# Security Model

Core principle: FreeDMR may sign and authenticate traffic and control messages, but it should not encrypt amateur-radio or mesh traffic by default.

The security model is about authenticity, integrity, membership validation, and local policy, not secrecy. Amateur radio is public, and users may provide IP backhaul over amateur-radio links, where encryption rules matter.

## Mesh Authentication

Preferred direction:

- PKI-backed FBP peer admission through Bridge Control / BCXX.
- Signed server/sysop identity.
- Bind the server ID, authorized sub-IDs, public key, validity period, and features where useful.
- Bind the authenticated identity to the observed endpoint/IP.
- If the endpoint changes, the peer must re-authenticate.
- Expensive signature/certificate validation is control-plane work.
- The packet plane uses cached authenticated session state.
- Soft renewal should avoid interrupting in-flight voice when it is safe to do so.
- Hard stop on revocation, explicit failure, endpoint mismatch outside policy, grace expiry, or local policy.

## Identity and Listing

A signed identity proves membership and identity; it does not oblige anyone to carry traffic. Public listing is separate from mesh identity.

Local sysops may choose whether to carry or vouch for traffic. A valid signed key does not override local policy.

Vouching-sysop accountability is part of FreeDMR's social trust model. A sysop who allows problematic traffic onto the mesh may find that other peers stop peering with them.

One verification of a key may cover the server ID and the authorized sub-IDs for that sysop/server deployment.

## Distributed Key Gossip Option

Signed membership documents may be gossiped over bounded, rate-limited BCXX.

Peers validate the signatures and build local key tables. Revocation, expiry, serials, and replay protection are required.

Key gossip cannot create trust by mere repetition; a document is only as trustworthy as its signature. The packet path must use cached key/policy state.

This supports autonomous routing decisions for packets that originated from a server even when that source server is not directly connected.
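To make the Mesh Authentication bullets and the gossip requirements (serials, expiry, revocation) concrete, here is an added Python sketch, not FreeDMR's own code, of a peer table that keeps the expensive checks in `admit()` and gives the packet plane a cache-only `packet_allowed()`. It assumes a membership document with `server_id`, `sub_ids`, `serial` and `not_after` fields, uses an HMAC over canonical JSON as a stand-in for the Ed25519/X.509 signature the page leaves open, and all IDs, endpoints and keys are constructed.

```python
import hashlib, hmac, json

# Stand-in for the real signature check: an HMAC under a constructed trust-anchor key.
# A deployment would verify an Ed25519 or X.509 signature here instead (open question above).
TRUST_ANCHOR = b"constructed-demo-trust-anchor"

def canonical(doc):  # deterministic bytes so signer and verifier hash the same thing
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
def sign(doc, key=TRUST_ANCHOR):
    return hmac.new(key, canonical(doc), hashlib.sha256).hexdigest()
def verify(doc, sig, key=TRUST_ANCHOR):
    return hmac.compare_digest(sign(doc, key), sig)

class PeerTable:
    """Control-plane admission plus the cached state the packet plane consults."""
    def __init__(self, grace=300):
        self.sessions = {}     # server_id -> {"sub_ids", "endpoint", "not_after"}
        self.last_serial = {}  # highest document serial seen per server_id
        self.revoked = set()   # server_ids under a hard stop
        self.grace = grace     # seconds of soft grace after not_after

    def admit(self, doc, sig, endpoint, now):
        """Expensive control-plane check; returns 'ok' or the rejection reason."""
        sid = doc["server_id"]
        if not verify(doc, sig):
            return "bad-signature"
        if doc["serial"] < self.last_serial.get(sid, 0):
            return "replayed-serial"  # older document than one already seen
        if now > doc["not_after"]:
            return "expired"
        if sid in self.revoked:
            return "revoked"
        self.last_serial[sid] = doc["serial"]
        # Bind the verified identity (server ID plus its sub-IDs) to the observed endpoint.
        self.sessions[sid] = {"sub_ids": set(doc["sub_ids"]), "endpoint": endpoint, "not_after": doc["not_after"]}
        return "ok"

    def packet_allowed(self, src_id, endpoint, now):
        """Cheap packet-plane check: cached state only, no signature work."""
        for sid, s in self.sessions.items():
            if src_id == sid or src_id in s["sub_ids"]:
                if s["endpoint"] != endpoint:
                    del self.sessions[sid]  # endpoint moved: peer must re-authenticate
                    return False
                return now <= s["not_after"] + self.grace  # soft grace, then hard stop
        return False  # unknown source: not carried

    def revoke(self, sid):  # hard stop: drop the session and refuse re-admission
        self.revoked.add(sid)
        self.sessions.pop(sid, None)
```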

## Analogue and Digital Bridge Policy

Analogue ROIP bridges may connect as HBP clients. Permitted does not mean automatically valuable.

Analogue bridges can be operationally sensitive because mixed or continuous analogue audio is a poor fit for DMR's one-source-at-a-time stream behaviour. They may hold a talkgroup (TG) open, play tones, or prevent digital users from breaking in until a carrier or timer drops.

Analogue bridges should be subject to local policy, listing expectations, and peer accountability.

YSF/NXDN and other AMBE-family networks are often a better technical match than analogue or unlike-codec transcoding, because they can avoid lossy audio translation.

## Open Questions

- X.509 certificates versus simpler Ed25519-signed membership documents.
- The exact revocation and renewal distribution process.
- The default grace period for soft re-authentication.
- How much key gossip should be enabled by default.