Let me see if I can summarize to ensure we all agree on the problem.

"Because there is no strong validation of the license status of any connector to the APRS-IS, it is possible for a non-ham to make illegal RF transmissions through the APRS-IS."

As Steve pointed out, licensed hams can cause DoS attacks (although that technically could be considered a violation due to jamming on RF, that probably wouldn't hold up in court against the originator, but might be put against the TX-IGater). So authentication won't help there.

The US FCC regs specifically state that the first forwarding station is liable for illegal transmissions and ensuring the originator is legally allowed to send the data; subsequent stations are not liable, but are expected to stop forwarding the illegal transmissions once they become aware of them. Can't speak for other nations' regulations, but assuming something similar or more stringent would be safe.

So, we need a way for anybody Tx-IGating to confirm that the packet originator is licensed to transmit to RF, and/or the Igater is allowed to transmit third-party traffic on behalf of the originator. So they have to be able to confirm the originator's license status and/or country of origin (per international agreements regarding third-party traffic handling).

Due to the possibility of forging callsigns, every single packet routed through the APRS-IS would need to be identified with its origination point (client injecting into the APRS-IS) in a form that rogue APRS-IS servers couldn't forge. That doesn't fully help with Rx-Igated traffic (the original station using RF, but if they are transmitting illegally to get to the IGate, that's a separate issue anyway).

Due to the distributed nature of the APRS-IS, we would need a way to ensure all servers were compliant with enforcing origination ID's. So servers that didn't provide origination ID's in their sideways or upwards links to other APRS-IS servers would eventually have to be removed from the network.

So, we would need:

1. Strong and non-repudiable identification of the license status and country of origin of every APRS-IS client instance (not the authors, but the users).

2. Attaching that identification to each packet from that client passed through the APRS-IS.

3. Allowing the selective rejection of traffic from users found to be in violation (perhaps through blacklists and/or Certificate Revocation Lists).

Does that about sum it up?

Andrew Pavlin, KA2DDO

> From: steve-***@public.gmane.org
> Date: Sat, 29 Mar 2014 09:05:10 -0400
> To: aprssig-***@public.gmane.org
> Subject: Re: [aprssig] APRS-IS Passcode alternative: SSL + Certificates, with no data encryption
>
>
> On Mar 29, 2014, at 4:10 AM, Heikki Hannikainen <hessu-***@public.gmane.org> wrote:
> >
> > * The server at this point doesn't do anything else than that, but it could be improved to pass that knowledge onwards to other servers together with the packets, and then onwards to other clients. For that to be useful, the servers also need to authenticate with each other in a strong way (not just passcode). aprsc can do SSL between servers.
>
> This is where the problem I hit with the original APRS IS will bite. If you just have a small number of trusted servers a system like this where access is controlled at the entry points can work. But when you have a large number of server operators, and especially where the source code is available and can be modified by any one of those sysops, it becomes impossible to assure there are no weak links, accidental or intentional. Even in a system where all the servers are connected by SSL and all internet users are connected to the servers by SSL it is still possible for someone with a certificate to put any data on the APRS IS in an untraceable manner, and therefore impossible to block it.
>
> The way to solve this is to individually sign each packet in a way that allows tracing of the packet to an authenticator. Note that this does nothing to insure the data on the APRS IS is actually authentic, or to prevent a Denial of Service (DoS) attack; it is only a means to assign blame if bad data is found and then close the door to that particular certificate in the future.
>
> What I haven't heard is exactly what problem all this is aiming to solve. Is this a regulatory issue?
>
> In the US things are fine from the regulatory standpoint; there have been no problems yet the possibility exists there could be. To become a problem the FCC would have to capture a particular problem packet IGated by a specific station that violated its rules about profanity or commercial use, prove it came from a specific IGate operator (and since anyone in the LAN could have changed their call to the IGate operator call they need technical proof like T-hunting, not just the presence of the callsign in the packet), and issue a citation. This is a highly unlikely sequence of events.
>
> Are there countries that do not allow IGating from the present APRS IS but would if verification that every packet on the APRS IS was vouched for by someone with a LOTW certificate were assured? I'm no expert on international ham rules but I've never heard of anything like this, in all the examples I know countries either allow internet interconnection or don't.
>
> If not a regulatory issue, then is it is a general security issue? You don't want to wait until the horse is stolen to lock the door. Good sentiment, but we aren't locking something up with intrinsic value. Yes, I'd hate to see someone start a DoS attack on the APRS IS. If the SSL-based system prevented that, maybe it would be worth the effort. But it only prevents people that can't get ahold of a LOTW certificate from doing so. Few outside the ham community know about the APRS IS, and fewer care. Obviously none so far care enough to mount a DoS attack, since none have occurred with no barriers in place. Does eliminating the negligible threat of DoS from a non-ham make the effort worth it?
>
> Or is there some other reason I'm missing?
>
> It seems to me before we start discussing solutions there should be a clear consensus on the problem!
>
> Steve K4HG
> _______________________________________________
> aprssig mailing list
> aprssig-***@public.gmane.org
> http://www.tapr.org/mailman/listinfo/aprssig

Hi Steve,

* Steve Dimse <steve-***@public.gmane.org> [2014-03-29 14:05]:
> What I haven't heard is exactly what problem all this is aiming to
> solve. Is this a regulatory issue?

Actually, there is a basic problem: providing amateur radio services
over the Internet (besides of APRS, we have Echolink and HamNet as the
contenders, plus of course the LotW project; online logins to your radio
club etc. are possible future use cases).

Currently, all of these are solving the problem by different means, but
all of them require significant manual work. The manual passcode issuing
service we run on aprsdroid.org alone is approaching 20k total
applications, most of which have to be manually checked, and with a
large subset requiring additional communication with the applicants.

If you see no problems with providing a fully automatic,
no-checks-performed, passcode generator like the ones in the original
post, I will be the first one to cease all this tedious work and make
the passcode generation faster and easier for my users, at the cost of
allowing everybody onto APRS-IS.

However, if you consider the other groups doing amateur radio over IP,
we are here at the starting point of a great opportunity to reduce the
total amount of work (maybe by delegating certificate issuing to radio
clubs or regulators like the FCC), and to provide a common mechanism for
Internet-enabled amateur radio services.

73 de Georg DO1GL
--
APRSdroid - Open Source APRS Client for Android | http://aprsdroid.org/m
https://play.google.com/store/apps/details?id=org.aprsdroid.app | @APRSdroid

On Sat, Mar 29, 2014 at 04:22:14PM +0100, Andre wrote:
> op 29-03-14 09:10, Heikki Hannikainen schreef:
> >
> >* Yes, it can be used with UI-View32 - just run a client-side SSL
> >Proxy app such as 'stunnel' to make the SSL connection to the
> >server :)
>
> Is it limited to tcp or can it be used for udp as wel so we can use
> it for direct links between stations that want to bridge to a remote
> alternate frequentie using ax/udp? (mostly usefull for remote
> monitoring an event etc. on rf but can have other implementations
> as well)

As long as you stick to very old software and platforms, you can not
take new better protocols to good use. Intro of such does not mean
you have to abandon old clients. They can still be supported, but
to get full benefits the clients need to be revised too.

Reasons for AX/UDP are:
* It is easy to send UDP datagrams of arbitrary record limited data
(Up to about 1400 bytes, before fragmentation becomes necessary and
things get complicated..)
* TCP is not datagram protocol, and requires additional wrapper around
packets, especially as it must be BINARY TRANSPARENT.
* TCP does retransmission until rather long timeout, which causes
unpredictable delivery delays (Ok for most uses, bad for having
APRS radio links behind them)
* UDP does produce realiably low delivery latency because it does
not do _any_ retransmission.

There are two ways to get reliable retransmission with control/indication
of outdated packets:

1) Send them over TCP in wrappers with second (or centisecond or
millisecond) timestamps; that requires network connected systems
doing time synchronization - for example NTP

2) Use SCTP protocol with explicitly controlled retransmission
deadline per datagram, plus a wrapper for end-to-end time
delay tracking, and other such possible aspects
(Deliver it in 3.00 seconds, or indicate abandonement.)

Both need different protocol than just plain throwing TNC2 monitor
text lines over the links. As a side-feature that would mean capability
of sending binary transparent data over the APRS-IS.

When introducing new protocol, one can get for free also things like
pre-parse rx-igated packet at the igate, and feeding canonical type
information, coordinates in radians, symbols, callsigns. Now every
APRS-IS core server can avoid parsing the packet, and instead just
read pre-parsed information and process filters - very fast.
Support for older clients is done by entry server parsing the packet,
and sending it in pre-parsed form to others.
(Or by making a gateway software to which UIVIEW32 users connect
within their own machine.)


The old Mozilla proprietary protocol was called Secure Socket Layer
(SSL), and when it was reworked at IETF it got named Transport Layer
Security (TLS).

The TLS protocol has a cousin called DTLS which runs over UDP or SCTP.
http://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security

It is still throwing up occasional spanners from the wood-word, and
implementations are being developed. Both closed and open source.


Where you can run the SCTP?
* Any modern Linux
* Any modern BSD
* Any modern Solaris

There both C and Java programmers can use it.

Additionally:
* Cisco IOS based systems
* Commercial 3rd-party stacks for Windows
* OpenSource 3rd-party stacks for Windows (problems with Windows 8?)

For Windows you seem to be out of your luck. But maybe Microsoft
will deliver it in next 10 years or so, they took lots of time for
delivering IPv6 too in the standard product...


I am interpreting some of the opinions stated at this email list as
"because windows users can not use it, it is not worth for anyone".
Actually most of the APRS-IS network servers run on top of UNIXes,
there are some rare Windows hold-outs there too.


> If it is limited to tcp it would leave PBQ32's ax/tcp implementation
> for this task or mess around with range filtering adjusting trottle
> settings and non intended use of is to rf gating.

AX/SCTP would be better, but SCTP not being available on Windows
not be available to many of you.


> 73 de Andre PE1RDW

73 de Matti, OH2MQK