On 8/11/21 2:59 PM, pete M via 44Net wrote:
> You really don't see the big picture and only look at a local solution for your specific need and case.
> What if a large group of hams makes it possible to run a very large network of microwave links and you can connect to it from your home with a simple little radio from TP-Link at $45 US. Now you would like to connect to other hams, and you would like to have other hams connect to the service you provide from that connection.
What if some local group does not believe in RF and wants to use two tin cans and a string? Or a swarm of pigeons? Shouldn't we be able to support them? No.
There is always some minimal equipment list. However, with that setup it would still be possible when the PoP provides routing of a subnet to a connected user (without BGP) and the two hams agree to use part of that subnet together (e.g. each uses half the subnet). Then with a couple of static routes you can route everything in the correct direction. Of course it is more work than with a capable router, but hey, you can proudly announce on the local repeater that you saved $10 (and donated that to the repeater group).
> How do you propose to have your need fulfilled with firewalling? How do you propose to have no other traffic than ham stuff connect to your services?
Firewalling in such cases is best done by network range, when the router can do it. If not, tough luck.
> Will you manage a login/password system to let only hams access some SDR receiver you provide? How many hams will you manage? Do you have the coding skill to implement such things on top of other working software? If not you, then the other hams that would love to leave free access to all hams? With your solution of firewalling they are left in the dirt.
The authentication system would be a service similar to LoTW certificates or Echolink authentication, which are already in place. There would be some authority that checks applications by amateurs and provides them with the password or certificate, exactly like what LoTW and Echolink are already doing. There would be an authentication service (RADIUS server) in the backbone network, e.g. with redundancy using anycasting, where each service that requires authentication can validate the connecting user. Most software already in use has RADIUS authentication options or has plugin capability to allow using that. We use it internally in our network, e.g. to provide the user password validation required when connecting to a WiFi access point, or when setting up a PPPoE tunnel over the radio network (in use to allow roaming users to connect to any access point and still get their fixed IP).
> I see your next point coming. The hams that feed the links to the internet should firewall on their side. OK, and how should they manage other hams that are not connected inside their RF network? Make exceptions in the firewall rules? And what if someone on the internet spoofs some IP address? Because it is easy to do so. We have seen this just this spring and there could still be some doing it right now, undetected yet. And what about the LARGE firewall rules the RF link provider will need to create for each new user that wants or doesn't want to be behind the big firewall?
Spoofing is an annoyance but often not really a security risk. Only with datagram protocols like UDP is there a risk. With TCP you cannot really set up a connection from a spoofed IP. Hijacked BGP ranges would be a possibility, but they can be blocked by using address lists managed by the IP coordinator who allows BGP announcements. (He can compare the issued BGP permits with the actual info received from BGP.)
And remember, these issues are NOT solved at all with an intranet!! Even on an intranet, any bad guy can connect to it (easy when they have a license, but likely also when they don't) and start attacking systems. Worse, when trojan/worm software enters the network at some place, it will happily propagate through the network. And the situation will probably be worst when there is a false sense of security among the participants ("we are on an intranet, we do not need to worry").
Modern firewall technology does not need a new rule for every user. It can have rules that refer to address lists that contain multiple addresses or subnets that are to be in some category (e.g. blocked, firewalled, not firewalled, not existing), and a single rule tells the firewall what to do when addresses in that list are encountered. This is just standard technology available in Linux (ipset) and RouterOS (/ip firewall address-list). RouterOS can even populate such lists using DNS names; we use that e.g. to load lists of "valid addresses on the local subnet" or "trusted network admins" from a DNS server (with slaves for redundancy), so we do not need to modify the config of several routers when the contents of such a list change.
Rob
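As an added illustration of the subnet splitting Rob describes (a PoP routing one subnet to a connected user without BGP, two hams sharing that subnet, and a couple of static routes doing the rest), here is a RouterOS v6 configuration written for this page. It is not configuration from the original message or from any real network; every prefix, address and interface name is made up for the example.

```routeros
# Added example, not from the original message. Made-up addressing:
#   44.10.0.0/30     PoP <-> router A link (PoP .1, A .2)
#   44.10.20.0/24    the subnet the PoP routes to A without BGP
#   44.10.20.0/26    A's own LAN (part of A's half)
#   44.10.20.124/30  A <-> B link (A .125, B .126), carved from A's half
#   44.10.20.128/25  B's half of the subnet

# --- PoP router: a single static route sends the whole /24 to A ---
/ip route
add dst-address=44.10.20.0/24 gateway=44.10.0.2 comment="user subnet routed to A (no BGP)"

# --- Router A (the ham connected to the PoP) ---
/ip address
add address=44.10.0.2/30 interface=to-pop
add address=44.10.20.1/26 interface=lan
add address=44.10.20.125/30 interface=to-b
/ip route
add dst-address=0.0.0.0/0 gateway=44.10.0.1 comment="everything else goes to the PoP"
add dst-address=44.10.20.128/25 gateway=44.10.20.126 comment="B's half of the subnet"
# Parts of the /24 that nobody uses (here 44.10.20.64-123) must not fall
# through to the default route, or they bounce between A and the PoP
# until TTL runs out. A less specific blackhole catches them; the
# connected /26, /30 and the /25 to B still win by longest prefix.
add dst-address=44.10.20.0/24 type=blackhole comment="unused parts of the subnet"

# --- Router B (the second ham, sharing the subnet) ---
/ip address
add address=44.10.20.126/30 interface=to-a
add address=44.10.20.129/25 interface=lan
/ip route
add dst-address=0.0.0.0/0 gateway=44.10.20.125 comment="everything via A"
```

The PoP only ever sees one route for the /24; how A and B divide it is their business, and B can be replaced or re-addressed without touching the PoP.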
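As an added illustration of the address-list approach in the last paragraph (one rule per category rather than one rule per user, with some lists filled from DNS names), here is a RouterOS configuration written for this page. It is not configuration from the original message or from the network Rob describes; the list names, the DNS names and the 44.10.0.0/16 prefix are made up, and the exact set of categories is an assumption.

```routeros
# Added example, not from the original message. Names and prefixes are made up.
/ip firewall address-list
# Static entry: the ranges this router treats as the local network.
add list=net-local address=44.10.0.0/16 comment="local network (example prefix)"
# Entries given as a DNS name: RouterOS resolves the name and keeps one
# dynamic entry per A record, so the list is maintained on the DNS server
# (with slaves for redundancy), not in the config of every router.
add list=net-admins address=admins.ampr.example comment="trusted network admins, from DNS"
add list=net-blocked address=blocked.ampr.example comment="blocked ranges, from DNS"
add list=net-open address=open.ampr.example comment="hosts that opt out of the firewall, from DNS"

/ip firewall filter
# One rule per category. Adding or removing a user means changing a DNS
# record, not adding a rule. Order matters: the first matching rule wins.
add chain=forward src-address-list=net-blocked action=drop comment="blocked category"
add chain=forward connection-state=established,related action=accept comment="replies to connections already allowed"
add chain=forward src-address-list=net-admins action=accept comment="admins are not firewalled"
add chain=forward dst-address-list=net-open action=accept comment="opted out of the firewall"
add chain=forward src-address-list=net-local dst-address-list=net-local action=accept comment="traffic within the local network"
add chain=forward dst-address-list=net-local connection-state=new action=drop comment="new inbound connections to everyone else are firewalled"
```

`/ip firewall address-list print` shows the entries created from DNS names as dynamic (flag D) next to the static ones, which is a quick way to confirm that a router actually picked up a change made on the DNS server. The same structure maps directly onto Linux: an `ipset` per category and one `iptables` rule per set using `-m set --match-set`.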