44net January 2015

44net@mailman.ampr.org

38 participants
31 discussions

Re: [44net] Tunnel mesh is (mostly) down
by Rob Janssen 06 Jan '15

06 Jan '15

> Subject: > Re: [44net] Tunnel mesh is (mostly) down > From: > "Michael E Fox - N6MEF" <n6mef(a)mefox.org> > Date: > 01/06/2015 12:32 AM > > To: > "'AMPRNet working group'" <44net(a)hamradio.ucsd.edu> > > > Hmmm. Given a 1 hour timeout, then any error would need to be detected and > corrected within that hour, or else routes will still be lost. Correct? > > It would seem that a timeout of something more like 24 hours would be more > practical. The rationale behind the 1 hour timeout is not to cover errors and outages, although it could cover cases where e.g. the server has to be relocated within the same room, or network maintenance occurs. The reason is that one of the hypotheses is that there is packet loss that drops the RIP packets, and when two subsequent RIP bursts would each loss the last (or n'th) packet e.g. because of a queue overflow somewhere the route would be already lost. The chance of this happening to 12 subsequent broadcasts (1 hour) is smaller. Further increasing the timeout would mean that a route that is no longer present would take much longer to disappear, unless a mechanism as described by Marius is added. (where a deleted route is announced in a special way) With that modification, the timeout could be safely set to something like 1 week. Rob

1 0

Re: [44net] Tunnel mesh is (mostly) down
by Rob Janssen 05 Jan '15

05 Jan '15

44net-request(a)hamradio.ucsd.edu wrote: > Subject: > Re: [44net] Tunnel mesh is (mostly) down > From: > "Marius Petrescu" <marius(a)yo2loj.ro> > Date: > 01/05/2015 07:30 AM > > To: > "'AMPRNet working group'" <44net(a)hamradio.ucsd.edu> > > > Hello, > > I don't think that increasing the route timeout the would have any bad side > effects (I think 7200 would be a good value). I have recompiled with 3600 before I read that. However, I'll keep a watch on it for some time to see if strange things still happen. It could be that the latest version that I now downloaded hides that problem with 44.140.0.1 but I can easily see if other routes are appearing/disappearing regularly. > > But maybe there is another mechanism that could be added to the ampr gateway > (And which is already implemented in ampr-ripd): > The daemon is capable of force exipring routes if they are received with > metric 15. > So adding the sending of deleted subnets with metric 15 fore a given time > AND increasing normal expire time to higher values (e.g. 10800 - 3 hours, or > even more) would make the system more stable. > > Marius, YO2LOJ > > That sounds like a good idea, in that case there could be a much longer timeout, but maybe it should then (as Brian suggested) log when it receives less packets than normal. E.g. count the received packets in a single burst and syslog a message when it is 2-3 less than in the previous burst. When we fix the problem that routes disappear too soon, but then nobody notices anything and 24 hours later we still have a problem because the routes are suddenly deleted, not much has improved. When there is some alert I can watch it in our nagios monitoring. Rob

2 1

PP5ES
by Brian Kantor 05 Jan '15

05 Jan '15

Is PP5ES on this mailing list? If so, please contact me off-list. Thank you. - Brian

1 0

Re: [44net] Tunnel mesh is (mostly) down
by Rob Janssen 05 Jan '15

05 Jan '15

> Subject: > Re: [44net] Tunnel mesh is (mostly) down > From: > Brian Kantor <Brian(a)UCSD.Edu> > Date: > 01/05/2015 07:26 PM > > To: > AMPRNet working group <44net(a)hamradio.ucsd.edu> > > > On Mon, Jan 05, 2015 at 02:27:18PM +0200, Marius Petrescu wrote: >> >Let me get this right... You are talking about the encapsulated RIP >> >transmissions originating from 169.228.66.251 to each public gateway IP? >> > >> >-----Original Message----- >> >On Behalf Of Rob Janssen >> >Sent: Monday, January 05, 2015 11:11 >> >To: Brian Kantor >> >Cc:44net@hamradio.ucsd.edu >> >Subject: Re: [44net] Tunnel mesh is (mostly) down >> > >> >Maybe something else you can do is drop the extra transmission of RIP >> >packets from the public IP >> >address. I think nobody is really using those (if not because of the funny >> >destination port number), and >> >they only add to this problem by putting even more data in the queue. > Up until a few minutes ago, the amprgw system was sending the RIP data > twice - once UNencapsulated to the public gateway IP, once encapsulated. > > Since to the best of my knowledge, no one was using the UNencapsulated RIP > for anything, I've discontinued sending it. > > If I'm wrong and someone is using it for something, I'll turn it back on. > - Brian > > > Note that those transmissions were sent to a seemingly random destination port number, which made them kind of hard to use. The source port number was always 520. I don't know if that was a bug or a feature, but it puzzled me when I was trying to receive them and could not get the encapsulated transmission working in ampr-ripd. (an issue that I later located and Marius made a change that fixed that) Rob

1 0

AMPR Portal Error for Coordinator
by William Lewis 05 Jan '15

05 Jan '15

Chris / Brian. I had a new request for an AMPR addresses allocation from the portal, but there seems to be a couple of issues. First, I never received the new request via email as I usually do. Not sure why I didn't get this request. Second, the user that submitted the request accidentally select my network of 44.002/16 when he should have selected Daniel Curry's network of 44.004/16. In the coordinators section of the portal, when I tried to DENY the request, the page refreshes and I get an error in red stating : "There are children but selected owner is not a coordinator." and I can not deny the request. I have contacted the user who submitted the request and informed him to make another request on the correct network. But, it appears there is a bug on the portal that is not sending me email notifications and not letting me deny requests. Thanks for looking into this. ---------- Wm Lewis (KG6BAJ) AMPR Net IP Address Coordinator - Northern and Central California Regions (A 100% Volunteer Group) (530) 263-1595 (Home/Office) ______________________________________________ ---------- This message is for the designated recipient only and MAY CONTAIN PRIVILEGED OR CONFIDENTIAL INFORMATION. If you have received it in error, please notify the sender immediately and delete the original. Any other use of this E-mail is prohibited.

1 0

Linux policy routing explained briefly
by Brian 04 Jan '15

04 Jan '15

There seems to be a bit of confusion as to how linux routes via policy routing. The tool which appears to be the most flexible is "ip" found in the iproute2 package. The two key switches are "route" and "rule", and they do exactly what they sound like; one manages routes and route-tables, while the other manages the ruleset in which these routes/tables are called upon. Linux begins with a main route table and a default ruleset in which that table is used. Typically you don't even notice this as it's created with the configuration of the standard network devices upon boot. Two rules will be applied for this main route table: 1) main 2) default The rules are such that the priority to these tables is so low almost any other rule will take priority over it. That's what makes amprnet routing for linux quite simple. The rule you want to make for amprnet is such that any inbound OR outbound routing sourced as 44-net uses it's own route table, with a priority higher than the main table rule. As long as the routes are in this matched table, the kernel will act as an amprnet router just fine even to entities such as xNOS, Xnet, etc. So if you want proper packet flow make sure all paths and rules match for the source you wish to route - in our case it's 44/8: A sample standard path would look like: commercial to commercial/nat inet/0 <----> linux-nat or com IP table main commercial to your ampr inet/0 <----> ucsd/bgp host ucsd/bgp host <---> linux 44-tunl0 via rule 1/table 1 <---> node/bbs/dxc ampr to ampr (tunnel only shown) 44/8-tunl0 <---> linux tunl0/rule 1/table 1 <---> node/bbs/dxc ampr to ampr to xNOS/Xnet (tunnel only shown) 44/8-tunl0 <---> linux tunl0/rule 1/table 1 <---> tun0/tap0-xNOS/Xnet This shows that the Xnet or xNOS tun/tap interfaces need to be included within the ruleset that matches table 1 or else it will become unroutable. Also you need to insure ip_forwarding is enabled, and your firewalling permits ip protocol 4 (ipencap), and ip protocol 93 (AX.25) A simple script which can do this for you is found at http://n1uro.ampr.org/linuxconf/dotun.html # --- dotun.sh --- #! /bin/bash # dotun.sh script written by N1URO # June, 2013 # enter in your information below, these are used for creating a # gateway and linking to the amprnet: AMPRIP='x.x.x.x' IPMASK='x.x.x.x' COMMIP='x.x.x.x' NOSIP='x.x.x.x' case "$1" in start) # Load your ipencap module in the kernel: modprobe ipip # Allow ip forwarding from amprnet to your ethernet interface echo "1" > /proc/sys/net/ipv4/ip_forward # load RIPv2 routing using the ampr-ripd daemon /usr/local/sbin/ampr-ripd -t 1 -a $COMMIP -p <password> -i tunl0 -v -s -r # Configure your ipencap tunnel interface - required for the amprnet ifconfig tunl0 $AMPRIP netmask $IPMASK up # Allow traceroutes to work on the amprnet: ip tunnel change tunl0 mode ipip ttl 64 tunl0 pmtudisc # If you run xNOS, configure a tun/tap interface: ifconfig tun0 $AMPRIP pointopoint $NOSIP up # configure your rointing accordingly: ip route add $NOSIP dev tun0 onlink table 1 src $AMPRIP ip route add default via 169.228.66.251 dev tunl0 src $AMPRIP onlink table 1 # configure policy routing so that frames from/to your 44-net IP # know how to route accordingly: ip rule add from 44/8 pref 1 table 1 ip rule add to 44/8 pref 1 table 1 # script is done, exit as a clean flush. exit 0 ;; stop) # Unload what we loaded above: ip rule del to 44/8 pref 1 table 1 ip rule del from 44/8 pref 1 table 1 ifconfig tunl0 down ifconfig tun0 down killall -TERM ampr-ripd modprobe -r ipip exit 0 ;; restart) dotun stop sleep 3 dotun start exit 0 ;; *) echo "Usage: dotun {start|stop|restart}" exit 0 ;; esac exit 0 --- EOF --- -- If Microsoft intended Windows to be for ham usage, they would have incorporated our protocols into their kernel. 73 de Brian Rogers - N1URO email: <n1uro(a)n1uro.ampr.org> Web: http://www.n1uro.net/ Ampr1: http://n1uro.ampr.org/ Ampr2: http://nos.n1uro.ampr.org Linux Amateur Radio Services axMail-Fax & URONode AmprNet coordinator for: Connecticut, Delaware, Maine, Maryland, Massachusetts, New Hampshire, Pennsylvania, Rhode Island, and Vermont.

5 6

Tunnel mesh is (mostly) down
by Rob Janssen 04 Jan '15

04 Jan '15

The tunnel mesh went down today at about 08:20 UTC. Most of our routes have disappeared, are no longer being advertised on RIP. The portal.ampr.org site is not responding anymore. It looks like the portal is no longer distributing correct information to the RIP server and so the RIP server sends incomplete broadcasts and the ampr-ripd deletes the routes. Is there some fallback scenario, e.g. loading a last correct list of routes by the RIP server to make the network come back up in the state it was just before the mishap? Rob

12 15

Re: [44net] Tunnel mesh is (mostly) down
by Rob Janssen 03 Jan '15

03 Jan '15

> Subject: > Re: [44net] Tunnel mesh is (mostly) down > From: > Eric Fort <eric.fort(a)gmail.com> > Date: > 01/03/2015 05:35 PM > > To: > AMPRNet working group <44net(a)hamradio.ucsd.edu> > > > how about eliminating this issue perminantly from ever happening and > moving to voluntary peering between gateways. Know thy neighbor and > be responsible foryourpeers androutesseems to work really well for > everyone else yet amprnet still relies upon route distribution from a > single source. > > Eric > AF6EP It is still not clear to me what exactly happened, and how it was resolved, but what I saw here is that the number of tunnel routes decreased dramatically and this disconnected the stations on IPIP including myself. We already are BGP announced. That is not the problem. But as a properly setup gateway, we are both on BGP and the IPIP tunnel mesh, and the latter we configured using RIP (ampr-ripd). What apparently happened is that we received RIP broadcasts with only a very small subset of the active routes, and over time most routes got deleted. So we still had full connectivity to internet for net 44.137.0.0/16 and our statically connected subnets, but the tunnel routes inside the country and to the rest of the world mostly vanished. We don't really need those tunnels to everywhere over the world, but we run them to remain compatible with the rest of the system. It would be sufficient for us to have only tunnels to our local users, and have the remainder of the traffic routed over plain internet. However: - there is no way in the portal to specify that you want to use tunnel routes only for your own subnets - there are access lists in use at other stations that would block traffic going outside the tunnel system, because they want to limit traffic to only net-44, so we would get obscure routing problems So for now we will keep running a tunnel mesh system, and I hope that everyone else who prefers functionality over other reasons will do the same. (I fail to see how a single-point-of-failure solution can be a worse choice than a configuration that does not work *at all* even when everything is up and running) In the meantime, I hope some people can find some time to debug what was going on here. I have seen a similar problem in the RIP broadcasts before, a set of routes that appears and disappears at random. They appear in some RIP broadcast sets, then do not appear in some, then re-appear, etc. There must be a problem somewhere, but it is unclear if it is in the RIP server or in the code that delivers info to it. Maybe the problem of this morning is caused by the same bug, as it appears to have affected only a subset of all routes. Rob

1 0

Re: [44net] Tunnel mesh is (mostly) down
by Bryan Fields 03 Jan '15

03 Jan '15

On 1/3/15, 11:45 AM, Brian wrote: > On Sat, 2015-01-03 at 08:35 -0800, Eric Fort wrote: > >> > how about eliminating this issue perminantly from ever happening and >> > moving to voluntary peering between gateways. Know thy neighbor and >> > be responsible foryourpeers androutesseems to work really well for >> > everyone else yet amprnet still relies upon route distribution from a >> > single source. > Are you suggesting something such as a possible BGPv2 that all gateways > or designated regional gateways could perhaps tunnel broadcast between > themselves? This would be interesting and may help with other route > issues between those using RIPv2 <-> BGP amprnet sites. Why tunnel at the gateway level?, let the other gateways run BGP. Problem solved. How you get to the gateway could be IPIP, GRE, IPSEC, or you can run BGP yourself. Or even if you have a friendly peering location that lets you put a dish on the roof. Treating this like is some kinda special VPN really holds amprnet back. 73's W9CR -- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net

4 3

Re: [44net] Should I worry about this crud coming in via the tunnel?
by Rob Janssen 02 Jan '15

02 Jan '15

> Subject: > [44net] Should I worry about this crud coming in via the tunnel? > From: > Arno Verhoeven <pe1icq(a)vrhvn.nl> > Date: > 01/02/2015 04:11 PM > > To: > "'AMPRNet working group'" <44net(a)hamradio.ucsd.edu> > > > Hi, > > I have been monitoring traffic coming in via the tunnel and am a bit shocked how much bogus (?) traffic comes in from non-44 addresses. Yes, this is quite normal. Imagine how much comes in to the country gateway and gets dropped... The internet is full of people who only want to destroy it and there is not much that can be done about it. People use spoofed sender addresses (their provider should block that but many providers don't care), and others like to scan for all kinds of situations they can abuse, e.g. for DDOS. You need a good firewall. But maybe not what Tom suggests, because that ends your connectivity with the non-44 part of internet. Rob

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net January 2015