On 8/12/21 12:38 PM, Tony Langdon via 44Net wrote:
There is one aspect that might be a potential issue, and that is where
the 44net IP is on amateur links. Open access to the Internet could be
problematic, from a legal point of view. I know our authorities are
very conservative in this area, and in fact, it took a while to get
Winlink approved for use here; that was a long-running saga. They're
fine with using the Internet as a carrier for amateur traffic (e.g. RoIP
networks like IRLP, Echolink, etc), or the IPIP tunnels, but not so keen
where non-amateur traffic could enter the amateur frequencies. This
implies there will need to be some fairly straightforward firewall
options available. I could easily use iptables, but others might need
something more user-friendly. I would have 3 classes of IP in my networks:
1. Public, BGP routed (direct connection). Basically my existing
44.190 allocation is a prime example of this. These IPs are to provide
Internet facing services.
2. Backbone routed IPs on LAN (or local wifi). These are mainly for
intranet use, but since they are not on air, connection to Internet hosts is
tolerated. For example, these addresses would be a good place to run an
IRLP or Echolink node.
3. Radio based IPs. Here, I would be very selective what to allow by
default - other intranet addresses, possibly at least some of the public
BGP routed 44net space. Individual hosts on radio may even have cause
to communicate with specific Internet IP addresses (e.g. the endpoint
for some other amateur link), on a case-by-case basis. Or I may allow
specific ports/protocols only to the general Internet (e.g. Echolink,
IRLP, etc).
In our network we have a firewall at the internet connection that
allows all OUTgoing traffic and replies to it, but by default blocks
any INcoming connections from the internet unless the destination
(44.137.x.x) address is on a list of addresses that allows connections
from the internet.
So we can have full internet connectivity without the constant
portscanning and other unwanted traffic incoming from the internet,
and we know that most internet traffic is at least initiated by a
radio amateur. We only pass traffic for registered IP addresses,
for which a responsible callsign is known in the DNS.
Such a firewall is only feasible when there is a single connection
point for the internet gateway of a subnet, or at least a single router
where all traffic passes through. That should be considered when
deciding between "advertise the entire AMPRnet everywhere" or
"advertise local subnets where they are used".
Of course we sometimes get indications that amateur devices are
used for inappropriate purposes (like sharing of copyrighted material)
but it usually turns out to be "a mistake" and it ends when the
user is warned. We keep a "netflow" log of a couple of months
to handle disputes.
Rob
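Both policies above can be expressed in a single iptables ruleset on the gateway Rob describes: replies and outbound traffic pass, inbound NEW connections reach only allow-listed registered hosts, and Tony's class 3 radio hosts reach the intranet plus an explicit list of internet endpoints. This is an added example, not Rob's or Tony's own configuration; the interface names, the allow-list and the radio exceptions are constructed placeholders, and only the 44.137.0.0/16 subnet is taken from the message.

```shell
#!/bin/sh
# Rule generator for a single-gateway 44net site (constructed example).
# With the default IPT the rules are only printed for review; run with
# IPT=iptables on the gateway to actually apply them.
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"                # internet-facing interface (assumed name)
RADIO="${RADIO:-ax0}"             # radio-facing interface (assumed name)
NET44="${NET44:-44.137.0.0/16}"   # the site's 44net subnet, per Rob's post
# Registered hosts allowed to accept NEW connections from the internet (constructed)
INBOUND_ALLOW="${INBOUND_ALLOW:-44.137.0.10 44.137.0.11}"
# Internet endpoints radio hosts may reach, as dst:proto:port (constructed TEST-NET values)
RADIO_EXCEPTIONS="${RADIO_EXCEPTIONS:-192.0.2.10:udp:5198 192.0.2.10:udp:5199}"

gen_rules() {
    # Default deny for everything we forward, then rebuild the chain from scratch
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to connections already opened from inside always pass
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Class 3 (radio): intranet destinations are fine, the internet only via listed exceptions
    $IPT -A FORWARD -i "$RADIO" -d "$NET44" -j ACCEPT
    for e in $RADIO_EXCEPTIONS; do
        dst=${e%%:*}; rest=${e#*:}; proto=${rest%%:*}; port=${rest#*:}
        $IPT -A FORWARD -i "$RADIO" -d "$dst" -p "$proto" --dport "$port" -j ACCEPT
    done
    $IPT -A FORWARD -i "$RADIO" -j DROP
    # Everything else from the site towards the internet is allowed (Rob's "all OUTgoing")
    $IPT -A FORWARD -s "$NET44" -o "$WAN" -j ACCEPT
    # NEW connections from the internet reach only the allow-listed registered hosts
    for host in $INBOUND_ALLOW; do
        $IPT -A FORWARD -i "$WAN" -d "$host" -m conntrack --ctstate NEW -j ACCEPT
    done
    # The remaining inbound scan noise is logged (rate limited) and dropped
    $IPT -A FORWARD -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "44net-drop: "
    $IPT -A FORWARD -i "$WAN" -j DROP
}

gen_rules
```

Rule order matters: the radio-interface rules sit before the general outbound ACCEPT, otherwise radio hosts (which are also inside NET44) would get unrestricted internet access.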