Hello fellow radio/network geeks!
While trying as much as I can to not come off as condescending, I would like to try and provide a little perspective so that we can hopefully clear up some confusion and speak in mutually agreeable terms.
There seem to be many misconceptions among several people on this list who may see 44net as a single service or network where everyone needs to be able to speak to each other and where all traffic sourced from it can be trusted. Oh, and RADIO :)
The global internet isn't even one large network in that sense. It's actually just a concept that allows many different individual autonomous networks to coordinate and cooperate with each other while allowing them to share traffic among their users. Those in control of things like allocating IP space and DNS are only in that position because the majority of networks recognize their authority.
Just like similar authorities on the internet, ARDC is just a registry that provides chunks of the globally unique IP space to individual networks which allows them to interoperate with each other or any other global network without conflict (but does not mean that they *must* work with other networks). In this case, they only agree to provide these services to networks that support amateur radio in one form or another. It just so happens that they also provide a service that coordinates IPIP tunnels so these networks can send encapsulated traffic to each other without needing to make their own peering arrangements with other networks on the internet at large. Since most people are only used to the idea of the internet being a "service" provided to them, it's easy to see why this can be confused.
Those familiar with the HSMM projects may have noticed that they chose to operate in the non-unique 10/8 space in order to support autoconfiguration. However, once their project grew beyond those specific Linksys models, they started having conflicts. Even now, those HSMM networks that are up and running can't communicate with users on other networks without complicated NAT tables. It would be much better to take advantage of our 44/8 resources for those projects by assigning blocks to each mesh island. That way they can start peering with other networks or other mesh islands directly. When asked why having 44/8 is important, this is a perfect example, and there are many others.
When talking about technical solutions to problems we come across, it's also important to consider that as hams, it's likely that our networks are experimental and will therefore have a wide range of configurations that could prohibit their ability to share traffic with some others. This should absolutely be encouraged as long as what they do does not impact any other network's ability to operate normally. Therefore, there is no "right" or "wrong" way to configure your network as long as you get your expected result. Just keep in mind that following best-practices is the best way to ensure compatibility. Ideally, those who operate the registry will shift closer to this way of thinking and start supporting more advanced users to do non-standard things (such as DNS or PTR delegation, for example).
We also need to be careful about the terminology we use when referring to security, in order to avoid mistaken assumptions. Source addresses can be used in our case to provide a convenient filter against the majority of incoming junk internet traffic. However, this must not be confused for "authentication" or knowing *who* is sending you the packets. Make sure you understand the risks when opening up a service on your network. If you're trying to filter out most undesirables, source filtering can be okay. However, if you need to know who you are talking to, you must use another method. Also, myself and several others on this list may be in a good position to help if you need assistance in this area.
Best regards,
-Cory NQ1E
Your friendly neighborhood radio hacker
On 24.04.2014 01:42, Cory (NQ1E) wrote:
We also need to be careful about the terminology we use when referring to security, in order to avoid mistaken assumptions. Source addresses can be used in our case to provide a convenient filter against the majority of incoming junk internet traffic. However, this must not be confused for "authentication" or knowing *who* is sending you the packets. Make sure you understand the risks when opening up a service on your network. If you're trying to filter out most undesirables, source filtering can be okay. However, if you need to know who you are talking to, you must use another method. Also, myself and several others on this list may be in a good position to help if you need assistance in this area.
I don't need to know who I am talking to. I only need to know that I am talking to a radio amateur. Since the net44 address space is provided for radio amateurs *only* I offer radio services for people coming from net44 IP addresses (e.g. I like the way http://kb3vwg-010.ampr.org/tools/aprscode works)...
(Please don't start the "spoofing" discussion now. Services need bidirectional communication to work...).
I think most of us were happily providing radio services on the IPIP mesh in the "former days" before we started with BGP direct connected gateways... So why should this have changed now? What is wrong with thinking that radio amateurs are behind source44 addresses?
73, Jann DG8NGN
+1
Michael N6MEF
-----Original Message----- From: Jann Traschewski Sent: Wednesday, April 23, 2014 11:24 PM To: 44net@hamradio.ucsd.edu Subject: Re: [44net] What is 44net? [..]
Jann,
I believe Cory's point here is that you can (relatively safely) make the assumption that someone coming from a 44-net IP is likely going to be someone in the amateur radio community. However, that doesn't tell you who they are. This is the distinction I believe Cory is trying to make that source IP is not authentication. If your goal is to provide a service that relies on knowing you're talking with a specific person, then you need to start looking at authentication methods, a number of which have been discussed, such as usernames/passwords, certs, etc.
Nigel K7NVH
On Apr 23, 2014, at 11:24 PM, Jann Traschewski jann@gmx.de wrote: [..]
On 24.04.2014 15:56, Nigel Vander Houwen wrote:
I believe Cory's point here is that you can (relatively safely) make the assumption that someone coming from a 44-net IP is likely going to be someone in the amateur radio community. However, that doesn't tell you who they are.
Yes, I fully agree on this.
This is the distinction I believe Cory is trying to make that source IP is not authentication. If your goal is to provide a service that relies on knowing you're talking with a specific person, then you need to start looking at authentication methods, a number of which have been discussed, such as usernames/passwords, certs, etc.
True. In my case I need to check against radio amateurs, not single identities.
However I could track down the source based on the 44net allocation. E.g. dmr.db0myk.ampr.org resolves to 44.225.73.37 and the responsible person for "db0myk" is Hans, DL5DI, according to our database from the regulator. This is still no authentication but a very close assumption that arriving IP packets from 44.225.73.37 are from Hans. If you have in mind that my system is connected by IPIP mesh only and I block encapsulated source44 packets from AMPRGW (which might be spoofed somewhere on the internet) the assumption is even closer...
73, Jann
On Thu, Apr 24, 2014 at 8:44 AM, Jann Traschewski jann@gmx.de wrote:
However I could track down the source based on the 44net allocation. E.g. dmr.db0myk.ampr.org resolves to 44.225.73.37 and the responsible person for "db0myk" is Hans, DL5DI, according to our database from the regulator. This is still no authentication but a very close assumption that arriving IP packets from 44.225.73.37 are from Hans.
Unfortunately, the law here doesn't work like that: (b) For stations participating in a message forwarding system, the control operator of the station originating a message is primarily accountable for any violation of the rules in this part contained in the message.
It says nothing about the control operator of the first internet gateway; accountability is on the originating station. If Hans is operating a gateway on local RF, we need to know the identity of the local ham on RF, not the gateway operator. There are various ways to accomplish this, many of which have been discussed on the list. For example, emails can be authenticated with a PGP digital signature. The equivalent layer 3 technology is IPsec(AH).
Tom KD7LXL
On Wed, Apr 23, 2014 at 11:24 PM, Jann Traschewski jann@gmx.de wrote:
I don't need to know who I am talking to. I only need to know that I am talking to a radio amateur.
Jann,
I suspect the difference of opinion here comes from the local rules we are bound to. Cory (and myself) need to know the identity, who, is connecting to our network over the internet, because if we don't then we can be liable for rule violations. Here's the associated section from the FCC rules:
ยง 97.219 Message forwarding system (d) For stations participating in a message forwarding system, the control operator of the first forwarding station must: (1) Authenticate the identity of the station from which it accepts communications on behalf of the system; or (2) Accept accountability for any violation of the rules in this part contained in messages it retransmits to the system.
We have an RF network connected to 44net and don't want fines and our licenses revoked if someone else from 44net forwards something against the rules to our network. To protect ourselves, we have to know the *identity* of the other 44net station sending the data.
Without this specific law, I can see how you would not care so much about authentication. I think Cory's point was simply that source filtering is not enough to determine identity. He happens to be a professional in the information security field and was offering his professional expertise to anyone who needs help with authentication.
Tom KD7LXL
On 2014-04-24 17:13 , Tom Hayward wrote: [..]
We have an RF network connected to 44net and don't want fines and our licenses revoked if someone else from 44net forwards something against the rules to our network. To protect ourselves, we have to know the *identity* of the other 44net station sending the data.
Layer 3 (IP) is not useful for hiding identity anyway. Though source-prefix-filtering (and other BCP38/SAVE rules) must definitely be adhered to.
If one wants to hide their identity, the only real effective way is to use a mix network, eg Tor which works over 44net btw ;)
Greets, Jeroen
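The point made in different words by Cory, Nigel, Jann and Jeroen above (a 44/8 source address is a coarse filter and a BCP38 sanity check, not an identity) can be shown in code. The following is an added example written for this page, not code from anyone on the list or from any 44net tooling. The interface names, the per-callsign keys and the sample datagrams are constructed for the illustration, and the HMAC tag stands in for whatever real mechanism a gateway would use (a PGP signature or IPsec AH, as Tom mentions above). The example goes slightly beyond the thread by making the source filter interface-aware, so that a 44/8 source arriving un-encapsulated on the public side is treated as spoofed.

```python
"""Source filtering versus authentication at a 44net gateway (added example).

Two separate questions about an incoming datagram:
  1. Is it plausibly from the amateur network?  (source prefix + ingress
     interface, the BCP38-style check)
  2. Who sent it?                                (a keyed tag the claimed
     station can produce and nobody else can)
Passing (1) says nothing about (2).
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

AMPR_NET = ipaddress.ip_network("44.0.0.0/8")

# Hypothetical gateway interfaces: tunnel/RF side versus public internet side.
TUNNEL_IFACES = {"tunl0", "ax0"}
PUBLIC_IFACES = {"eth0"}

# Per-callsign shared secrets, constructed for this example only.  A real
# deployment would distribute keys out of band or use public-key signatures.
KEYS = {
    "DL5DI": b"constructed-example-key-dl5di",
    "NQ1E": b"constructed-example-key-nq1e",
}


@dataclass(frozen=True)
class Datagram:
    src_ip: str          # IP source address as seen after decapsulation
    ingress_iface: str   # interface the inner packet arrived on
    callsign: str        # identity the sender *claims*
    payload: bytes
    tag: bytes           # HMAC-SHA256 over callsign and payload


def source_filter(src_ip: str, ingress_iface: str) -> str:
    """Coarse filter.  Returns 'ok' or the reason the packet is dropped.

    44/8 is only acceptable when it arrives over the tunnel/RF side; a 44/8
    source showing up un-encapsulated on the public interface is spoofed or
    mis-routed, and a non-44 source on the tunnel side violates the BCP38
    ingress rule for that interface.
    """
    src = ipaddress.ip_address(src_ip)
    if ingress_iface in TUNNEL_IFACES:
        return "ok" if src in AMPR_NET else "non-44 source on tunnel side"
    if ingress_iface in PUBLIC_IFACES and src in AMPR_NET:
        return "44/8 source on public side (spoofed or leaked)"
    return "not from the amateur network"


def tag_for(key: bytes, callsign: str, payload: bytes) -> bytes:
    """HMAC-SHA256 binding the claimed callsign to the payload."""
    return hmac.new(key, callsign.encode() + b"\x00" + payload, hashlib.sha256).digest()


def sign(callsign: str, payload: bytes) -> bytes:
    """What a legitimately keyed station attaches to its datagram."""
    return tag_for(KEYS[callsign], callsign, payload)


def verify_identity(d: Datagram) -> bool:
    """True only if the tag was produced with the key registered for d.callsign."""
    key = KEYS.get(d.callsign)
    if key is None:
        return False
    return hmac.compare_digest(tag_for(key, d.callsign, d.payload), d.tag)


def admit(d: Datagram) -> str:
    """'drop' (fails source filter), 'filtered' (plausibly a ham, identity
    unknown) or 'authenticated' (identity established)."""
    if source_filter(d.src_ip, d.ingress_iface) != "ok":
        return "drop"
    if not verify_identity(d):
        return "filtered"
    return "authenticated"


def demo() -> dict:
    """Four constructed datagrams covering each outcome."""
    msg = b"aprs: DL5DI>APRS:>hello from Hans"
    cases = {
        # Genuine: 44/8 source via the tunnel, tag made with DL5DI's key.
        "genuine": Datagram("44.225.73.37", "tunl0", "DL5DI", msg, sign("DL5DI", msg)),
        # Same source, but no usable tag: passes the filter, proves nothing.
        "untagged": Datagram("44.225.73.37", "tunl0", "DL5DI", msg, b"\x00" * 32),
        # Another keyed station claiming to be DL5DI: filter passes, identity fails.
        "forged": Datagram("44.225.73.37", "tunl0", "DL5DI", msg,
                           tag_for(KEYS["NQ1E"], "DL5DI", msg)),
        # A 44/8 source arriving un-encapsulated from the internet: dropped.
        "spoofed": Datagram("44.225.73.37", "eth0", "DL5DI", msg, sign("DL5DI", msg)),
    }
    return {name: admit(d) for name, d in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

Running the file prints the verdict for each of the four constructed datagrams. Note that the tag only proves possession of the key registered for the claimed callsign and leaves the payload in cleartext, so this authenticates the sender without hiding the content; it also does nothing against replay, which a real scheme would cover with a timestamp or counter inside the tagged data.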
On 24.04.2014 17:13, Tom Hayward wrote:
I suspect the difference of opinion here comes from the local rules we are bound to.
That might be. What would be your ideal set of rules?
We have a lot of wishes pending for the next big change of local rules. Smaller changes are even possible in shorter time periods.
Maybe we should think about what an ideal amateur radio world should look like in terms of interconnecting networks.
I wonder whether the amateur radio community could agree on a common set of rules so that we can talk to our regulators and look for solutions on how to implement them...
Maybe the first step is harder than the second...
73, Jann DG8NGN
I don't believe the 'network' should try to police local regulations at all. 44net is for Amateur Radio <full stop>
Local regulations must be dealt with locally and its the gateway operator's responsibility to be compliant with local requirements.
IARU could propose things at WRC, but we are talking years of discussion in technologies that can adapt and evolve in nano-seconds. :)
John D. Hays K7VE, PO Box 1223, Edmonds, WA 98020-1223
On Thu, Apr 24, 2014 at 9:44 AM, Jann Traschewski jann@gmx.de wrote: [..]
On 24.04.2014 18:52, K7VE - John wrote:
I don't believe the 'network' should try to police local regulations at all. 44net is for Amateur Radio <full stop>
That's not what I wanted to say.
Local regulations must be dealt with locally and its the gateway operator's responsibility to be compliant with local requirements.
Law is made by people. Would be nice to have similar regulations in terms of interconnecting amateur radio worldwide.
IARU could propose things at WRC, but we are talking years of discussion in technologies that can adapt and evolve in nano-seconds. :)
Good suggestion! I already plan to talk about IPv6 for Amateur Radio at IARU Region 1 Meeting this year in Varna, Bulgaria. Maybe I can extend the topic to interconnecting international amateur radio over public networks.
73, Jann DG8NGN
On Thu, Apr 24, 2014 at 11:22 AM, Jann Traschewski jann@gmx.de wrote:
Law is made by people.
Obviously you aren't familiar with the US where we have the best laws corporations and oligarchs can buy. :)
Source IP is not authentication.... This *IS* yet another good reason that we ought to be peering with other 44net networks voluntarily rather than just blindly loading an encap file that builds a mesh of tunnels to hosts and networks unbeknownst to us, which likely have varying policy and regulation upon traffic. Rather than IPIP, why not IPsec or PPP over GRE or something similar set up on a voluntary basis? Then all this discussion becomes a matter of who you peer with. As it is now, I'm forced to accept traffic from people and networks that I have no idea who are, rather than actually being actively involved in knowing my neighbors and actively, voluntarily peering with them, where peering means that when we communicate we authenticate.
Eric AF6EP
On Thu, Apr 24, 2014 at 11:36 AM, Bill Vodall wa7nwp@gmail.com wrote:
44net is for Amateur Radio <full stop>
One of the traditionally accepted practices here is that if the source of an IP packet is on the 44 net - then it's a Radio Amateur. Certainly not perfect but it has been 'good enough.' I hope we don't lose that.
Bill, WA7NWP
On Thu, 24 Apr 2014 12:26:15 -0700, Eric Fort eric.fort@gmail.com wrote:
Source IP is not authentication....
Nor is authentication of the originating station required under any rules. All this fret and fuss over authentication seems rather pointless for radio-facing interfaces. The originating station is responsible for the content of the _radio_ communication. End of discussion. Whatever happens on the network side is not within FCC jurisdiction, nor is it within IARU jurisdiction.
Now, if a relaying station wants to restrict access to a service then that should be done through a login to that service. These protocols are well-defined and well-established.
Start going down the road of the legal necessity of "authentication" and you'll have the armchair lawyers prattling on about "encryption", an essential component of authentication, being prohibited under the rules. Catch-22.
FCC has stated that whatever isn't expressly prohibited is permitted.
I don't think there's a single case of FCC or any other amateur radio regulatory authority fining an amateur operator for an infraction of the rules without first sending a cease and desist letter first. I can remember the bad old days of the Hollywood repeater being full of all kinds of improper amateur radio conduct and it took a truck load of complaints and letters to get FCC to finally assign an enforcement team and it took YEARS for that case to be adjudicated.
When I was in college our club was cited for being 0.03 kHz outside the 20 meter phone band on Field Day. The only thing we had to do was reply that measures were being taken to prevent a recurrence.
If you're going to be so worried about the legalities that you lose sleep over it then tear down your antennas, throw your radios in the trash and get a different hobby. I hear guns are big this year. :)
Stop fretting about content and just DO it.
+1
On 24 Apr 2014 at 9:52 K7VE - John wrote:
Local regulations must be dealt with locally and its the gateway operator's responsibility to be compliant with local requirements.
Frank O'Hare
On Thu, Apr 24, 2014 at 9:44 AM, Jann Traschewski jann@gmx.de wrote: [..]
That might be. What would be your ideal set of rules?
[..]
One of the big problems with our rules regarding HF data (not directly related to this mailing list) is that the rule is too closely tied to a technology. There is a symbol rate limit, when I believe the intent of the law was a bandwidth limit. If they had simply made it a bandwidth limit we would be allowed to use modern digital modes with greater symbol rates. Rules tied to a specific technology will not remain relevant over time and should be avoided.
Tom KD7LXL
On 24.04.2014 18:53, Tom Hayward wrote:
One of the big problems with our rules regarding HF data (not directly related to this mailing list) is that the rule is too closely tied to a technology. There is a symbol rate limit, when I believe the intent of the law was a bandwidth limit. If they had simply made it a bandwidth limit we would be allowed to use modern digital modes with greater symbol rates. Rules tied to a specific technology will not remain relevant over time and should be avoided.
Indeed... This is an unnecessary limiting factor.
Some limitations here came initially from the local amateur radio community and now we are claiming to be limited :) We are limited to 15 W ERP for automatic stations... And we have a 10 MHz bandwidth limit for digital, but 20 MHz for ATV ?!? Changing the rules takes time. Since the regulator can't just ignore the rules, even knowing they will change with the new law, we found a solution (two side-by-side digital channels from A to B with 10 MHz bandwidth each ;).
But I was *not* talking about rules which only apply locally. I'm moreover interested in similar rules in terms of interconnecting amateur radio over public networks. E.g. I would like all countries to allow *at least* the usage of the Internet as a transport medium:
A <-radio-> B <-internet-> C <-radio-> D
If the tunnel B to C is properly secured so that you can say it is a transport medium only, I want local regulators to take B and C out of responsibility for transmissions from A to D and vice versa (e.g. if a pirate is active on A).
There are so many examples and *somebody* needs to write them out, make nice diagrams and so on... Then we could start discussion :) But in my opinion there is no need to hurry.
73, Jann DG8NGN