On 8/12/21 12:38 PM, Tony Langdon via 44Net wrote:
> There is one aspect that might be a potential issue, and that is where the 44net IP is on amateur links. Open access to the Internet could be problematic, from a legal point of view. I know our authorities are very conservative in this area, and in fact it took a while to get Winlink approved for use here; that was a long-running saga. They're fine with using the Internet as a carrier for amateur traffic (e.g. RoIP networks like IRLP, Echolink, etc), or the IPIP tunnels, but not so keen where non-amateur traffic could enter the amateur frequencies. This implies there will need to be some fairly straightforward firewall options available. I could easily use iptables, but others might need something more user-friendly. I would have 3 classes of IP in my networks:
> 1. Public, BGP routed (direct connection). Basically my existing 44.190 allocation is a prime example of this. These IPs are to provide Internet-facing services.
> 2. Backbone routed IPs on LAN (or local wifi). These are mainly for intranet use, but not being on air, connection to Internet hosts is tolerated. For example, these addresses would be a good place to run an IRLP or Echolink node.
> 3. Radio-based IPs. Here, I would be very selective what to allow by default - other intranet addresses, possibly at least some of the public BGP-routed 44net space. Individual hosts on radio may even have cause to communicate with specific Internet IP addresses (e.g. the end point for some other amateur link), on a case-by-case basis. Or I may allow specific ports/protocols only to the general Internet (e.g. Echolink, IRLP, etc).
In our network we have a firewall at the internet connection that allows all OUTgoing traffic and replies to it, but by default blocks any INcoming connections from internet unless the destination (44.137.x.x) address is on a list of addresses that allows connections from internet. So we can have full internet connectivity without the constant portscanning and other unwanted traffic incoming from internet, and we know that most internet traffic is at least initiated by a radio amateur. We only pass traffic for registered IP addresses, for which a responsible callsign is known in the DNS.
Such a firewall is only feasible when there is a single connection point for the internet gateway of a subnet, or at least a single router where all traffic passes through. That should be considered when deciding between "advertise the entire AMPRnet everywhere" or "advertise local subnets where they are used".
Of course we sometimes get indications that amateur devices are used for inappropriate purposes (like sharing of copyrighted material) but it usually turns out to be "a mistake" and it ends when the user is warned. We keep a "netflow" log of a couple of months to handle disputes.
Rob
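As an added illustration of the policy the two messages describe (this is not code from either poster and not the firewall running on Rob's network), the following Python model combines Tony's three address classes with Rob's edge rules: outgoing connections and their replies pass, new connections from the internet are dropped unless the 44 destination is on an allow-list, traffic for an unregistered local address (no responsible callsign known) is dropped, and radio-class hosts reach only intranet addresses plus explicit per-peer or per-port exceptions. Every prefix, host address, callsign and allow-list entry is constructed for the example; the only real values are Echolink's UDP ports 5198/5199. The connection tracker keys flows on the server-side port only, which is a simplification of real conntrack.

```python
"""Model of the 44Net edge-firewall policy discussed in the thread (constructed example)."""
import ipaddress
from typing import Dict, List, Set, Tuple

IPNet = ipaddress.IPv4Network
Flow = Tuple[str, str, str, int]  # (src, dst, proto, server port)

# AMPRnet as a whole: anything here counts as "amateur", everything else as "internet".
AMATEUR = [IPNet("44.0.0.0/9"), IPNet("44.128.0.0/10")]

# Tony's three classes, mapped onto hypothetical /24s (constructed, not a real allocation).
CLASSES: Dict[str, List[IPNet]] = {
    "public":   [IPNet("44.190.10.0/24")],  # BGP-routed, internet-facing services
    "backbone": [IPNet("44.190.20.0/24")],  # LAN / local wifi: intranet, internet tolerated
    "radio":    [IPNet("44.190.30.0/24")],  # on-air: default-deny towards the internet
}

# Rob's list: local 44 addresses that may receive NEW connections from the internet.
INBOUND_ALLOW: Set[str] = {"44.190.10.5"}

# Radio-class exceptions: specific (radio host, internet peer) pairs, and ports open to all.
RADIO_PEER_EXCEPTIONS: Set[Tuple[str, str]] = {("44.190.30.7", "203.0.113.9")}
RADIO_PORT_EXCEPTIONS: Set[Tuple[str, int]] = {("udp", 5198), ("udp", 5199)}  # Echolink UDP

# Local addresses with a responsible callsign (stands in for the DNS lookup Rob mentions).
REGISTERED: Dict[str, str] = {
    "44.190.10.5": "N0CALL-1", "44.190.20.2": "N0CALL-2",
    "44.190.30.7": "N0CALL-3", "44.190.30.8": "N0CALL-4",
}


def in_any(addr: str, nets: List[IPNet]) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def is_amateur(addr: str) -> bool:
    return in_any(addr, AMATEUR)


def classify(addr: str):
    """Return 'public', 'backbone', 'radio' for our own hosts, else None."""
    for name, nets in CLASSES.items():
        if in_any(addr, nets):
            return name
    return None


class EdgeFirewall:
    def __init__(self) -> None:
        self.conntrack: Set[Flow] = set()          # flows we have accepted
        self.flow_log: List[Tuple[Flow, str]] = []  # the "netflow" record kept for disputes

    def decide(self, flow: Flow) -> str:
        src, dst, proto, port = flow
        # 1. Replies to a flow already accepted in the other direction always pass.
        if (dst, src, proto, port) in self.conntrack:
            verdict = "ACCEPT"
        # 2. Traffic that does not involve AMPRnet at all is not ours to carry.
        elif not (is_amateur(src) or is_amateur(dst)):
            verdict = "DROP"
        # 3. Our own addresses must have a responsible callsign on record.
        elif any(classify(a) and a not in REGISTERED for a in (src, dst)):
            verdict = "DROP"
        # 4. New connection from the internet: only to allow-listed 44 destinations.
        elif not is_amateur(src):
            verdict = "ACCEPT" if dst in INBOUND_ALLOW else "DROP"
        # 5. Outgoing from our hosts, by class.
        else:
            cls = classify(src)
            if is_amateur(dst) or cls in ("public", "backbone"):
                verdict = "ACCEPT"  # intranet always; these classes may use the internet
            elif cls == "radio" and ((src, dst) in RADIO_PEER_EXCEPTIONS
                                      or (proto, port) in RADIO_PORT_EXCEPTIONS):
                verdict = "ACCEPT"  # explicit radio-class exception
            else:
                verdict = "DROP"    # radio to the general internet, or transit we don't do
        if verdict == "ACCEPT":
            self.conntrack.add(flow)
        self.flow_log.append((flow, verdict))
        return verdict


if __name__ == "__main__":
    fw = EdgeFirewall()
    for f in [("44.190.20.2", "198.51.100.1", "tcp", 443),   # backbone host browsing out
              ("198.51.100.1", "44.190.20.2", "tcp", 443),   # the reply
              ("198.51.100.1", "44.190.20.2", "tcp", 22),    # unsolicited inbound
              ("44.190.30.8", "198.51.100.1", "tcp", 443)]:  # radio host to the internet
        print(f, fw.decide(f))
```

The model shows why Rob notes that this only works with a single choke point: the reply rule in step 1 depends on the firewall having seen the original outgoing connection, which it cannot guarantee if a subnet has several paths to the internet.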