WAVElan SECurity using IPsec

WAVESEC is a way to secure wireless networks such as 802.11 (often called "wavelan" after the original Lucent cards). 802.11 networks have become very commonplace - few technical conferences are now without a wireless network.

With the freedom to be untethered comes a risk - any person with a laptop within half a kilometer of you may be able to eavesdrop on your traffic. The 802.11 specification comes with something called "WEP", which stands for "Wired Equivalent Privacy". It is pretty weak encryption that attempts to make one as secure as one would be with a wire.

The WEP goal is pretty low - it promises to reduce the risk due to eavesdropping to the normal problems of eavesdropping on the Internet. Yet WEP is almost always turned off - it significantly hurts the performance of many 802.11 cards and the benefits are pretty low. We know that we can do better using IPsec technology, such as that produced by the FreeSWAN project.

The idea is to encrypt all traffic from laptops to a gateway that is connected by wires to the rest of the Internet.

[diagram of inline layout]

The novel thing about WAVEsec is how it arranges the trust required between the client notebook and the WAVESEC gateway. The exchange of public keys is done during address assignment by the DHCP protocol. The client provides its forward hostname and its public key in the DHCP request. The DHCP server then inserts both into the DNS server for the reverse zone (the IP->hostname mapping) using Dynamic DNS update.

The DHCP server informs the client of the existence of a WAVESEC gateway via three new options: a WAVESEC gateway address, the WAVESEC public key, and the mode (inline or appendix) in which to contact the WAVESEC gateway. The client can therefore be completely configured just by plugging an 802.11 interface in.
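As an added illustration of the exchange in the two paragraphs above (example code, not WAVEsec project code): the client's hostname and public key are published in the reverse zone, and the server hands back the three gateway options as DHCP option TLVs. The option codes 224-226 (site-specific range) and the TXT record layout for the key are assumptions, since this page does not give them.

```python
# Added example (not WAVEsec project code). Option codes 224-226 and the TXT layout are ASSUMED.
import ipaddress
import struct

OPT_GATEWAY = 224   # assumed: WAVEsec gateway IPv4 address
OPT_PUBKEY = 225    # assumed: WAVEsec gateway public key (raw bytes)
OPT_MODE = 226      # assumed: 1 = inline, 2 = appendix
MODES = {1: "inline", 2: "appendix"}

def encode_options(gateway: str, pubkey: bytes, mode: str) -> bytes:
    """Server side: encode the three options as DHCP TLVs (code, length, value)."""
    mode_code = {name: code for code, name in MODES.items()}[mode]
    items = [
        (OPT_GATEWAY, ipaddress.IPv4Address(gateway).packed),
        (OPT_PUBKEY, pubkey),
        (OPT_MODE, bytes([mode_code])),
    ]
    out = b""
    for code, value in items:
        if len(value) > 255:  # one DHCP option carries at most 255 bytes
            raise ValueError("option value too long for a single DHCP option")
        out += struct.pack("BB", code, len(value)) + value
    return out + b"\xff"  # end-of-options marker

def decode_options(blob: bytes) -> dict:
    """Client side: walk the option blob and pick out the WAVEsec options."""
    found, i = {}, 0
    while i < len(blob) and blob[i] != 0xFF:
        if blob[i] == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        code, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        i += 2 + length
        if code == OPT_GATEWAY:
            found["gateway"] = str(ipaddress.IPv4Address(value))
        elif code == OPT_PUBKEY:
            found["pubkey"] = value
        elif code == OPT_MODE:
            found["mode"] = MODES.get(value[0] if value else 0, "unknown")
    return found

def reverse_zone_records(client_ip: str, hostname: str, pubkey: bytes) -> list:
    """Records the DHCP server pushes into the reverse zone by Dynamic DNS update."""
    owner = ipaddress.IPv4Address(client_ip).reverse_pointer
    return [f"{owner}. PTR {hostname}.", f'{owner}. TXT "{pubkey.hex()}"']
```

The decoder rejects a truncated option rather than silently accepting a partial key, which is the check a client should make before trusting the gateway key it received.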

This work builds on the work done at the RIPE meeting in January 2002, and repeated at IETF#53 in Minneapolis. In Minneapolis, a WAVESEC server was deployed in an alternate configuration called "appendix" mode, which is covered later.

The details

There are 5 logical systems involved in this configuration. They are:

In many small networks, the three servers and the routing functions can be combined into a single machine. This can easily be a standard PC with a cable or DSL connection to the Internet and an 802.11 PCI card:

[Small office configuration]

It is assumed that real IP addresses are available for the wireless connection. This should be true for nearly all conferences. It may not be true for SOHOs. We will not describe the case where Network Address Translation is needed.

It is also assumed that DNS for the reverse zone is under control of the organizers.

More information

There is a mailing list: send email to wavesec-users-request@wavesec.org with the body "subscribe wavesec-users".