
                      XROUTER INTERIM DOCUMENTATION
                      =============================

			 TCP/IP Access Control
			 ---------------------

		  This revision dated: 17th July 2002



Purpose Of This Document
~~~~~~~~~~~~~~~~~~~~~~~~
"Interim" documentation is that which hasn't yet been incorporated into
the sysop manual.  It is intended to provide easily-accessible and
printable guidance for the configuration and use of new and possibly
experimental features, and is not guaranteed to be complete, accurate,
or permanent.  As development proceeds and feedback is received, the
software and this documentation may be modified.  When the development
cycle is complete, the information herein will be incorporated into the
sysop manual, and this document will be discontinued soon afterwards.

  ====================================================================


		       TCP/IP Access Control
		       =====================

Prior to version 174b, Xrouter contained only rudimentary security,
intended to prevent callers who accessed the router via an Internet
connection from downlinking on Amateur Radio frequencies.

However, the security measures were not functioning correctly, due to
a typo in the program.  It would have been simple to fix, but it had
only ever been intended as a temporary measure and was limited in
scope.

The problem is that some of the users who access via the internet may
be genuine Radio Amateurs, who may legitimately downlink on radio
frequencies, while other users may not. And different countries may
have different rules governing the interconnection of radio and
non-radio networks.

After considering the widely differing access requirements a new
system was implemented.  This uses a new file ACCESS.SYS which
specifies the login requirements appropriate to the caller's IP
address.

The entries in ACCESS.SYS are of the form:

	<subnet>[/bits] <access_flags>

	e.g. "44.0.0.0/8 1"

The <subnet> and [bits] parameters together define a range of IP
addresses from which Telnet connects will be accepted, and
<access_flags> defines the login requirements for that range.

The [bits] parameter specifies how many bits, from left to right,
of the source address should be matched against the corresponding
<subnet> address.  For example, 44.131.0.0/16 will test the incoming
IP address against the left-most 16 bits of 44.131.0.0, i.e. it will
match any source address beginning with 44.131. And 0.0.0.0/0 will
match any IP address, which is useful for specifying the default.
If more than one entry matches, the one with the highest [bits] value,
i.e. the most specific, is used.  If [bits] is not specified, it
defaults to 32, i.e. an exact match against a single address is
required.

The <access_flags> parameter is the sum of these flag values.

	1	Valid callsigns only
	2	Password required

A value of 0 means any "callsign" longer than 1 character will be
accepted, and no password is required.  In this context, "callsign"
could be a user name.  This is a zero security option, for use only
for the sysop's convenience on physically secure subnets.

A value of 1 requires the user to enter a valid amateur radio
callsign, i.e. a string containing alphanumeric characters in the
correct format, but no password is required.  This is a low security
configuration with minimal inconvenience, and is suitable for use
within amateur radio subnets which are not connected to the Internet.
This configuration is recommended for callers who have a 44.x.x.x
source address, on the assumption that they must have entered the
network via radio or via a password-protected gateway.  Note that this
trusts the source address: it is only as strong as the gateways that
prevent traffic from elsewhere presenting a 44.x.x.x source.

A value of 2 will cause Xrouter to accept any "username" longer than
one character, provided that a valid password is given.  This is a
medium security configuration, suitable for use on private wire
subnets where amateur radio callsigns are not used.

A value of 3 requires both a valid amateur radio callsign and a
matching password to be supplied. This configuration is recommended
for use at the Internet-to-Amprnet interface, i.e. for all source IP
addresses other than 44.x.x.x

Failure to meet the access requirements results in immediate
disconnection.

If passwords are required, they should be placed in the file
USERPASS.SYS, which uses the same format as PASSWORD.SYS.  PASSWORD.SYS
is used for sysop logins, Rlogin and FTP; USERPASS.SYS is used for
Telnet (port 23) logins.

If ACCESS.SYS is not present, or no entry matches the caller's source
address, the default action is to require a valid callsign only.


Note:	This is a prototype access control method, and may be subject
	to change if the need arises.  I will probably add other flags
	to control access to other services such as the APRS server.


Example ACCESS.SYS file:
~~~~~~~~~~~~~~~~~~~~~~~~
# File: 	ACCESS.SYS
# Purpose:	Xrouter access control for incoming Telnet port 23
#		connections.
#		Defines access control flags for given source IP address.
#
# Fields: <subnet>[/len] <flags>
#
# Flags - add together (default=1):
#
#	1	Valid callsign required.
#	2	Password required.
#
#
# Subnet/bits		Flags
# =============================
  0.0.0.0/0		3
  44.0.0.0/8		1
  192.168.0.0/16	0
#

Example USERPASS.SYS file:
~~~~~~~~~~~~~~~~~~~~~~~~~~
; USERPASS.SYS for Xrouter
;
; This file contains passwords for Telnet and Modem logins.
;
; Fields are: <callsign> <password>
; Callsigns should not include SSID
;
G8PZT amazon
G7CXZ drvxcdfre
;
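
Worked example of the login decision
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Python model below is an added example, not Xrouter's own code.  It
applies the rules described above to both files: in ACCESS.SYS the
matching entry with the highest [bits] wins, a missing /bits means /32,
and the flags default to 1 when the file is absent or nothing matches;
USERPASS.SYS is consulted only when flag 2 is set, and a valid callsign
is demanded only when flag 1 is set.  The callsign regex, the stripping
of an SSID suffix before the USERPASS.SYS lookup, the upper-casing of
callsigns, and the sample file contents (which extend the examples
above with a /16 entry and a host entry without /bits) are assumptions
of the example, not things this document specifies.

```python
"""Model of Xrouter's ACCESS.SYS / USERPASS.SYS Telnet login decision.

Added example, not Xrouter's own code.  Assumed (not stated on the page):
the callsign format regex, stripping of an SSID suffix before the
USERPASS.SYS lookup, and upper-casing of callsigns.
"""
import ipaddress
import re

VALID_CALL = 1       # flag bit: valid amateur callsign required
PASSWORD = 2         # flag bit: password required
DEFAULT_FLAGS = 1    # applies when ACCESS.SYS is absent or nothing matches

# Constructed sample files.  ACCESS_SYS extends the document's example
# with a more specific /16 entry and a host entry without /bits.
ACCESS_SYS = """\
# Subnet/bits        Flags
  0.0.0.0/0          3
  44.0.0.0/8         1
  44.131.0.0/16      3
  192.168.0.0/16     0
  10.0.0.5           2
"""
USERPASS_SYS = """\
; Fields are: <callsign> <password>
G8PZT amazon
G7CXZ drvxcdfre
"""

# Assumed callsign shape: 1-3 prefix chars, a digit, 1-4 letter suffix.
CALLSIGN_RE = re.compile(r"^[A-Z0-9]{1,3}[0-9][A-Z]{1,4}$")


def parse_access(text):
    """Return [(network, flags)] from ACCESS.SYS text ('#' comments).
    A missing /bits means /32, i.e. an exact host match."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        net, flags = line.split()
        if "/" not in net:
            net += "/32"
        # strict=False: only the left-most <bits> of <subnet> matter
        entries.append((ipaddress.ip_network(net, strict=False), int(flags)))
    return entries


def access_flags(entries, src):
    """Flags for source address src: the matching entry with the highest
    [bits] wins, regardless of its position in the file."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, flags in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return DEFAULT_FLAGS if best is None else best[1]


def parse_userpass(text):
    """Return {CALLSIGN: password} from USERPASS.SYS text (';' comments)."""
    users = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            call, password = line.split()
            users[call.upper()] = password
    return users


def base_callsign(login):
    """Assumed: drop an SSID suffix (G8PZT-4 -> G8PZT) and upper-case,
    since USERPASS.SYS entries carry no SSID."""
    return login.upper().split("-", 1)[0]


def login_allowed(flags, login, password, users):
    """Apply the flag bits to one login attempt.  Flags 0 accepts any
    'callsign' longer than one character; bit 1 adds a format check and
    bit 2 a password check.  Any failure means disconnect (False)."""
    if len(login) <= 1:
        return False
    call = base_callsign(login)
    if flags & VALID_CALL and not CALLSIGN_RE.match(call):
        return False
    if flags & PASSWORD and users.get(call) != password:
        return False
    return True


def telnet_login(src, login, password, access_text=ACCESS_SYS,
                 userpass_text=USERPASS_SYS):
    """End-to-end decision for a Telnet caller from src."""
    flags = access_flags(parse_access(access_text), src)
    return login_allowed(flags, login, password, parse_userpass(userpass_text))


if __name__ == "__main__":
    for src, login, pw in [("44.2.3.4", "G8PZT", ""),          # /8: callsign only
                           ("44.131.9.1", "G8PZT", ""),        # /16 beats /8
                           ("203.0.113.7", "G8PZT-4", "amazon"),
                           ("10.0.0.5", "operator", "secret"),
                           ("192.168.1.1", "me", "")]:
        print(src, login, "accepted" if telnet_login(src, login, pw) else "disconnect")
```

The 44.131.9.1 case is the one to check on a real ACCESS.SYS: because the
most specific entry wins wherever it sits in the file, a /16 placed after
the 44.0.0.0/8 line still overrides it, so a sysop cannot rely on
"first match" ordering when reading the file.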
