What happens on the 44net network is decided by the 44 network. If people want to use the Internet as specified in the protocol, they have all the other networks accessible. But if we want to discriminate what the other networks have access to, or what other privileges they have than the "local" 44 net traffic has, that is our decision.
________________________________
From: 44Net 44net-bounces+petem001=hotmail.com@mailman.ampr.org on behalf of Cliff Sojourner via 44Net 44net@mailman.ampr.org
Sent: Tuesday, February 16, 2021 8:02:23 AM
To: 44Net general discussion 44net@mailman.ampr.org
Cc: Cliff Sojourner cls@employees.org
Subject: Re: [44net] ASN # and Network Service Provider (NSP)
User authentication and user authorization belong in the application layer; there is no place for those in any network layer.
Please refer to the Internet model, layers 1 through 4.
Cliff K6CLS CM87
On February 16, 2021 2:29:33 AM PST, Toussaint OTTAVI via 44Net 44net@mailman.ampr.org wrote:
On 16/02/2021 at 10:45, Rob PE1CHL via 44Net wrote:
Well, I don't think network level security is usable for that. Right now, half the users do not even get their reverse DNS working, so you cannot tell who the incoming connections are coming from.
I was not talking about mapping every ham callsign to an IP address, which seems pretty un-doable to me, as we are mostly using subnets and not individual addresses...
As we already discussed, a certificate is probably the best way to go at the application level (Echolink), where the user must be identified by their callsign. For that, a Certification Authority managed by ARDC is probably a good idea :-)
Anyway, there are situations, at lower layers, where it may be useful to be able to grant/deny access based on source address, where we need to ensure the user is a ham, but without necessarily knowing their exact callsign.
One of the things on my ToDo list is a "Content Manager" on our public web server, which would display a catalog of all the resources available on the internal network:
- Users coming from the Internet would see only the "public" things (WEB, APRS, XLX, meteo...)
- Users coming from 44Net would be able to access other services such as Nagios monitoring, Netbox IPAM, NAS file server, dashboards of repeaters, ...
But we can be even more granular. We could offer direct access to some specific resource such as a radio-club remote rig only for the active (paid) members, repeater dashboards in read/write for local users and in read-only for other 44net users, SSH management restricted to local IP ranges, etc...
Voice repeater systems such as XLX, D-Star, DMR, Asterisk could also use basic source filtering on 44Net, which would avoid full exposure to "the wild Internet". That is a huge security concern, because not all systems currently connected to the Internet have full upgrade and patch management, etc...
All that without having to implement a full certificate management, just with a few basic firewall rules at the gateway.
73 de TK1BI
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
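The tiered source-address policy TK1BI sketches (public services for everyone, internal dashboards only from 44Net, SSH only from the local range) as an added nftables gateway ruleset; this is not code from the thread or from ARDC. Interface names, the local allocation and the dashboard ports are assumptions, and it assumes all 44Net traffic arrives on the AMPRNet-side interface so that a 44 source on the Internet side can be treated as spoofed.

```nftables
#!/usr/sbin/nft -f
# Added example: tiered source filtering on a 44Net gateway (not from the thread).
define WAN_IF  = "eth0"       # assumption: Internet-facing interface
define AMPR_IF = "tunl0"      # assumption: AMPRNet side (IPIP tunnel or BGP peer)
define LAN_IF  = "eth1"       # assumption: local network behind the gateway
define LOCAL44 = 44.0.0.0/24  # PLACEHOLDER: replace with your own 44Net allocation
define PUBLIC_PORTS = { 80, 443 }     # web and the other "public" services
define NET44_PORTS  = { 5000, 8000 }  # assumed ports of Nagios/Netbox-style dashboards

flush ruleset

table inet ampr_gw {
    # Whole AMPRNet: 44.0.0.0/9 and 44.128.0.0/10 (interval set matches prefixes).
    set net44 {
        type ipv4_addr; flags interval
        elements = { 44.0.0.0/9, 44.128.0.0/10 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Anti-spoofing: every tier below trusts the source address, so a 44
        # source showing up on the Internet side must never be accepted.
        iifname $WAN_IF ip saddr @net44 drop

        # Tier 1: public services, reachable from anywhere.
        ip daddr $LOCAL44 tcp dport $PUBLIC_PORTS accept

        # Tier 2: internal dashboards, only from sources inside 44Net.
        iifname $AMPR_IF ip saddr @net44 ip daddr $LOCAL44 tcp dport $NET44_PORTS accept

        # Anything not listed (rig control, NAS, ...) stays closed until a rule
        # is added. A read-only vs read/write split on the same port cannot be
        # expressed here; that part belongs to the application.
        counter log prefix "44gw-fwd-drop: " drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Tier 3: SSH management of the gateway only from the local allocation.
        iifname $LAN_IF ip saddr $LOCAL44 tcp dport 22 accept
        counter log prefix "44gw-in-drop: " drop
    }
}
```

Load it with `nft -f` and watch the two log prefixes for a while before trusting the policy; a burst of dropped 44 sources on the WAN side is exactly the spoofing case the first rule exists for.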