WAVElan SECurity using IPsec

What is WAVEsec?

WAVEsec is a way to secure wireless networks such as 802.11 (often called "wavelan" after the original Lucent cards). 802.11 networks have become very commonplace - few technical conferences are now without wireless networks.

Why WAVEsec?

With the freedom to be untethered comes a risk - any person with a laptop within half a kilometre of you may be able to eavesdrop on your traffic. The 802.11 specification comes with something called "WEP", which stands for "Wired Equivalent Privacy". It is pretty weak encryption that aims to make you as secure as you would be with a wire.

The WEP goal is pretty low - it promises only to reduce the risk of eavesdropping to the level normally faced on the wired Internet. And WEP is almost always turned off - it significantly reduces the performance of many 802.11 cards and the benefits are pretty low. We know that we can do better using IPsec technology, such as that produced by the FreeSWAN project.

WAVEsec: Securing Wireless Traffic

With WAVEsec, you encrypt all traffic from laptops to a gateway that is connected by wires to the rest of the Internet. Here's how it looks:

[diagram of inline layout]

How does it work?

The novel thing about WAVEsec is how it arranges the trust required between the client notebook and the WAVEsec gateway: by exchanging public keys during DHCP address assignment. The client can therefore be completely configured just by plugging an 802.11 interface in.

[Animated diagram of WAVEsec]

The client provides its forward hostname and public key in a DHCP request. The DHCP server then inserts both into the DNS server for the reverse zone (the IP->hostname mapping) using Dynamic DNS update.

The DHCP server responds, giving the client the information it needs via three new DHCP options:

  • a WAVEsec gateway address
  • the gateway's mode (inline or appendix)
  • the gateway's public key
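The exchange described above, modelled as an added example (not WAVEsec's own code): the server leases an address, publishes the client's hostname and public key under the address's reverse-zone name, and answers with the three WAVEsec options. The option codes other than the standard Host Name option, the record layout, and the gateway's reverse lookup of the client's key are assumptions.

```python
from dataclasses import dataclass, field

# DHCP option codes. 12 is the standard Host Name option; the other four are
# ASSUMED placeholder codes, since the page names the new options but not their numbers.
OPT_HOSTNAME = 12
OPT_CLIENT_KEY = 224
OPT_GATEWAY_ADDR, OPT_GATEWAY_MODE, OPT_GATEWAY_KEY = 225, 226, 227
MODES = ("inline", "appendix")


def reverse_name(ip):
    """Owner name of an IPv4 address in the reverse zone (in-addr.arpa)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


@dataclass
class WavesecDhcpServer:
    gateway_addr: str
    gateway_mode: str
    gateway_key: str
    pool: list                                        # free addresses to lease
    reverse_zone: dict = field(default_factory=dict)  # stands in for the DDNS-updated reverse zone

    def handle_request(self, request):
        if self.gateway_mode not in MODES:
            raise ValueError(f"unknown gateway mode {self.gateway_mode!r}")
        ip = self.pool.pop(0)
        reply = {"yiaddr": ip}
        hostname = request.get(OPT_HOSTNAME)
        client_key = request.get(OPT_CLIENT_KEY)
        if hostname is None or client_key is None:
            return reply                              # ordinary client: lease only, no WAVEsec options
        # Dynamic DNS update: publish the client's name and key under its reverse-zone name
        self.reverse_zone[reverse_name(ip)] = {"PTR": hostname, "KEY": client_key}
        reply[OPT_GATEWAY_ADDR] = self.gateway_addr
        reply[OPT_GATEWAY_MODE] = self.gateway_mode
        reply[OPT_GATEWAY_KEY] = self.gateway_key
        return reply

    def lookup_client(self, ip):
        """Assumed gateway-side step: fetch a peer's key by reverse lookup of its address."""
        return self.reverse_zone.get(reverse_name(ip))


# Constructed sample exchange (addresses and keys are made up)
server = WavesecDhcpServer("192.0.2.1", "inline", "GW-PUBKEY-SAMPLE", ["192.0.2.50", "192.0.2.51"])
lease = server.handle_request({OPT_HOSTNAME: "laptop.example.org", OPT_CLIENT_KEY: "CLIENT-PUBKEY-SAMPLE"})
```

A client that sends no key still gets a lease but no WAVEsec options, and nothing is written to the reverse zone for it.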

This work builds on the work done at the RIPE meeting in January 2002, and repeated at IETF#53 in Minneapolis. In Minneapolis, a WAVEsec base station was deployed in an alternate configuration called "appendix" mode, which is covered later.

The details

There are 5 logical systems involved in this configuration. They are:

In many small networks, the three servers and the routing functions can be combined into a single machine. This can easily be a standard PC with a cable or DSL connection to the Internet and an 802.11 PCI card, as in this small office:

[Small office configuration]

Requirements

DNS for the reverse zone must be under control of the organizers.

In our example, we assume that real IP addresses are available for the wireless network. This should be true for nearly all conferences, but may not be so for SOHOs. We will not describe the case where Network Address Translation is needed.

We describe WAVEsec for IPv4.

More information

There is a mailing list. To join, email wavesec-users-request@wavesec.org with the body: "subscribe wavesec-users". Or use the mailto link.