[HamWAN PSDR] Newbie

Scott Currie scott.d.currie at gmail.com
Tue Mar 16 18:22:27 PDT 2021


For what it is worth, I did a couple Wireshark captures of Winlink Express
connecting to the CMS. The first capture I ran with no changes, and it used
port 8773. The trace shows a TLS negotiation, and then TLS packets for the
duration of the session, all unreadable. For the second trace, I had the
firewall block port 8773 outbound. That trace shows the connection being
established on port 8772, and is in plain text. I don't know telnet well
enough to know if that is the protocol, but it is easy enough to read the
data as the same stuff on the Winlink session monitor.

I do think the idea of installing an instance of RMS Relay on HamWAN at a
reliable location is a good near term solution that should require anything
fancy.

-Scott, NS7C

On Tue, Mar 16, 2021 at 12:15 PM Stephen Kangas <stephen at kangas.com> wrote:

> Scott, thanks, I find that info helpful to better understanding the
> Winlink stance.  Hmmm…too bad that Winlink.org is pushing SSL and phasing
> out “true” telnet at some point.  Makes me wonder if they are aware of the
> growing use of HamWAN for Winlink client connections, and if so they are
> purposely discounting/ignoring it.  We need an allowed/supported solution
> for that to keep our self-policing ham operations low risk of FCC
> crack-downs or harassment from the replacement OOs (forget what they are
> now called).
>
>
>
> I’m optimistic there’s a doable inexpensive solution, however temporary or
> long term, and I’m impressed with the postings I’m seeing on this here on
> this forum.  We’ve got the hams with needed skills & knowledge to come up
> with that.
>
>
>
> Stephen W9SK
>
>
>
>
>
> *From:* PSDR <psdr-bounces at hamwan.org> *On Behalf Of *Scott Currie
> *Sent:* Tuesday, March 16, 2021 7:58 AM
> *To:* Puget Sound Data Ring <psdr at hamwan.org>
> *Subject:* Re: [HamWAN PSDR] Newbie
>
>
>
> Here is my, probably incomplete, understanding of things. Originally,
> connections to the CMS from either clients (Winlink Express) or gateways
> (RMS Packet, RMS Trimode) were on port 8772 using telnet. About a year ago
> they introduced port 8773 which uses SSL. For the WDT products, this is now
> the preferred port and is tried first. If the connection fails, they will
> try port 8772, and today this will still work. At some point port 8772 will
> be turned off. Non-WDT clients and servers (BPQ, Pat, Outpost) can still
> use port 8772 today, but will need to switch to port 8773 eventually. I do
> not know what the traffic looks like on port 8773. They say it is still
> telnet, so I don't know if they are using SSL for authentication, and then
> switching to plain text, or if they are establishing an encrypted tunnel
> and then sending telnet through the tunnel. I'll have to trace it and see
> what is going on.
>
>
>
> Client and gateway connections to RMS Relay go over port 8772 using
> telnet, and this will not change. P2P telnet connections will continue to
> be unencrypted (the port default is 8772 but can be changed). RMS Relay
> connections to the CMS will be over port 8773 SSL.
>
>
>
> I'm not smart enough to interpret FCC rules to know if encrypted
> authentication is OK, as long as the actual traffic is plain text.
>
>
>
> -Scott, NS7C
>
>
>
> On Tue, Mar 16, 2021 at 6:32 AM Steve - WA7PTM <psdr-list at aberle.net> wrote:
>
> If we separate Winlink (the system) from Winlink Express (the client
> program), is a SSL connection also the case with the other six clients
> listed on the https://winlink.org/ClientSoftware page when used in
> telnet mode?
>
> Steve
>
>
> Scott Currie wrote on 3/15/21 10:06 PM:
> > Yeah, I discussed this with the WDT, and the issue with using HamWAN or
> > AREDN. I had asked if we could force a non-SSL connection to the CMS. They
> > have been under pressure from AWS to switch to all SSL connections, so they
> > had to make the change. They did commit to leaving the client or gateway
> > connection to RMS Relay as non-SSL, so that is why we have suggested having
> > a regional instance of RMS Relay on HamWAN that the RMS Gateways and
> > clients could point to. Backend of the RMS Relay would then connect to the
> > CMS over SSL on a hardened Internet connection (like at a county EOC or the
> > State EOC), or even HF forwarding if the Internet is down.
> >
> > -Scott
> >
> > On Mon, Mar 15, 2021 at 9:41 PM Stephen Kangas <stephen at kangas.com> wrote:
> >
> >> Scott, thanks for that update, interesting.  “Telnet” is a misnomer in
> >> this WinLink instance, as that port 22 protocol is historically and
> >> normally unencrypted, and widely understood in the industry as such
> >> (whereas SSH is encrypted).   It looks like the email client is connecting
> >> locally to an RMS Relay in that mode, which then connects to the CMS on the
> >> internet.
> >>
> >>
> >>
> >> --Stephen W9SK
> >>
> >>
> >>
> >> *From:* PSDR <psdr-bounces at hamwan.org> *On Behalf Of *Scott Currie
> >> *Sent:* Monday, March 15, 2021 5:56 PM
> >> *To:* Puget Sound Data Ring <psdr at hamwan.org>
> >> *Subject:* Re: [HamWAN PSDR] Newbie
> >>
> >>
> >>
> >> This is not entirely true. Winlink does use TLS/SSL connections for some
> >> things. The normal telnet connection is now SSL (will fall back to non-SSL
> >> if the connection fails). Also, RMS Gateway to the CMS is now SSL. Telnet
> >> P2P and telnet to RMS Relay is not SSL. I believe updates are also SSL now.
> >>
> >>
> >> Winlink Express Link Test:
> >>
> >> Test started 2021/03/16 00:52 UTC
> >>
> >> Testing CMS telnet connection to cms.winlink.org through port 8772...
> >>    Successfully connected to a CMS through port 8772 in 253 Milliseconds
> >>
> >> Testing CMS SSL telnet connection to cms.winlink.org through port 8773...
> >>    Successfully connected to a CMS through port 8773 in 311 Milliseconds
> >>
> >> Testing API service access through port 443 to api.winlink.org...
> >>    Successfully performed API service to api.winlink.org through port 443 in 756 Milliseconds
> >>
> >> Testing Autoupdate server access through port 443 to autoupdate2.winlink.org...
> >>    Successfully checked autoupdate server through port 443 in 439 Milliseconds
> >>
> >> Testing connection to web site - www.winlink.org:443
> >>    Successfully connected to www.winlink.org through port 443 in 47 Milliseconds
> >>
> >> Testing FTP connection to SFI site - ftp://ftp.swpc.noaa.gov/pub/latest/SGAS.txt
> >>    Successfully connected to ftp://ftp.swpc.noaa.gov/pub/latest/SGAS.txt through port 20/21 in 1522 Milliseconds
> >>
> >> Test completed successfully.
> >>
> >> -Scott, NS7C
> >>
> >>
> >>
> >> On Mon, Mar 15, 2021 at 5:45 PM Stephen Kangas <stephen at kangas.com> wrote:
> >>
> >> Phil, an example of the ham band traffic that Kenny mentioned is not
> >> permitted by the FCC is encrypted communications traffic…this means the
> >> majority of websites you visit today and many email hosters, since
> >> websites commonly use TLS/SSL encryption (indicated by “https” in front of
> >> the URL in your browser address bar) or encrypted settings in your email
> >> hoster & client.  Winlink does NOT use encryption, thus is legal, and is
> >> the primary application for my ARES team using HamWAN.  As Kenny points
> >> out, certain routers (not inexpensive home models) can be used to split
> >> that traffic appropriately, but it is not an easy setup unless you have a
> >> background in data networks or cybersecurity…so it’s far easier to either
> >> use HamWAN just for your dedicated ARES laptop use or switch a cable back
> >> and forth using one pipe at a time.
> >>
> >>
> >>
> >> FWIW, Stephen W9SK
> >>
> >>
> >>
> >>
> >>
> >> *From:* PSDR <psdr-bounces at hamwan.org> *On Behalf Of *Kenny Richards
> >> *Sent:* Monday, March 15, 2021 12:49 PM
> >> *To:* Puget Sound Data Ring <psdr at hamwan.org>
> >> *Subject:* Re: [HamWAN PSDR] Newbie
> >>
> >>
> >>
> >> Just want to add two things to what Carl said already.
> >>
> >>
> >>
> >> 1) Line of sight means you can actually 'see' the HamWAN node, or at least
> >> you can with something like a pair of binoculars.
> >>
> >>
> >>
> >> 2) Remember that HamWAN is not meant to be a replacement for your home
> >> internet. Be very conscious of what traffic you are putting over HamWAN. I
> >> don't recommend connecting it to your home network unless you are familiar
> >> enough with routing rules to limit what traffic goes out the HamWAN link.
> >>
> >>
> >>
> >> Good luck,
> >>
> >> Kenny, KU7M
> >>
> >>
> >>
> >>
> >>
> >> On Mon, Mar 15, 2021 at 12:40 PM <carl at n7kuw.com> wrote:
> >>
> >> Hi Phil,
> >>
> >> You can do all of the configuration while on the ground, but obviously you
> >> won’t have any signal. You don’t indicate what specific equipment you have,
> >> but if you have the mAnt30 dish and separate router/modem, make sure you
> >> have the antenna connected before powering it up.
> >>
> >>
> >>
> >> As to trees, they are an absolute show stopper. You must have clear,
> >> visual, line of sight to the HamWAN site you are shooting to. Hopefully you
> >> will have that, or can achieve that, from where you plan to mount the
> >> dish.  As to “just over them”, a microwave shot consists of the direct,
> >> pure line of sight, but also what is referred to as the Fresnel zone – a
> >> cigar shaped “balloon” around the pure line of sight.  Items in the Fresnel
> >> zone (including trees) can reduce the amount of signal you have, so you may
> >> not get optimum performance, but some.
> >>
> >>
> >>
> >> In your initial post you commented about how to balance between your
> >> regular internet and HamWAN for a Winlink node.  My suggestion would be to
> >> just leave it on one (whichever one) as the norm, and only switch to the
> >> other if the one goes down.  You can also acquire routers that include
> >> failover capability to automatically make that switch.  You can go more
> >> advanced with load sharing and such between multiple connections, but that
> >> requires much better understanding of internet routing, and for a winlink
> >> node basic failover will serve your purpose.
> >>
> >>
> >>
> >> Good luck, let us know how things turn out.
> >>
> >> Carl, N7KUW
> >>
> >>
> >>
> >> *From:* PSDR <psdr-bounces at hamwan.org> *On Behalf Of *Phil Cornell via PSDR
> >> *Sent:* Monday, March 15, 2021 12:11 PM
> >> *To:* psdr at hamwan.org
> >> *Subject:* [HamWAN PSDR] Newbie
> >>
> >>
> >>
> >> OK, I figured out my problem and I now have Winbox talking to the radio
> >> and reporting status.  It's not linking to anything since the antenna is
> >> still on the ground.  How much configuration can I do before mounting it on
> >> my roof?  The only question in my sight path may be some trees but I think
> >> I can aim just over them and get a signal.  My friend Bruce/WA7BAM will be
> >> helping with the antenna installation on Wed afternoon.  Making progress...
> >>
> >>
> >>
> >> *Phil Cornell  *
> >>
> >> *W7PLC *
> >>
> >> *SHARES NCS590*
> >>
> >> *Hybrid Gateway W7PLC*
> >>
> >> *TCARES  VP*
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> PSDR mailing list
> >> PSDR at hamwan.org
> >> http://mail.hamwan.net/mailman/listinfo/psdr


-- 
*-Scott*
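
Added example, not part of the original thread: a Python check for the question the two captures answer, walking the TLS record layer of one direction of a TCP stream to tell a plain-text session from TLS used only at the start and from TLS for the whole session. The sample streams and the names `walk_tls_records`, `classify` and `rec` are constructed for illustration; they are not Winlink data or Winlink code.

```python
import struct

# TLS record-layer content types (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD = 16384 + 2048  # largest ciphertext fragment a record may carry

def walk_tls_records(stream: bytes):
    """Parse consecutive TLS record headers from one direction of a TCP stream.

    Returns (record type names, leftover bytes that do not parse as a record).
    """
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype not in CONTENT_TYPES or major != 3 or minor > 4 or length > MAX_RECORD:
            break  # not a TLS record header: stop and report the rest
        records.append(CONTENT_TYPES[ctype])
        # A record cut off by the end of the capture still counts as TLS.
        pos = min(len(stream), pos + 5 + length)
    return records, stream[pos:]

def classify(stream: bytes) -> str:
    """Label a stream as plaintext, TLS followed by plaintext, or TLS throughout."""
    records, leftover = walk_tls_records(stream)
    if not records:
        return "plaintext"
    if leftover:
        return "tls-then-plaintext"
    return "tls-tunnel"

def rec(ctype: int, body: bytes) -> bytes:
    """Build a constructed TLS record (version bytes 3,3) around filler bytes."""
    return struct.pack("!BBBH", ctype, 3, 3, len(body)) + body

# Constructed sample streams, not taken from a real Winlink capture.
TUNNEL = rec(22, b"\x00" * 40) + rec(20, b"\x01") + rec(23, b"\xaa" * 64) + rec(23, b"\xbb" * 32)
MIXED = rec(22, b"\x00" * 40) + b"constructed plain text line\r\n"
PLAIN = b"CONSTRUCTED PLAINTEXT SESSION LINE\r\n"

if __name__ == "__main__":
    for name, data in (("tunnel", TUNNEL), ("mixed", MIXED), ("plain", PLAIN)):
        print(name, classify(data), walk_tls_records(data)[0])
```

A stream that stays inside TLS records to the end, as the port 8773 capture did, classifies as `tls-tunnel`; one that is readable from the first byte, as on port 8772, classifies as `plaintext`.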