[aprssig] APRS-IS Passcode alternative: SSL + Certificates, with no data encryption

Matti Aarnio oh2mqk at sral.fi
Sat Mar 29 15:47:52 EDT 2014

On Sat, Mar 29, 2014 at 04:22:14PM +0100, Andre wrote:
> op 29-03-14 09:10, Heikki Hannikainen schreef:
> >
> >* Yes, it can be used with UI-View32 - just run a client-side SSL
> >Proxy app such as 'stunnel' to make the SSL connection to the
> >server :)
> Is it limited to tcp or can it be used for udp as wel so we can use
> it for direct links between stations that want to bridge to a remote
> alternate frequentie using ax/udp? (mostly usefull for remote
> monitoring an event etc. on rf but can have other implementations
> as well)

As long as you stick to very old software and platforms, you can not
take new better protocols to good use.  Intro of such does not mean
you have to abandon old clients.  They can still be supported, but
to get full benefits the clients need to be revised too.

Reasons for AX/UDP are:
 * It is easy to send UDP datagrams of arbitrary record limited data
   (Up to about 1400 bytes, before fragmentation becomes necessary and
    things get complicated..)
 * TCP is not datagram protocol, and requires additional wrapper around
   packets, especially as it must be BINARY TRANSPARENT.
 * TCP does retransmission until rather long timeout, which causes
   unpredictable delivery delays  (Ok for most uses, bad for having
   APRS radio links behind them)
 * UDP does produce realiably low delivery latency because it does
   not do _any_ retransmission.

There are two ways to get reliable retransmission with control/indication
of outdated packets:

 1) Send them over TCP in wrappers with second (or centisecond or
    millisecond) timestamps; that requires network connected systems
    doing time synchronization - for example NTP

 2) Use SCTP protocol with explicitly controlled retransmission
    deadline per datagram, plus a wrapper for end-to-end time
    delay tracking, and other such possible aspects
    (Deliver it in 3.00 seconds, or indicate abandonement.)

Both need different protocol than just plain throwing TNC2 monitor
text lines over the links.  As a side-feature that would mean capability
of sending binary transparent data over the APRS-IS.

When introducing new protocol, one can get for free also things like
pre-parse rx-igated packet at the igate, and feeding canonical type
information, coordinates in radians, symbols, callsigns.  Now every
APRS-IS core server can avoid parsing the packet, and instead just
read pre-parsed information and process filters - very fast.
Support for older clients is done by entry server parsing the packet,
and sending it in pre-parsed form to others.
(Or by making a gateway software to which UIVIEW32 users connect
within their own machine.)

The old Mozilla proprietary protocol was called Secure Socket Layer
(SSL), and when it was reworked at IETF it got named Transport Layer
Security (TLS).

The TLS protocol has a cousin called DTLS which runs over UDP or SCTP.

It is still throwing up occasional spanners from the wood-word, and
implementations are being developed.  Both closed and open source.

Where you can run the SCTP?
 * Any modern Linux
 * Any modern BSD
 * Any modern Solaris

There both C and Java programmers can use it.

 * Cisco IOS based systems
 * Commercial 3rd-party stacks for Windows
 * OpenSource 3rd-party stacks for Windows (problems with Windows 8?)

For Windows you seem to be out of your luck.  But maybe Microsoft
will deliver it in next 10 years or so, they took lots of time for
delivering IPv6 too in the standard product...

I am interpreting some of the opinions stated at this email list as
"because windows users can not use it, it is not worth for anyone".
Actually most of the APRS-IS network servers run on top of UNIXes,
there are some rare Windows hold-outs there too.

> If it is limited to tcp it would leave PBQ32's ax/tcp implementation
> for this task or mess around with range filtering adjusting trottle
> settings and non intended use of is to rf gating.

AX/SCTP would be better, but SCTP not being available on Windows
not be available to many of you.

> 73 de Andre PE1RDW

73 de Matti, OH2MQK

More information about the aprssig mailing list