Dear Toussaint,
On 09 Aug 2021, at 10:55:50, Toussaint OTTAVI via 44Net wrote:
>> I'd like
>> relatively right connectivity between my
>> BGP and intranet subnets, and possibly other BGP routed subnets, but no
>> connection (generally) to the wider Internet from my part of the intranet.
> As I often say, don't confuse "routing" and "firewalling". Those
> are two
> separate topics that should IMHO be handled separately:
In theory, and in normal networks, you would be right. The difference
is however that in normal networks, you generally use firewalls to block
access to resources. The problem we have at hand is slightly different:
We need to protect access to links.
At least in some jurisdictions, we must not route certain traffic via
an amateur radio link, so we face the dilemma of having a (possibly
preferable) route via the radio that is not available to that certain
traffic. Naturally, you'd block that traffic using a firewall rule.
A route announcement generally is a promise to carry traffic to that
destination. Can you still honestly make this promise if your firewall
blocks that traffic? Or should you rather not announce that route?
In the traditional (internet only) case it doesn't matter because
a firewall would protect the resource no matter the path.
But in our case, your route announcement and subsequent packet dropping
would be wrong (needlessly preventing communication) if another route were
available that is not subject to the amateur radio link access restriction
(maybe there is no amateur radio link, or maybe it's via a different
jurisdiction).
Somewhere deep down in that case lies the problem that the TAC proposal
was trying to solve, although that was not fully documented.
A related question, also buried deep down in that lane:
Your firewall rule would typically be filtering on
source/destination addresses.
It is, I think, not disputed that a part of the reason to get users onto
the 44 Net is that it identifies communication partners as
duly licensed ham radio operators, hinting to your firewall that amateur
radio frequency access may be allowed.
So, does initiation of a 44-to-44 communication also imply some form of
agreement/representation that the content of that communication is
suitable for the amateur radio airwaves?
Suppose I'd want to tell a non-politically-correct joke to another OM.
I can now choose if I wanted to take the VHF TRX to call him on the
local repeater, or I could call him on the landline phone.
How should this be handled?
73s,
Mario, DL5MLO
--
Mario Lorenz Internet: <ml(a)vdazone.org>
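The routing-versus-firewalling dilemma in Mario's message can be made concrete with a small model. The following is an added example, not code from the 44Net thread or from any AMPRNet project: it simulates a router holding two paths to the same 44Net prefix, a preferred one over an amateur radio link and a fallback IPIP tunnel, and compares "announce the preferred route and let the firewall drop restricted traffic" against "only announce routes you can honestly carry for that traffic class". The prefixes, next-hop names and the restricted/unrestricted packet flag are all constructed for illustration; the LOCAL_PREF-style selection is a deliberately minimal stand-in for real BGP best-path selection.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the 44Net thread). Prefixes, next-hop names and
# preference values below are constructed, not real allocations.

@dataclass(frozen=True)
class Route:
    prefix: str        # destination prefix, e.g. "44.150.0.0/16" (constructed)
    via: str           # next-hop / interface name (constructed)
    local_pref: int    # higher wins, loosely modelled on BGP LOCAL_PREF
    radio_link: bool   # True if this path crosses an amateur radio link

@dataclass(frozen=True)
class Packet:
    dst: str
    restricted: bool   # content the operator must not put on air (assumption)

def best_route(rib: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match, then highest local preference."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, r.local_pref))

def firewall_allows(route: Route, pkt: Packet) -> bool:
    """The per-link restriction: restricted content must not cross a radio link."""
    return not (pkt.restricted and route.radio_link)

def forward_announce_and_drop(rib: List[Route], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Design 1: route normally, then apply the firewall on the chosen path.
    Restricted traffic is dropped on the radio path even if a tunnel exists."""
    r = best_route(rib, pkt.dst)
    if r is None:
        return ("no-route", None)
    if not firewall_allows(r, pkt):
        return ("dropped", r.via)
    return ("forwarded", r.via)

def forward_policy_routing(rib: List[Route], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Design 2: remove links the traffic class may not use *before* selection,
    so a restricted packet takes the fallback path instead of being dropped."""
    usable = [r for r in rib if firewall_allows(r, pkt)]
    r = best_route(usable, pkt.dst)
    if r is None:
        return ("no-route", None)
    return ("forwarded", r.via)

def announce(rib: List[Route], restricted_class: bool) -> List[str]:
    """Prefixes this router can honestly promise to carry for a traffic class:
    for restricted traffic only prefixes reachable without a radio link."""
    return sorted({r.prefix for r in rib
                   if not restricted_class or not r.radio_link})

# Constructed RIB: 44.150/16 reachable both over radio (preferred) and via a
# tunnel; 44.151/16 reachable over radio only.
RIB = [
    Route("44.150.0.0/16", "hamnet-radio", local_pref=200, radio_link=True),
    Route("44.150.0.0/16", "ipip-tunnel",  local_pref=100, radio_link=False),
    Route("44.151.0.0/16", "hamnet-radio", local_pref=200, radio_link=True),
]

if __name__ == "__main__":
    for pkt in (Packet("44.150.1.1", restricted=True),
                Packet("44.150.1.1", restricted=False),
                Packet("44.151.1.1", restricted=True)):
        print(pkt, "announce+drop:", forward_announce_and_drop(RIB, pkt),
              "policy-routing:", forward_policy_routing(RIB, pkt))
    print("announce to restricted class:", announce(RIB, True))
    print("announce to unrestricted class:", announce(RIB, False))
```

For the 44.150/16 destination the first design drops the restricted packet on the radio path although the tunnel could carry it, which is exactly the "needlessly preventing communication" case; the second design forwards it via the tunnel and still prefers the radio path for unrestricted traffic. For 44.151/16, where no non-radio path exists, both designs end in a non-delivery, but the second one also stops announcing the prefix to the restricted class, so the promise matches what the router will actually do.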