On Mon, Nov 11, 2013 at 2:21 AM, Mitar <mitar@tnode.com> wrote:
> Hi!
>
> > Bob is stalking Eve, and he has figured out her MAC address. He wants to
> > follow her around the city or simply learn where she lives. Using the node
> > map, which includes node IP addresses (or because he simply drove around
> > the city and mapped them out himself) he knows the IP/MAC to physical
> > location mapping of all nodes. A simple layer 2 or 3 traceroute will now
> > tell him Eve's movements around town including her work location and home
> > location. I am proposing that we disable the layer 2 traceroute
> > functionality in batman-adv and block ICMP Time Exceeded messages such that
> > traceroute is no longer possible, and such that it becomes much more
> > difficult to find the physical location of a MAC address.
>
> OK, and you believe this scenario warrants crimping the network?

Yes! Emphatically yes! This is an issue of people's safety. People will not reasonably expect that they are broadcasting their position to anyone who cares to listen when they use the mesh. Many people have enemies and stalkers. If we don't do anything about this issue then we are endangering people's personal safety. We can't just say "oh, people can't expect to keep their location private anymore".
 
> I do not have a direct analogy here, but we used for some time a captive
> portal which blocked all traffic until you clicked a button in the
> browser. We got quite some reports of the network not working from geeks who,
> first thing after they connected to the network, tried something non-HTTP and
> then tried to ping and debug and nothing worked. Never tried to open
> HTTP. Those were people not otherwise involved with the network. They
> just assumed things should work. So what I am saying is that I think things should
> always work as expected. Don't break things.

Sacrificing usability and/or personal safety for the many so a few techies won't have to deal with workarounds is completely unreasonable. The long-term solution to captive portals is a standard, implemented by all major operating systems, that allows communication with users that connect to your network without ugly hacks. I'm not sure what the long-term solution for not leaking geo-location information is, but there probably is a non-ugly solution. We should work to create those solutions, but in the meantime, it's more important that the network works for the majority of people than that it's technically beautiful.

 
> BTW, I am not sure if normal traceroute does anything smart in a Batman
> network. So how many people will really know how to use a Batman-specific
> tool?

True. You'd need to use a batman-specific tool, but that's security by obscurity territory and it only takes one person to make a "find anyone's location" web app for that to break.

--
Marc/Juul