Network Management Policy

Document Originally Approved May 26th, 2023

Document Last Updated July 6th, 2024

Introduction

Our Network Management Policy explains how we handle on-network routing
and deployment information, our network rules and expectations, how we
approach the operation of our network and how we maintain it.

This policy is a living document and will be updated from time to
time to reflect the project’s operations and service offerings as
the project ages and matures. As such, project members and end users
should refer back to this policy often and note any changes or updates.
Failure to keep up with the latest changes to the policies in use by
Marbled Fennec Networks does not excuse any project member or end
user from having to follow the project’s policies.

In addition, project members are responsible for ensuring that any
project guest they register with Marbled Fennec Networks complies with
all policies and expectations set by the project. For all purposes, a
project member who registers and brings on a project guest is considered
the sponsor for that project guest for the duration of their visit with
our project. All actions of the project guest will be treated as if they
were the actions of their sponsoring project member(s). Please ensure
that your project guests act in accordance with all set policies.

Scope

All communications that take place via Marbled Fennec Networks
traverse virtual network infrastructure that is operated and
maintained by our volunteer staff. This policy covers any and
all communications that occur on or through our network, are part of
any ingress or egress from and to partnered networks, or originate from
our network ranges.

Marbled Fennec Networks hosts, operates and provides a wide array of
network connectivity solutions to our project members and, occasionally,
project guests who are brought on by our project members. These solutions
consist of virtual routers, VPN technologies for IPv4 and IPv6 transit and
internet access (where applicable), cross-partner network tunneling and
routing, virtual machine and virtual private server hosting, game server
hosting and website hosting.

The Human Element

Maintaining our network requires skill, time and attention to detail;
therefore we select volunteer staff to assist with the day-to-day operations
of Marbled Fennec Networks. Our staff members are equipped with the tools,
access level, documentation and network mappings to perform their duties.
Most, if not all, of our volunteer staff team consists of computer and networking
amateurs who take on the role for fun and the possible expansion of their
knowledge and skills. No volunteer staff member of Marbled Fennec Networks
performs their duties above any other function of their daily lives. Participation
in the maintenance of the project is done on a purely amateur basis, for the
love of the hobby and without pecuniary interest. Therefore, maintenance of the
network, its services and responses to support tickets are done as volunteer
staff are able and are not held to any time standard or service level agreement.

Marbled Fennec Networks does not apply, condone or otherwise imply the existence
of or adherence to any service level agreement. The project is placed into operation
on a purely amateur basis by those who keep the project functional. Project members
or end users expecting complete uptime or perfect usability are encouraged to look
for a commercial provider to fit their needs. Our volunteers will not be pushed into
placing Marbled Fennec Networks above any other portion of their daily and personal lives.
Any project member or end user found to be placing undue pressure on our volunteer staff
members will have their service(s) and account(s) terminated and will receive an email
stating that their behavior was unacceptable and that they should look into a commercial
provider. Our volunteer staff members are humans with lives, experiences and emotions; as
such, Marbled Fennec Networks values the well-being and mental happiness of our operational
members above all else when it comes to the operation of our project and network. Abuse
of and discrimination towards our volunteer staff will not be tolerated under any circumstance
whatsoever, and offending project members may have their service(s) and account(s)
terminated for such behavior.

Patch Schedule

The project aims to inspect and apply OS, firmware and software patches to
our systems each week on Saturday. The patch window is from midnight to three
AM EST and project members should expect to see little to no interruption during
the process, excluding patches that may require reboots. In the case of patches gone
wrong, we keep backup images of all routers and core services and will make our
best effort to restore things to a working state as quickly as our schedules allow
our volunteer staff to do so.

All updates and configuration changes are logged to an internal Discord channel that
all of our volunteer staff members have access to, for the coordination of updates and to
allow our volunteer staff members to work together without collision. In addition to
the Discord channel, the project will also post on our website detailing any
outages, major updates or changes to how the network operates, in an area that the
general public can access and read.

System Backups

Marbled Fennec Networks has the project set up with automatic backups that run
every day at midnight. With these nightly backups, we are set up to keep the
most recent sixteen images on hand for all VMs, routers and services that the
project itself maintains. The last backup image created is locked before any major
update for a minimum of one week to give our volunteer staff a known working
image to roll back to in the event of any failed, buggy or broken OS/firmware update.
One week after an update has been applied, the affected systems are considered
stable and the locked image will be unlocked to allow disk space to be recycled.

All backup images are stored on a different physical server in the same data center
as our main server. The machine that handles the backup images (backup.fenfox.run)
exists as a virtual machine on the secondary physical host known as mech02.fenfox.run
and has firewall rules in place that only allow communication from our internal
IPv6 /64 subnet. The backup server has been provided with one terabyte of storage
and automatically prunes and verifies all stored images. Only the lead network
engineer and project coordinator have direct access to the backup server.

Network Addressing

Due to the nature of the project and the possibility of network abuse,
we statically assign all routes and internet protocol addresses to our project
members when and if their request for service(s) is approved. The address
range you are given is attached to your file and is set up on a virtual interface
for you to use. This is done to make troubleshooting and the identification of bad
actors and improper network use easier on our volunteer staff. Project members
are not allowed to request a custom IPv4 range, as these are NAT’d and assigned
in order. Custom IPv6 ranges from our pool may be requested; however, they may
take a few days to be assigned, and the requested ‘vanity’ subnet must fall within
a /58 pool that is routed to either catos.fenfox.run or ikus.fenfox.run.

PTR Record Assignment

Marbled Fennec Networks requires that the network interface address in any assigned
subnet have its PTR record set upon activation for the identification of project
member or end user traffic. Typically the project places our routing interface on
the IPv6 2604:4300:f03:xx::1/64 address, and usable addresses begin at
2604:4300:f03:xx::2/64 and increase per device profile created. To make it possible
for our volunteer staff to identify traffic on our network, the 2604:4300:f03:xx::1/64
address must have a PTR record set within one of the following namespaces:
“.marbledfennec.net” or “.fenfox.run”, as this properly identifies the traffic to us and
other networks.

Project members and end users who do not consent to having a PTR record assigned
will not be connected to the network. This is not optional and is a rule made for
traffic accounting and member accountability reasons.

Marbled Fennec Networks will forward PTR requests to our upstream provider
when our project members ask. We keep a documented list of requested and
assigned PTR records for our network. We do not, however, require that any
member submit a PTR request to us for each endpoint in order to use the
network in their homelabs or on their personal devices. This service is
completely optional and will be available for use for as long as our upstream
provider continues to provide it to us.

If you choose to submit a request for reverse DNS (PTR), please make sure you
submit a record that makes sense at a glance. Currently the expected formatting
is “<dev>.<member>.marbledfennec.net” or “<dev>.<member>.<router>.fenfox.run”.

When submitting PTR records, keep in mind that they are public, and lots of web
services automatically perform lookups on connecting client devices. Any name
that you set for an IP address within our network will become public information
and may be logged by remote admins and network or server devices.
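The following is an added example (not the project's own tooling) showing how the PTR rules above can be checked mechanically: it validates a proposed name against the two expected formats, confirms the address sits inside the member's assigned /64, and produces the ip6.arpa record for the ::1 router interface and the ::2-and-up device addresses. The sample subnet 2604:4300:f03:aa::/64 and all function names are assumptions for illustration.

```python
"""Validate member PTR names and generate the ip6.arpa records for addresses in an
assigned Marbled Fennec /64.  Added example; the functions and the sample subnet are
assumptions, not the project's own tooling."""
import ipaddress
import re

# Constructed member subnet: the policy writes the subnet id as "xx"; "aa" is a sample.
SAMPLE_SUBNET = ipaddress.IPv6Network("2604:4300:f03:aa::/64")

# Expected naming formats from the policy:
#   <dev>.<member>.marbledfennec.net
#   <dev>.<member>.<router>.fenfox.run
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
PTR_FORMATS = (
    re.compile(rf"^{LABEL}\.{LABEL}\.marbledfennec\.net$"),
    re.compile(rf"^{LABEL}\.{LABEL}\.{LABEL}\.fenfox\.run$"),
)


def ptr_name_is_valid(name: str) -> bool:
    """True if the name fits one of the two expected PTR formats."""
    name = name.rstrip(".").lower()
    return any(fmt.match(name) for fmt in PTR_FORMATS)


def router_address(subnet: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """The ::1 address on which the project places its routing interface."""
    return subnet[1]


def reverse_pointer(addr: str) -> str:
    """ip6.arpa owner name: all 32 nibbles of the address, reversed and dot-separated."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def build_ptr_record(addr: str, name: str, subnet=SAMPLE_SUBNET) -> str:
    """Zone-file PTR line for an address inside the member's assigned subnet."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in subnet:
        raise ValueError(f"{addr} is not inside the assigned subnet {subnet}")
    if not ptr_name_is_valid(name):
        raise ValueError(f"{name!r} does not match the expected PTR formats")
    return f"{ip.reverse_pointer}. IN PTR {name.rstrip('.').lower()}."


def subnet_activation_records(subnet, router_name, device_names):
    """Records needed at activation: the ::1 router interface plus each device,
    numbered from ::2 upward as the policy describes."""
    records = [build_ptr_record(str(router_address(subnet)), router_name, subnet)]
    for offset, dev_name in enumerate(device_names, start=2):
        records.append(build_ptr_record(str(subnet[offset]), dev_name, subnet))
    return records


if __name__ == "__main__":
    for line in subnet_activation_records(
        SAMPLE_SUBNET,
        "router.alice.marbledfennec.net",
        ["nas.alice.marbledfennec.net", "desktop.alice.catos.fenfox.run"],
    ):
        print(line)
```

The regex deliberately rejects a bare "<member>.marbledfennec.net" (one label short) and any name outside the two namespaces, and the subnet check stops a record being written for an address that was never assigned to that member.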

Partner Network Routing

Where it benefits our project members, Marbled Fennec Networks may opt to set up a
tunnel that routes traffic between our network and another project’s network.
Announcements will be placed on our website when this happens. Usually this is done
to give both projects an additional point of presence on the internet for geographical
reasons or to share internal resources between the teams of both projects. Sometimes,
when we opt to peer with a partner network, static routes will be created for passing
certain traffic through the partner network when it results in lower pings or faster
link speeds for our project members when accessing certain websites or network services.

Such interconnecting tunnels are always limited to 100Mbps of traffic in both
directions and do not have a monthly transfer cap placed on them. When Marbled
Fennec Networks makes a peering agreement with another project, the full details
of the agreement will be transparently posted on our websites for our project members
and end users to review. As long as the tunnel benefits both projects, it
will remain in operation. Marbled Fennec Networks will only make peering agreements
with other projects in which the agreement is done at zero cost to either project and
their respective members.

Furthermore, when peering with partner networks, test router ‘jigs’ for testing routes
to specific locations and services are required to be set up and tested; when one
peering partner has a better result than the other, it becomes the preferred route for
the other partner for access to those locations. This creates a mutually beneficial peering
for both projects and their members.

Network Security and Intrusion Detection System

By default, our network runs a firewall that does not allow outside connections
to come in on the IPv4 side of things. We deploy NAT for IPv4 access and we allow
port forwarding requests to be made on a first come, first served basis through our
support system. No project member or end user is allowed to obtain a public IPv4
address from our network, as that address class is shared between everyone and the
project has a very limited pool of said addresses.

For IPv6 access, which is the goal of the project, packets are routed straight through
our networking equipment to the project member’s equipment. Project members are highly
encouraged to deploy their own firewall on their side as, unless otherwise requested, we
do not firewall IPv6 for project member assigned network ranges. Project members may
request that we firewall off their subnet from outside traffic if they wish.

Project members should be aware that all on-network traffic from all
project members passes through various firewalls, routers and intrusion detection systems
that automatically inspect the traffic and may automatically and temporarily block suspicious
traffic while alerting our volunteer staff of potential problems. Our staff can drop into
the network at the packet level to inspect what is causing alerts or alarms. None of our
volunteer staff are allowed to disclose the traffic they see to anyone other than other staff
members who are working on the network, our upstream provider’s Network Operations Center or
law enforcement who may be conducting an investigation into network abuse. Marbled Fennec Networks
tries its best to remain a neutral carrier and, for the most part, has no interest in what
project members are doing on the network as long as it is legal and they are not putting the
network or our volunteer staff at risk.

Marbled Fennec Networks will not exclude any network traffic from passing through the intrusion
detection system on our routers. The IDS is in place as a security measure to help us protect
the network from attacks and abuse, both internal and external.

DNS Server Management

Marbled Fennec Networks operates and provides two public DNS servers that anyone on the
internet may make use of for general DNS queries. Both DNS servers are tied into the OpenNIC
project, meaning that users are able to resolve both ICANN and OpenNIC domains when using
either server. The addresses for the servers are dns.fenfox.run and dns2.fenfox.run and both
provide IPv4 and IPv6 access.

While we strive to remain an unbiased/neutral network operator, there will be times in which
our volunteer staff members must moderate the DNS servers in order to prevent malware or
botnets from using the servers in their operations. To date, there are roughly 42 domains that
are dropped using iptables. Packets arriving at our servers containing the hex for these domains
are dropped before they make it to the DNS service. We will not unblock known command and
control domains.
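As an added example (not the project's own configuration, which lists none of its roughly 42 domains), the following shows what "dropping packets containing the hex for a domain" means in practice: a DNS name on the wire is a sequence of length-prefixed labels ending in a zero byte, and the iptables string match compares those raw bytes against every packet. The helper names and the placeholder domains under .invalid are assumptions.

```python
"""Build DNS wire-format byte patterns for dropping command-and-control lookups at the
packet level, mirroring the policy's "drop packets containing the hex for these
domains" approach.  Added example, not the project's own configuration."""

# Constructed placeholder domains; the policy does not publish its blocked names.
BLOCKED_DOMAINS = ["c2-placeholder.invalid", "botnet-placeholder.invalid"]


def dns_wire_name(domain: str) -> bytes:
    """Encode a name as DNS labels: length byte + label, ..., terminating 0x00."""
    out = bytearray()
    for label in domain.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def dns_wire_hex(domain: str) -> str:
    """Hex form of the wire name, as used with iptables --hex-string."""
    return dns_wire_name(domain).hex()


def iptables_drop_rule(domain: str, proto: str = "udp") -> str:
    """iptables string-match rule dropping a query that names this domain or a
    subdomain of it.  Because the leading length byte and trailing 0x00 are part
    of the pattern, 'notc2.example' does not match a rule for 'c2.example'."""
    return (f"iptables -A INPUT -p {proto} --dport 53 -m string --algo bm "
            f'--hex-string "|{dns_wire_hex(domain)}|" -j DROP')


def build_query(domain: str) -> bytes:
    """Constructed minimal DNS query: 12-byte header, QNAME, QTYPE=A, QCLASS=IN."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    return header + dns_wire_name(domain) + b"\x00\x01\x00\x01"


def would_drop(packet: bytes, blocked=BLOCKED_DOMAINS) -> bool:
    """Simulate the string match: a plain byte-substring search over the packet."""
    return any(dns_wire_name(d) in packet for d in blocked)


if __name__ == "__main__":
    for d in BLOCKED_DOMAINS:
        print(iptables_drop_rule(d))
    print(would_drop(build_query("www.c2-placeholder.invalid")))   # True
    print(would_drop(build_query("notc2-placeholder.invalid")))    # False
```

Two caveats a practitioner should keep in mind: the match sees only the bytes in a single packet, so a query carried over TCP and split across segments, or a name that appears only as a compression pointer in a response, is not caught; and the string module scans the whole payload, so any packet that happens to carry the same byte sequence anywhere will be dropped, which is why including the length prefix and terminator matters.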

Aside from the above, Marbled Fennec Networks will not restrict access to domain lookups.
The internet is a weird place and not everyone will agree with the information that others
seek out, and that is something we all have to deal with as system admins. Furthermore, DNS
logs are only kept for 48 hours before being truncated to a zero-byte file.

Project Member Accounts and Services

Project members are not permitted to share their account(s) details with anyone not
listed on their service request and on the approval notice sent from our support department.
Your account(s) and service(s) are intended for your own personal use only and shall not
be shared outside of your homelab or personal devices. You are fully responsible for all
communications and data that traverse our network in relation to your account(s), service(s)
and network access profile(s).

In the event Marbled Fennec Networks receives any complaints about project member
or project guest activities, our volunteer staff will begin an investigation that may
involve the temporary monitoring of said network traffic and data flow. If said project
member or project guest is found to be in violation of our policies, their access to
service(s) and account(s) may be restricted while we attempt to contact them for a
resolution. Failing contact, said project member or project guest service(s) and
account(s) will be disconnected and terminated.

Outright Banned Communications

Marbled Fennec Networks does not allow project members or project guests to operate
Tor nodes of any type, mail servers or relays, public proxies or torrent services.
If a member is found to be doing such things, their access to the network and
service(s) will be terminated and the offending project member or project guest will
be banned from requesting or obtaining service(s) or account(s) in the future.

Marbled Fennec Networks does not and will not permit the operation of SMTP (email)
servers by members or guests of our project who have received access to account(s) and
service(s) provided on our network. Due to the efforts we have put in to keep our address
space spam-free, clean and off blocklists, we will not respond to requests to unblock
access to ports 25, 465 and 587. Traffic on these ports is blocked both at the edge and
internally within our routing stack. Furthermore, project member or project guest subnets
that make attempts to use email ports will generate alerts in our monitoring and management
software, causing our volunteer staff to act on the alerts to ensure these ports remain
unusable.

Network Management System

The network operated by our volunteer staff includes an NMS, or Network Management
System, that handles various tasks such as, but not limited to: traffic accounting
per subnet and project member or project guest, interface throughput and error condition
alerting, uptime and outage tracking and related statistics. All routers, hosts and VMs operated by
Marbled Fennec Networks are registered with our NMS. This is not optional and is a requirement
for any equipment operated by the project itself. Additionally, to augment the NMS’s capabilities,
we also deploy ntopng on our routers to help visualize traffic flows. For project members and
project guests, the interface on our side of all tunnels is added to the NMS for monitoring, and
optionally project members may request that their side of the tunnel be added to the NMS for
monitoring purposes, though this is not a requirement at this time.

Network Status Monitoring

Marbled Fennec Networks hosts a publicly viewable status page at https://status.marbledfennec.net.
This status page monitors all equipment that is operated by the project itself and provides
uptime tracking as well as network status to our project members and end users. During outages
or planned maintenance, our volunteer staff will post notices on the status page that detail the
nature of the outage or problem and what we are doing to resolve it. Project members and end users
can see the uptime tracking for the past four to six hours using the status page. Project
members may message our support desk requesting that their interface on
their side of the tunnel be added to the monitoring page so that uptime tracking is made easier.

Firewall Rules and Reactions

As needed in order to maintain network quality and to protect our network, we may
set and adjust firewall rules to deny or permit types of traffic and network ranges.
Our project members and project guests can check our website for updates that detail
any changes to our network and why those changes have occurred.

In an attempt to keep network availability and usability fair for all project
members, Marbled Fennec Networks deploys and occasionally makes adjustments to
a Quality of Service system on each router. The QoS system is intended to
evenly divide the bandwidth of each router amongst its active users at any given
time. Some types of traffic may temporarily see slower service on our network when
compared to other types of traffic, if those traffic types are both flowing through the network
at the same time. Certain things such as known VoIP applications and web browsing are
QoS exempt, while other traffic such as Steam downloads is always QoS managed. This
is done purely for the purpose of ensuring network usability for all project members
and will have little to no impact during periods of light network usage. As of July 5th, 2024,
the current QoS rates shared between users on any given router are 350Mbps download
and 175Mbps upload. These traffic rates were chosen based on a rolling average of the past
four months of network usage patterns.

We also may place bandwidth restrictions on specific project members or project guests
who are deemed to be abusing the network by using extreme amounts of network capacity
or bandwidth for extended periods of time. Project members and project guests need to
be mindful that the bandwidth on a router is shared between all users of that router.
Members who continue to burn through extreme amounts will eventually be disconnected
and may face termination of their service(s) and account(s). Currently, as of
Feb 20th 2024, the alert threshold for network bandwidth abuse is set at 600GB within
a single month period. The accounting period starts on the first of the month and ends on the
last day of the current month. Usage accounting is performed on a per subnet basis, not
per device, meaning a project member’s usage is accounted for across all of their devices
together. Project members exceeding 600GB within a one month period will be placed at the
second lowest QoS level (maximum of 15Mbps bit rate) for the remainder of the current
month. Project members exceeding 900GB within a one month period will be placed at the
lowest QoS level (maximum of 3Mbps bit rate) for the remainder of the current month.
Project members exceeding 1000GB within a one month period will receive an email about
fair usage and a warning of the possibility of their account(s) and service(s) being
terminated due to excessive network burden and bandwidth hogging. Project members who
receive two of these warning emails within a three month period will have their account(s)
and service(s) terminated and will not be allowed to apply for service(s) from Marbled Fennec
Networks for forty-five days following.
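The fair-use accounting described above, as an added example that is not the project's NMS code: per-device records are summed to the subnet and calendar month (devices are never counted separately), each monthly total is mapped to the QoS tier and warning thresholds stated in the policy, and the two-warnings-in-three-months rule is evaluated per subnet. The sample records, the decimal reading of "GB", the interpretation of "three month period" as three consecutive calendar months, and all function names are assumptions.

```python
"""Fair-use accounting as described in the policy: aggregate per-device usage to the
subnet and calendar month, then map monthly totals to QoS tiers and warnings.
Added example, not the project's own NMS code."""
from collections import defaultdict
from datetime import date

GB = 10**9  # Assumption: the policy's "GB" is read as decimal gigabytes.

# Thresholds from the policy (Feb 20th 2024 figures); all are "exceeding", i.e. strictly greater.
TIER2_GB, TIER1_GB, WARN_GB = 600, 900, 1000
TIER2_MBPS, TIER1_MBPS = 15, 3
WARNING_WINDOW_MONTHS = 3  # two warnings within three consecutive calendar months

# Constructed sample records: (day, member subnet, device, bytes transferred).
SAMPLE_RECORDS = [
    (date(2024, 3, 2), "2604:4300:f03:aa::/64", "nas", 400 * GB),
    (date(2024, 3, 9), "2604:4300:f03:aa::/64", "desktop", 250 * GB),
    (date(2024, 3, 20), "2604:4300:f03:bb::/64", "htpc", 120 * GB),
    (date(2024, 4, 1), "2604:4300:f03:aa::/64", "nas", 1050 * GB),
    (date(2024, 5, 15), "2604:4300:f03:aa::/64", "desktop", 1200 * GB),
]


def monthly_usage(records):
    """Sum bytes per (subnet, year, month); the device column is ignored on purpose."""
    totals = defaultdict(int)
    for day, subnet, _device, nbytes in records:
        totals[(subnet, day.year, day.month)] += nbytes
    return dict(totals)


def qos_for(total_bytes):
    """(tier name, bit-rate cap in Mbps or None) for one subnet's monthly total."""
    gb = total_bytes / GB
    if gb > TIER1_GB:
        return ("lowest", TIER1_MBPS)
    if gb > TIER2_GB:
        return ("second-lowest", TIER2_MBPS)
    return ("normal", None)


def warning_due(total_bytes):
    """True when the monthly total crosses the fair-usage warning threshold."""
    return total_bytes / GB > WARN_GB


def months_apart(a, b):
    """Calendar-month distance between (year, month) tuples a and b."""
    return (b[0] - a[0]) * 12 + (b[1] - a[1])


def termination_due(warning_months):
    """True if any two warnings fall inside a span of three consecutive calendar months."""
    months = sorted(set(warning_months))
    return any(months_apart(m1, m2) < WARNING_WINDOW_MONTHS
               for m1 in months for m2 in months if m2 > m1)


def evaluate(records):
    """Per-subnet summary: (tier, cap, warned) per month plus the termination flag."""
    summary = {}
    for (subnet, year, month), total in sorted(monthly_usage(records).items()):
        entry = summary.setdefault(subnet, {"months": {}, "warnings": [], "terminate": False})
        tier, cap = qos_for(total)
        warned = warning_due(total)
        entry["months"][(year, month)] = (tier, cap, warned)
        if warned:
            entry["warnings"].append((year, month))
        entry["terminate"] = termination_due(entry["warnings"])
    return summary


if __name__ == "__main__":
    for subnet, info in evaluate(SAMPLE_RECORDS).items():
        print(subnet, info["months"], "terminate:", info["terminate"])
```

Note that a single 1050GB month already lands in the lowest tier and earns a warning at once; the forty-five day re-application lockout after termination is not modelled here.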

While we cannot, and do not, guarantee complete network isolation from other
project member and project guest subnets, the volunteer staff at Marbled Fennec
Networks do their best to implement firewall rules that deny access to other
member and guest subnets by default. This is applied even across other routers
in the stack to attempt to prevent project members from reaching into other subnets
deployed on our network. If you need access to another member’s subnet, you both
need to submit a ticket to our support desk requesting such and you both need to
validate the request.

The network that Marbled Fennec Networks provides and maintains is not meant to be
a replacement for a commercial transit provider. The project is provided by hobbyists
who are maintaining this project out of their own pockets, and we ask that our project members
be mindful of that and work together to share the resources. Abuse of the project’s
allocated resources will not be tolerated. We have hard limits on our transit and network
speeds for the connections to the outside world, which we have to be mindful of and work
to ensure fair use of.

Intended Network Usage

The project provides and maintains an IPv6 enabled network for our project members
to use in a homelab or personal setting. The service(s) and account(s) that you
may be granted access to are for your own personal use only. You may not operate a
hosting, telecommunications or similar company or business system on our network and
doing so will get your access terminated. Exceptions for certain types of hosting,
such as personal websites, may be granted on a known and documented basis. You must
speak with support for more information on that process; such grants are subject to
all network and project policies.

You may not use our network to invade another person’s privacy; access or attempt to
access any internet host for which you do not have permission; hack, crack or otherwise
gain access to any other internet host; share data or software that you do not have
the rights to; use or access packet sniffers or similar tools; send unsolicited mail;
restrict or inhibit any other member from using or enjoying our network; harass other
persons or groups; impersonate other persons or groups; or use any internet host
in a way that is not authorized by its operators.

You may not perform actions that would cause undue burden to our network resources
or other users connected to our network. For hosted services, this includes but is not
limited to: exploits to bypass service limitations; exceeding allocated network speeds or
traffic limitations; gaining access to virtual machines not hosted under your account;
exploits to make unauthorized changes to our network and systems.

Doing any of the above will result in termination of your service(s) and account(s), as
well as you being banned from using our network in the future.

Public Display of Network Statistics

Marbled Fennec Networks will collect, parse and occasionally display on our website
information about how the network is used. We are making this known via this
policy as information collected and displayed will be in the form of traffic type,
traffic amount, protocol, IPv6 subnet, the parties those subnets are provided to and
which router the traffic flowed across. This is solely for allowing
users a look into how our network is being utilized and the amounts of traffic we
route through our equipment, as well as a tool to help plan changes and modifications
to our network in response to usage. Marbled Fennec Networks will not disclose individual
IPv6 addresses in the presented information on our website, only entire subnets. If
you do not agree with this process, you should contact support immediately to cancel
your service(s) and account(s).

As part of our network management policy, the project reports banned IP addresses
to AbuseIPDB on a regular basis. This reporting is automatically handled via various
services within our network.

Internal Collection and Parsing of Network Statistics

Volunteer staff helping run the project will have the ability and tools needed
to collect, parse and display network statistics internally that will help our
project see how the network is utilized, view traffic flows and amounts in real time,
see where traffic is going in and out of our network, which IP addresses are involved,
which parties those IP addresses are provided to, end point connection IP addresses and
estimated geo-location, resolved DNS queries and other related network statistics.
This information is used internally to help our volunteer staff make decisions related
to setting up our routing, migrating users between routers, troubleshooting issues on
the network, providing project members with support, planning maintenance and performing
network upgrades.

Volunteer staff are not allowed to disclose this level of detailed information to the
public. The highly detailed information view is only to be used internally for day-to-day
upkeep tasks of the network and project, or to assist our upstream provider(s) or
law enforcement when required by law.

Cooperation with Upstream and Law Enforcement

Marbled Fennec Networks aims to keep good relations with our upstream provider(s) and law
enforcement agencies. In the event that a situation arises in which we are instructed to do so,
and such compliance is required, the project will provide our upstream provider
and/or law enforcement with a virtual network drop via a virtual machine that will grant
them network level access on our core network bridge. Due to the types of situations
that might require this action, we may be ordered not to give out information during the
investigation; however, once the investigation is over, we will be transparent about
what happened to the level to which we are legally allowed.

All in all, just behave and don’t abuse the network. We think that is a
pretty fair request of our members, guests, vendors and sponsors.