On 10/08/2021 at 20:26, R P via 44Net wrote:
> Why should we separate networks?
> Every simple firewall can block traffic with simple rule
The purpose is not only to allow/block traffic. The TAC proposal
describes two different use cases (called "Internet" and "Intranet")
that suit different needs all over the world. Some of us are already
using similar schemes, but with different implementations all over
the world. This makes routing a headache, and there are many situations
where sysops don't know how to route traffic correctly. F/ex, in France,
most of the D-Star or DMR stuff which has 44net addressing is in fact using
dual addressing, and also has a classic Internet IP, so that it can
be reached from the Internet.
The separation into two subnets proposed by the TAC solves that, by
defining a clear routing policy for each subnet:
- The "Internet" subnet is routed on the public Internet via eBGP, and
packets are carried via the Internet
- The "Intranet" subnet is not announced on the Internet, but is only routed
internally (as the European HamNet does with iBGP)
In your situation:
- If you want to be reachable from the public Internet, you can choose the
"Internet" subnet, and set up your firewall rules according to your needs
- If you want to be on a completely closed network not reachable from
the public Internet (such as HamNet), then you can choose the "Intranet" subnet.
Here, we decided to use the best of both modes. We're using dual
addressing, and each site can have both Internet and Intranet addresses.
Any device just needs to be connected to the right Ethernet interface,
and it automatically gets the right IP, and the right routing /
firewalling policy.
The TAC proposal is a normalization of what some of us are already
doing, with 44.190 "Internet / no country", or with BGP announcement of
a 44.x subnet. It offers clear segmentation between the two modes, and
should help set up routing policies by just having two big subnets.
On 10/08/2021 at 20:26, R P via 44Net wrote:
> I (and all my country) sit on 44.138 which according
> to the proposal would be not connected to the Internet
With the current proposal, and if you need your full IP range to be
reachable directly from the public Internet, then yes, I think you'll have
to renumber to something in 44.0. Anyway, I would answer your
question with another question: Even with good firewalling, do you
really need and/or want all your IP range, all your endpoints, all your
users to be exposed to the public Internet?
As said before, we chose to use both addressing schemes, and we decide
individually for every application or device. F/ex:
- D-Star, DMR, XLX -> Internet subnet
- Remote control of HF radio-club station -> Intranet subnet
Then, another option for you would be:
- Keep your current network in 44.138, but consider it as "Intranet",
"HamNet clone", and stop announcing it via BGP
- Get another subnet in 44.0 for "Internet" and announce it via BGP
- Choose individually what devices need to be reachable from the public
Internet (they should not be the majority), and just migrate/renumber
those to 44.0
Or a better suggestion:
Do dual addressing everywhere like we do :-) If things work well, we
(the TAC and all the sysops here) should be able to define clear routing
policies, build a backbone, define a common POP policy, and define a
standard configuration for "Access" routers or endpoints to be
implemented on a wide range of low-cost platforms :-) Of course, this
would involve some work for everybody. But if we want to make 44net
access easier and gain users, it seems obvious we'll have to migrate the
current mess (there are not two user groups that do exactly the same
thing) to something a little bit more normalized and harmonized over the
world. Then, we will all have to change some things, HI :-)
73 de TK1BI
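The two-subnet policy described in the message above (an "Internet" subnet announced via eBGP and reachable from the public Internet behind the site's own firewall, and an "Intranet" subnet that is only routed internally and never announced) can be written down as a small policy model. The following is an added example, not code from the thread, the TAC or any 44net site. The concrete split of 44.0.0.0/10 for "Internet" and 44.128.0.0/10 for "Intranet" is an assumption made here for illustration (the message only names 44.0 and 44.138); the function names and sample addresses are constructed for the example.

```python
"""Policy model of the 44net "Internet" / "Intranet" subnet split (added example).

Two things are modelled:
  1. BGP export filters: what a site may announce to an Internet eBGP peer
     versus to its internal iBGP peers.
  2. The forwarding decision a border router / firewall takes for a packet,
     given where its source and destination addresses live.
"""
import ipaddress
from typing import Iterable, List

# Assumed split for this example (hypothetical, not taken from the thread).
INTERNET_SUBNET = ipaddress.ip_network("44.0.0.0/10")    # announced via eBGP, Internet-reachable
INTRANET_SUBNET = ipaddress.ip_network("44.128.0.0/10")  # iBGP only, never announced


def classify(addr: str) -> str:
    """Return 'internet', 'intranet' or 'public' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip in INTERNET_SUBNET:
        return "internet"
    if ip in INTRANET_SUBNET:
        return "intranet"
    return "public"


def _networks(prefixes: Iterable[str]):
    return [ipaddress.ip_network(p) for p in prefixes]


def ebgp_export(prefixes: Iterable[str]) -> List[str]:
    """Export filter towards an Internet eBGP peer: only Internet-subnet prefixes leave.

    An Intranet prefix leaking here would be the exact mistake the split is meant
    to prevent, so it is dropped from the announcement rather than passed through.
    """
    return [str(p) for p in _networks(prefixes) if p.subnet_of(INTERNET_SUBNET)]


def ibgp_export(prefixes: Iterable[str]) -> List[str]:
    """Export filter towards internal iBGP peers: the Intranet prefixes routed internally."""
    return [str(p) for p in _networks(prefixes) if p.subnet_of(INTRANET_SUBNET)]


def forward_decision(src: str, dst: str, allow_inbound: Iterable[str] = ()) -> str:
    """Decide 'accept', 'drop' or 'no-route' for a packet crossing the site border.

    allow_inbound lists the Internet-subnet hosts the site chooses to expose to
    the public Internet (the per-site "firewall rules according to your needs").
    """
    exposed = set(allow_inbound)
    s, d = classify(src), classify(dst)

    if d == "intranet":
        # Never announced on the Internet: only 44net sources can reach it at all.
        return "accept" if s in ("internet", "intranet") else "drop"

    if d == "internet":
        if s == "public":
            # Reachable from the Internet, but the site decides what is exposed.
            return "accept" if dst in exposed else "drop"
        return "accept"  # 44net-to-44net traffic is routed internally

    # Destination is on the public Internet.
    if s == "intranet":
        # Replies could never come back: the Intranet prefix is not announced.
        return "no-route"
    return "accept"


if __name__ == "__main__":
    site_prefixes = ["44.10.0.0/16", "44.138.0.0/16"]  # constructed sample site
    print("eBGP export:", ebgp_export(site_prefixes))
    print("iBGP export:", ibgp_export(site_prefixes))
    for src, dst in [("8.8.8.8", "44.138.10.1"), ("8.8.8.8", "44.10.0.5"),
                     ("44.138.10.1", "44.10.0.5"), ("44.138.10.1", "8.8.8.8")]:
        print(f"{src} -> {dst}: {forward_decision(src, dst, allow_inbound={'44.10.0.5'})}")
```

Running the file prints the announcements each peer type would receive and the decision for a few constructed flows. The dual-addressing setup described in the message maps directly onto this model: a device plugged into the "Internet" Ethernet segment gets an address that `classify` reports as `internet` and is subject to the `allow_inbound` list, while one on the "Intranet" segment is unreachable from public sources whatever the firewall says, because its prefix never appears in `ebgp_export`.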