This page contains the information that subscriber network managers need to plan and configure their connection to the SCCo ARES/RACES network. The configuration model is analogous to a commercial ISP connection with static addresses, but more flexibility is provided to accommodate each agency's unique networking needs.
This page assumes basic TCP/IP knowledge, such as subnetting and static routing. Connectivity to the SCCo ARES/RACES network is best managed by someone with that knowledge. If you need help, consult our TCP/IP user group.
SCCo ARES/RACES Network Addresses
The following network address ranges are reserved for the SCCo ARES/RACES Data Network. If you are using private IP address space within your local network, be sure to use addresses other than the ones below.
- SCCo ARES/RACES Core Network
- 10.240.0.0/12 (mask 255.240.0.0)
- Includes 10.240.0.0 - 10.255.255.255
- Used for the SCCo ARES/RACES core network, including the servers that you will use (packet, email, DNS, etc.)
- The SCCo ARES/RACES network team has management control of all devices in this range
- 44.4.50.0/26 (mask 255.255.255.192)
- Includes 44.4.50.0 - 44.4.50.63
- Used for SCCo AMPRnet connectivity
- The SCCo ARES/RACES network team has management control of all devices in this range
- SCCo ARES/RACES Access and Subscriber Networks
- 10.232.0.0/13 (mask 255.248.0.0)
- Includes: 10.232.0.0 - 10.239.255.255
- Used for handoff networks between the SCCo ARES/RACES network and subscribers
- Subscribers have management control of one or more devices in this range
- Traffic from other SCCo ARES/RACES network subscribers (such as users from other cities) carries source addresses from this range, so you can easily recognize it. This lets you configure your firewall to either allow or deny users from other subscriber sites access to servers on your network, based on source address.
Subscriber Networks
- Diagram: Local TCP/IP Addressing
- Exclusive /24 address space for each subscriber
- Each subscriber will have exclusive use of a /24 IP address space (254 host addresses; mask = 255.255.255.0) from the "Access and Subscriber Networks" range of addresses listed above.
- For purposes of this documentation, we'll refer to the address space as a.b.c.0/24 (network a.b.c.0, mask 255.255.255.0).
- /28 handoff subnet
- Within the subscriber's address space, the last /28 subnet, a.b.c.240/28 (mask = 255.255.255.240), will be used for a handoff subnet. The address assignments are as follows:
- a.b.c.240: Network number (no hosts allowed)
- a.b.c.241: Subscriber's gateway/firewall
- a.b.c.242-247: Subscriber hosts - statically assigned addresses
- a.b.c.248-251: Subscriber hosts - dynamically assigned by DHCP
- a.b.c.252-253: Reserved for SCCo ARES/RACES testing/diagnostics
- a.b.c.254: SCCo ARES/RACES gateway
- a.b.c.255: Broadcast address (no hosts allowed)
- This arrangement has several advantages
- Consistent addressing for gateways. When a disaster strikes and documentation is hard to reach, consistent, simple rules are easier to follow.
- Six static addresses for appliances, servers, or source/destination NATing
- Four dynamically assigned addresses makes it easy to hook up a few devices for initial connectivity or testing/diagnostics
- Although inadvisable for security reasons (such hosts sit outside any subscriber firewall), the six static addresses and four dynamic addresses can be used for simple configurations where the subscriber has no other firewall or networks to attach.
- The rest of the /24 (a.b.c.0-239, 240 addresses) is available for use by the subscriber for further subnetting; for example, it splits into a.b.c.0/25, a.b.c.128/26, a.b.c.192/27 and a.b.c.224/28.
- Network ingress filtering
- The SCCo ARES/RACES network will drop all inbound traffic (from subscribers) if the source address is not within the subscriber's assigned address space. This is commonly called "network ingress filtering" and is used to prevent IP address spoofing. It is documented in RFC 2827, BCP 38.
- This means that subscribers with larger networks that use addresses other than their assigned /24 address space will need to NAT (Network Address Translation) their other addresses into one or more addresses in their assigned /24 address range. The /24 address space provides plenty of space for NATing.
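The addressing rules above (the /28 handoff layout, the remaining subnettable space, recognizing core and subscriber peers by source address, and the BCP 38 ingress check) worked through in code. This is an added example, not code from the original page; the subscriber prefix 10.232.5.0/24 used in the usage is a constructed placeholder for the page's a.b.c.0/24, and the function names are this example's own.

```python
"""Address plan and BCP 38 checks for an SCCo ARES/RACES subscriber /24.

Added example; this is not code from the original page. The page's a.b.c.0/24
is represented by the constructed placeholder 10.232.5.0/24 in the usage below.
Requires only the Python standard library.
"""
from ipaddress import IPv4Address, ip_address, ip_network

# Ranges exactly as listed on the page.
CORE_NET = ip_network("10.240.0.0/12")         # SCCo core (servers, managed by SCCo)
AMPRNET = ip_network("44.4.50.0/26")           # SCCo AMPRnet connectivity
SUBSCRIBER_NETS = ip_network("10.232.0.0/13")  # access and subscriber handoff networks


def handoff_plan(subscriber_net):
    """Return the page's /28 handoff assignments for a subscriber's /24.

    Raises ValueError if the prefix is not a /24 taken from the access and
    subscriber range, which is the only place subscriber space comes from.
    """
    net = ip_network(subscriber_net)
    if net.prefixlen != 24 or not net.subnet_of(SUBSCRIBER_NETS):
        raise ValueError(f"{net} is not a /24 inside {SUBSCRIBER_NETS}")
    handoff = list(net.subnets(new_prefix=28))[-1]     # a.b.c.240/28, the last /28
    base = int(handoff.network_address)

    def at(offset):
        return IPv4Address(base + offset)

    return {
        "handoff": handoff,                                 # a.b.c.240/28
        "subscriber_gateway": at(1),                        # a.b.c.241
        "static_hosts": [at(i) for i in range(2, 8)],       # a.b.c.242-247
        "dhcp_hosts": [at(i) for i in range(8, 12)],        # a.b.c.248-251
        "diagnostics": [at(12), at(13)],                    # a.b.c.252-253 (SCCo)
        "scco_gateway": at(14),                             # a.b.c.254
        # The rest of the /24 (a.b.c.0-239) as the largest CIDR blocks it splits into.
        "remaining": sorted(net.address_exclude(handoff)),
    }


def role_of(subscriber_net, addr):
    """Name the role of an address in the handoff subnet ("subnettable" for the rest)."""
    plan = handoff_plan(subscriber_net)
    ip = ip_address(addr)
    if ip not in ip_network(subscriber_net):
        return "not ours"
    if ip not in plan["handoff"]:
        return "subnettable"
    for role in ("subscriber_gateway", "scco_gateway"):
        if ip == plan[role]:
            return role
    for role in ("static_hosts", "dhcp_hosts", "diagnostics"):
        if ip in plan[role]:
            return role
    return "network" if ip == plan["handoff"].network_address else "broadcast"


def classify_peer(addr):
    """Classify a source address seen on the handoff interface, as the page suggests
    a subscriber firewall can: core servers, AMPRnet, another subscriber, or other."""
    ip = ip_address(addr)
    if ip in CORE_NET:
        return "core"
    if ip in AMPRNET:
        return "amprnet"
    if ip in SUBSCRIBER_NETS:
        return "subscriber"
    return "other"


def passes_ingress_filter(subscriber_net, src):
    """The BCP 38 (RFC 2827) check the SCCo gateway applies to a subscriber's traffic:
    the source must lie inside the subscriber's assigned /24. Anything else has to be
    NATed into that /24 by the subscriber firewall before it leaves."""
    return ip_address(src) in ip_network(subscriber_net)


if __name__ == "__main__":
    plan = handoff_plan("10.232.5.0/24")       # constructed placeholder for a.b.c.0/24
    for key, value in plan.items():
        print(f"{key:>19}: {value}")
    print(role_of("10.232.5.0/24", "10.232.5.254"), classify_peer("10.233.9.4"))
    print(passes_ingress_filter("10.232.5.0/24", "192.168.10.20"))
```

Running the block prints the plan for the placeholder /24; `passes_ingress_filter` returning False for a city-network source such as 192.168.10.20 is exactly the case the NAT discussion later on this page addresses.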
Subscribers are STRONGLY encouraged to install their own firewall between their network and the SCCo ARES/RACES network. While we endeavour to maintain high security within the SCCo ARES/RACES network, configuration mistakes and software bugs can occur, and new types of threats will always emerge. Subscribers should take charge of their own security by installing and managing their own firewall (see the next section).
That said, subscribers that choose to place hosts directly on the handoff subnet can either configure them statically or use DHCP provided by the SCCo ARES/RACES gateway.
Static Configuration
- IP Address:
- Choose a unique address in the range of: a.b.c.{242-247}, where a.b.c.0 is the subscriber's assigned IP address space.
- Network Mask:
- 255.255.255.240 (the /28 handoff subnet)
- Default gateway:
- If you have no other network attached
- Set a default gateway or route:
- Destination: 0.0.0.0/0 (address 0.0.0.0, mask 0.0.0.0)
- Next Hop Gateway: a.b.c.254
- Metric: 1 (or whatever you choose)
- If you DO have other network(s) attached
- Consult your team's network administrator for how to configure your device
- DNS Servers:
- You need to use the internal DNS servers provided in order to reach our internal hostnames. They also resolve external, Internet hostnames.
- The closest/best DNS servers to use depends on where you connect to the network. A primary and secondary DNS server will be provided to your team's primary network contact along with other details specific to your connection.
DHCP Configuration
- IP address:
- Automatically assigned in the range of: a.b.c.{248-251}
- Network Mask:
- Automatically assigned: 255.255.255.240
- Default gateway:
- Automatically assigned: a.b.c.254, where a.b.c.0/24 is the subscriber's assigned IP address space.
- DNS Servers:
- Automatically assigned as the closest/best choices for your connection
Subscriber firewall configurations vary, depending on the firewall vendor and the subscriber's specific network configuration requirements. The following general configuration will work for most subscribers and can be adjusted as needed.
Interfaces:
- Handoff Subnet (interface facing the SCCo ARES/RACES network)
- IP address: a.b.c.241
- Network Mask: 255.255.255.240
- Default gateway: see "Routing" discussion below
- Other Interfaces
- Consult your primary network contact
Routing:
The IP address of the SCCo ARES/RACES network gateway will be the last address in each subscriber network: a.b.c.254. How routes and default gateways are configured depends on whether or not the subscriber's network connects to other networks.
- If the subscriber has no other network connection
- Configure a default route/gateway:
- Destination: 0.0.0.0/0 (mask 0.0.0.0)
- Next Hop Gateway: a.b.c.254
- Metric: 1 (or whatever fits the subscriber's routing scheme)
- If the subscriber has other network connections (such as a city network which may or may not also connect to the Internet)
- Configure routes to the SCCo ARES/RACES core network
- Destination: See SCCo ARES/RACES Core Network address ranges above
- Next Hop Gateway: a.b.c.254
- Metric: 1 (or whatever fits the subscriber's routing scheme)
- Configure a route to the SCCo ARES/RACES Access and Subscriber Networks
- Destination: See SCCo ARES/RACES Access and Subscriber Network address range above
- Next Hop Gateway: a.b.c.254
- Metric: 1 (or whatever fits the subscriber's routing scheme)
- If the SCCo ARES/RACES network will be used as a path to the Internet, configure a default route
- Destination: 0.0.0.0/0 (mask 0.0.0.0)
- Next Hop Gateway: a.b.c.254
- Metric: Depends on the subscriber's routing scheme. Consult the subscriber's network administrator.
- Distribute these routes to other routers in the subscriber network using the subscriber's chosen internal routing protocol
Domain Name System (DNS):
- The subscriber firewall is typically configured with a primary and secondary DNS server.
- The firewall may then act as a local DNS proxy or a caching server for your local LANs. Or, it may pass along the primary and secondary DNS addresses as part of the information distributed by DHCP.
- The subscriber primary network contact will be provided the best/closest DNS servers to use for resolving hostnames within the SCCo ARES/RACES network and the Internet.
Network Address Translation (NAT):
All traffic entering the SCCo ARES/RACES network is filtered to ensure that the source IP address is within the subscriber's assigned IP address range (a.b.c.0/24, 256 addresses). If the subscriber network uses only addresses from its assigned range, nothing more has to be done. But if the subscriber connects its own city-wide network, and that network uses different addresses, and hosts on that network need to communicate with the SCCo ARES/RACES network, then NAT must be used so that the source address of every packet entering the SCCo ARES/RACES network is from within the subscriber's assigned range. Two NAT methods for this situation are Masquerade NAT (with optional Destination NAT) and Source and Destination NAT.
- Masquerade NAT
- This is the most commonly used solution and is available on even the simplest consumer firewalls.
- The firewall sets the source address of all traffic exiting the firewall (heading into the SCCo ARES/RACES network) to the same IP address as the firewall's external address (the firewall's interface on the handoff subnet). The firewall keeps track of the different traffic streams and reverses the process for responses coming back.
- Destination NAT
- Subscribers may wish to make services within their networks available to other subscribers. For example, the subscriber may have a file server or web server or VoIP server that they wish to share with users from other cities connected to the SCCo ARES/RACES network. If so, Destination NAT can be configured on the subscriber firewall to map IP addresses and/or UDP/TCP port numbers to specific hosts.
- Source and Destination NAT
- This method is a bit more complicated to set up and may not be available on cheaper consumer firewalls. But it makes your services easier to use for users outside your network: each published host is reachable at its own unique IP address in the handoff subnet.
- Source NAT (for traffic from the subscriber network to the SCCo Network).
- The subscriber configures firewall rules to rewrite the source address of specific hosts to a unique IP address in the handoff subnet.
- Destination NAT (for traffic from the SCCo Network to the subscriber network).
- The subscriber configures firewall rules to convert specific destination address in the handoff subnet to the actual address of specific hosts in the subscriber's network.
The subscriber must NOT use NAT (or any other means) to allow traffic from other cities/agencies or the Internet to reach the SCCo ARES/RACES network.
Traffic Filtering
The SCCo ARES/RACES network will drop all attempts to make a new connection from the external, commercial Internet to subscriber nets. (Replies to sessions initiated from subscribers to the Internet are allowed.) This prevents a large percentage of attacks. But each subscriber is responsible for its own network security. In a similar manner, subscribers should filter inbound traffic to their network to protect against intrusion. The following general recommendations are provided as a framework to help network management get started. Each subscriber should consult with someone that is knowledgeable about network security and firewall configuration. (Note: the order of the rules below is important.)
- Configure a default policy of "drop" for all traffic into your network from the handoff network interface
- Anything you don't specifically allow will be dropped
- Allow "established" connections
- These are replies coming from sessions initiated outbound by your users
- If you wish to allow addresses in the SCCo ARES/RACES core network to initiate connections to addresses in your network (such as to help you with diagnostics and troubleshooting):
- Allow "new" connections from source addresses in the SCCo ARES/RACES core network range listed above
- You may also wish to filter the destination address to restrict those connections to specific hosts on your network
- You may also wish to filter the destination UDP/TCP port to restrict those connections to certain allowed protocols.
- If you wish to allow other subscribers to the SCCo ARES/RACES county network to access services on your network:
- Allow "new" connections from source addresses in the SCCo ARES/RACES Access and Subscriber Networks address range listed above
- You may want to also filter the destination address to restrict those connections to specific hosts on your network
- You may also wish to filter the destination UDP/TCP port to restrict those connections to certain allowed protocols
- To test your filters, you can use the handoff subnet (see above) to test from outside your firewall. You can also ask others on the TCP/IP user group list to try to connect to your server(s)
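The routing, NAT and traffic-filtering recommendations in the three sections above, rendered as a concrete Linux firewall configuration: iproute2 commands for the handoff interface and routes, and an nftables ruleset with the order-sensitive inbound rules, Source/Destination NAT for published services, and masquerading for everything else. This is an added example, not the page's own configuration or any vendor's. Everything beyond the page's address ranges is an assumption: a Linux firewall with iproute2 and nftables, a handoff interface named wan0, an internal interface lan0, and constructed placeholder networks and hosts (subscriber /24 10.232.5.0/24, city network 192.168.10.0/24, web server 192.168.10.20, diagnostics host 10.232.5.10).

```python
"""Subscriber firewall configuration from this page (interface, routes, NAT and
inbound filtering) rendered as iproute2 commands and an nftables ruleset.

Added example; not the page's own configuration. Assumptions not on the page:
a Linux firewall with iproute2 and nftables, the handoff interface named wan0,
the internal interface lan0, and constructed placeholder networks and hosts
(subscriber /24 10.232.5.0/24, city network 192.168.10.0/24, server
192.168.10.20, diagnostics host 10.232.5.10).
"""
from ipaddress import ip_network

CORE_RANGES = ["10.240.0.0/12", "44.4.50.0/26"]   # "Core Network" ranges on the page
SUBSCRIBER_RANGE = "10.232.0.0/13"                # "Access and Subscriber Networks" range


def routing_commands(subscriber_net, wan_if="wan0", other_networks=False,
                     internet_via_scco=False, default_metric=100):
    """iproute2 commands for the handoff interface plus the page's routing rules."""
    net = ip_network(subscriber_net)
    fw, gw = net[241], net[254]      # a.b.c.241 subscriber firewall, a.b.c.254 SCCo gateway
    cmds = [f"ip addr add {fw}/28 dev {wan_if}"]
    if not other_networks:           # no other connection: everything goes via SCCo
        cmds.append(f"ip route add default via {gw} dev {wan_if}")
        return cmds
    for prefix in CORE_RANGES + [SUBSCRIBER_RANGE]:   # only SCCo ranges via the handoff
        cmds.append(f"ip route add {prefix} via {gw} dev {wan_if}")
    if internet_via_scco:            # optional default route; metric per the subscriber's scheme
        cmds.append(f"ip route add default via {gw} dev {wan_if} metric {default_metric}")
    return cmds


def q(name):
    """Quote an interface name the way nft expects."""
    return f'"{name}"'


def nft_ruleset(subscriber_net, internal_nets, published, diag_hosts=(),
                wan_if="wan0", lan_if="lan0"):
    """nftables ruleset for the page's NAT and traffic-filtering recommendations.

    internal_nets: subscriber networks allowed to use the SCCo link. Sources outside
        the assigned /24 are masqueraded so they pass SCCo's BCP 38 ingress filter.
    published: (handoff_addr, proto, port, real_host) tuples giving each published
        service its own static handoff address (Source and Destination NAT).
    diag_hosts: internal hosts the SCCo core may reach on TCP/22 for troubleshooting.
    """
    net = ip_network(subscriber_net)
    core = ", ".join(CORE_RANGES)
    snat_map = {real: handoff for handoff, _, _, real in published}  # one SNAT per host
    r = [
        "table ip scco {",
        f"  set core_net {{ type ipv4_addr; flags interval; elements = {{ {core} }} }}",
        f"  set subscriber_nets {{ type ipv4_addr; flags interval; elements = {{ {SUBSCRIBER_RANGE} }} }}",
        "  chain forward {",
        "    type filter hook forward priority filter; policy drop;",   # default: drop
        "    ct state established,related accept",   # replies to sessions we initiated
        "    ct state invalid drop",
        # Only our own networks may enter SCCo; city transit or Internet sources never do.
        f"    iifname {q(lan_if)} oifname {q(wan_if)} ip saddr {{ {', '.join(internal_nets)} }} accept",
    ]
    for host in diag_hosts:   # core may open connections, restricted by host and port
        r.append(f"    iifname {q(wan_if)} ct state new ip saddr @core_net ip daddr {host} tcp dport 22 accept")
    for _, proto, port, real in published:   # DNAT ran in prerouting, so match the real host
        r.append(f"    iifname {q(wan_if)} ct state new ip saddr @subscriber_nets ip daddr {real} {proto} dport {port} accept")
    r += [
        "  }",
        "  chain input {",   # traffic addressed to the firewall itself
        "    type filter hook input priority filter; policy drop;",
        "    ct state established,related accept",
        f"    iifname {{ {q('lo')}, {q(lan_if)} }} accept",
        f"    iifname {q(wan_if)} ct state new ip saddr @core_net tcp dport 22 accept",
        "  }",
        "  chain prerouting {",
        "    type nat hook prerouting priority dstnat;",
    ]
    for handoff, proto, port, real in published:
        r.append(f"    iifname {q(wan_if)} ip daddr {handoff} {proto} dport {port} dnat to {real}")
    r += ["  }", "  chain postrouting {", "    type nat hook postrouting priority srcnat;"]
    for real, handoff in snat_map.items():   # published hosts keep their own handoff address
        r.append(f"    oifname {q(wan_if)} ip saddr {real} snat to {handoff}")
    # Everything else bound for SCCo with a source outside a.b.c.0/24 is masqueraded
    # behind the firewall's own handoff address (a.b.c.241).
    r.append(f"    oifname {q(wan_if)} ip saddr != {net} masquerade")
    r += ["  }", "}"]
    return "\n".join(r) + "\n"


if __name__ == "__main__":
    print("\n".join(routing_commands("10.232.5.0/24", other_networks=True, internet_via_scco=True)))
    print(nft_ruleset("10.232.5.0/24", ["10.232.5.0/24", "192.168.10.0/24"],
                      [("10.232.5.242", "tcp", 80, "192.168.10.20")], diag_hosts=["10.232.5.10"]))
```

Two practical notes. First, any handoff address used as a DNAT/SNAT target (a.b.c.242 in the usage) must also be added to the handoff interface (`ip addr add a.b.c.242/28 dev wan0`) so the firewall answers ARP for it; otherwise the SCCo gateway cannot deliver the packets. Second, `nft -c -f ruleset.nft` checks the generated ruleset for syntax errors without loading it, and `nft -f ruleset.nft` loads it; the forward chain's `policy drop` plus the single lan-to-wan accept rule is what enforces the page's requirement that no city-network or Internet traffic is ever relayed into the SCCo network.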
Anti-X, IPS
- Anti-SPAM, Anti-virus, anti-malware, anti-... and other intrusion prevention mechanisms should be enabled, if they are available features in your firewall
- This is important whether or not you enable inbound connections to your network.
- Other than the Internet itself, the biggest security threats are the personal PCs that individuals bring from home and plug into their city's ARES/RACES network, and users clicking on dangerous links. Better firewalls have advanced features to block malicious activity on the fly.