On 16/02/2021 at 10:45, Rob PE1CHL via 44Net wrote:
Well, I don't think network-level security is usable for that. Right now, half the users do not even have their reverse DNS working, so you cannot tell where the incoming connections are coming from.
I was not talking about mapping every ham callsign to an IP address, which seems pretty undoable to me, as we are mostly using subnets and not individual addresses...
As we already discussed, a certificate is probably the best thing to use at the application level (Echolink), where the user must be identified by their callsign. For that, a Certification Authority managed by ARDC is probably a good idea :-)
Anyway, there are situations, at lower layers, where it may be useful to be able to grant/deny access based on source address, where we need to ensure the user is a ham, but without necessarily knowing their exact callsign.
One of the things on my ToDo list is a "Content Manager" on our public web server, that would display a catalog of all the resources available on the internal network:
- Users coming from the Internet would see only the "public" things (WEB, APRS, XLX, meteo...)
- Users coming from 44Net would be able to access other services such as Nagios monitoring, Netbox IPAM, NAS file server, dashboards of repeaters, ...
But we can be even more granular. We could offer direct access to some specific resources, such as a radio-club remote rig, only to the active (paid) members, the repeater dashboard in read/write for local users and in read-only for other 44Net users, SSH management restricted to local IP ranges, etc...
Voice repeater systems such as XLX, D-Star, DMR, Asterisk could also use basic source filtering on 44Net, which would avoid full exposure to "the wild Internet", which is a huge security concern, because not all systems currently connected to the Internet have full upgrade and patch management, etc...
All of that without having to implement full certificate management, just with a few basic firewall rules at the gateway.
73 de TK1BI
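The tiered source-address policy sketched in the message above (public services for everyone, more services for 44Net sources, management only for local ranges), written out as an added example; it is not code from the post, from TK1BI, or from any ARDC/44Net tooling. The two AMPRNet aggregates 44.0.0.0/9 and 44.128.0.0/10 are the real 44Net ranges; everything else is an assumption: the local allocation 44.168.20.0/24, the service ports, and that 44Net traffic reaches the gateway on a tunnel interface `ampr0` while everything else arrives on `wan`. It classifies a source address into a tier, answers "is this source allowed to reach this port", and renders the same policy as an nftables forward chain for the gateway.

```python
"""Source-address access tiers for a 44Net gateway, rendered as nftables rules.

Added example, not code from the post or from ARDC. Apart from the two
AMPRNet aggregates, all addresses and ports below are constructed assumptions.
"""
import ipaddress
from typing import Iterable

# Real 44Net (AMPRNet) aggregates. 44.192.0.0/10 is no longer amateur-radio
# space and must not be trusted as a "ham" source.
AMPRNET = [ipaddress.ip_network("44.0.0.0/9"), ipaddress.ip_network("44.128.0.0/10")]
# Hypothetical local allocation of this club's gateway (assumption).
LOCAL = [ipaddress.ip_network("44.168.20.0/24")]

# Tiers ordered from least to most trusted; LOCAL is a subset of AMPRNET.
TIERS = ("internet", "44net", "local")

# Hypothetical service catalogue: (TCP port, name, least trusted tier allowed).
SERVICES = [
    (80, "web", "internet"),
    (443, "web-tls", "internet"),
    (14580, "aprs-is", "internet"),
    (8080, "nagios", "44net"),
    (8000, "netbox", "44net"),
    (445, "nas-smb", "44net"),
    (22, "ssh", "local"),
]


def classify(src: str) -> str:
    """Return the trust tier of a source address (most specific range wins)."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in LOCAL):
        return "local"
    if any(ip in net for net in AMPRNET):
        return "44net"
    return "internet"


def allowed(src: str, dport: int) -> bool:
    """Decide whether `src` may reach TCP port `dport`; unknown ports are denied."""
    rank = TIERS.index(classify(src))
    for port, _name, minimum in SERVICES:
        if port == dport:
            return rank >= TIERS.index(minimum)
    return False


def ports_for(tier: str) -> list[int]:
    """Ports whose minimum tier is exactly `tier`."""
    return sorted(port for port, _name, minimum in SERVICES if minimum == tier)


def render_nft(wan: str = "wan", ampr: str = "ampr0") -> str:
    """Render the policy as an nftables forward chain (default drop).

    Assumes 44Net traffic enters on `ampr` and all other traffic on `wan`
    (assumption; a site that announces its prefix over BGP would differ).
    """
    def elems(nets: Iterable[ipaddress.IPv4Network]) -> str:
        return ", ".join(str(net) for net in nets)

    def portset(ports: list[int]) -> str:
        return "{ " + ", ".join(str(p) for p in ports) + " }"

    lines = [
        "table inet ham_gw {",
        f"  set amprnet {{ type ipv4_addr; flags interval; elements = {{ {elems(AMPRNET)} }} }}",
        f"  set local {{ type ipv4_addr; flags interval; elements = {{ {elems(LOCAL)} }} }}",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    # a 44Net source arriving on the Internet side is spoofed (tunnel on {ampr})",
        f'    iifname "{wan}" ip saddr @amprnet drop',
        f"    tcp dport {portset(ports_for('internet'))} accept",
        f"    ip saddr @amprnet tcp dport {portset(ports_for('44net'))} accept",
        f"    ip saddr @local tcp dport {portset(ports_for('local'))} accept",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_nft())
```

Two caveats a practitioner would add to the message's plan. First, source filtering is only as strong as the anti-spoofing in front of it: the `iifname "wan" ip saddr @amprnet drop` line exists because a packet with a 44/8 source arriving from the plain Internet side can only be forged under the tunnel assumption, and the rule has to be adapted if the site is reached through BGP instead. Second, the "read/write for local users, read-only for other 44Net users" split cannot be expressed with these rules alone, since a layer-3/4 filter sees ports, not HTTP methods; that distinction stays with the dashboard application or a reverse proxy in front of it.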