v2 phone home optional?

Martin AA6E

Bear with me for a little worst-case thinking.  (Worst cases are sadly too common these days. Sorry, Texas.)

Apparently the Flex 6000 with v2 software always phones home to Flex.  It must advertise "I am radio <ID>, and I'm at IP <IP addr>."  That's at a minimum.  FRS tells us this is encrypted, but we don't know what information is exchanged or how often.

There seems to be no way to disable this "beacon" transmission, short of disconnecting or firewalling your radio network from your ISP, but it has no value to you if you are not intending to operate WAN remote.  Network hawks would say this is a privacy and security gap.

Question: Should the radio setup panel include an enable/disable option for remote communications? (at least WAN remote?)

Similar remarks apply to the LAN beacon and connection process, which trusts that everybody (everything) on your home LAN is friendly and responsible.  But that's for another day.

73 Martin AA6E

Jim Gilliam

Also curious if the WAN connection between the client and the radio is peer to peer after the connection is established or does all data always go through the server during the connection session?

Jim, K6QE

Ria

It is peer to peer. No way Flex is paying to proxy that much data. 

Brent Parker

I believe all traffic is peer to peer, after the connections, but I'd like that confirmed. (OK, Ria confirmed that while I way typing!)

If it is, it would be good to have the ability to just enter a static ip (or a ddns lookup) to go direct without the necessity to contact the FRS servers to establish the connection. Most of the time that would be over the internet "pipe". However it would also be good to go over a private mesh network, that doesn't have internet.

We've deploying AREDN mesh broadband in our community and it would be great to run that traffic over the mesh, without the internet. We would need the ability to inter a fixed IP from the client to the server, which is easily done.

Real case, we have HF at our Red Cross, and not a the EOC. However we have AREDN mesh in both and it would be great to have HF capabilities at the EOC from the Red Cross, in the eventuality of a storm.

This would be a significant EmComm strategy.

Jim Gilliam

Thank you. that should answer Martin's question.

Tim - W4TME

The communication to the SmartLink server is encrypted.  When the radio boots up, it registers with the SmartLink server and a keepalive (small packet) is sent every 30 seconds there after.

If you do not want your radio connected to the SmartLink server, do not associate it with a SmartLink account.

Ria

Peer to peer is in fact confirmed, as they've said. I've been using SmartLink since early Alpha and it has always worked this way. 

Regarding your 2nd question, you can also expose your radio over the WAN but it won't have any authentication. You can connect using SmartSDR for iOS directly to the IP. So it is possible. Right now though, SSDR for Windows and Maestro relies on discovery.

I would say use a VPN but with AREDN you run into encryption issues. I am not sure SmartLink would pass muster either as the radio commands are sent via TLS since it is going over the public Internet. 

Jim Gilliam

You are accomplishing the same thing using a VPN. Version 2 does not hamper your ability to do that.

Jim Gilliam

Speaking of radio registration, I have found when ever I reboot my router, the registration is lost and I have to recycle the radio to talk to the server. It would be nice if the radio "knew" there was a router reboot, it could automatically re-register.

Jim, K6QE

Ria

I have never seen that. Does your external IP change every time you reboot? 

Tim - W4TME

I have not seen that either.  Unless your uPnP tables are in memory, then you will have to reboot the radio for it to reopen the ports.

Jim Gilliam

No, the external IP stays at 66.215.90.175. This concerns me in that if a power outage should occur at a remote site, one might have to perform a local reboot. I will play with this and see if I can see the problem. I didn't notice it until the other day when we had a power outage and I had to re-register the radio. I am using an Asus router and, perhaps, that has something to do with it. Thanks for the feedback Tim and Ria.

Jim, K6QE

Ken - NM9P

I wonder if you do not have a reserved IP address set up for your rig.  If not, then the reboot of the router might be giving a different IP address to the rig itself, when then would require the rig to reconnect?  This would also mess up manual port forwarding, since the forwarding address would have changed....

I am a believer in assigning reserved IP addresses to as many devices as I can on my home system..... it also makes it easier to find my son't Kindle and laptop whenever I need to ground him from the internet for a period of time!

Jim Gilliam

I'll try reserving an I/P address for the Flex. I have been meaning to do that for a while and never got around to it. Thank you for the suggestion, Ken.

Jim, K6QE

Jim Gilliam

Ken....that worked! When I reboot the router, the radio immediately sees the Smartlink server. Thanks again.

Jim, k6QE

Ken - NM9P

That has become task #1 for any new internet-connected equipment at my house.  Unfortunately some older routers make it very hard, if not impossible, to set up reserved IP's.  And some of them only allow ten of them!  I'm probably up to 30 at home.

Especially any equipment that I need to "find" on the LAN or WAS - printers, NAS Drives, TV's, DVR's DVD players, X-Box, any computer running linking software like Smartlink, Echolink, etc. all get a reserved IP address so that I don't have to go hunt them down when something goes wrong....

Task #2 is to document my Reserved IP list!
It is almost as important as documenting my SmartCAT port assignments!

Ken - NM9P

Jim Gilliam

Martin...if you are still reading this, I am sorry if your original question got hijacked. It frequently happens one subject opens the gate for another subject. No intention was made to be a "star" on your problem. I hope you have been helped with the answers, however.

Jim, K6QE

Ted VE3TRQ

This may be beyond many to implement, but if you own a router that supports the open router software "dd-wrt" or "tomato", not only can you set as many (up to 100) reserved IP addresses (associated to device MAC addresses) as you wish, you can also assign them names and have them available by name by running a name server (dnsmasq) on the same open router firmware. On top of that, DynDNS is directly supported. Tomato allows all to be configured through its GUI. Google is your friend. Ted VE3TRQ

Ria

I have seen this a few times. Thanks Ken! 

Yes, it is always good to do a static IP assignment. Usually from your router is sufficient (static DHCP or DHCP reservation it is called usually). 

Ria

Marc Lalonde

"v2 software always phones home to Flex"

that may good thing if your radio got stolen , Flex got the IP ,and then authority may find location of your radio  ....

this a really good feature for remote station ;-)

it may nice to add feature that if radio is stolen it black listed and "bricked"

Martin AA6E

@Jim Gillian - Thanks for your concern.  Hijacking is part of (internet) life.

My original question/suggestion was simple:  Add some security granularity by letting the user disable remote pinging the Flex authentication/introduction servers when WAN remote is not desired.

This is a big complaint people have about Windows 10 - the "telemetry" you can't disable.

The security model for Flex remote, based on auth0.com, seems to be well thought out, but the question is only when, not if, it will be hacked.  Having some ability for the user to explicitly lock down their radio to specific SSDR clients (local or remote) by IP or some other tag (geo?) should help.

73 Martin AA6E