Security Model
Core principle: FreeDMR may sign/authenticate traffic and control messages. FreeDMR should not encrypt amateur-radio or mesh traffic by default.
The security model is authenticity, integrity, membership validation, and local policy, not secrecy. Amateur radio is public, and users may provide IP backhaul over amateur-radio links where encryption rules matter.
Mesh Authentication
Preferred direction:
- PKI-backed FBP peer admission through Bridge Control / BCXX.
- Signed server/sysop identity.
- Bind server ID, authorized sub-IDs, public key, validity, and features where useful.
- Bind authenticated identity to observed endpoint/IP.
- If endpoint changes, peer must re-authenticate.
- Expensive signature/cert validation is control-plane work.
- Packet-plane uses cached authenticated session state.
- Soft renewal should avoid interrupting in-flight voice when safe.
- Hard stop on revocation, explicit failure, endpoint mismatch outside policy, grace expiry, or local policy.
Identity and Listing
Signed identity proves membership/identity, not mandatory carriage. Public listing is separate from mesh identity.
Local sysops may choose whether to carry or vouch for traffic. A valid signed key does not override local policy.
Vouching sysop accountability is part of FreeDMR's social trust model. A sysop allowing problematic traffic onto the mesh may see other peers stop peering with them.
One verification of a key may cover the server ID and authorized sub-IDs for that sysop/server deployment.
Distributed Key Gossip Option
Signed membership documents may be gossiped over bounded/rate-limited BCXX.
Peers validate signatures and build local key tables. Revocation, expiry, serials, and replay protection are required.
Key gossip cannot create trust by mere repetition. The packet path must use cached key/policy state.
This supports autonomous routing decisions for packets that originated from a server even when that source server is not directly connected.
Analogue and Digital Bridge Policy
Analogue ROIP bridges may connect as HBP clients. Permitted does not mean automatically valuable.
Analogue bridges can be operationally sensitive because mixed or continuous analogue audio is a poor fit for DMR one-source-at-a-time stream behaviour. They may hold a TG open, play tones, or prevent digital users from breaking in until a carrier/timer drops.
Analogue bridges should be subject to local policy, listing expectations, and peer accountability.
YSF/NXDN and other AMBE-family networks are often a better technical match than analogue or unlike-codec transcoding, because they can avoid lossy audio translation.
Open Questions
- X.509 certificates versus simpler Ed25519 signed membership documents.
- Exact revocation and renewal distribution process.
- Default grace period for soft re-authentication.
- How much key gossip should be enabled by default.