along with whatever suits decided that "emulating the dial-up experience" is better than an always-on connection.

    --

    That's it. I'm no longer part of Team Sanity.
    1. Re:Dear God! by jjeffries · · Score: 3, Interesting

      Indeed, I use PPPoE to authenticate the folks around my hood that I let use my connection. WEP slows things down too much and isn't much in the way of encryption anyway, and with SSH tunnels I was getting about 10k/sec through the wireless--my gateway router is a P100, perfect for routing but a little slow with the number crunching.

      You'll need to be careful with machines connecting from behind a PPPoE link and force an MTU lower than 1500--I use 1412 and that seems to work. If you can ping and do other things with small packets, but web pages don't load, or load a little bit and then stall, that's a sign of an MTU problem.

      PPPoE also makes shared-equipment DSL service a possibility, for better or worse (probably worse, coming from someone who works for an ISP that owns their own DSLAMs)...

    2. Re:Dear God! by Junkster Julian · · Score: 3, Interesting
      Looks like someone finally found a use for PPPoE! I've wanted that damned protocol to die for quite a while, but I can see it being useful in this situation. DSL, on the other hand, is where it deserves to die a painful death, along with whatever suits decided that "emulating the dial-up experience" is better than an always-on connection.
      This might be the only chance I get to remind everyone that v.92 is probably the most undersold networking standard any of us have seen in years.

      The v.92 standard (not to be confused with the simple v.90 standard), released by Conexant (formerly Rockwell International Corporation, the dudes who helped pioneer MODEMs together with folks like USRobotics, Hayes, etc.), can interpret call-waiting signals and issue "modem-on-hold" command(s) to the remote modem.

      This new feature is "pretty darn" useful as it re-establishes POTS as a viable networking channel as users will no longer feel like they are being forced to choose between: a) receiving telephone calls, b) being connected to the Internet, c) ordering, installing, rewiring, securing, and budgeting an additional POTS line, or d) subscribing to "overkill-type" high-speed services just to send someone an email.

      Due to the sheer demographic penetration of POTS versus other newer high-speed and wireless technologies, ISPs might want to consider upgrading their modem pools to support the new standard (and market support for the new standard as the no-more-busy-signals-ever-again (and-we-mean-it-this-time) godsend it, well, is!). 'Nuf said.

      Greets.

    3. Re:Dear God! by PurpleFloyd · · Score: 2, Insightful

      If you read my post all the way through, you would have noticed that I said that its use in DSL and cable modem connections is pointless (it provides little extra security, but wastes bandwidth and irritates end users). PPPoE is a good choice here because public wireless access can't authenticate based on physical links; there must be some way to ensure that a user's resources aren't being stolen. This is where PPP and RADIUS authentication come in handy, and this is what makes PPPoE a reasonable solution for wireless 802.11x.

      --

      That's it. I'm no longer part of Team Sanity.
  7. I wouldn't worry by rice_web · · Score: 4, Insightful

    Take a long time to look things over and ask: is the piracy worth the risk? If a few individuals use the service illegally, but you have a solid base of paying users, isn't that better than not entering the market at all and missing out on an opportunity or implementing a costly security feature that could mitigate any profit?

    --
    The Political Programmer
    1. Re:I wouldn't worry by rice_web · · Score: 3, Interesting

      Granted, I realize that the software was free, but what about maintenance and updates..... it is still a costly measure. I, for example, do not expect a virus-protection program to keep intruders out (I'd have to be naive), and this program certainly can't be foolproof.

      --
      The Political Programmer
    2. Re:I wouldn't worry by gmack · · Score: 2, Insightful

      The piracy is *not* worth the risk. The last thing you need is some wardriver grabbing every available ip and starting a spam run. Just picture it.. thousands of complaints and no way at all to deal with them. I'd imagine that would get blacklisted pretty quickly. Or they could use your network to break into things without getting busted.. not fun either when the buck stops with you.

      Overall though I think 802.11 is the wrong tool for this job.. why use it when something like Motorola Canopy has a larger range *and* is more secure?

      Dump 802.11 and the pppoe link and problem solved.

      At least I hope so. I'm submitting a proposal for a rural network on Monday.

  8. I thought... by confused philosopher · · Score: 5, Funny

    I thought we were supposed to make WiFi affordable by using empty Pringles cans and Floppy disks as the antennas rather than shelling out big bucks for custom made ones?

    --
    Why slashdot? Why not?
  9. Solution by Anonymous Coward · · Score: 5, Informative

    in a "normally" deployed wireless network it is very easy to spoof an IP or MAC address and hop on the network and get free bandwidth.

    At my school anyone with a wifi card can get onto the network, but it just takes you to a web page where you have to put in a userid and password to access anything else on the network and the internet. They never ask for any information about your computer such as MAC address.

    1. Re:Solution by rkohutek · · Score: 2, Interesting

      We thought about doing the walled-garden approach, but decided that it would piss off our customers too much to have to go through a portal page (login) that couldn't be automated (like ppp can be).

      randal

    2. Re:Solution by WoofLu · · Score: 2, Insightful

      I had been looking to solutions like that one for a while, while I was reading the specs, it really seemed like the picture I had in my head (:

      anyway, the portal approach, when on an unknown network abroad can be a good thing, but on a daily basis, I'd just get crazy! So, merging the two ideas would just be great: PPPoE login for long-time customers, and ability to use the captive portal to register only for a couple of hours...

      Thanks for your contribution.. I hope to be using something alike sometime soon here in Luxembourg (that spot between France, Germany and Belgium (: ).

    3. Re:Solution by isorox · · Score: 3, Informative

      Hmm, what about coverage though? Regulations in the EU are a lot stricter (max 100mW EIRP for example, the 'A' zone - America etc, can do 4W EIRP, so you can legally stick a 13dB antenna on a 100mW access point. In the EU, you can't. There's also issues with deliberately broadcasting outside. I want to push wireless 6 miles from town to my (future) home, but as

      1) That's in Greece. I speak 27 words of Greek, and I don't want to try and explain the technicalities of it if the Greek radio agency come round
      2) I'm only 40 degrees off some massive radar military dishes. I don't want to explain the technicalities of it if the Greek radio agency come round in a tank with machine guns

      (Maximum legal power / gain)

      Any links that are more specific on the legalities across Europe (which I would assume are the same) would be appreciated.

    4. Re:Solution by rkohutek · · Score: 2, Informative

      We partner with a local HotSpot provider called Unwired Access (http://www.unwiredaccess.net) that does this, and this is how it works:

      The *nix machine by default denies all traffic and null routes everything, except for clients going to the login page. JoeSixPack fires up his machine, leases an IP from the *nix machine. He fires up his browser, and the *nix machine automatically forwards all HTTP requests to the local login-portal. JoeSixPack signs in, the *nix machine authenticates, then pokes holes in the firewall for that client and starts up timers and whatnot. As soon as JoeSixPack signs off, the *nix machine closes the firewall holes.

      You could use SSL forms and authentication and such, but tying all that into RADIUS auth/accounting would require some custom programming, but this setup also has a lot of room for abuse as there is no per-packet encryption, no tunneling, nada.

      randal
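
Added example, not part of any comment in this thread and not Unwired Access's code: a small Python model of the gateway decisions described in the comment above (default deny, redirect HTTP to the login page, open the firewall per client after login, close it on sign-off or timeout). The class name, addresses, account and one-hour timer are constructed for illustration, and the account dictionary stands in for the RADIUS lookup.

```python
import hmac

HTTP_PORT = 80


class PortalGateway:
    """Deny by default, send web requests to the login page, and open the
    firewall per client only while that client has a live session."""

    def __init__(self, portal_ip, accounts, session_seconds):
        self.portal_ip = portal_ip
        self.accounts = accounts              # stand-in for the RADIUS lookup
        self.session_seconds = session_seconds
        self.sessions = {}                    # (ip, mac) -> expiry timestamp

    def _active(self, key, now):
        expiry = self.sessions.get(key)
        if expiry is not None and now >= expiry:
            del self.sessions[key]            # timer ran out: close the hole
            return False
        return expiry is not None

    def decide(self, src_ip, src_mac, dst_ip, dst_port, now):
        # The only client identity available here is the source address pair;
        # nothing cryptographic ties a packet to the person who logged in.
        if self._active((src_ip, src_mac), now):
            return "ALLOW"
        if dst_ip == self.portal_ip:
            return "ALLOW"                    # login page is always reachable
        if dst_port == HTTP_PORT:
            return "REDIRECT"                 # forwarded to the login portal
        return "DROP"                         # everything else is refused

    def login(self, src_ip, src_mac, user, password, now):
        stored = self.accounts.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(),
                                                     password.encode()):
            return False
        self.sessions[(src_ip, src_mac)] = now + self.session_seconds
        return True

    def logout(self, src_ip, src_mac):
        self.sessions.pop((src_ip, src_mac), None)


def demo():
    # All values below are constructed sample data.
    gw = PortalGateway("10.0.0.1", {"joesixpack": "constructed-password"}, 3600)
    client = ("10.0.0.50", "02:00:00:00:00:50")
    web, ssh = ("198.51.100.7", 80), ("198.51.100.7", 22)
    out = [gw.decide(*client, *web, now=0),        # before login, port 80
           gw.decide(*client, *ssh, now=0),        # before login, other port
           gw.login(*client, "joesixpack", "wrong", now=10),
           gw.login(*client, "joesixpack", "constructed-password", now=20),
           gw.decide(*client, *ssh, now=30),       # session live
           gw.decide(*client, *ssh, now=3620)]     # session timer expired
    gw.login(*client, "joesixpack", "constructed-password", now=4000)
    gw.logout(*client)                             # sign-off closes the hole
    out.append(gw.decide(*client, *web, now=4001))
    return out


if __name__ == "__main__":
    print(demo())
```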

  10. Just a question: by lfourrier · · Score: 2, Flamebait

    (In fact two)

    1) What is the cost of providing the communication service, and
    2) what is the cost of:
    metering, securing, financing, billing, authenticating, supporting, marketing, *ing of the communication service?

    Once everybody understands that, community owned telcos can become a reality. (One can always dream).

    1. Re:Just a question: by rkohutek · · Score: 5, Informative

      On our side, the actual tower itself is pretty cheap. We started out with a single T1, (we're waiting on our third one to go in next week), $350 install for that, $250 for a used cisco 2501 + dsu/csu, we already had the AP and antenna laying around. And our tower is $200/mo ... so, the physical setup was, in total, maybe $900? CPE is running us right around $150-200, depending on which model is required.

      The OSS backend, though, is what I usually spend my day maintaining. Mail servers, billing, customer management, all that stuff ... man. I spend probably 20 hours a week upgrading / tweaking / maintaining. I'm sure that to startup, you could do it all for free with OS stuff, but it would take a lot of work. A *LOT* of work. Especially making everything tie together -- that's the really hard part. So to answer your question ... that's the really, really expensive part.

      randal

  11. Built to be vulnerable... by no_mayl · · Score: 2, Informative

    This Article on Radius has a section on vulnerabilities.
    And it does seem pretty weak against snooping during the authentication phase.
    Somebody mentioned tunneling via SSL. Right on dude.
    --
    jpa

  12. better for who? by SweetAndSourJesus · · Score: 2, Insightful

    It may not be better for you, but it's certainly better for your ISP if you connect using PPPoE. IP space is getting pretty limited, and if they can service 10 customers with 4 IP addresses, all the better for them.

    You don't honestly think they took your convenience into consideration when making the decision to use PPPoE, do you?

    --
    the strongest word is still the word "free"
  13. Re:AirSnort the PPPoE authentication? by rkohutek · · Score: 3, Informative

    We utilize CHAP primarily with PAP as a backup. CHAP offers end-to-end encryption of the authorization session, while PAP does not.

    Cheers,
    randal

  14. Re:"Free" by rkz · · Score: 2, Funny

    SCO won't sue you for drinking free beer!

  15. Re:AirSnort the PPPoE authentication? by miu · · Score: 2, Informative
    Slightly OT, but CHAP is not encrypted, the password is never sent, just challenge/response. (If I give you this challenge what will you give me back, does it match what I computed the response should be for the password I have for you on record with the challenge I gave you.)

    Also, the entire auth session is seldom encrypted, LCP takes place in the clear, as does RADIUS

    --

    [Set Cain on fire and steal his lute.]
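
Added example, not part of any comment in this thread: the challenge/response exchange described in the comment above, written out in Python using the MD5 form of CHAP from RFC 1994 (response = MD5 of identifier octet, shared secret, challenge). The user name and secret are constructed sample values; the demo records what crosses the link and checks that the secret is not in it and that an old response fails against a fresh challenge.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: MD5(Identifier octet || secret || Challenge value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side of the exchange; it holds each peer's shared secret."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.pending = {}            # identifier -> challenge value, single use
        self.next_id = 0

    def challenge(self) -> dict:
        self.next_id = (self.next_id + 1) & 0xFF
        value = os.urandom(16)       # fresh and unpredictable for every attempt
        self.pending[self.next_id] = value
        return {"code": "Challenge", "id": self.next_id, "value": value}

    def verify(self, response: dict) -> str:
        value = self.pending.pop(response["id"], None)   # consume the challenge
        secret = self.secrets.get(response["name"])
        if value is None or secret is None:
            return "Failure"
        expected = chap_response(response["id"], secret, value)
        ok = hmac.compare_digest(expected, response["value"])
        return "Success" if ok else "Failure"


def peer_respond(name: str, secret: bytes, challenge: dict) -> dict:
    """Client side: prove knowledge of the secret without transmitting it."""
    return {"code": "Response", "id": challenge["id"], "name": name,
            "value": chap_response(challenge["id"], secret, challenge["value"])}


def demo():
    secret = b"constructed-sample-secret"          # constructed sample value
    server = Authenticator({"joe": secret})
    wire = []                                      # everything sent over the link

    c1 = server.challenge(); wire.append(c1)
    r1 = peer_respond("joe", secret, c1); wire.append(r1)
    first = server.verify(r1)

    c2 = server.challenge(); wire.append(c2)
    replay = server.verify(dict(r1, id=c2["id"]))  # old response, new challenge

    c3 = server.challenge(); wire.append(c3)
    wrong = server.verify(peer_respond("joe", b"not-the-secret", c3))

    secret_on_wire = any(secret in v for msg in wire
                         for v in msg.values() if isinstance(v, bytes))
    return first, replay, wrong, secret_on_wire


if __name__ == "__main__":
    print(demo())
```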
  16. pptp by akb · · Score: 2, Interesting

    If they replace pppoe w/ pptp they have encryption of data with basically the same infrastructure. The client has shipped w/ every Windows version since '95 and there are free clients for every OS I can think of 'cept os9.

  17. Re:Simpler way to make it cheaper... by RAMMS EIN · · Score: 2, Insightful

    ``Is it wrong to take advantage of Stupid people ? George Bush does it, Bill Gates does it... why shouldn't we ?''
    You've just said it.

    --
    Please correct me if I got my facts wrong.
  18. McDonalds and Starbucks by Glonoinha · · Score: 3, Interesting

    Umm Starbucks seems to be able to lock down its Wifi, and McDonalds seems to be able to lock down their wireless connection (get a free two hour connection with a Happy Meal, or something like that) ...

    Here is a thought, stop at Starbucks, buy a hideously overpriced ice-coffee or something, let the caffeine stimulate your brain, and buy an hour or day or however they sell it worth of their 'net access. Whatever they do to keep you from freeloading ... that's what you do to keep folks from freeloading on your network.

    Simple. Don't reinvent the wheel, leverage the gazillion dollars Starbucks and McDonalds paid consultants, particularly if they use the same method ... if they both do the same thing it means that two different sets of consultants at $225 an hour were able to convince two massive corporations to go with it.

    --
    Glonoinha the MebiByte Slayer
    1. Re:McDonalds and Starbucks by swv3752 · · Score: 3, Informative

      They used a simpler solution: PPPoE.

      --
      Just a Tuna in the Sea of Life
  19. Why not IPSEC? by po8 · · Score: 2, Interesting

    The "obvious" answer would have been to use FreeS/WAN or similar to set up an IPSEC tunnel to your wired network and be done with it. Windows supports IPSEC as well, and it seems like it would solve most of your problems. Am I missing something?

    1. Re:Why not IPSEC? by yhetti · · Score: 2, Insightful

      According to everything I've read, interop. between IPSwan and...well, basically anything else is shoddy at best. Trying to get Windows 2000 or XP to work with FreeSwan is not something a normal technician could do on a service call. Windows 95/98/ME is basically out of the question. I may be wrong, but that's the impression I get.

  20. slick by zogger · · Score: 2, Interesting

    nice setup man, I bookmarked your html page. I like the cheap aspect of it. You also seemed to have gotten a deal on that T-1. Questions? what kind of range are you getting off that 90 foot tower, and is the tower itself on a hill much higher than your customers? Are the hills (and trees I guess) affecting coverage? Last, how many are you serving or do you think you can serve?

    Rural broadband needs to be done, and waiting for some mythical perfect solution is that..waiting. And waiting. And waiting. It is teh suxors. Satellite internet is teh big bucks suxors.

    It's a gimme none of the big guys are going to do it any time soon, so small mom and pops or co-ops will have to be it, and I've been accumulating various web references and whatnot to see what's working. Yours is a nice simple *(relatively) description and write up, good job! I hope this gives some geeks some ideas on self employment, plus helping small communities, rather than sending out dozens of resumes for months and months to these big corporations. Work is work, and the rural areas are much cheaper to live in usually most places, much less crime, and other sorts of goodness, and MOST of them have zero broadband for sale.

  21. no signal by zogger · · Score: 2, Interesting

    Those mesh network things are a good idea too, I like them, the concept, however, you need people in reasonable proximity all the way to the fat pipes internet someplace. A lot of rural places you will wind up with areas that no one can reach the net with any sort of big bandwidth. You'll be stuck running your whole network through some dialup modem, or someone eats the T-1. Around here they are close to one grand per month, last I looked anyway. I don't know many folks who would want to spend 100$ to 200$ to 300$ a month to have broadband. Or be happy with just a big local wan of 12 houses max or something spread out over many square miles. In suburbia around some big metro area, all across an area like that, swell, oodles of access points and enough people in it so it's a miniature full internet all by itself. Ya got your multi thousands of points in a mesh in some extended metro area, or 12 or 4 or something potential points. Example, my neighborhood, less than 10 houses all around for any distance, and several big hills/baby mountains separating them. Maybe 1/3 of those people might be interested enough for broadband access, WAG on my part. So either way, still not happening, I just like seeing the solutions that ARE working someplace, because eventually someone is going to pull it off, or maybe uncle sugar will free up some spectrum or let more powerful transmitters be used OR SOMETHING. No one is in any hurry to run cable, fiber or anything else. MY idea was some sort of aimed point to point thingee relay that bolted to the existing telephone poles, then you only need them on the turns in the road. I haven't seen anything like that yet, some small doodad that bolts on and is wireless and real cheap and can be made easily self powered with a small solar panel perhaps. Fantasy device so far.

    Coverage might suck too, whatever you use with radio waves, some folks on hilltops, some in the valleys, and the valleys won't even get new cell phones working right now, if you are driving and need to make a call you learn fast to STOP and pull over at the top of a hill, so I'm not sure any of the mesh stuff would work all that great, or even this other technique. I know my FRS radios are dismal if there's a hill in the way between the parties using them, and those have more wattage I believe than the other devices are allowed. Heck, even non modded CBs suck. 2 meters work ok at high(er) wattages, that's about it. THAT'S the big problem, the low power that is allowed *by de law* and rough terrain. Unless every part of your mesh can afford a huge tower. If you can do that, go satellite, it's the same thousand dollars or more, and probably faster and you don't have to dork with it much. Let alone this lightning deal that exists.

    aaaakkk