[Dxspider-support] Secure node to node connection proposal

g4piq at btinternet.com g4piq at btinternet.com
Sun Feb 26 11:06:23 GMT 2023 

I run a cluster which is optimised to meet the needs of groups of contesters
who I'm in various teams with (GB7MRS). It's actually currently isolated (in
the traditional usage of set/isolate) from the rest of the network until I
get round to implementing a local spot and global spot option. 

I think the only way that Mikel's proposal would work would be to have a new
'clean' network - with the sorts of controls which Mikel suggests, and a
'dirty' network - that looks like we have today (and is probably actually
the existing network less those who leave to join the 'clean' one.) 

As a competitive contester - I want to receive the maximum number of spots
received with the minimum latency with an acceptable level of accuracy. I
would be happy to run a cluster with enforced registration and even
passwords to send spots and to connect to the clean network. But I would
also connect it to the 'dirty' network with an incoming hop count of 1 (I
assume that is supported) to ensure my users saw all spots, but none were
passed onto the rest of the clean network.

BTW - my sense is that the big source of trouble is from DXSummit - that
feels like the open gate which  needs addressing.

73

Andy, G4PIQ

-----Original Message-----
From: Dxspider-support <dxspider-support-bounces at tobit.co.uk> On Behalf Of
Iain Philipps via Dxspider-support
Sent: 26 February 2023 09:44
To: 'The DXSpider Support list' <dxspider-support at tobit.co.uk>
Cc: Iain Philipps <iain.philipps at 77hz.net>
Subject: Re: [Dxspider-support] Secure node to node connection proposal
Importance: High

This will be a GREAT way to shrink the cluster network.

There are a  SIGNIFICANT number of SysOps who don't have the time to manage
hundreds of users and passwords.

This is *AMATEUR RADIO* not online banking. I understand we need to do
something about the "spam", but alienating / disenfranchising SysOps is a
*VERY* bad plan.


73 de WR3D

-----Original Message-----
From: Dxspider-support <dxspider-support-bounces at tobit.co.uk> On Behalf Of
Mikel EA2CW via Dxspider-support
Sent: 26 February 2023 09:36
To: Keith Maton via Dxspider-support <dxspider-support at tobit.co.uk>
Cc: Mikel EA2CW <ea2cw at gautxori.com>
Subject: [Dxspider-support] Secure node to node connection proposal

After a lot of hours with some sysops already here, I have wrote down a
first proposal of the first -small- step we could take, rising a bit the
node 2 node connections. Again, this is only a basic document to start, not
an absolute and unique true.
I expect to have an good open discussion among all us to define and agree
the path to a better dx-cluster net.

NODE<>NODE SECURE CONNECTION CRITERIA:

1. Unregistered users can connect and view spots, they cannot upload any
info into the network.

2. Registered users can login, view and also upload spots, anns, etc.

3. All registered users must have a password. Registered users without
password would not be acceptable.

4. All nodes to which the node is connected must meet the same requirements.

5. The connection between nodes must be between registered nodes and with
password, that is:
     - set/spider [node]
     - set/reg <node>
     - set/password <node>
     - set/password <node> <password>.
     (The /spider/connect/<server> files must be modified so that the
password is used).

6. If possible, the connection between nodes should be made via ssh or other
secure mechanism. (Already testing a ssh tunneling protocol with
success)

7. The connection to the RBN servers is optional from each server, but the
received RBN spots will not be forwarded to other nodes.

After -I hope- achieving an agreement, I would want to start a net where all
the clusters connected meet the agreed conditions.
I ask you the sysops whom already meet them or with this aim, to contact me
and other partners in the same position for a -probably- slow but firm
evolution.


POSSIBLE NEXT STEPS IN THE FUTURE

* A protocol should be designed within the dx-cluster standard to share
hashed passwords between nodes, avoiding the need to register multiple times
the same user in different nodes and reducing the maintenance tasks of each
sysop. This information, i.e. (user:hash:origin_cluster) could be later be
broadcasted around the net and/or being also distributed via config files as
we already do, i.e. with bad IPs, and stored on each node.

* The connections of identified nodes / users to any node should be made
always using secured connections. No more telnet usr/pwd open transmissions
should be allowed.

* The secure connection system should be implemented as a part of the server
programs (as telnet is now) avoiding the added complexity of creating
tunnels between each pair of servers. This system could be used for secure
connection between nodes as well as for connection and identification of
users, who could continue to access in an insecure way -without the ability
to upload information to the network. It would keep the connection system of
the current client softwares unchanged.



Hope we can discuss all this among us, securing the future of an open, safe
and not hierarchically structured. This philosophy is IMHO the one that has
kept alive the dxcluster network during so many years/decades.

Thank you and 73 de Mikel EA2CW




--
ea2cw at gautxori.com
Bilbao, Bizkaia. IN83MG
http://radio.gautxori.com
http://qrz.com/db/ea2cw
https://t.me/EA2CW


_______________________________________________
Dxspider-support mailing list
Dxspider-support at tobit.co.uk
https://mailman.tobit.co.uk/mailman/listinfo/dxspider-support


_______________________________________________
Dxspider-support mailing list
Dxspider-support at tobit.co.uk
https://mailman.tobit.co.uk/mailman/listinfo/dxspider-support

More information about the Dxspider-support mailing list