<sect1 id="configurations-ppp-intro">

    <title>Introduction</title>

    <para>

        This chapter describes how to configure a small Internet

        Service Provider (ISP) accesable through the telephone line.

        In this chapter, the computer holding the ISP is named the

        <quote>server</quote> and the computer that want to make use

        of such services is named the <quote>client</quote>. We assume

        that both server and client computers have been installed with

        &TC;; (release 5.5).

    </para>

    <para>

        In this configuration, both client and server computers use

        modems to transmit data in form of sound through the telephone

        lines system. The dial-up connection described in this chapter

        could be a choise when the only communication medium you have

        access to is the telephone lines system.

    </para>

    <para>

        This configuration emerged from the need of sharing

        information with my friends in a country where Internet access

        is limitted to statal organizations and controlled therein

        with an increasing crazy-obsession. However, in this

        environment, the telephone lines system provides an

        alternative platform to interchange information in a

        point-to-point fashion. It can be used to create small social

        groups that can share ideas safetly (e.g., by using encrypted

        point-to-point connections). To be more specific, the goal of

        this work would be to provide public access to an ISP where

        people can express themselves freely and develop their

        personal projects (e.g., through mailing list).

    </para>

    <para>

        Even this configuration tries to reduce the lack of

        communication, there are limitations around it that we cannot

        take off, yet. The following list shows what these limitations

        are:

    </para>

    <itemizedlist>

    <listitem>

    <para>

        Only one connection (of 15 minutes) is possible at a time.

    </para>

    </listitem>

    <listitem>

    <para>

        More than 3 consecutive connections from the same phone number

        in a time range of 60 minutes means that that number is

        attacking the ISP to provoke a <quote>Denying of

        Service</quote> (DoS) attacks. In such cases, the phone number

        originating the phone call will be denyed from realizing

        further phone calls onto the ISP in the next 15 minutes. If

        after 15 mintes, 3 new consecutive connections are detected

        from the same phone number than before, the delay time will be

        duplicated on each consecutive interval (e.g., 15*1 for the

        first time, 15*2 for the second time, 15*3 for the third time,

        and so on).

    </para>

    <note>

    <para>

        In order to achieve an acceptable degree of efficiency when

        controlling consecutive connections from the same phone

        number, it is required that both the client's phone number and

        connection time be registered somehow in the server (e.g., Is

        it on pppd's log file?). Without such information it would be

        very difficult to achieve any prevention against DoS attacks

        originated from incoming calls.

    </para>

    </note>

    </listitem>

    <listitem>

    <para>

        The ISP is isolated from Internet, so it is not possible to

        provide Internet access through the ISP. For example, don't

        ever think you will be able to send international e-mail to

        Gmail or Yahoo, nor visit web sites like Google or Wikipedia.

        I really would like to provide such accesses, but without a

        link to Internet I don't have where to send your requests.

    </para>

    </listitem>

    <listitem>

    <para>

        The information generated inside the ISP is jailed to it. This

        way, it will be available to people registered inside the ISP

        only (e.g., through the web interface).

    </para>

    </listitem>

    <listitem>

    <para>

        The implementation of services that required persistent

        connections (e.g., <application>chats</application>) will not

        be considered as a practical offer.  Instead, only

        asynchronous services (e.g.,

        <application>e-mail</application>) will be supported. This

        restriction is required to reduce the connection effective

        times. For example, consider an environment where you connect

        the ISP to send/receive e-mails only and then quickly

        disconnect from ISP to release the line for others to use.

        There is no need for you to be connected at the same time

        someone else sends you an e-mail, this in order for you to

        receive it.  E-mail messages sent to you will be available in

        your mailbox the next time you establish a point-to-point

        connection with the ISP and use your mail client to send and

        receive new messages. Likewise, you don't need to be connected

        to the ISP in order to write your e-mail messages.  You can

        write your messages off-line and then establish connection to

        send it whe it be ready.

    </para>

    </listitem>

    <listitem>

    <para>

        Your user profile will be automatically removed from the ISP

        when no effective point-to-point connection be established by

        you in a period greater than 7 days since the last effective

        point-to-point connection you established to the ISP. When

        your user profile is removed, you will need to get registered

        again (i.e., create a new user profile) using the web

        interface provided by the ISP.  </para>

    </listitem>

    <listitem>

    <para>

        When a user receive messages, the user's e-mail client must be

        configure to move the e-mail messages from server to client.

        This is forced in the ISP computer by denying user's from

        accessing the IMAP service. Only POP service will be

        available. This restriction is required to save disk space on

        ISP computer.

    </para>

    </listitem>

    </itemizedlist>

    <para>

        I'm very sorry about these limitations, but this is the best I

        can offer with one PC, one modem, and one single telephone

        line. If you think this configuration can be improved somehow,

        please send me an e-mail to <email>al@example.com</email>.

        Notice that, for any mail to reach my mailbox, you should be

        registered inside the ISP first and used the ISP mail server

        to send the mail. I don't answer phone calls personally, the

        phone is very busy answering point-to-point connections ;).

    </para>

    <para>

        In order for you to share information with others, it is

        required that both you and the person you want to share

        information with, have an e-mail address registered inside

        ISP. This registration process is realized through a secured

        web interface accessable through an encrypted connection.  The

        web interface provided should permit everyone to update or

        delete their personal profiles. All actions realized through

        this web interface must be simple enough to be achieved in

        less than 15 minutes (the time you have before the

        point-to-point connection be closed by the ISP).

    </para>

    <para>

        Inside the ISP, user information is stored inside an LDAP

        server. The web application manipulates LDAP records and all

        related files inside the operating system that make possible a

        user to establish a point-to-point connection to the ISP, as

        well as registering, updating or deleting its profile inside

        the ISP.  Care should be taken to prevent one user to

        modify/delete profiles from other users. The user's profile

        administration is individual to each user using the user's

        identity as reference. The user's identity is determined by a

        username (e.g., the e-mail address) and a password.  The LDAP

        server will be available for everyone to consult from their

        mail clients.  Inside the web application, verifications must

        be included to avoid duplicated values, invalid characters and

        similar stuff.

    </para>

    <para>

        Inside the ISP, all related subsystems (e.g., Postix,

        Cyrus-Imapd and Saslauthd) must retrive user information from

        LDAP server.  Likewise, the mailbox administration must be

        automated based on the users in the LDAP server. The web

        application must be able to be aware of all files related

        inside the infrastructure in a way that administration tasks

        can be automated and presented friendly to end users (this

        will required the web application to run some program that

        needs root privileges =:-|). The whole process would be as

        follows:

    </para>

    <orderedlist>

    <listitem>

    <para>

        Establish a point-to-point connection to ISP, as described in

        <xref linkend="configurations-ppp-modem-client" />.

    </para>

    </listitem>

    <listitem>

    <para>

        Register a new user profile through the web application

        provided by the ISP.

    </para>

    </listitem>

    <listitem>

    <para>

        Configure your workstation using the information provided as

        result of a successful registration in order to start using

        the services provided by the ISP you recently get registered

        in. 

    </para>

    </listitem>

    </orderedlist>

    <para>

        In case some kind of force intend to confiscate me the

        computer where the ISP is installed in, it should be noticed

        that the whole ISP filesystem is encrypted in a way that it

        would be very difficult to get any valid data from it, once it

        be physically compromised. The encryption feature is applied

        before the operating system starts. In this configuration a

        password is required to decrypt the operating system

        filesystem in order to be able of booting it up as expected.

        If the password is not provided (or is incorrectly provided),

        the only thing you get is a prompt to enter a password :-).

        With this action I pretend to protect my work from the Cuban

        political system.  Presently (Oct 1, 2011), legal resolutions

        related to Information Technologies (ITs) have been only

        specified to Cuban State's organizations in a very

        contradictory and restrictive way (see resolution 149 from

        MIT).  There is no public resolution covering management of

        ITs at a level of natural citizens.  The legal conception, as

        far as I can see, is that no one can be independent from the

        Cuban State (i.e., you need to work for it somehow and be

        limitted to its working conditions).  If you decide to work

        for your own (i.e., based on a philosophy of life different

        from that followed by the Cuban State) you will be considered

        a dissident and will be rejected by a highly oppressed and

        armless society. Because Cuban natural citizens don't count

        with a legal definition about how to use ITs individually from

        the Cuban State's point of view, it is very difficult to be

        sure about the ground we are putting our feet on (e.g., the

        State could use its force to affect our creation based on its

        idea of <quote>appropriate usage</quote>, <quote>national

        security</quote>, etc.). This way, dramatic measures like

        encryption need to be considered in order to protect our

        natural freedom of sharing our creation in whatever way we

        decide to do it.

    </para>

    <para>

        Another important matter to be aware of is about the ISP's

        policy.  In order to keep freedom, it is required to define

        the boundaries of that freedom so you can determine and judge

        it.  Absolute freedom would end up in total destruction and

        absolute restriction would suppress the natural freedom of

        human beings to express themselves individually.  So a middle

        point will be used.  For example, if you think you have the

        freedom to abuse the ISP I provide (e.g., by spamming it, or

        by provoking denying of service attacks) you probably do, but

        consider that I will make use of my freedom to immediatly

        banish you for trying to destroy my work. On the other hand,

        if you show yourself as an educated and good-will person with

        solid ideas and reasons to share, you'll be totally welcome to

        stay. 

    </para>

</sect1>