According to this one guy a group of PhD's had stated that B.A.T.M.A.N protocol is the best Mesh router protocol out there. B.A.T.M.A.N protocol is the one used by Freifunk, which is Germanys mesh community and perhaps the largest in the world. What exactly do you mean with malicious mesh node? For what purpose would the malicious nodes exist? Standard nodes have max capacity and you could set a cap limit to output for standard nodes. Someone running a malicious node would forge the output to very high, right?
What B.A.T.M.A.N. does is has every participant periodically announce themselves, and then each peer that hears them repeats the announcement. Each node remembers the best source for a particular host they've heard of and sends traffic for it in that general direction.
The announcements have a hop count and a sequence number to prevent loops and repetitions of the announcements.
There is absolutely no security at all, except by totally limiting access to the media (e.g. by encrypting all packets and not making the network accessible to the public).
If someone with access to the network wants to impersonate another party and receive almost all of their traffic all they have to do is start generating announcements for them. They can selectively mitm, impersonate, or block access to any other party on the mesh.
If you are using some L3 IP security on top of the mesh (like a VPN) then they can't impersonate but they can trivially deny access.
So as they stand right now, these protocols do not work for public networks except to the extent that no one wants to bother attacking them. A lot of the time that is probably true --- but centralized ISPs are also secure so long as no one wants to bother attacking.
It looks like the Freifunk firmware is still actively maintained--
https://github.com/ffbsee/ffbsee-firmware/commits/master thanks-- thats the sort of thing I was looking for when I asked before. There was a lot of excitement about meshes around 2013-2015 and there are a lot of dead webpages now.
No security? The network is connected to the internet with NAT which goes through a gateway that has a VPN. Is that not security? There is no way to spy or track or identify a single user of the network. In addition you can also encrypt the wi-fi signal. Centralized ISP's are not secure. Centralized ISP's are the security breach themselves. The intelligence community gathers data through the centralized ISP's. They can now without any permission or warrant get your entire browsing history.
https://en.wikipedia.org/wiki/Network_address_translationI am involved with a big "mesh" network. The network is still live but has shrunk somewhat from it's top size. It's not a live mesh in that nodes are fixed in position and cannot move around but the network is somewhat resilient to nodes dying and routes around them.
The network used mainly Mikrotik and UBNT Wireless gear to form point to point links as well as sectors with clients. It was a complete private network operating in private address space with it's own internal DNS as well as routing. Did not provide direct access to the internet though some did tunnel internet access over it. Similar networks I am aware of use BGP routing though this network used OSPF routing (BATMAN sounds similar?). I suspect it was (or perhaps still is) one of the largest single area OSPF deployments. It had over 650 OSPF routers in one area!
I did not design this and was not a network expert by any means (still not, work in other fields, this was hobby) but learnt a few things along the way.
In terms of security this was not secure. Given private non-profit nature of the network we had participants join with poor network practices (e.g. no security, unpatched routers, windows machines, default passwords etc.) and when their PC/router got hacked/infected by viruses from internet that would scan the private network for targets. That was security problem one, which would be fine, but I introduced detection methods by centralising logs and listening for scans from inside the network and then null routed any host doing excessive scanning, login attempts on ssh ports etc. Was able to null route a host by doing that and announcing the route on OSPF. I was able to do it more effectively than anyone else because i had access to more infrastructure as I was involved in managing the network (as much as it could be managed). But in theory any participant could do it by announcing routes for a particular IP range. The most effective was announcing /32 as it would get the most priority on OSPF. If you had one OSPF router you could steal half someone's traffic in this way.
There was never any active abuse of this but lots of accidental routing issues and was easy to spot.
As an aside I changed bitcoin node code slightly so that would operate on this private network (changing the way it used private address space). I think it would not advertise private addresses and I changed that setting in the private network somehow. I lost interest as it was just two of us running bitcoin nodes on the network at the time.
This network covered some poor areas where people did not have internet at home and we did not provide internet access per say, but some of us which had more internet than we were using did setup proxies for use by participants for basic internet (think mail, education, news etc.). We could not just provide internet as we operated under licensing which prohibited to some degree, plus the bandwidth...
We did link up also with other such networks via tunnels over internet in other parts. Was also thinking of hooking up with others (freifunk, dn42, nyc mesh) but interest slowed down.