On 8/11/21 2:59 PM, pete M via 44Net wrote:
> You really don't see the big picture and only look at
> a local solution for your specific need and case.
> What if a large group of hams make it possible to run a very large network of microwave
> links and you can connect to it from your home with a simple little radio from TP-Link at
> 45$ US. Now you would like to connect to other hams, and you would like to have other hams
> connect to the service you provide from that connection.
What if some local
group does not believe in RF and wants to use two tin cans and a string? or a swarm of
pigeons?
Shouldn't we be able to support them? No.
There is always some minimal equipment list. However, with that setup it would still be
possible to do it when the PoP provides routing of a subnet to a connected user (without
BGP) and the two hams can agree to use part of that subnet together (e.g. each uses half
the subnet).
Then with a couple of static routes you can route everything the correct direction.
Of course it is more work than with a capable router, but hey you can proudly announce on
the local repeater you saved $10 (and donated that to the repeater group).
> How do you propose to have your need fulfilled with firewalling?
> How do you propose to have no other traffic than ham stuff that connects to your services?
Firewalling in such cases is best done by network range, when the router can do
it. If not, tough luck.
> Will you manage a login/password system to let only hams
> access some SDR receiver you provide? How many hams will you manage? Do you have the coding
> skill to implement such things over other working software? If not you, the other hams
> that would love to leave free access to all hams? With your solution of firewalling they
> are left in the dirt.
The authentication system would be a service similar to LoTW
certificates or Echolink authentication which are already in place.
There would be some authority that checks applications by amateurs and provides them with
the password or certificate, exactly like what LoTW and Echolink are already doing.
There would be an authentication service (RADIUS server) in the backbone network, e.g.
with redundancy using anycasting, where each service that requires authentication can
validate the connecting user.
Most software already in use has RADIUS authentication options or has plugin capability
to allow using that.
We use it internal to our network, e.g. to provide the user password validation required
when connecting to a WiFi access point, or when setting up a PPPoE tunnel over the radio
network.
(in use to allow roaming users to connect to any access point and still get their fixed
IP)
> I see your next point coming. The hams that feed the links to the internet should
> firewall on their side. OK, and how should they manage other hams that are not connected
> inside their RF network? Make exceptions in the firewall rules? And what if someone on the
> internet spoofs some IP address? Cause it is easy to do so. We have seen this just this
> spring and there could still be some doing it right now, undetected yet. And what about
> the LARGE firewall rules the RF link provider will need to create for each new user that
> wants or doesn't want to be behind the big firewall?
Spoofing is an annoyance but
often not really a security risk. Only with datagram protocols like UDP there is a risk.
With TCP you cannot really setup a connection from a spoofed IP.
Hijacked BGP ranges would be a possibility, but they can be blocked by using address lists
managed by the IP coordinator who allows BGP announcements.
(he can compare the issued BGP permits with the actual info received from BGP)
And remember, these issues are NOT solved at all with an intranet!! Even on an intranet,
any bad guy can connect to it (easy when they have a license, but likely also when they
don't) and start attacking systems. Worse, when trojan/worm software enters the
network at some place, it will happily propagate through the network.
And, the situation will probably be worse when there is a false sense of security among
the participants ("we are on an intranet, we do not need to worry").
Modern firewall technology does not need a new rule for every user. It can have rules that
refer to address lists that contain multiple addresses or subnets that are to be in some
category (e.g. blocked, firewalled, not firewalled, not existing) and a single rule tells
the firewall what to do when addresses in that list are encountered.
This is just standard technology available in Linux (ipset) and RouterOS (/ip firewall
address-list). RouterOS even can populate such lists using DNS names, we use that e.g. to
load lists of "valid addresses on the local subnet" or "trusted network
admins" from a DNS server (with slaves for redundancy) so we do not need to modify
the config of several routers when the contents of such a list changes.
Rob
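As an added example, not part of this thread and not code from any 44Net project: a minimal RADIUS (RFC 2865) PAP exchange between a ham-run service acting as RADIUS client and a central authentication server, showing what "each service validates the connecting user against a backbone RADIUS server" means on the wire. The shared secret, the callsign/password table and the in-process server object are constructed assumptions for this example; a real deployment would run a RADIUS server such as FreeRADIUS and store credentials hashed or as certificates.

```python
# Added example (not from the 44Net thread): RFC 2865 Access-Request / Access-Accept
# with PAP, in pure Python. Secret, users and callsigns are constructed for the example.
import hashlib
import os
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
HEADER = struct.Struct("!BBH")  # code, identifier, length; then a 16-byte authenticator


def encode_attrs(attrs):
    """Attributes are TLVs: type (1 byte), length incl. header (1 byte), value (<= 253)."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_packet(code, ident, authenticator, attr_bytes):
    return HEADER.pack(code, ident, 20 + len(attr_bytes)) + authenticator + attr_bytes


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = HEADER.unpack(pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def hide_password(password, secret, req_auth):
    """RFC 2865 User-Password: XOR each 16-byte block with MD5(secret + previous block)."""
    p = password.encode()
    if not 1 <= len(p) <= 128:
        raise ValueError("password must be 1..128 bytes")
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, req_auth, attr_bytes, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret): binds the reply to one request
    and proves the replying server knows the shared secret."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attr_bytes)) + req_auth + attr_bytes + secret).digest()


class RadiusServer:
    """The central authentication service (constructed callsign -> password table)."""
    def __init__(self, secret, users):
        self.secret, self.users = secret, users

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        if code != ACCESS_REQUEST:
            raise ValueError("expected Access-Request")
        a = dict(attrs)
        user = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
        try:
            given = reveal_password(a.get(ATTR_USER_PASSWORD, b""), self.secret, req_auth)
        except ValueError:
            given = b""
        ok = user in self.users and secrets.compare_digest(given, self.users[user].encode())
        reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
        attr_bytes = encode_attrs([(ATTR_REPLY_MESSAGE, b"welcome" if ok else b"denied")])
        return build_packet(reply, ident, response_authenticator(reply, ident, req_auth, attr_bytes, self.secret), attr_bytes)


class RadiusClient:
    """The ham's service (e.g. an SDR receiver front end) asking the server to validate a login."""
    def __init__(self, secret):
        self.secret, self.ident = secret, 0

    def authenticate(self, server, user, password):
        self.ident = (self.ident + 1) & 0xFF
        req_auth = os.urandom(16)  # fresh Request Authenticator for every request
        attr_bytes = encode_attrs([(ATTR_USER_NAME, user.encode()),
                                   (ATTR_USER_PASSWORD, hide_password(password, self.secret, req_auth))])
        reply = server.handle(build_packet(ACCESS_REQUEST, self.ident, req_auth, attr_bytes))
        code, ident, resp_auth, _ = parse_packet(reply)
        if ident != self.ident:
            raise ValueError("reply does not match our request identifier")
        if not secrets.compare_digest(resp_auth, response_authenticator(code, ident, req_auth, reply[20:], self.secret)):
            raise ValueError("bad Response Authenticator: forged reply or wrong shared secret")
        return code == ACCESS_ACCEPT
```

The client never trusts an Access-Accept on its own: it recomputes the Response Authenticator under its copy of the shared secret, so a reply from a host that does not know the secret (or an injected packet) is rejected. The PAP password hiding is only MD5 keystream, so the request itself must travel over the backbone, not the open Internet, or be wrapped in RadSec (RADIUS over TLS).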
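As an added example, not from this thread and not a 44Net or RouterOS configuration: a small model of the address-list style of firewalling described above (Linux ipset with iptables `-m set`, or RouterOS `/ip firewall address-list`), where the policy is a handful of rules that reference lists, and adding a user only adds a list entry. The list names, the chain name `HAMNET_IN`, the four rules and the RFC 5737 documentation addresses are constructed for this example; the `to_commands` output is the equivalent ipset/iptables command sequence.

```python
# Added example (not from the 44Net thread): an address-list firewall in the style of
# ipset + iptables or RouterOS address-list: ONE rule per category, not one per user.
# List names, chain name, rules and addresses are constructed for this example.
import ipaddress

# Constructed sample lists (RFC 5737 documentation ranges, not real 44Net allocations).
LISTS = {
    "blocked":    ["192.0.2.0/24"],
    "open":       ["198.51.100.128/25"],               # not firewalled
    "firewalled": ["198.51.100.0/25", "203.0.113.7"],  # only replies and ssh get in
}

# One rule per category: (list, extra match, action). Extra match None means
# "any packet whose source is in the list". First matching rule wins.
RULES = [
    ("blocked",    None,                          "DROP"),
    ("open",       None,                          "ACCEPT"),
    ("firewalled", {"state": "ESTABLISHED"},      "ACCEPT"),
    ("firewalled", {"proto": "tcp", "dport": 22}, "ACCEPT"),
]
DEFAULT_ACTION = "DROP"  # sources in no list at all ("not existing") are dropped


class AddressListFirewall:
    def __init__(self, lists, rules, default=DEFAULT_ACTION):
        self.lists = {name: [ipaddress.ip_network(n, strict=False) for n in nets]
                      for name, nets in lists.items()}
        self.rules, self.default = list(rules), default

    def add_to_list(self, name, net):
        """Adding a user touches the list only; the rule set stays the same size."""
        self.lists.setdefault(name, []).append(ipaddress.ip_network(net, strict=False))
        return f"ipset add {name} {net} -exist"

    def in_list(self, name, addr):
        a = ipaddress.ip_address(addr)
        return any(a in net for net in self.lists.get(name, []))

    def decide(self, pkt):
        """pkt: dict with 'src' and optionally 'proto', 'dport', 'state'."""
        for lst, match, action in self.rules:
            if not self.in_list(lst, pkt["src"]):
                continue
            if match and any(pkt.get(k) != v for k, v in match.items()):
                continue
            return action
        return self.default

    def to_commands(self, chain="HAMNET_IN"):
        """Same policy as ipset/iptables commands: lists grow, the rule count does not."""
        cmds = []
        for name, nets in self.lists.items():
            cmds.append(f"ipset create {name} hash:net -exist")
            cmds += [f"ipset add {name} {net} -exist" for net in nets]
        cmds.append(f"iptables -N {chain} 2>/dev/null || iptables -F {chain}")
        for lst, match, action in self.rules:
            cmds.append(f"iptables -A {chain} -m set --match-set {lst} src{self._flags(match)} -j {action}")
        cmds.append(f"iptables -A {chain} -j {self.default}")
        return cmds

    @staticmethod
    def _flags(match):
        flags = ""
        if match and "proto" in match:
            flags += f" -p {match['proto']}"
        if match and "dport" in match:
            flags += f" --dport {match['dport']}"
        if match and "state" in match:
            flags += f" -m conntrack --ctstate {match['state']}"
        return flags


if __name__ == "__main__":
    fw = AddressListFirewall(LISTS, RULES)
    print("\n".join(fw.to_commands()))
    print(fw.add_to_list("firewalled", "203.0.113.8"))  # new user: one ipset add, no new rule
```

Feeding a list from DNS, as the thread describes for RouterOS, is on Linux a matter of resolving the name and passing each answer through `ipset add` (the `add_to_list` line), preferably into a fresh set followed by `ipset swap` so the live set is never empty or half filled during a refresh. Because every rule matches on the source address, the scheme is only as strong as the anti-spoofing filtering at the Internet edge (drop packets arriving on the outside interface with a source inside your own ranges, or enable `rp_filter`).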