I hate to be the bearer of bad news, but that is it not true.
We have seen group of people getting some BGP announce of parts of the 44net with out
being autorized to do so and they did this by having access to a bgp server and making the
route seem legaly done. And those hacker could have had access to the whole 44 net ham
space with your solution. Ok, the people that want that the whole internet can reach them
are not bothered at all by that situation, after all they already are dealing with such
rogue situation. But the one that DONT want anything but ham traffic either be by choice
or by laws are really bothered by such situation.So, no that easy solution is just a small
bandage over la large bleading wound and it can lead to some ham to loose their licence if
the data sent by the rogue reach the airwaves.
Pierre
VE2PF
________________________________________
De : 44Net <44net-bounces+petem001=hotmail.com(a)mailman.ampr.org> de la part de Ruben
ON3RVH via 44Net <44net(a)mailman.ampr.org>
Envoyé : 10 août 2021 17:40
À : 44Net general discussion
Cc : Ruben ON3RVH
Objet : Re: [44net] A new era of IPv4 Allocations : Agree
Dual addressing means complicated policy based routing.
The remaining 44net that we have today is ham only. Thus if one does not the internet to
reach his/her subnet, all they have to do is add a simple firewall rule allowing 44/8 and
44.128/10 and denying the rest. That is a lot easier than policy based routing or dual
addressing. That would allow fellow hams to reach the subnet, but not the rest of “the big
bad internet”
Ruben - ON3RVH
On 10 Aug 2021, at 23:30, Toussaint OTTAVI via 44Net
<44net(a)mailman.ampr.org> wrote:
Le 10/08/2021 à 20:26, R P via 44Net a écrit :
Why should we separate networks ?
Every simple firewall can block traffic with simple rule
The purpose is not only to allow/block traffic. The TAC proposal describes two different
user cases (called "Internet" and "Intranet") that suit different
needs all over the world. Some of us are already using some similar schemes, but with
different implementations all over the world. This makes routing a headache, and there are
many situations where sysops don't know how to route traffic correctly. F/ex, in
France, most of D-Star or DMR stuff which have 44et addressing are in fact using dual
addressing, and have also a classic Internet IP, so that they can be reached from
Internet.
The separation into two subnets proposed by the TAC solves that, by defining clear
routing policy for each subnet :
- The "Internet" subnet is routed on public Internet via eBGP, and packets are
carried via Internet
- The "Intranet" subnet is not announced on Internet, but is only routed
internally (as European HamNet does with iBGP)
In your situation :
- If you want to be reachable from public Internet, you can choose the
"Internet" subnet, and set up your firewall rules according to your needs
- If you want to be on a completely closed network not reachable from public Internet
(such as Hamnet), then you can choose the "Intranet" subnet.
Here, we decided to use the best of both modes. We're using dual addressing, and each
site can have both Internet and Intranet addresses. Any device just needs to be connected
to the right Ethernet interface, and it automatically gets the right IP, and the right
routing / firewalling policy.
The TAC proposal is a normalization of what some of us are already doing, with 44.190
"Internet / no country", or with BGP announcement of 44.x subnet. It offers
clear segmentation about the two modes, and should help setting up routing policies by
just having two big subnets.
Le 10/08/2021 à 20:26, R P via 44Net a écrit :
I (and all my country) sit on 44.138 which according to the proposal would be not
connected to the Internet
With the current proposal, and if you need your full IP range to be reachable directly
from public Internet, then yes, I think you'll have to renumber to something in in
44.0. Anyway, I would answer to your question by another question : Even with a good
firewalling, do you really need and/or want all your IP range, all your endpoints, all
your users to be exposed to public Internet ?
As said before, we choose to use both addressing, and we decide individually for every
application or device device. F/ex :
- D-Star, DMR, XLX -> Internet subnet
- Remote control of HF radio-club station -> Intranet subnet
Then, another option for you would be :
- Keep your current network in 44.138, but consider it as "Intranet",
"HamNet clone", and stop announcing it via BGP
- Get another subnet in 44.0 for "Internet" and announce it via BGP
- Choose individually what devices need to be reachable from public Internet (they should
not be the majority), and just migrate/renumber those to 44.0
Or better suggestion :
Do dual addressing everywhere like we do :-) If things work well, we (the TAC and all the
sysops here) should be able to define clear routing policies, build a backbone, define a
common POP policy, and define standard configuration for "Access" routers or
endpoints to be implemented on a wide range of low-cost platforms :-) Of course, this
would involve some work for everybody. But if we want to make 44net access easier and gain
users, it seems obvious we'll have to migrate the current mess (there are not two user
groups that do exactly the same thing) to something a little bit more normalized and
harmonized ofer the world. Then, we all will have to change some things, HI :-)
73 de TK1BI
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org