[aprssig] aprsis DOS in Poland, observation

Nick VA3NNW tapr at noseynick.com
Mon Sep 7 14:50:15 EDT 2020 

Scott Miller wrote:
> Please have mercy on us embedded implementers! PKI support would be 
> fine, as long as there's some other solution available for devices 
> that don't have the resources for asymmetric cryptography. A 
> pre-shared key, maybe, with any required crypto functions based on 
> something with low computational requirements like XXTEA.

THIS. My guess is a fair solution would be something like:

Connect with today's 4-to-5-digit passcode and you can connect but get 
your uplink rate-limited to something that's probably perfectly 
reasonable for embedded implementers, probably even "normal" RF igates, 
but won't allow you to paint poland with profanity

Connect with Mutual TLS (LotW cert *OR* similar "proof you are a ham" 
from other national / international licensing bodies PLEASE) and you get 
a whole lot more uplink bandwidth, much more suitable for running 
high-bandwidth igates or popular APRS services. You probably COULD paint 
poland, or at least draw a few scribbles on it, but would be a great way 
to get your cert revoked / added to the "deny" list until you can get it 
replaced. On the assumption that some hams DO get hacked, but also 
recognising that some idiots CAN surprisingly get a ham license... Maybe 
a "3 strikes and you're out" rule or something?

Connect with Mutual TLS (cert from / signed by "the backbone people" 
when you offered to host a backbone node) and you get all the uplink 
bandwidth you could can eat, FAR too much for RF, could definitely paint 
poland, BUT you'd get yourself banned from the backbone until your 
clearly-hacked cert can be replaced.

PROBABLY no reason to limit DOWNLINK bandwidth? You can / will obviously 
use filtered downlink (or no downlink) for embedded applications and/or 
RF igates, and I'm not (yet) aware of any way it can be (ab)used for DoS 
except possibly DoSing your own downlink?

I have somewhat assumed TCP above. UDP? "Discuss". Mutual DTLS?

HTTP and some of the other submission protocols? "Discuss"

OK, how about RF? Safe to assume you're already rate-limited enough 
and/or DF-able enough?

73, Nick VA3NNW

-- 
"Nosey" Nick Waterman, VA3NNW/G7RZQ, K2 #5209.
use Std::Disclaimer;    sig at noseynick.net
Xerox does it again and again and again and ...

More information about the aprssig mailing list