hswan

q3k's pipe dream of an intra-Hackerspace (and not only) alternative IP network, based on point-to-point links and BGP. Currently centred around the Warsaw Hackerspace.

Technology

  • Secure links over the public Internet, or private links
  • BGP with 32-bit AS numbers
    • RFC1918 10/8 allowed
    • might allow IPv4 prefixes longer than /24
    • need to find a cryptographic scheme for authorising which ASes may announce which prefixes - right now we are as secure as the Internet is (not much)

Number Assignment

Currently, there is one assignment authority, and that is the Warsaw Hackerspace. For assignment, please contact bofh@hackerspace.pl.

ASN

We use the 32-bit private AS number range defined by RFC6996. Each system that is part of the WAN must have an AS number assigned.

ASN         OrgName             PoC                     Physical presence
4242424242  Warsaw Hackerspace  bofh@hackerspace.pl     Warsaw, Długa 44/50
4250000001  q3knet              q3k@q3k.org             Frankfurt, Warsaw
4250000002  Hackerspace Krakow  noc@hackerspace-krk.pl  Cracow, Radziwiłłowska 20/2
4250000003  Dragon Sector       noc@drgns.pl            n/a (Internet)
4250000004  Nibylandia          ar@bash.org.pl          Warsaw, ul. Bacha
4250000005  _lambdarail_        lquawl@hackerspace.pl   Warsaw, ul. Bacha
4250000006  pidpawel            abuse@pidpawel.eu       It's complicated
4250000007  buka                enki@fsck.pl            Warsaw
4250000008  dfgg                dfgg@hackerspace.pl     Bydgoszcz

IPv4 Addresses

We use the RFC1918 24-bit block (10.0.0.0/8). When we run out, we'll figure out what to do. Bear in mind that a site may use IPv4 addresses outside this pool (or overlapping it), but those will need to be NATted.

Prefix        OrgName             NetName
10.8.0.0/14   Warsaw Hackerspace  hswawnet01
10.12.0.0/16  Hackerspace Krakow  hskrknet01
10.13.0.0/16  Dragon Sector       dsnet01
10.23.0.0/16  pidpawel            pidnet01
10.24.0.0/16  Nibylandia          nbland01
10.25.0.0/16  _lambdarail_        lbrail01
10.78.0.0/24  q3knet              q3knet01
10.78.1.0/24  q3knet              q3knet02
10.78.2.0/24  q3knet              q3knet03
10.99.0.0/24  buka                bukalan

IPv6 Addresses

We need to figure this out soon.

Security Implications

Since we build on the Internet's technology stack, security is mostly a matter of trust. This means that, if you join hswan, you should take precautions by securing your local network. Remember to:

  • Only expose services that you would feel comfortable with being directly on the Internet, so:
    • Statefully firewall off access to your guests' machines (laptops, phones…)
    • Keep your network device management interfaces away from the WAN completely
  • Filter incoming BGP prefixes against injection of your own address space and 0/0
  • Not rely on the confidentiality of a link to another site (use end-to-end encryption)
  • Whitelist everything rather than blacklisting
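The prefix filtering asked for above, together with the RFC6996 private-ASN and 10/8 rules from the Technology and Number Assignment sections, can be expressed as a small route-policy check. The following Python is an added example, not code from the hswan project or from q3k; the Announcement record, the sample feed, and the /24 maximum-length threshold are assumptions made for illustration, while the registry table is copied from the tables on this page.

```python
import ipaddress
from dataclasses import dataclass

# Private 32-bit ASN range from RFC 6996 (4200000000 to 4294967294), the scheme hswan uses.
PRIVATE_ASN_MIN = 4200000000
PRIVATE_ASN_MAX = 4294967294

# The RFC 1918 24-bit block (10/8) that hswan draws IPv4 assignments from.
HSWAN_POOL = ipaddress.ip_network("10.0.0.0/8")

# Assignment registry copied from the tables on this page: prefix -> ASN it is registered to.
REGISTRY = {
    "10.8.0.0/14": 4242424242,   # Warsaw Hackerspace
    "10.12.0.0/16": 4250000002,  # Hackerspace Krakow
    "10.13.0.0/16": 4250000003,  # Dragon Sector
    "10.23.0.0/16": 4250000006,  # pidpawel
    "10.24.0.0/16": 4250000004,  # Nibylandia
    "10.25.0.0/16": 4250000005,  # _lambdarail_
    "10.78.0.0/24": 4250000001,  # q3knet
    "10.78.1.0/24": 4250000001,  # q3knet
    "10.78.2.0/24": 4250000001,  # q3knet
    "10.99.0.0/24": 4250000007,  # buka
}
REGISTRY_NETS = {ipaddress.ip_network(p): asn for p, asn in REGISTRY.items()}


@dataclass
class Announcement:
    """One prefix as received from a BGP neighbour (hypothetical, simplified record)."""
    prefix: str
    as_path: list  # left-most entry is the neighbour, right-most is the origin AS


def check_announcement(ann, own_prefixes, max_prefixlen=24):
    """Apply the page's filtering rules to one announcement; return (accepted, reason)."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    if net.version != 4:
        return False, "not IPv4 (hswan has no IPv6 plan yet)"
    # Never accept a default route from a peer.
    if net.prefixlen == 0:
        return False, "default route 0/0"
    # Reject anything overlapping our own address space: a peer must not inject our nets.
    for own in (ipaddress.ip_network(p) for p in own_prefixes):
        if net.overlaps(own):
            return False, f"overlaps own space {own}"
    # Only the 10/8 pool is carried on hswan.
    if not net.subnet_of(HSWAN_POOL):
        return False, "outside 10.0.0.0/8 pool"
    # Do not accept more-specifics beyond the agreed maximum length (assumed /24 here).
    if net.prefixlen > max_prefixlen:
        return False, f"longer than /{max_prefixlen}"
    # Every AS in the path must be an RFC 6996 private 32-bit ASN.
    if not ann.as_path:
        return False, "empty AS path"
    for asn in ann.as_path:
        if not PRIVATE_ASN_MIN <= asn <= PRIVATE_ASN_MAX:
            return False, f"ASN {asn} outside RFC 6996 private range"
    # The origin AS must be the one the covering prefix is registered to (hijack check).
    origin = ann.as_path[-1]
    for reg_net, reg_asn in REGISTRY_NETS.items():
        if net.subnet_of(reg_net):
            if origin != reg_asn:
                return False, f"origin {origin} does not hold {reg_net} (registered to {reg_asn})"
            return True, "ok"
    return False, "prefix not covered by the assignment registry"


def filter_feed(announcements, own_prefixes):
    """Split a received feed into accepted prefixes and (prefix, reason) rejections."""
    accepted, rejected = [], []
    for ann in announcements:
        ok, reason = check_announcement(ann, own_prefixes)
        if ok:
            accepted.append(ann.prefix)
        else:
            rejected.append((ann.prefix, reason))
    return accepted, rejected


# Constructed sample feed, as Warsaw Hackerspace (10.8.0.0/14) might receive it from one peer.
OWN_PREFIXES = ["10.8.0.0/14"]
SAMPLE_FEED = [
    Announcement("10.12.0.0/16", [4250000002]),              # legitimate, origin matches
    Announcement("0.0.0.0/0", [4250000002]),                 # default route injection
    Announcement("10.8.1.0/24", [4250000002]),               # our own space announced back at us
    Announcement("10.13.0.0/16", [4250000002, 4250000006]),  # wrong origin for Dragon Sector space
    Announcement("192.168.1.0/24", [4250000003]),            # outside the 10/8 pool
    Announcement("10.12.5.0/25", [4250000002]),              # too specific
    Announcement("10.12.0.0/16", [65000, 4250000002]),       # 16-bit private ASN in the path
    Announcement("10.78.1.0/24", [4250000002, 4250000001]),  # legitimate path via Krakow to q3knet
]

if __name__ == "__main__":
    acc, rej = filter_feed(SAMPLE_FEED, OWN_PREFIXES)
    print("accepted:", acc)
    for prefix, reason in rej:
        print(f"rejected {prefix}: {reason}")
```

On a real router this logic lives in the import filter of the BGP daemon rather than in Python; the point of the example is that the "own space and 0/0" rule alone is not enough to catch the hijacked-origin case that the "How to give someone access" section threatens with termination, so the filter also compares the origin AS against the assignment registry.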

With these precautions in place you should be able to experience the fun of having a world-wide Hackerspace WAN without putting your network in danger.

How to join

  • Get an ASN and IPv4 network assigned
  • Find a party to peer with
    • If interested in a physical link, find one with a physical presence nearby
    • If interested in a virtual link, find whomever you can trust and who will trust you
  • Establish connectivity, notify Warsaw Hackerspace ops.

How to give someone access

  • Please notify Warsaw Hackerspace ops that you will be setting up a link with third parties
  • Make sure to only give access to parties that you can trust
  • Allowing propagation of hijacked prefixes or ASN announcements is grounds for automatic termination of connectivity

Compared to ChaosVPN

q3k does not really enjoy the idea of being locked into one piece of software. Everything speaks BGP, and the physical link choice is left for the peers to decide (OpenVPN/IPSec/ATM/MPLS/CAT6/Fiber/Radio…).

Also, hswan is more fun and less secure.

hswan @ hswaw

You are free to use the following services:

If you are @HSWAW, you are in HSWAN! Your laptop is statefully firewalled (only outgoing connections are allowed), so don't worry. Additionally, if you host anything in our Lab, it will be accessible to people from the WAN.

projects/hswan.1437061230.txt.gz · Last modified: 2015/07/16 15:40 by dfgg