[Dxspider-support] Secure node to node connection proposal

Mikel EA2CW ea2cw at gautxori.com
Sun Feb 26 09:36:12 GMT 2023


After a lot of hours with some sysops already here, I have written down a 
first proposal of the first -small- step we could take, raising a bit the 
node 2 node connections. Again, this is only a basic document to start, 
not an absolute and unique truth.
I expect to have a good open discussion among all of us to define and 
agree the path to a better dx-cluster net.

NODE<>NODE SECURE CONNECTION CRITERIA:

1. Unregistered users can connect and view spots, they cannot upload any 
info into the network.

2. Registered users can login, view and also upload spots, anns, etc.

3. All registered users must have a password. Registered users without 
password would not be acceptable.

4. All nodes to which the node is connected must meet the same requirements.

5. The connection between nodes must be between registered nodes and 
with password, that is:
     - set/spider [node]
     - set/reg <node>
     - set/password <node>
     - set/password <node> <password>.
     (The /spider/connect/<server> files must be modified so that the 
password is used).

6. If possible, the connection between nodes should be made via ssh or 
other secure mechanism. (Already testing an ssh tunneling protocol with 
success)

7. The connection to the RBN servers is optional from each server, but 
the received RBN spots will not be forwarded to other nodes.

After -I hope- achieving an agreement, I would want to start a net where 
all the clusters connected meet the agreed conditions.
I ask you, the sysops who already meet them or with this aim, to contact 
me and other partners in the same position for a -probably- slow but 
firm evolution.


POSSIBLE NEXT STEPS IN THE FUTURE

* A protocol should be designed within the dx-cluster standard to share 
hashed passwords between nodes, avoiding the need to register multiple 
times the same user in different nodes and reducing the maintenance 
tasks of each sysop. This information, i.e. (user:hash:origin_cluster) 
could later be broadcast around the net and/or also be 
distributed via config files as we already do, i.e. with bad IPs, and 
stored on each node.

* The connections of identified nodes / users to any node should be made 
always using secured connections. No more telnet usr/pwd open 
transmissions should be allowed.

* The secure connection system should be implemented as a part of the 
server programs (as telnet is now) avoiding the added complexity of 
creating tunnels between each pair of servers. This system could be used 
for secure connection between nodes as well as for connection and 
identification of users, who could continue to access in an insecure way 
-without the ability to upload information to the network. It would keep 
the connection system of the current client software unchanged.



Hope we can discuss all this among us, securing the future of an open, 
safe and not hierarchically structured. This philosophy is IMHO the one 
that has kept alive the dxcluster network during so many years/decades.

Thank you and 73 de Mikel EA2CW




-- 
ea2cw at gautxori.com
Bilbao, Bizkaia. IN83MG
http://radio.gautxori.com
http://qrz.com/db/ea2cw
https://t.me/EA2CW
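
One way the (user:hash:origin_cluster) record proposed under the next steps could be built and checked, as an added example that is not part of the original post or of DXSpider. The use of scrypt with a per-user salt, the `$`-separated layout of the hash field and the rule that only the origin cluster may replace a record are all assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed scrypt cost parameters; the proposal names no algorithm.
N, R, P, DKLEN, MAXMEM = 2**14, 8, 1, 32, 64 * 1024 * 1024

def _kdf(password, salt, n, r, p):
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          dklen=DKLEN, maxmem=MAXMEM)

def make_record(user, password, origin, salt=None):
    """Build one user:hash:origin_cluster line with a per-user random salt."""
    salt = salt or os.urandom(16)
    enc = lambda b: base64.b64encode(b).decode("ascii")
    digest = _kdf(password, salt, N, R, P)
    return f"{user.upper()}:scrypt${N}${R}${P}${enc(salt)}${enc(digest)}:{origin.upper()}"

def parse_record(line):
    """Split and validate a record received from another node."""
    user, hashed, origin = line.strip().split(":")   # ValueError if not 3 fields
    scheme, n, r, p, salt, digest = hashed.split("$")
    # Cost parameters arrive from the network: refuse anything weaker or
    # costlier than our own settings so a peer cannot downgrade or stall us.
    if scheme != "scrypt" or (int(n), int(r), int(p)) != (N, R, P):
        raise ValueError("unsupported hash parameters")
    return user, (base64.b64decode(salt, validate=True),
                  base64.b64decode(digest, validate=True)), origin

def verify(line, user, password):
    """Check a login attempt against a stored record."""
    rec_user, (salt, digest), _ = parse_record(line)
    candidate = _kdf(password, salt, N, R, P)
    return rec_user == user.upper() and hmac.compare_digest(candidate, digest)

def merge(store, line):
    """Accept a broadcast record only from the cluster that first registered the user."""
    user, _, origin = parse_record(line)
    known = store.get(user)
    if known is not None and parse_record(known)[2] != origin:
        return False        # another node may not overwrite this user's hash
    store[user] = line.strip()
    return True
```

Because every node that receives such a record can attempt offline guessing against it, the salted, memory-hard hash matters more here than it would for a password file that never leaves one server.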



