23 Apr
2014
23 Apr
'14
6:42 p.m.
Hello fellow radio/network geeks!
While trying as much as I can to not come off as condescending, I would
like to try and provide a little perspective so that we can hopefully clear
up some confusion and speak in mutually agreeable terms.
There seems to be many misconceptions by several people on this list who
may be seeing 44net as a single service or network where everyone needs to
be able to speak to each other and where all traffic sourced from it can be
trusted. Oh, and RADIO :)
The global internet isn't even one large network in that sense. It's
actually just a concept that allows many different individual autonomous
networks to coordinate and cooperate with each other while allowing them to
share traffic among their users. Those in control of things like
allocating IP space and DNS are only in that position because the majority
of networks recognize their authority.
Just like similar authorities on the internet, ARDC is just a registry that
provides chunks of the globally unique IP space to individual networks
which allows them to interoperate with each other or any other global
network without conflict (but does not mean that they *must* work with
other networks). In this case, they only agree to provide these services
to networks that support amateur radio in one form or another. It just so
happens that they also provide a service that coordinates IPIP tunnels so
these networks can send encapsulated traffic to each other without needing
to make their own peering arrangements with other networks on the internet
at large. Since most people are only used to the idea of the internet
being a "service" provided to them, it's easy to see why this can be
confused.
Those familiar with the HSMM projects may have noticed that they chose to
operate in the non-unique 10/8 space in order to support autoconfiguration.
However, once their project grew beyond those specific linksys models,
they started having conflicts. Even now, those HSMM networks that are up
and running can't communicate with users on other networks without
complicated NAT tables. It would be much better to take advantage of our
44/8 resources for those projects by assigning blocks to each mesh island.
That way they can start peering with other networks or other mesh islands
directly. When asked why having 44/8 is important, this is a perfect
example and there are many others.
When talking about technical solutions to problems we come across, it's
also important to consider that as hams, it's likely that our networks are
experimental and will therefore have a wide range of configurations that
could prohibit their ability to share traffic with some others. This
should absolutely be encouraged as long as what they do does not impact any
other network's ability to operate normally. Therefore, there is no
"right" or "wrong" way to configure your network as long as you get
your
expected result. Just keep in mind that following best-practices is the
best way to ensure compatibility. Ideally, those who operate the registry
will shift closer to this way of thinking and start supporting more
advanced users to do non-standard things (such as DNS or PTR delegation,
for example).
We also need to be careful about the terminology we use when referring to
security, in order to avoid mistaken assumptions. Source addresses can be
used in our case to provide a convenient filter against the majority of
incoming junk internet traffic. However, this must not be confused for
"authentication" or knowing *who* is sending you the packets. Make sure
you understand the risks when opening up a service on your network. If
you're trying to filter out most undesirables, source filtering can be
okay. However, if you need to know who you are talking to, you must use
another method. Also, myself and several others on this list may be in a
good position to help if you need assistance in this area.
Best regards,
-Cory NQ1E
Your friendly neighborhood radio hacker
24 Apr
24 Apr
1:24 a.m.
On 24.04.2014 01:42, Cory (NQ1E) wrote:
We also need to be careful about the terminology we
use when referring to
security, in order to avoid mistaken assumptions. Source addresses can be
used in our case to provide a convenient filter against the majority of
incoming junk internet traffic. However, this must not be confused for
"authentication" or knowing *who* is sending you the packets. Make sure
you understand the risks when opening up a service on your network. If
you're trying to filter out most undesirables, source filtering can be
okay. However, if you need to know who you are talking to, you must use
another method. Also, myself and several others on this list may be in a
good position to help if you need assistance in this area.
I don't need to know who I am talking to. I only need to know that I am
talking to a radio amateur. Since the net44 address space is provided
for radio amateurs *only* I offer radio services for people coming from
net44 IP addresses (e.g. I like the way
http://kb3vwg-010.ampr.org/tools/aprscode works)...
(Please don't start the "spoofing" discussion now. Services need
bidirectional communication to work...).
I think most of us were happily providing radio services on the IPIP
mesh in the "former days" before we started with BGP direct connected
gateways... So why should this have changed now? What is wrong thinking
to find radio amaterus behind source44 addresses?
73,
Jann
DG8NGN
--
Jann Traschewski, Faber-Castell-Str. 9, D-90522 Oberasbach, Germany
Tel.: +49-911-696971, Mobile: +49-170-1045937, E-Mail: jann(a)gmx.de
Ham: DG8NGN / DB0VOX, http://www.qsl.net/dg8ngn
8:29 a.m.
+1
Michael
N6MEF
-----Original Message-----
From: 44net-bounces+n6mef=mefox.org(a)hamradio.ucsd.edu
[mailto:44net-bounces+n6mef=mefox.org@hamradio.ucsd.edu] On Behalf Of Jann
Traschewski
Sent: Wednesday, April 23, 2014 11:24 PM
To: 44net(a)hamradio.ucsd.edu
Subject: Re: [44net] What is 44net?
(Please trim inclusions from previous messages)
_______________________________________________
On 24.04.2014 01:42, Cory (NQ1E) wrote:
We also need to be careful about the terminology we
use when referring to
security, in order to avoid mistaken assumptions. Source addresses can be
used in our case to provide a convenient filter against the majority of
incoming junk internet traffic. However, this must not be confused for
"authentication" or knowing *who* is sending you the packets. Make sure
you understand the risks when opening up a service on your network. If
you're trying to filter out most undesirables, source filtering can be
okay. However, if you need to know who you are talking to, you must use
another method. Also, myself and several others on this list may be in a
good position to help if you need assistance in this area.
I don't need to know who I am talking to. I only need to know that I am
talking to a radio amateur. Since the net44 address space is provided
for radio amateurs *only* I offer radio services for people coming from
net44 IP addresses (e.g. I like the way
http://kb3vwg-010.ampr.org/tools/aprscode works)...
(Please don't start the "spoofing" discussion now. Services need
bidirectional communication to work...).
I think most of us were happily providing radio services on the IPIP
mesh in the "former days" before we started with BGP direct connected
gateways... So why should this have changed now? What is wrong thinking
to find radio amaterus behind source44 addresses?
73,
Jann
DG8NGN
--
Jann Traschewski, Faber-Castell-Str. 9, D-90522 Oberasbach, Germany
Tel.: +49-911-696971, Mobile: +49-170-1045937, E-Mail: jann(a)gmx.de
Ham: DG8NGN / DB0VOX, http://www.qsl.net/dg8ngn
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
8:56 a.m.
Jann,
I believe Cory's point here is that you can (relatively safely) make the assumption
that someone coming from a 44-net IP is likely going to be someone in the amateur radio
community. However, that doesn't tell you who they are. This is the distinction I
believe Cory is trying to make that source IP is not authentication. If your goal is to
provide a service that relies on knowing you're talking with a specific person, then
you need to start looking at authentication methods, a number of which have been
discussed, such as usernames/passwords, certs, etc.
Nigel
K7NVH
On Apr 23, 2014, at 11:24 PM, Jann Traschewski <jann(a)gmx.de> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
On 24.04.2014 01:42, Cory (NQ1E) wrote:
We also need to be careful about the terminology
we use when referring to
security, in order to avoid mistaken assumptions. Source addresses can be
used in our case to provide a convenient filter against the majority of
incoming junk internet traffic. However, this must not be confused for
"authentication" or knowing *who* is sending you the packets. Make sure
you understand the risks when opening up a service on your network. If
you're trying to filter out most undesirables, source filtering can be
okay. However, if you need to know who you are talking to, you must use
another method. Also, myself and several others on this list may be in a
good position to help if you need assistance in this area.
I don't need to know who I am talking to. I only need to know that I am
talking to a radio amateur. Since the net44 address space is provided
for radio amateurs *only* I offer radio services for people coming from
net44 IP addresses (e.g. I like the way
http://kb3vwg-010.ampr.org/tools/aprscode works)...
(Please don't start the "spoofing" discussion now. Services need
bidirectional communication to work...).
I think most of us were happily providing radio services on the IPIP
mesh in the "former days" before we started with BGP direct connected
gateways... So why should this have changed now? What is wrong thinking
to find radio amaterus behind source44 addresses?
73,
Jann
DG8NGN
--
Jann Traschewski, Faber-Castell-Str. 9, D-90522 Oberasbach, Germany
Tel.: +49-911-696971, Mobile: +49-170-1045937, E-Mail: jann(a)gmx.de
Ham: DG8NGN / DB0VOX, http://www.qsl.net/dg8ngn
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
10:44 a.m.
On 24.04.2014 15:56, Nigel Vander Houwen wrote:
I believe Cory's point here is that you can
(relatively safely) make
the assumption that someone coming from a 44-net IP is likely going
to be someone in the amateur radio community. However, that doesn't
tell you who they are.
Yes, I fully agree on this.
This is the distinction I believe Cory is trying to
make that source
IP is not authentication. If your goal is to provide a service that
relies on knowing you're talking with a specific person, then you
need to start looking at authentication methods, a number of which
have been discussed, such as usernames/passwords, certs, etc.
True. In my case I need to check against radio amateurs, not single
identities.
However I could track down the source based on the 44net allocation.
E.g. dmr.db0myk.ampr.org resolves to 44.225.73.37 and the responsible
person for "db0myk" is Hans, DL5DI, according to our database from the
regulator. This is still no authentication but a very close assumption
that arriving IP packets from 44.225.73.37 are from Hans. If you have in
mind that my system is connected by IPIP mesh only and I block
encapsulated source44 packets from AMPRGW (which might be spoofed
somewhere on the internet) the assumption is even closer...
73,
Jann
--
Jann Traschewski, Faber-Castell-Str. 9, D-90522 Oberasbach, Germany
Tel.: +49-911-696971, Mobile: +49-170-1045937, E-Mail: jann(a)gmx.de
Ham: DG8NGN / DB0VOX, http://www.qsl.net/dg8ngn
10:57 a.m.
On Thu, Apr 24, 2014 at 8:44 AM, Jann Traschewski <jann(a)gmx.de> wrote:
However I could track down the source based on the
44net allocation.
E.g. dmr.db0myk.ampr.org resolves to 44.225.73.37 and the responsible
person for "db0myk" is Hans, DL5DI, according to our database from the
regulator. This is still no authentication but a very close assumption
that arriving IP packets from 44.225.73.37 are from Hans.
Unfortunately, the law here doesn't work like that:
(b) For stations participating in a message forwarding system, the
control operator of the station originating a message is primarily
accountable for any violation of the rules in this part contained in
the message.
It says nothing about the control operator of the first internet
gateway; accountability is on the originating station. If Hans is
operating a gateway on local RF, we need to know the identity of the
local ham on RF, not the gateway operator. There are various ways to
accomplish this, many of which have been discussed on the list. For
example, emails can be authenticated with a PGP digital signature. The
equivalent layer 3 technology is IPsec(AH).
Tom KD7LXL
10:13 a.m.
On Wed, Apr 23, 2014 at 11:24 PM, Jann Traschewski <jann(a)gmx.de> wrote:
I don't need to know who I am talking to. I only
need to know that I am
talking to a radio amateur.
Jann,
I suspect the difference of opinion here comes from the local rules we
are bound to. Cory (and myself) need to know the identity, who, is
connecting to our network over the internet, because if we don't then
we can be liable for rule violations. Here's the associated section
from the FCC rules:
ยง 97.219 Message forwarding system
(d) For stations participating in a message forwarding system, the
control operator of the first forwarding station must:
(1) Authenticate the identity of the station from which it accepts
communications on behalf of the system; or
(2) Accept accountability for any violation of the rules in this part
contained in messages it retransmits to the system.
We have an RF network connected to 44net and don't want fines and our
licenses revoked if someone else from 44net forwards something against
the rules to our network. To protect ourselves, we have to know the
*identity* of the other 44net station sending the data.
Without this specific law, I can see how you would not care so much
about authentication. I think Cory's point was simply that source
filtering is not enough to determine identity. He happens to be a
professional in the information security field and was offering his
professional expertise to anyone who needs help with authentication.
Tom KD7LXL
10:21 a.m.
On 2014-04-24 17:13 , Tom Hayward wrote:
[..]
We have an RF network connected to 44net and don't
want fines and our
licenses revoked if someone else from 44net forwards something against
the rules to our network. To protect ourselves, we have to know the
*identity* of the other 44net station sending the data.
Layer 3 (IP) is not useful for hiding identity anyway. Though
source-prefix-filtering (and other BCP38/SAVE rules) must definitely be
adhered to.
If one wants to hide their identity, the only real effective way is to
use a mix network, eg Tor which works over 44net btw ;)
Greets,
Jeroen
11:44 a.m.
On 24.04.2014 17:13, Tom Hayward wrote:
I suspect the difference of opinion here comes from
the local rules we
are bound to.
That might be. What would be your ideal set of rules?
We have a lot of wishes pending for the next big change of local rules.
Smaller changes are even possible in shorter time periods.
Maybe we should think about how an ideal amateur radio world should look
like in terms of interconnecting networks.
I wonder whether the amateur radio community could agree on a common set
of rules so that we can talk to our regulators and look for solutions
how to implement...
Maybe the first step is harder than the second...
73,
Jann
DG8NGN
--
Jann Traschewski, Faber-Castell-Str. 9, D-90522 Oberasbach, Germany
Tel.: +49-911-696971, Mobile: +49-170-1045937, E-Mail: jann(a)gmx.de
Ham: DG8NGN / DB0VOX, http://www.qsl.net/dg8ngn
11:52 a.m.
I don't believe the 'network' should try to police local regulations
at all. 44net is for Amateur Radio <full stop>
Local regulations must be dealt with locally and its the gateway
operator's responsibility to be compliant with local requirements.
IARU could propose things at WRC, but we are talking years of
discussion in technologies that can adapt and evolve in nano-seconds.
:)
________________________________
John D. Hays
K7VE
PO Box 1223, Edmonds, WA 98020-1223
On Thu, Apr 24, 2014 at 9:44 AM, Jann Traschewski <jann(a)gmx.de> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
On 24.04.2014 17:13, Tom Hayward wrote:
I suspect the difference of opinion here comes
from the local rules we
are bound to.
That might be. What would be your ideal set of rules?
We have a lot of wishes pending for the next big change of local rules.
Smaller changes are even possible in shorter time periods.
Maybe we should think about how an ideal amateur radio world should look
like in terms of interconnecting networks.
I wonder whether the amateur radio community could agree on a common set
of rules so that we can talk to our regulators and look for solutions
how to implement...
Maybe the first step is harder than the second...
73,
Jann
DG8NGN
--
Jann Traschewski, Faber-Castell-Str. 9, D-90522 Oberasbach, Germany
Tel.: +49-911-696971, Mobile: +49-170-1045937, E-Mail: jann(a)gmx.de
Ham: DG8NGN / DB0VOX, http://www.qsl.net/dg8ngn
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
1:22 p.m.
On 24.04.2014 18:52, K7VE - John wrote:
I don't believe the 'network' should try
to police local regulations
at all. 44net is for Amateur Radio <full stop>
That's not what I wanted to say.
Local regulations must be dealt with locally and its
the gateway
operator's responsibility to be compliant with local requirements.
Law is made by people. Would be nice to have similar regulations in
terms of interconnecting amateur radio worldwide.
IARU could propose things at WRC, but we are talking
years of
discussion in technologies that can adapt and evolve in nano-seconds.
:)
Good suggestion! I already plan to talk about IPv6 for Amateur Radio at
IARU Region 1 Meeting this year in Varna, Bulgaria. Maybe I can extend
the topic to interconnecting international amateur radio over public
networks.
73,
Jann
DG8NGN
--
Jann Traschewski, Faber-Castell-Str. 9, D-90522 Oberasbach, Germany
Tel.: +49-911-696971, Mobile: +49-170-1045937, E-Mail: jann(a)gmx.de
Ham: DG8NGN / DB0VOX, http://www.qsl.net/dg8ngn
2:26 p.m.
Source IP is not authentication.... This *IS* yet another good reason that
we ought be peering with other 44net networks voluntarily rather than just
blindly loading an encap file that builds a mesh of tunnels to hosts and
networks unbeknownst to us which likely have varying policy and regulation
upon traffic. Rather than IPIP why not IPsec or PPP over GRE or something
similar setup on a voluntary basis. Then all this discussion becomes a
matter of who you peer with. as it is now I'm forced to accept traffic
from people and networks who I have no idea who are rather than actually
being actively involved in knowing my neighbors and actively, voluntarily
peering with them where peering means that when we commnicate we
authenticate.
Eric
AF6EP
On Thu, Apr 24, 2014 at 11:36 AM, Bill Vodall <wa7nwp(a)gmail.com> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
44net is for Amateur Radio <full stop>
One of the traditionally accepted practices here is that if the source
of an IP packet is on the 44 net - then it's a Radio Amateur.
Certainly not perfect but it has been 'good enough.' I hope we
don't lose that.
Bill, WA7NWP
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
7:44 p.m.
On Thu, 24 Apr 2014 12:26:15 -0700, Eric Fort <eric.fort(a)gmail.com>
wrote:
Source IP is not authentication....
Nor is authentication of originating station required under any rules.
All this fret and fuss over authentication seems rather pointless for
radio-facing interfaces. The originating station is responsible for
the content of the _radio_ communication. End of discussion. Whatever
happens on the network side is not within FCC jurisdiction nor is it
within IARU jurisdiction.
Now, if a relaying station wants to restrict access to a service then
that should be done through a login to that service. These protocols
are well-defined and well-established.
Start going down the road of the legal necessity of "authentication"
and you'll have the armchair lawyers prattling on about "encryption",
an essential component of authentication, being prohibited under the
rules. Catch-22.
FCC has stated that whatever isn't expressly prohibited is permitted.
I don't think there's a single case of FCC or any other amateur radio
regulatory authority fining an amateur operator for an infraction of
the rules without first sending a cease and desist letter first. I can
remember the bad old days of the Hollywood repeater being full of all
kinds of improper amateur radio conduct and it took a truck load of
complaints and letters to get FCC to finally assign an enforcement
team and it took YEARS for that case to be adjudicated.
When I was in college our club was cited for being 0.03kHz outside the
20 meter phone band on Field Day. The only think we had to do was
reply that measures were being taken to prevent a re-occurrence.
If you're going to be so worried about the legalities that you lose
sleep over it then tear down your antennas, throw your radios in the
trash and get a different hobby. I hear guns are big this year. :)
Stop fretting about content and just DO it.
25 Apr
25 Apr
2:56 a.m.
+1
On 24 Apr 2014 at 9:52 K7VE - John wrote:
Local regulations must be dealt with locally and its
the gateway
operator's responsibility to be compliant with local requirements.
**************** WARNING ****************
* The IEEE are outsourcing their email
* service to a data mining organisation.
*
* I value my privacy and that of my correspondents
* and will therefore be disabling my f.ohare(a)ieee.org
* email address as soon as practical.
*
* My new email address is oharef(a)fanden.com
* PLEASE CHANGE YOUR ADDRESS BOOK NOW
*****************************************
Frank O'Hare
The information contained in this e-mail is confidential and intended
only for the person to whom it is addressed. Other people may not
copy, use, disclose or distribute this information. If this message
has been sent to you in error, could you please e-mail the sender
and destroy the message. Thank you.
24 Apr
24 Apr
11:53 a.m.
On Thu, Apr 24, 2014 at 9:44 AM, Jann Traschewski <jann(a)gmx.de> wrote:
On 24.04.2014 17:13, Tom Hayward wrote:
One of the big problems with our rules regarding HF data (not directly
related to this mailing list) is that the rule is too closely tied to
a technology. There is a symbol rate limit, when I believe the intent
of the law was a bandwidth limit. If they had simply made it a
bandwidth limit we would be allowed to use modern digital modes with
greater symbol rates. Rules tied to a specific technology will not
remain relevant over time and should be avoided.
Tom KD7LXL
I suspect the difference of opinion here comes
from the local rules we
are bound to.
That might be. What would be your ideal set of rules?
We have a lot of wishes pending for the next big change of local rules.
Smaller changes are even possible in shorter time periods.
Maybe we should think about how an ideal amateur radio world should look
like in terms of interconnecting networks.
I wonder whether the amateur radio community could agree on a common set
of rules so that we can talk to our regulators and look for solutions
how to implement...
Maybe the first step is harder than the second...
2:02 p.m.
On 24.04.2014 18:53, Tom Hayward wrote:
One of the big problems with our rules regarding HF
data (not directly
related to this mailing list) is that the rule is too closely tied to
a technology. There is a symbol rate limit, when I believe the intent
of the law was a bandwidth limit. If they had simply made it a
bandwidth limit we would be allowed to use modern digital modes with
greater symbol rates. Rules tied to a specific technology will not
remain relevant over time and should be avoided.
Indeed... This is an unnecessary limiting factor.
Some limitations here came initially from the local amateur radio
community and now we are claiming to be limited :) We are limited to 15W
ERP for automatic stations... And we have a 10 MHz bandwidth limit for
Digital, but 20 MHz for ATV ?!? Changing the rules takes time. Since the
regulator can't just ignore the rules but even know it will change with
the new law, we found a solution (two side-by-side digital channels from
A to B with 10 MHz bandwidth each ;).
But I was *not* talking about rules which will only affect locally. I'm
moreover interested in similar rules in terms of interconnecting amateur
radio over public networks. E.g. I would like all countries to allow *at
least* the usage of the Internet as a transport medium:
A <-radio-> B <-internet-> C <-radio-> D
If the tunnel B to C is properly secured so that you can say it is a
transport medium only, I want local regulators to take B and C out of
responsibility for transmissions from A to D and vice versa (e.g. if a
pirate is active on A).
There are so many examples and *somebody* needs to write them out, make
nice diagrams and so on... Then we could start discussion :) But in my
opinion there is no need to hurry.
73,
Jann
DG8NGN
--
Jann Traschewski, Faber-Castell-Str. 9, D-90522 Oberasbach, Germany
Tel.: +49-911-696971, Mobile: +49-170-1045937, E-Mail: jann(a)gmx.de
Ham: DG8NGN / DB0VOX, http://www.qsl.net/dg8ngn
3867
days inactive
3869
days old
17 comments
11 participants
participants (11)
-
Bill Vodall -
Cory (NQ1E) -
Eric Fort -
Frank OHare -
Geoff Joy -
Jann Traschewski -
Jeroen Massar -
K7VE - John -
Michael E Fox - N6MEF -
Nigel Vander Houwen -
Tom Hayward