50 lines
1.6 KiB
ReStructuredText
50 lines
1.6 KiB
ReStructuredText
gluon-mesh-wireless-sae
|
|
=======================
|
|
|
|
This package adds support for SAE on 802.11s mesh connections.
|
|
|
|
Enabling this package will require all 802.11s mesh connections
|
|
to be encrypted using the SAE key agreement scheme. The security
|
|
of SAE relies upon the authentication through a shared secret.
|
|
|
|
In the context of public mesh networks a shared secret is an
|
|
obvious oxymoron. Still, this functionality may provide an improvement
|
|
over unencrypted mesh connections in that it protects against a
|
|
passive attacker who did not observe the key agreement. In addition
|
|
Management Frame Protection (802.11w) gets automatically enabled on
|
|
wireless mesh interfaces to prevent protocol-level deauthentication attacks.
|
|
|
|
If `wifi.mesh.sae` is enabled, a shared secret will automatically be
|
|
derived from the `prefix6` variable. This is as secure as it gets
|
|
for a public mesh network.
|
|
|
|
For *private* mesh networks `wifi.mesh.sae_passphrase` should be
|
|
set to your shared secret.
|
|
|
|
site.conf
|
|
---------
|
|
These settings apply to all 802.11s mesh interfaces on all radios.
|
|
|
|
wifi.mesh.sae \: optional
|
|
- ``true`` enables SAE on 802.11s mesh connections
|
|
- ``false`` disables SAE on 802.11s mesh connections
|
|
- defaults to ``false``
|
|
|
|
wifi.mesh.sae_passphrase \: optional
|
|
- sets a shared secret used to authenticate any two mesh nodes,
|
|
crucial for private mesh networks
|
|
- should not be set, if the shared secret is shared with untrusted
|
|
third parties, like in a publish mesh network
|
|
- defaults to an autogenerated value derived from ``prefix6``
|
|
|
|
|
|
Example::
|
|
|
|
wifi = {
|
|
mesh = {
|
|
sae = true,
|
|
-- sae_passphrase = "<shared secret>",
|
|
},
|
|
},
|
|
|