Hi there
The way we have always approached our network topology is to have the following
infrastructure on every exit node of the network - which is a node that also shares an ISP
uplink:
ISP router [LAN port] <eth> [WAN port] VPN router [LAN port] <eth> [WAN port] LiMe router [LAN port] <eth> [WAN port] HOME router
And this instead is the infrastructure on every other [non-exit] LiMe node:
LiMe router [LAN port] <eth> [WAN port] HOME router
Of course the final part of the exit node config is the same as the non-exit node config.
LiMe nodes that are not in a specific house or office [or those which are but their owner
doesn’t need a home network] don’t have a home router attached to them of course.
This way:
1] Every exit node uses the internet uplink without exposing its IP address, therefore
protecting the exit node owner from legal issues
2] Every LiMe node [exit or not] can have a Home network that is entirely private to them
but also has a reliable LiMe network uplink
3] The shared SSID is always reachable in every part of the network, but when the user is
home they can use their home SSID
The home network is only - I repeat - for those who request it.
In any event, since we’re talking about it, I must specify the way I see things related to
this topic [philosophical alert].
I strongly believe that this old-days assumption that the network is secure and that
devices can be vulnerable and are unsafe in public networks must come to an end. The
network is not secure, just like your neighbourhood’s roads aren’t [and if you think they
are right now, just wait until the city grows] and you, as a human, walking down them must
be able to handle foreigners and other “dangers” you encounter. Exactly like that,
devices must be able to protect themselves every day in every environment. The only way to
have a pseudo-secure digital lifestyle is to harden your device, employ device-specific
techniques to protect your traffic [always-on VPN at a system level, Tor for specific
applications], and understand that the future will make networks vaster and vaster every
day. As community networks rise, and persistent layers of multi-technology ever-present
connectivity become mainstream, towards the dream of the entire network, in all its
layers, being decentralised and - hopefully one day - distributed, every device will be
exposed to “THE INTERNET” itself [in the sense of all other devices around it] every
instant of every day, at home and also everywhere else.
Home networks are a temporary fix, but should not be treated as a long term substitution
for education on this topic and shifting this old and outdated frame of mind.
</ot> ;]
Nk
On 11 August 2017 at 12:11:44, Gio (gio(a)diveni.re) wrote:
> On Wednesday, 9 August 2017 16:03:33 CEST Amuza wrote:
>> Hi,
>> Sometimes I explain what this community network thing is to someone in
>> my district. They like the idea and they have an ISP router. Then I ask
>> them if they would like to share their Internet connection and they say
>> "yes, why not?". But then they ask if users in the community network
>> could have access to their private home network. I answer they could,
>> but it can be avoided in different ways: create different VLANs in the
>> ISP router, configure a firewall, close ports on the computers...
>> Then they stop liking this community network thing.
>> It is frustrating, because many people do not share their Internet
>> connection because of this, and so we lose the resources we need.
> Well it seems they have a curious idea of community... but I can understand it
> in the current situation, with media talking of "hackers" all the time...
>> I was wondering if there would be a way that LiMe could come
>> preconfigured in such a way that, when an Internet gateway is added, it
>> could only communicate to that ISP router, and no other host in that
>> private network. I mean to automatically create the proper firewall
>> rules so that the LiMe network could not access hosts in private networks.
>> That would not be real security, as that configuration could be removed
>> by any administrator in the community network, but we would be able to
>> start our answer saying "by default LiMe cannot enter into your private
>> network", and then explain what they could do to improve their security.
>> What do you think of it?
> I believe it is easy to do but I won't do this by default; you could
> eventually create a community profile (ask Pau for the correct naming) with
> this enabled by default, but ATM it is not on top of my priority stack.
>> Have you found this obstacle?
>> What would you reply to that person?
> Yeah, and I have answered that their computers are exposed to the internet
> anyway, so giving a little trust to your neighbours could be the first step to
> create a community.
>> Is my proposal doable?
> It is pretty easy I would say.
>> If so, should I open a Github issue? Where? In
>> lime-packages?
> It is not an issue, more a "feature" request I would say.
> Cheers!
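As an added illustration of the rule set Amuza asks about (this is not LibreMesh code and nothing the project ships by default): a script for an OpenWrt-based LiMe node with an ISP uplink that lets forwarded mesh traffic reach the ISP router but rejects it towards every other private address behind that uplink. The uplink interface name, the gateway address and the chain name are assumptions to adapt per node.

```shell
#!/bin/sh
# Added example, not LibreMesh code: isolate the mesh from the ISP's private LAN.
# Forwarded traffic leaving the LiMe node via its uplink may reach the ISP router
# (the gateway) but no other RFC1918 host on that LAN. Interface name, gateway
# address and the chain name "mesh_isolate" are assumptions; adapt them to the node.
# On OpenWrt with fw3 this could be called from /etc/firewall.user.

RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the iptables commands for <wan_if> <gateway_ip> without running them,
# so the policy can be reviewed (or tested) before it touches the node.
gen_rules() {
    wan_if="$1"; gw="$2"
    # A dedicated chain keeps the script idempotent: create it if missing, then flush.
    echo "iptables -N mesh_isolate 2>/dev/null || true"
    echo "iptables -F mesh_isolate"
    # Replies to flows a LAN host started towards the mesh are still allowed.
    echo "iptables -A mesh_isolate -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The ISP router is the only legitimate private destination behind the uplink.
    echo "iptables -A mesh_isolate -d $gw -j ACCEPT"
    # Every other private address behind the uplink is rejected (not dropped, so a
    # mesh user gets an immediate "prohibited" instead of a hanging connection).
    for net in $RFC1918; do
        echo "iptables -A mesh_isolate -d $net -j REJECT --reject-with icmp-admin-prohibited"
    done
    # Hook the chain into FORWARD only for packets leaving via the uplink;
    # mesh-internal traffic, which also uses private addresses, is untouched.
    echo "iptables -D FORWARD -o $wan_if -j mesh_isolate 2>/dev/null || true"
    echo "iptables -I FORWARD 1 -o $wan_if -j mesh_isolate"
}

# Apply the generated policy on the node (needs root and iptables).
# Example with constructed values: apply_rules eth0.2 192.168.1.1
apply_rules() {
    gen_rules "$1" "$2" | sh -e
}
```

Hosts on the ISP LAN can still open connections into the mesh; only the mesh-to-LAN direction is restricted, which is the case Amuza describes.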
_______________________________________________
lime-users mailing list
lime-users(a)lists.libremesh.org
https://lists.libremesh.org/mailman/listinfo/lime-users