You already proved yourself wrong in the answer to Ruben.
It does not matter how you layout your network, there is always the risk of bad people no
matter
how you do it. So everyone has to put a firewall close to their precious computers that
allows
outsiders to access only what they want them to access. You can partly use the source
address
for some of that validation, but that should only be used for noncritical access rules
like "are
they allowed to use my NTP and DNS server" and not critical rules like "are they
allowed to
operate my transmitter, or enter information in my system". For that, a separate
authentication
method is always required. It has been discussed before, it would be nice to have a
global
authorization system where you can validate that a user you have not registered locally is
a
valid radio amateur license holder, e.g. user VE2PF can be validated using some method
like
username/password, user certificate, etc. So people who forced their entry into the
network
still do not have that.
But there is no way that some split in the network address range is going to provide
anywhere
near that, it will just be snakeoil security and it requires only one unguarded network
entry
to allow bad people to access that entire network, even when it is an
"intranet".
Rob
On 8/11/21 12:50 AM, pete M via 44Net wrote:
Well as I said to Ruben this is wrong.
You may think you will fix the problem with such simple fix.
The networking world is not as "clean" as you think. Once someone advertise a
subnet in the 44.0/09 or 44.128/10 they would have access to your network. The thing is
that it is already happening and AMPR/ARDC are already monitoring such event but it take
times to find those rogue people, then AMPR need to contact the owner of the network that
provide the bgp route top the rogue guys. Those could be legit guys but are with the rogue
group and they could delay for days if not weeks the action needed to secure back YOUR
network. Do you want to leave the front door of your house to the public if you were made
promises that no one but the legit owner of the neighbourhood would have access to the
road in front of your house? Not the same security risk I think.
Pierre
VE2PF
________________________________________
De : 44Net <44net-bounces+petem001=hotmail.com(a)mailman.ampr.org> de la part de Rob
PE1CHL via 44Net <44net(a)mailman.ampr.org>
Envoyé : 10 août 2021 17:57
À : 44net(a)mailman.ampr.org
Cc : Rob PE1CHL
Objet : Re: [44net] A new era of IPv4 Allocations : Agree
I agree! That motivation to split the network is totally bogus.
Everyone in 44.0.0.0/9 and 44.128.0.0/10 can be "trusted" to be radio amateurs,
it does not matter if they
are on an isolated network or on a network connected to the internet.
How it is routed (over radio or over internet tunnels, using what routing protocol, and
what policy,
does not matter at all.
Of course on an isolated network you can have bad guys as well, so you will always have
to be
careful what you open up to others.
Rob
On 8/10/21 11:40 PM, Ruben ON3RVH via 44Net wrote:
Dual addressing means complicated policy based
routing.
The remaining 44net that we have today is ham only. Thus if one does not the internet to
reach his/her subnet, all they have to do is add a simple firewall rule allowing 44/8 and
44.128/10 and denying the rest. That is a lot easier than policy based routing or dual
addressing. That would allow fellow hams to reach the subnet, but not the rest of “the big
bad internet”
Ruben - ON3RVH
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net