hswan

Status: Dead and archived for posterity. It might come dead for a v2. Ask q3k.

q3k's pipedream of an intra-Hackerspace (and not only) alternate IP network, based on point-to-point links and BGP. Currently centered around the Warsaw Hackerspace.

Technology

Secure links over the public internet or private links
BGP with 32-bit AS names
- RFC1918 10/8 allowed
- might allow longer IPv4 prefixes than /24
- need to find a crypto system for allowing ASses and prefixes to be announced - right now, we are as secure as the Internet is (not much)

Number Assignement

Currently, there is one assignment authority, and that is the Warsaw Hackerspace. For assignment, please contact bofh@hackerspace.pl.

ASN

We use the 32-bit private ASN numbering scheme, as defined by RFC6996. Each system that is part of the WAN must have an AS number assigned.

ASN	OrgName	PoC	Physical presence	Willing to peer physically?
4242424242	Warsaw Hackerspace	bofh@hackerspace.pl	Warsaw, ul. Wolność 2A	Yes. Radio within LoS
4250000001	q3knet	q3k@q3k.org	Garching, Bayern, Germany	Maybe? Freifunk MUC?
4250000002	Hackerspace Krakow	noc@hackerspace-krk.pl	Cracow, Zacisze 5/P1	Probably ;)
4250000003	Dragon Sector	noc@drgns.pl	n/a (Internet)	No.
4250000004	Nibylandia	ar@bash.org.pl	Warsaw, ul. ?
4250000005	_lambdarail_	lquawl@hackerspace.pl	Warsaw, ul. Jaktorowska
4250000006	pidpawel	abuse@pidpawel.eu	Kraków, Ruczaj	Yes.
4242422001	buka	enki@fsck.pl	Warsaw
4250000008	dfgg	dfgg@hackerspace.pl	Bydgoszcz	Currently no.
4250000009	archnet	on demand via q3k@hspl	Warsaw
4250000010	hskrk-mciancia		Kraków
4250000011	aquila	mlen@mlen.pl	Jelenia Góra
4250000012	googlecloud	q3k@q3k.org	THE CLOUD
4250000013	tog	admin@tog.ie	Blackpitts, Dublin	Yes.
4250000014	hskrk-wiktor	wiktor@hackerspace-krk.pl	Kraków, ul. Kluzeka	sure, will try mesh soon
4250000015	tkd	tomek@hackerspace.pl	Kallang Road, Singapore	No.
4250000016	hskrk-alwaro	alwaronx@gmail.com	Kraków
4250000017	finitestate.solutions	fss@finitestate.solutions	Warsaw, ul. Wolność 2A	Yes.
4250000018	hsldz	lodz@lists.hackerspace.pl	Łódź
4250000019	hswro	wiktor@hackerspace-krk.pl	Wrocław	yup
4250000020	hskrk-zagura

IPv4 Addresses

We use the 24-bit RFC1918 pool. When we run out, we'll figure out what to do. Bear in mind, a location can use IPv4 outside this pool (or overlapping), but they will need to be NATted.

Prefix	OrgName	NetName
10.8.0.0/14	Warsaw Hackerspace	hswawnet01
10.12.0.0/16	Hakerspace Krakow	hskrknet01
10.13.0.0/16	Dragon Sector	dsnet01
10.14.0.0/16	hsldz	hsldz01
10.21.0.0/16	dfgg	hurrdurr01
10.23.0.0/16	pidpawel	pidnet01
10.24.10.0/24	Nibylandia	nbland01
10.24.20.0/24	Nibylandia	nbland02
10.24.250.0/24	Nibylandia	nbland03
10.25.0.0/16	_lamdarail_	lbrail01
10.26.0.0/16	archnet	archnet01
10.30.0.0/24	googlecloud	googlecloud-euwest1
10.30.1.0/24	googlecloud	googlecloud-uscentral1
10.42.0.0/16	hskrk	hskrk-members
10.42.0.0/20	hskrk-wiktor	hskrk-wiktor
10.42.16.0/20	hskrk-mciancia	hskrk-mciancia
10.42.32.0/20	hskrk-alwaro	hskrk-alwaro
10.42.48.0/20	hskrk-zagura	hskrk-zagura
10.44.0.0/16	hswro	hswro01
10.48.0.0/16	tog	tog01
10.50.0.0/24	tkd	xibalba
10.78.0.0/24	q3knet	q3knet01
10.78.1.0/24	q3knet	q3knet02
10.78.2.0/24	q3knet	q3knet03
10.99.0.0/24	BUKA	BUKA-HSWAN-NET
10.100.0.0/23	aquila	aquila01
10.110.0.0/16	finitestate.solutions	fss00
172.20.171.64/26	BUKA	BUKA-DN42-NET

IPv6 Addresses

We need to figure this out soon.

Security Implications

Since we base off the technology stack of the Internet, security is mostly by trust. This means that, if you join hswan, you should take precautions by securing your local network. Remember to:

Make sure to only expose services that you would feel comfortable with being directly on the Internet, so
- Statefully firewall off access to your guests' machines (laptops, phones…)
- Keep your network device management interfaces away from the WAN completely
Filter incoming BGP prefixes against injection of your own address space and 0/0
Not really rely on the confidentiality of a link to another site (use end-to-end encryption)
Whitelist, not blacklist everything

With these precautions in place you should be able to experience the fun of having a world-wide Hackerspace WAN without putting your network in danger

How to join

Get an ASN and IPv4 network assigned
Find a party to peer with
- If interested in a physical link, find one with a physical presence nearby
- If interested in a virtual link, find whomever you can trust and who will trust you
Establish connectivity, notify Warsaw Hackerspace ops.

How to give someone access

Please notify Warsaw Hackerspace ops that you will be setting up a link with third parties
Make sure to only give access to parties that you can trust
Allowing propagation of hijacked prefixes and ASN announcements are ground for automatic termination of connectivity

Compared to ChaosVPN

q3k does not really enjoy the idea of being locked into one piece of software. Everything speaks BGP, and the physical link choice is left for the peers to decide (OpenVPN/IPSec/ATM/MPLS/CAT6/Fiber/Radio…).

Also, hswan is more fun and less secure.

Compared to dn42

Same concept - hswan was conjured up before q3k was aware of dn42.

hswan is also compatible with the HSWAW address space and has more blocks available… for now.

hswan @ hswaw

You are free to use the following services:

DNS for waw.hackerspace.pl: 10.8.1.2
~~NAS (for access talk to our BOsFH): 10.8.1.24~~
~~Our private cloud / virtualization service (register an account with our BOsFH first)~~
~~A Minecraft server managed by elia: 10.11.1.24~~

If you are @HSWAW, you are in HSWAN! Your laptop is statefully firewalled (only outgoing connections are allowed), don't worry. Additionally, if you host anything in our Lab, it will be accessible to people from the WAN.

Table of Contents