OpenWrt Forum Archive

Topic: WPA status?

The content of this topic has been archived on 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've read a little on here mentioning WPA but nothing stating whether it works yet... this is what stops me migrating to openwrt .. everything else I use currently (dropbear, iptables) seems to be supported anyway....  Is there some specific reason why nas doesn't run?

There are some compatibility issues with our updated version of uClibc and nas. WEP works quite nicely though.

If you want to run the linksys nas binary on openwrt you could try putting a copy of the linksys libraries somewhere and using LD_LIBRARY_PATH or LD_PRELOAD to force the use of those libs with the nas binary. (Just a suggestion; I haven't tried it as I have nothing that can be a WPA client without paying money for linuxant.)

I believe WEP is more than enough. WEP/WPA imo is just for preventing casual sniffing. I always run VPN(ipsec etc.) on top of both wired/wireless if the communication is sensitive.

In fact, I would just leave the wireless part naked if I can find a way to run ipsec on the router and use it instead.

I tested starting the NAS tool with LD_LIBRARY_PATH on OpenWRT.
As you can read in my thread "WPA with NAS trying started", I have not had much luck so far.
I'm really waiting for feedback from Linksys OpenSource group.

They should hand out nas.c or at least a more compatible binary.

It already seems they do not have much interest.

Someone told me it might be just normal that they answer after 4-8 weeks.

Pity.  I'd rather go plaintext than use WEP (all of the complexity and none of the security..!  I cracked the key in our company in 4 hours - I was lucky though I expect.).

I can't see the point in using a VPN *and* WPA, unless you're aware of some cryptographic weakness in AES...

   I'll stick to sveasoft for now then.

I see two problems with wireless:

1. Being piggybacked. This can be controlled by the router if I use VPN on top of that (such as wavesec).

2. Being tapped. Again, this is supposed to be not a problem if everything going on is encapsulated by ipsec.

The reason why I prefer VPN is that I think it is a unified approach to protect data. WPA cannot protect wired communication which I also don't trust for sensitive stuff.

Recently I've read about WPA and WEP.

If I'm not wrong WEP is a 40-bit crypto algorithm, no matter how long keys are, security is weak.

WPA is AES based crypto, using 128, 192 or 256 bit algorithm, communication's security is stronger.

Regards

Xavier Sanz

If I'm not wrong WEP is a 40-bit crypto algorithm, no matter how long keys are, security is weak.

You are wrong.  What's commonly known as "40-bit" WEP is actually 64-bit, with a 40-bit static "key" and 24-bit IV which is combined to produce a 64-bit key.  However, due to a weakness in how the RC4 is implemented, it is "trivial" to crack WEP, and not that much harder (about 2x as long) to crack 128-bit WEP (104-bit static "key", 24-bit IV).

Since the 24-bit IV field is transmitted as cleartext in the 802.11 header, WPA tries to overcome this limitation by using the 24-bit IV as a hash instead, which supposedly makes it much harder to crack (this is the TKIP component of WPA). It also uses a MIC to prevent packet tampering which was possible on WEP-encrypted packets (Michael). Additionally, by using AES 128-bit/256-bit encryption, certain weaknesses of the RC4 implementation are addressed.

I think WEP is still useful not for crypto, but to keep casual foreign clients from hooking onto our APs and 'stealing' radio bandwidth, as it prevents WiFi adapters from establishing connections if they do not have the keys.

However, due to a weakness in how the RC4 is implemented, it is "trivial" to crack WEP, and not that much harder (about 2x as long) to crack 128-bit WEP (104-bit static "key", 24-bit IV).

I heard some stuff about a 128-bit WEP key being easier to crack since it generates more traffic. The important factor when cracking WEP is the amount of traffic and the number of packets containing "important" information. But, I could be wrong, I haven't really put this to any sort of test.

Is any of the OpenWRT developers working on a WPA implementation in OpenWRT for WRT54G and WRT54GS? I'm not sure, but I think that the new release of the LinkSys firmware supports that feature (802.11i).

I don't want to implement a wireless router without WPA - it's more secure than WEP!

hmikux

Current CVS (as of this posting) works with WPA. For this to work, you need to install "nas" binary from linksys firmware (located at buildroot/build_mpsel/WRT54GS/release/src/router/mipsel-uclibc/install/nas/usr/sbin/nas) into, say, /usr/sbin on the router. Then, configure nvram variables as required. Below is an example configuration for AES configuration:

wl0_wpa_psk=<key-passphrase>
wl0_wpa_gtk_rekey=<rekey-interval>
security_mode=psk
wl0_crypto=aes
wl0_wep=aes

Replace <key-passphrase> and <rekey-interval> with appropriate values. If you want to use tkip, set

wl0_wep=tkip

Apparently for tkip, wl0_crypto variable is not used.

Then start "nas" as

/usr/sbin/nas /tmp/nas.conf /tmp/nas.pid lan

Note that nas.conf and nas.pid are created by nas. If everything works, you can then create a script in /etc/init.d that starts nas at boot time.

About WEP. You can in fact get the key. Take a look at "airsnort" (http://airsnort.shmoo.com/). After you get the key, you can connect to the wireless network.

Even if you "permit by MAC" (ie, only allow the "MACs" that you trust), you can "clone" a MAC, and still go in.

And yes, the weakness is in the RC4 algorithm itself (well, more precisely in the Key Scheduling Algorithm). Just look here: http://www.drizzle.com/%7Eaboba/IEEE/rc4_ksaproc.pdf

Yes, you can get the WEP key given enough "weak" packets, what you fail to mention is that on a typical home network this may mean several days worth of sniffing to get enough packets.

Well, you only need about 100MB of data (how much do you download/upload from your computer?). In a typical work day, I download about 40Mb, and upload about 10Mb. That is when I don't use any p2p client; when I use those, I can download up to 1024Mb a day and upload about 400Mb.

It will depend on the kind of use you give to the network.  Say, if you play network games in the WLAN, open files from other computers, print documents to shared printers, and so on, it would not take too long.

I think WEP is only good to make the network slower.  If you will use WEP, better not use anything at all (just hide the SSID), it will be faster, and almost as secure.

I would use a VPN.  I haven't tested WPA (but will, someday).

... For this to work, you need to install "nas" binary from linksys firmware (located at buildroot/build_mpsel/WRT54GS/release/src/router/mipsel-uclibc/install/nas/usr/sbin/nas) into, say, /usr/sbin on the router. ...

If I try to run nas, it reports "Bus error". Anyone else had this problem ?

Thanx y'all

extra info: WRT is running Nico's firmware 02062004.

hi Adze

extra info: WRT is running Nico's firmware 02062004

That's way too old, what features are you currently using in this firmware?
Most have been incorporated in the latest CVS firmware...

--
Nico

Hi Nico,

... What features are you currently using in this firmware? ...

I use: dropbear, pppd, pptp, ip, dhcp-fwd, base-sytem, tc, sched-mod, ipt_layer7, ipt_tos, net-snmp, ipv6, and probably some things I forgot. All of those ipkg came from your site! (You are my hero.) I was planning on upgrading my box, but it runs rock-solid, does everything I want (so far...) and it takes up to a day to get everything working again, 'cause I have a very custom setup, mostly done with nvram settings...

What firmware do you currently use/recommend (somehow compiling my own firmware fails most of the time)? Maybe you could create an ip6tables.ipkg and or an su.ipkg, that would really make me happy.

Thank you all, for making the OpenWRT community!

Great news that WPA works in cvs. Anyone know if nas supports 802.11i fully yet? Specifically I'm interested in ad hoc mode, as I have some plans for a network using OLSR for routing and 802.11i for security.

I know I could use IPSEC, but that requires support and configuration from the clients, and kills throughput. WPA is included in recent OS updates, and it can use the hardware AES built in to the Broadcom radios (I assume that's why Linksys don't distribute the source, Broadcom don't like giving out code to access their hardware) so it should perform much, much better.

I know I could use IPSEC, but that requires support and configuration from the clients, and kills throughput. WPA is included in recent OS updates

Hmm.... How much throughput does IPSEC cost?
It's certainly a much more flexible and available solution to me since there's no WPA/AES for the centrino wlan card for Linux.

still waiting for my wrt54gs

I saw someone post throughput numbers with and without IPSEC a few months back. Without they were getting around 30mbps, with it was more like 3mbps. However I haven't run my own tests, so take that with a grain of salt.

Without they were getting around 30mbps, with it was more like 3mbps.

Maybe it's these:
http://lists.openswan.org/pipermail/use … 01389.html

Hmm.. Right now I'm doing fine with a 10Mbit/s hub, and my ISP connection is not even near those speeds. So I guess it's not that bad. But sure... more horsepower in the WRT54G would never hurt.

Yep, that looks like the post I was thinking of. And you're right, it's certainly not going to kill you if you just want to share internet access. Still, reducing your throughput by an order of magnitude isn't a great deal if you plan to use your wireless network for other stuff.

Still, reducing your throughput by an order of magnitude isn't a great deal if you plan to use your wireless network for other stuff.

Yes... it is. :?

If I read the AES papers correctly, the Twofish algorithm should be a little bit faster than AES (Rijndael). Also, it uses only RISC-type operations, so running it on a MIPS should not make it slower.

The discussion might have continued from here.