You really dont see the big picture and only look at local solution for your specific need
and case.
What if a large group of ham make it possible to run a very large network of microwave
links and you can connect to it from your home with a simple little radio from tp-link at
45$ US. Now you would like to connect to other ham. and you would like to have other ham
to connect to your service you provide from that connection.
How to you propose to have your need fufill with firewalling?
How do you propose to have no other traffic than ham stuff that connect to your services?
Will you manage login/password system to let only ham access some SDR receiver you
provide? How many ham will you manage? do you have the coding skill to implement such
things over other working software ? If not you, the other ham that would love to leave
free accress to all ham? With your solution of firewalling they are left in the dirt.
I see your next point comming. The ham that feed the links to the internet should firewall
on their side. Ok , and how should they manage other hams that are not connected inside
their RF network? make eception in the firewall rules? And what if someone on the internet
spoof some IP adress? Cause it is easy to do so. We have seen this just the spring and
there could still be some doing it right now undetected yet. And what about the LARGE
firewall rules the rf link provider will need to create as each new user that want or dont
want to be behind the big firewall?
Pierre
VE2PF
________________________________________
De : 44Net <44net-bounces+petem001=hotmail.com(a)mailman.ampr.org> de la part de Rob
PE1CHL via 44Net <44net(a)mailman.ampr.org>
Envoyé : 11 août 2021 04:28
À : 44net(a)mailman.ampr.org
Cc : Rob PE1CHL
Objet : Re: [44net] A new era of IPv4 Allocations : Agree
You already proved yourself wrong in the answer to Ruben.
It does not matter how you layout your network, there is always the risk of bad people no
matter
how you do it. So everyone has to put a firewall close to their precious computers that
allows
outsiders to access only what they want them to access. You can partly use the source
address
for some of that validation, but that should only be used for noncritical access rules
like "are
they allowed to use my NTP and DNS server" and not critical rules like "are they
allowed to
operate my transmitter, or enter information in my system". For that, a separate
authentication
method is always required. It has been discussed before, it would be nice to have a
global
authorization system where you can validate that a user you have not registered locally is
a
valid radio amateur license holder, e.g. user VE2PF can be validated using some method
like
username/password, user certificate, etc. So people who forced their entry into the
network
still do not have that.
But there is no way that some split in the network address range is going to provide
anywhere
near that, it will just be snakeoil security and it requires only one unguarded network
entry
to allow bad people to access that entire network, even when it is an
"intranet".
Rob
On 8/11/21 12:50 AM, pete M via 44Net wrote:
Well as I said to Ruben this is wrong.
You may think you will fix the problem with such simple fix.
The networking world is not as "clean" as you think. Once someone advertise a
subnet in the 44.0/09 or 44.128/10 they would have access to your network. The thing is
that it is already happening and AMPR/ARDC are already monitoring such event but it take
times to find those rogue people, then AMPR need to contact the owner of the network that
provide the bgp route top the rogue guys. Those could be legit guys but are with the rogue
group and they could delay for days if not weeks the action needed to secure back YOUR
network. Do you want to leave the front door of your house to the public if you were made
promises that no one but the legit owner of the neighbourhood would have access to the
road in front of your house? Not the same security risk I think.
Pierre
VE2PF
________________________________________
De : 44Net <44net-bounces+petem001=hotmail.com(a)mailman.ampr.org> de la part de Rob
PE1CHL via 44Net <44net(a)mailman.ampr.org>
Envoyé : 10 août 2021 17:57
À : 44net(a)mailman.ampr.org
Cc : Rob PE1CHL
Objet : Re: [44net] A new era of IPv4 Allocations : Agree
I agree! That motivation to split the network is totally bogus.
Everyone in 44.0.0.0/9 and 44.128.0.0/10 can be "trusted" to be radio amateurs,
it does not matter if they
are on an isolated network or on a network connected to the internet.
How it is routed (over radio or over internet tunnels, using what routing protocol, and
what policy,
does not matter at all.
Of course on an isolated network you can have bad guys as well, so you will always have
to be
careful what you open up to others.
Rob
On 8/10/21 11:40 PM, Ruben ON3RVH via 44Net wrote:
Dual addressing means complicated policy based
routing.
The remaining 44net that we have today is ham only. Thus if one does not the internet to
reach his/her subnet, all they have to do is add a simple firewall rule allowing 44/8 and
44.128/10 and denying the rest. That is a lot easier than policy based routing or dual
addressing. That would allow fellow hams to reach the subnet, but not the rest of “the big
bad internet”
Ruben - ON3RVH
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net