[Dxspider-support] Secure node to node connection proposal

Luigi Carlotto IK5ZUK ik5zuk at tiscali.it
Sun Feb 26 10:41:18 GMT 2023


Hi Mikel, hi all!

Only a question about your point #5: why register the nodes? As far as 
I remember, the registration process involves only the users, not the nodes...
Has Dirk changed something in the Spider's code that I'm missing now?

On my node, starting from 2002, user registration (with password 
for registered *users*) is mandatory, but since that time I've never 
registered a node, only registered users... and all seems to be working well here.

73 Luigi IK5ZUK


On 26/02/2023 10:36, Mikel EA2CW via Dxspider-support wrote:
> After a lot of hours with some sysops already here, I have written down 
> a first proposal of the first -small- step we could take, raising a bit 
> the node 2 node connections. Again, this is only a basic document to 
> start, not an absolute and unique truth.
> I expect to have a good open discussion among all of us to define and 
> agree the path to a better dx-cluster net.
>
> NODE<>NODE SECURE CONNECTION CRITERIA:
>
> 1. Unregistered users can connect and view spots, they cannot upload 
> any info into the network.
>
> 2. Registered users can login, view and also upload spots, anns, etc.
>
> 3. All registered users must have a password. Registered users without 
> password would not be acceptable.
>
> 4. All nodes to which the node is connected must meet the same 
> requirements.
>
> 5. The connection between nodes must be between registered nodes and 
> with password, that is:
>     - set/spider [node]
>     - set/reg <node>
>     - set/password <node>
>     - set/password <node> <password>.
>     (The /spider/connect/<server> files must be modified so that the 
> password is used).
>
> 6. If possible, the connection between nodes should be made via ssh or 
> other secure mechanism. (Already testing an ssh tunneling protocol with 
> success)
>
> 7. The connection to the RBN servers is optional from each server, but 
> the received RBN spots will not be forwarded to other nodes.
>
> After -I hope- achieving an agreement, I would want to start a net 
> where all the clusters connected meet the agreed conditions.
> I ask you, the sysops who already meet them or with this aim, to 
> contact me and other partners in the same position for a -probably- 
> slow but firm evolution.
>
>
> POSSIBLE NEXT STEPS IN THE FUTURE
>
> * A protocol should be designed within the dx-cluster standard to 
> share hashed passwords between nodes, avoiding the need to register 
> the same user multiple times in different nodes and reducing the 
> maintenance tasks of each sysop. This information, i.e. 
> (user:hash:origin_cluster) could later be broadcast around the 
> net and/or also be distributed via config files as we already do, 
> i.e. with bad IPs, and stored on each node.
>
> * The connections of identified nodes / users to any node should be 
> made always using secured connections. No more telnet usr/pwd open 
> transmissions should be allowed.
>
> * The secure connection system should be implemented as a part of the 
> server programs (as telnet is now) avoiding the added complexity of 
> creating tunnels between each pair of servers. This system could be 
> used for secure connection between nodes as well as for connection and 
> identification of users, who could continue to access in an insecure 
> way -without the ability to upload information to the network. It 
> would keep the connection system of the current client software 
> unchanged.
>
>
>
> Hope we can discuss all this among us, securing the future of an open, 
> safe and not hierarchically structured. This philosophy is IMHO the 
> one that has kept alive the dxcluster network during so many 
> years/decades.
>
> Thank you and 73 de Mikel EA2CW
>
>
>
>
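
Added example, not part of either message and not DXSpider code: one way the proposed (user:hash:origin_cluster) record could be built and checked so that a hash broadcast around the net is salted, slow to guess offline, and refused if malformed or too weak. The PBKDF2 scheme, the `$`-separated layout of the hash field, the iteration limits and all function names are assumptions; the proposal names no algorithm.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2-sha256"    # assumed scheme; the proposal names no algorithm
MIN_ITERATIONS = 600_000    # assumed floor: weaker records are refused
MAX_ITERATIONS = 5_000_000  # assumed ceiling: stops a record from stalling the node

def _enc(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")

def make_record(user, password, origin, iterations=MIN_ITERATIONS, salt=None):
    """Return 'user:hash:origin_cluster', hash = scheme$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    hash_field = f"{SCHEME}${iterations}${_enc(salt)}${_enc(digest)}"
    return f"{user.upper()}:{hash_field}:{origin.upper()}"

def parse_record(line):
    """Parse one record; raise ValueError on anything malformed or too weak."""
    fields = line.strip().split(":")
    if len(fields) != 3 or not all(fields):
        raise ValueError("expected user:hash:origin_cluster")
    user, hash_field, origin = fields
    parts = hash_field.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        raise ValueError("unknown hash scheme")
    iterations = int(parts[1])  # ValueError if not a number
    if not MIN_ITERATIONS <= iterations <= MAX_ITERATIONS:
        raise ValueError("iteration count outside local limits")
    salt = base64.urlsafe_b64decode(parts[2])    # bad base64 is a ValueError
    digest = base64.urlsafe_b64decode(parts[3])
    if len(salt) < 16 or len(digest) != 32:
        raise ValueError("bad salt or digest length")
    return user.upper(), iterations, salt, digest, origin.upper()

def verify(line, user, password):
    """True only if the record is well formed, is for this user, and matches."""
    try:
        rec_user, iterations, salt, digest, _origin = parse_record(line)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time comparison, and the callsign in the record must match.
    return hmac.compare_digest(candidate, digest) and rec_user == user.upper()

if __name__ == "__main__":
    # Constructed sample: callsign, password and node name are made up.
    rec = make_record("n0call", "correct horse", "n0node-2")
    print(rec, verify(rec, "N0CALL", "correct horse"), verify(rec, "N0CALL", "wrong"))
```
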



