gluon-mesh-wireless-sae
This package adds support for SAE on 802.11s mesh connections.
Enabling this package will require all 802.11s mesh connections to be encrypted using the SAE key agreement scheme. The security of SAE relies upon the authentication through a shared secret.
In the context of public mesh networks a shared secret is an obvious oxymoron. Still, this functionality may provide an improvement over unencrypted mesh connections in that it protects against a passive attacker who did not observe the key agreement. In addition Management Frame Protection (802.11w) gets automatically enabled on wireless mesh interfaces to prevent protocol-level deauthentication attacks.
If wifi.mesh.sae is enabled, a shared secret will automatically be derived from the prefix6 variable. This is as secure as it gets for a public mesh network.
For private mesh networks wifi.mesh.sae_passphrase should be set to your shared secret.
site.conf
These settings apply to all 802.11s mesh interfaces on all radios.
- wifi.mesh.sae : optional
trueenables SAE on 802.11s mesh connectionsfalsedisables SAE on 802.11s mesh connectionsdefaults to
false
- wifi.mesh.sae_passphrase : optional
sets a shared secret used to authenticate any two mesh nodes, crucial for private mesh networks
should not be set, if the shared secret is shared with untrusted third parties, like in a publish mesh network
defaults to an autogenerated value derived from
prefix6
Example:
wifi = {
mesh = {
sae = true,
-- sae_passphrase = "<shared secret>",
},
},