<div dir="ltr">It's not just optimization. We have serious restrictions on what type of content can be moved over our RF links. Everyone who runs a device that transmits is responsible for its operation. Luckily there is precedent here since each node can be considered the same as a "digital packet repeater" in historical context. In those cases, the repeater operator is not held liable for illegal content relayed through them as long as they take "reasonable measures" to limit it and when discovered, stop it.<div>
<br></div><div style>While it's not preferable to get into the distributed firewall business, it may be necessary if this network carries traffic to or from the internet. If we had another "reasonable" way to make sure only licensed hams were able to originate content on the network, firewalls likely wouldn't be needed.</div>
<div style><br></div><div style>In a somewhat related issue, there is also precedent for hams using encrypted WiFi links with part 97 rules. Supposedly, it's only acceptable to encrypt when the purpose is not to hide the content of your message. This means that it's okay to run encryption as long you publish the decryption keys so that they could be found by the public (negating the point of using encryption in most cases).</div>
<div style><br></div><div style>The frequencies that we're allowed to use as licensed radio amateurs belong to the public and we're allowed to use them for the purposes of experimentation and communication with other amateurs. In order to assure the fair use of such a valuable resource, we have to follow strict rules that prevent commercial interests from taking over. That's why we're not allowed to conduct business on the air or communicate with the general public (broadcast). That's also why it's important that anything transmitted is not intentionally obfuscated from anyone else's ability to view it.</div>
<div style><br></div><div style>As a long-time computer engineer with a strong emphasis on security, the idea of having such an open network is very scary to me. However, it's also why I'm excited about the challenge. When most people think about security, they only think about secrecy (hiding your messages). However, security also includes authentication (making sure messages really come from the intended sender) and integrity (has this message been altered in transit). With those two aspects and a lot of help from public key cryptography, my hope is to contribute to making a network that is both open *and* secure.</div>
<div style><br></div><div style>I've already made some strides in this area for other ham-related projects of mine, and now I'm hoping to translate that to the needs of the overall network.</div><div style><br></div>
<div style><br></div><div style><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Feb 20, 2013 at 12:16 AM, Bart Kus <span dir="ltr"><<a href="mailto:me@bartk.us" target="_blank">me@bartk.us</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>It's just a little more efficient to
stop unwanted traffic early, before it takes up a bunch of
airtime. Just an optimization, which may not be worth the
complexity right up front. Your suggestion works too.<span class="HOEnZb"><font color="#888888"><br>
<br>
--Bart</font></span><div><div class="h5"><br>
<br>
On 2/19/2013 8:46 PM, Benjamin Krueger wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">Just saw this, "just needs to push an ACL update".
Why can't we just route all traffic and let the client nodes run
their own firewalls? We *really* don't want to be in the
distributed firewall business. :)</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Feb 13, 2013 at 4:04 PM, Bart
Kus <span dir="ltr"><<a href="mailto:me@bartk.us" target="_blank">me@bartk.us</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Global reachability is not in conflict with
autonomy. Achieving both simultaneously just requires
careful design of HamWAN network services. If the
HamWAN internet feed drops off, the routing, DNS and
other services need to continue working. The first word
in ASN is Autonomous after all. :)<br>
<br>
I consider NAT and Proxies as old crusty hacks from the
age of ISPs giving out just 1 IP/customer. It's time to
put these ideas to rest. IPv6 will do this on the
commercial internet in the coming years, and AMPRnet
will allow us to do it immediately here. For the cases
where communication is to be restricted due to user
preference, we can push filtering rules to firewalls at
the edges of the network, and at the HamWAN <->
user site interface. In short, firewalls: yes,
nat+gateways: no.<br>
<br>
If a user wants to make a service running on one of his
servers public, he just needs to push an ACL update to
HamWAN and it'll be opened up. No need to re-IP, update
DNS, change NICs, whatever else. And most importantly,
it makes everyone equal. Your subnet allocation has the
same powers as mine. There is no special ground to
fight over, such as space on a public subnet, or access
to some officially sanctioned gateway servers that are
allowed to do special things.<br>
<br>
If you want though, you can of course live in the world
of private IPs and NAT. Just configure your LAN router
that way.<br>
<br>
Complete freedom of configuration. This is the way the
internet should have evolved for geeks!<span><font color="#888888"><br>
<br>
--Bart</font></span>
<div>
<div><br>
<br>
<br>
On 2/13/2013 8:30 AM, Cory (NQ1E) wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">Unless I've misunderstood the point
of this network all together, there shouldn't be a
case where we want the entire network address
space to be reachable from the global internet.
It's much more likely that the network will
remain as autonomous as possible and any
connections to the internet will be for connecting
specific services through a gateway of some sort.
<div> <br>
</div>
<div>A subnet of at least /23 (typical minimum for
global BGP announcements) should be reserved for
the purpose of being globally routable in the
future, if/when HamWAN decides to peer with one
or more ISPs. An address in the /23 can be
given to each service gateway for connecting to
the internet.</div>
<div><br>
</div>
<div>The rest of the 44-net allocation can be
treated as private address space, except that
it's essentially guaranteed not to cause
conflicts with the user-level networks since
it's still globally unique.</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Feb 13, 2013 at
2:28 AM, Bart Kus <span dir="ltr"><<a href="mailto:me@bartk.us" target="_blank">me@bartk.us</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Clever ;)<br>
<br>
What if HamWAN switches ISPs? All that
IPv6 space would need to be given up. It
can't follow you AFAIK. Or the ISP may
charge whatever they feel like to let you
take it with you. Also bad.<br>
<br>
The fees for IPv6 are not as low as I had
hoped, but not as high as you think
either! There's a 25% discount in effect
for "extra-small" allocations (which are
still larger than the entire IPv4
internet). The cost looks to be
$937.50/yr. Not sure it's worth the cost,
given the IPv4 AMPRnet situation. We can
very likely just expand our AMPRnet
allocation if we out-grow the /20.<span><font color="#888888"><br>
<br>
--Bart</font></span>
<div>
<div><br>
<br>
<br>
On 2/13/2013 1:10 AM, Cory (NQ1E)
wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">Here's an IPv6
allocation for you ;)
<div><br>
</div>
<div>::ffff:<a href="http://44.24.240.0/116" target="_blank">44.24.240.0/116</a></div>
<div><br>
</div>
<div>With the obvious exception of
AMPRNet addresses for amateur
radio use, IP allocations should
come from an ISP. Obtaining a
direct allocation from ARIN would
cost around a couple grand per
year.</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Feb
13, 2013 at 12:46 AM, Bart Kus <span dir="ltr"><<a href="mailto:me@bartk.us" target="_blank">me@bartk.us</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Result:
APPROVED<br>
Your allocated subnet is: <a href="tel:44.24.240.0%20%2F%2020" value="+14424240020" target="_blank">44.24.240.0 /
20</a><br>
<br>
<a href="https://portal.ampr.org/networks.php?a=region&id=191" target="_blank">https://portal.ampr.org/networks.php?a=region&id=191</a><br>
<br>
HamWAN now has 4096 real
Internet IPs to play with. Next
up: we gotta crack the mystery
of getting IPv6 net space. Any
volunteers? :)<br>
<br>
What an incredibly productive
day,<br>
<br>
--Bart<br>
<br>
<br>
_______________________________________________<br>
PSDR mailing list<br>
<a href="mailto:PSDR@hamwan.org" target="_blank">PSDR@hamwan.org</a><br>
<a href="http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org" target="_blank">http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org</a><br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
PSDR mailing list
<a href="mailto:PSDR@hamwan.org" target="_blank">PSDR@hamwan.org</a>
<a href="http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org" target="_blank">http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org</a>
</pre>
</blockquote>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
PSDR mailing list<br>
<a href="mailto:PSDR@hamwan.org" target="_blank">PSDR@hamwan.org</a><br>
<a href="http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org" target="_blank">http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
PSDR mailing list
<a href="mailto:PSDR@hamwan.org" target="_blank">PSDR@hamwan.org</a>
<a href="http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org" target="_blank">http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org</a>
</pre>
</blockquote>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
PSDR mailing list<br>
<a href="mailto:PSDR@hamwan.org" target="_blank">PSDR@hamwan.org</a><br>
<a href="http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org" target="_blank">http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr">Benjamin<br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
PSDR mailing list
<a href="mailto:PSDR@hamwan.org" target="_blank">PSDR@hamwan.org</a>
<a href="http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org" target="_blank">http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org</a>
</pre>
</blockquote>
<br>
</div></div></div>
<br>_______________________________________________<br>
PSDR mailing list<br>
<a href="mailto:PSDR@hamwan.org">PSDR@hamwan.org</a><br>
<a href="http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org" target="_blank">http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org</a><br>
<br></blockquote></div><br></div>