by supernetworks 1159 days ago
We designed SPR to address problems with wifi isolation. Every wifi device runs in an isolated subnet and individual VLAN. Mac spoofing is not possible since a device's MAC identity is combined with a device-specific PSK. You can check out the project here: https://www.supernetworks.org/

While we were not aware of these protocol flaws specifically, the project was inspired by fundamental weaknesses in secure wifi isolation. One of the attacks demonstrated in the scripts but not in the academic paper is that most routers will route UDP/IP packets between devices even when they are "isolated", so there are problems with most guest wifi networks even before mac stealer type attacks come into play.


So, a long time ago, I implemented a similar system on top of some enterprise access points -- broadcast storms were just killing our Wi-Fi. The problem was mDNS / bonjour didn't work in this setup, although there was a way to use a routable multicast address, we couldn't get printers working.

Eventually we hacked something up where the AP controller could do proxy ARP, and google cloud print.

Do yall have a better solution?

Yes -- except for limited wireguard support, usability for multicast is mostly solved. SPR services mDNS and Zeroconf/SSDP with a UDP proxy [1].

[1] https://github.com/spr-networks/super/blob/main/multicast_ud...

In an enterprise setup you usually ALG those things and block BUM traffic except for things that register for a routed stream in which case you have the system convert multicast to unicast to that client (in transport, not destination). If those are not a checkbox on your gear of choice then you have to build it yourself as you did.

VLANs+Subnets play little role in the end on a Wi-Fi SSID. Clients get put in the same GTK and hear everything in the same BSSID. You don't want to go making BSSIDs per client either as that kills airtime. Most of the time you're better off with a flat wireless network with the above controls as it functions exactly the same as a divided network where you need the same controls anyways but now it's simpler. Different subnets per SSID (for when you need to support different authentication methods, not for when you need different services to co-exist) can make things simpler though.

This sounds like ‘we had a problem with devices talking to each other so we blocked that, and then services that require devices to talk to each other didn’t work!’

How is SPR different from OpenWRT?