Dear Toussaint,
On 09 Aug 2021, at 10:55:50, Toussaint OTTAVI via 44Net wrote:
I'd like relatively right connectivity between my BGP and intranet subnets, and possibly other BGP routed subnets, but no connection (generally) to the wider Internet from my part of the intranet.
As I often say, don't confuse "routing" and "firewalling". Those are two separate topics that should IMHO be handled separately:
In theory, and in normal networks, you would be right. The difference is however that in normal networks, you generally use firewalls to block access to resources. The problem we have at hand is slightly different: We need to protect access to links.
At least in some jurisdictions, we must not route certain traffic via an amateur radio link, so we face the dilemma of having a (possibly preferable) route via the radio that is not available to that certain traffic. Naturally, you'd block that traffic using a firewall route.
A route announcement generally is a promise to carry traffic to that destination. Can you still honestly make this promise if your firewall blocks that traffic? Or should you rather not announce that route? In the traditional (internet only) case it doesn't matter because a firewall would protect the resource no matter the path.
But in our case, your route announcement and subsequent packet dropping would be wrong (needlessly preventing communication) if another route were available that is not subject to the amateur radio link access restriction (maybe there is no amateur radio link, or maybe it's via a different jurisdiction).
Somewhere deep down in that case lies the problem that the TAC proposal was trying to solve, although that was not fully documented.
A related question, also buried deep down in that lane: Your firewall rule would typically be filtering on source/destination addresses.
It is, I think, not disputed that a part of the reason to get users onto the 44 Net is that it identifies communication partners as duly licensed ham radio operators, hinting your firewall that amateur radio frequency access may be allowed.
So, does initiation of a 44-to-44 communication also imply some form of agreement/representation that the content of that communication is suitable for the amateur radio air waves?
Suppose I'd want to tell a non-politically-correct joke to another OM. I can now choose if I wanted to take the VHF TRX to call him on the local repeater, or I could call him on the landline phone.
How should this be handled?
73s,
Mario, DL5MLO