Support public/private in 802.11 access points

Topic: 

Almost everybody has a WiFi (802.11) access point these days. Some leave them open by accident, some deliberately, some turn on encryption or other security. Being open can be nice to neighbours and wanderers, though it can also be abused, and if you have insecure machines on the local NAT, it's risky.

I propose pushing home NAT/WiFi boxes to, by default, work in both open and closed modes. They would support two NAT networks, independent of one another. One network would be for inside. Connecting machines on the inside network would need the WEP encryption key, or in lesser-security mode, be on the approved MAC list. Machines without the authentication would go on the external, open network.

The two networks might have two different SSIDs if the box can broadcast both of them, or it might be easier to have one broadcast SSID and one non-broadcast one.

Traffic for the external network would be given low priority, so that internal network use is never slowed by external use.

In other words, other than ISP complaints, there would be no reason not to do this. It would be good for giving access to visitors to the home or office, and also mean free wireless almost everywhere in the world.

Comments

A cheap way of doing most of this might be to use just one SSID, but have the whole network be 'insecure' and support some kind of VPN access to get to the inside network. With built in VPN in Mac OS X 10.3 and Windows XP (and even PPTP support in the Palm Tungsten C) this is not too tough to support on the client side. It'd also be more secure than WEP (like that's a difficult threshold).

You'd probably lose the prioritization, though.

"In other words, other than ISP complaints, there would be no reason not to do this. It would be good for giving access to visitors to the home or office, and also mean free wireless almost everywhere in the world."

I don't see why I would let strangers use my Internet connection, even when I don't need it.

Remember that for all the good uses that you may think of with an idea like that, there are many people who will think of bad uses.

Imagine a pervert using your AP and Internet connection to download his daily kiddie porn. Or the mafia member, or terrorist retrieving his instructions using your resources.

Without going to such extremes, consider the spammers. They are already using open wireless access points to connect to the Internet to send their junk email.

Chris has a point. In fact, it's a show-stopper. My ISP (Speakeasy) explicitly allows sharing, and I'd be happy to let others share my connection at low priority, but the liability to me in case they abuse it is just too great. Since I'm not in the habit of watching other people's Internet traffic, I'd first learn that somebody used my connection to send threats or child porn when the feds break down my door and cart my computers away.

This is also why I shut down my TOR node. Sadly, in today's shoot-first-and-ask-questions-later climate it's just too much of a risk.

And while someobody in France did get the knock on the door due to Tor, it was also quickly cleared up, and hopefully will not happen again.

There's tons and tons of free wireless out there for those who want to use it for illicit means. Except right now it will take away bandwidth from you when people do that. You won't stop the bad guys from getting on the net by refusing to run a box like I describe. You'll just stop good guys from knowing it's OK with you and knowing they won't be taking away any of your bandwidth.

It's really not possible to secure the net by securing the sources of connection. There's no such net where bad guys can't get on and send packets. We should not give up handy features trying to make the impossible.

good idea in theory, but in practice some people pay a premium for higher internet speeds and would be pretty miffed if a large portion of that was being siphoned off by a cheap neighbor.

Add new comment