44net July 2019

44net@mailman.ampr.org

86 participants
91 discussions

Re: [44net] Time to restructure the network?
by Rob Janssen 22 Jul '19

22 Jul '19

/> From my point of view, any interconnection technology that requires /> going through a third point (e.g. external OpenVPN server) likely won't > fly with me. Odds are that any such interconneciton is going to be a > long way from here and add unacceptable latency. Ideally, where direct > connections are possible, a mesh topology, like the current IPIP mesh is > what I'd like to see, regardless of underlying technology. There is no reason why you cannot have some VPN servers in datacenters in Australia, and connect them to the system and interconnect them in a mesh fashion. Then everyone can connect to their closest server and you have fast local connectivity, combined with ease of access. When, in addition, you arrange for the subnets involved to be BGP announced on internet, you will have fast internet connectivity as well, without a roundtrip via UCSD. While this is already possible with the current system, it is much more complicated to implement it and it can only be done on a select number of router types. > Obviously, > there will be corner cases, such as endpoints stuck behind CGNAT, which > may require a relay point external to them. For me, I'd rather beat my > router into submission and get that direct connection (like I have with > IPIP). ;) As several people have written, may users are not network architects and have limited knowledge about networking. And there may be many more who are interested in joining the network but have been unable to do so, because of lack of knowledge and/or lack of a suitable internet connection. Making the system easier to access may get us many more participants and after that we may ask ourselves "why did we live with that complicated IPIP system for so long"? Here in the Netherlands, there are 16 registered IPIP gateways (some of them are not actually operational), and 36 active VPN connections with BGP. Plus at this time there are 14 active OpenVPN connections (endpoints not using BGP) out of 220 registered accounts for that. So 50 "new technology" connections vs at most 16 old IPIP connections. That should be clear. There used to be more active connections, it is on a decrease again. Probably after some time the users start asking "what is the benefit of being on this network, what service is it offering that I don't have on plain internet". That is something we should be working on as well. Rob

1 0

Re: [44net] Time to restructure the network?
by Rob Janssen 22 Jul '19

22 Jul '19

> But you also say "There is no need for a portal that registers the subnets, > they only need to be configured > in the gateway routers." > > I haven't seen a technical write-up of what you propose. But the statement > above tells me that those who aren't interested in the putting up with the > new problems the overlay hubs would create have lost the simplicity we have > now. The routing of the subnets is not something the user would have to manage, that is what BGP does automatically. There is no need to register them. Every gateway tells its neighbors what subnets it has locally, and this information is passed around the entire overlay network. > It's easy enough to say things like "you can set up crosslinks to wherever > you like". But without the central registry, we lose the simplicity we have > today. Today, we download a file and run a script. Done. Direct > connections to everyone else. No middle men. No added latency. No added > complexity. No added troubleshooting difficulty. No added dependence on > some volunteer at the hub who may or may not be available when needed. As I wrote, to have that it would require an additional protocol like Cisco DMVPN which unfortunately is proprietary and not available in most (if not all) of the inexpensive routers that radio operators want to use. > Now if your proposal included the following, it would truly be solving a > problem for some people with causing a problem for others: > > 1) For folks who can't support direct connections, let them use a VPN > connection to a hub of their choosing (as you appear to be proposing) > > 2) *** BUT *** leave the central registry in place, and augment it so that > when you sign up for a hub, your subnets are still published to all other > gateways as reachable through the hub. > > 3) Therefore, those who can support direct connects but are not a hub can > still see a full registry and automatically create direct links/tunnels to > all other gateways (whether they are individual gateways or hub gateways) > and routes to all subnets behind all other gateways. I think the minor problem of "now some paths are two hops while they would have been direct in the current system" is very minor compared to the many issues there are with the current system. When we want a system that anyone can easily connect to without being a network export, the system I propose provides that. When you do not want that, because it takes away the artificial hurdles "that everyone has to overcome", of course you could object to such changes. It is similar to the situation of no-code licenses. People who already had passed the CW exam were objected to removing the requirement for new licensees, with similar reasoning. Again, while there are over 500 gateways in the current network with tunnels between all of them, there is no way they are all going to be in use. Wiring them up for everyone really makes no sense, and introduces a scalability problem that would become real when it were easier to use the system and we had like 50000 participants instead of 500. A system with regional hubs, while still offering the capability to cross-connect, is much more extensible. Cross-connects require manual intervention because the situation has to be examined. As the new system does not require the IP address of the participants to be static, allows them to be behind NAT, behind a firewall, etc, it has to be decided what type of connection is made, which direction the connection is made, etc. E.g. when one of the two has a static address and the other one dynamic, it is best to connect from the dynamic to the static address (and re-make the connection when the dynamic address changes). When they are behind NAT, it is possible to use a VPN that can cross NAT. Right now, such stations simply cannot participate, and with a new system they can. Rob

3 2

Formal notice of my resignation from ARDC Technical Advisory Committee
by Bryan Fields 21 Jul '19

21 Jul '19

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 In light of the recent theft from amateur radio, I cannot continue to be part of ARDC. I was a technical committee member for several years, at least since 2014 or so, and while the TAC members wished to accomplish much, not much happened. I will give credit for reverse DNS as we worked to get that delegated to BGP operators properly, and my allocation at 44.98.254.0/24 was the first subnet to have it working. I've recently asked about RPKI, DNSSEC, and even made some noise regarding SWIP. In every talk I've given I've mentioned the resource amateur radio has in 44/8 and how very special it is. Protect the IP space and use it, just as get on and use the bands to protect them. Understand this is likely 50M+ USD for this space paid to ARDC, and has exposed 44net to ARIN control. RDNS seems to have been broken as well. I call for a full public accounting of these monies, and outside public audit of ARDC. Brian Kantor must resign and we must demand a clear ethics policy with self-inurement and cross dealing between organizations prohibited. Best 73s and it was a pleasure helping the community where I could. - -- Bryan Fields, W9CR Former ARDC TAC member 727-409-1194 - Voice http://bryanfields.net -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEaESdNosUjpjcN/JhYTmgYVLGkUAFAl0xQu4ACgkQYTmgYVLG kUDRkhAAqpST8VkCAyipaj496C0bO3wjArJKvIookeQYOAqGqYl2wtHxC6zWBEeG zYfolJ4zVOku91RRIP2x/PtTdWLJ8PSpWNVxLWDcb8ofVZ7p8aRTsqCx0nWko18c HKE6FJ1Qfp+NmTeOWrBc7/CWd/7FPJseTVA5oOq9L4VOTrdXUF0DuvzNpcGTihST XO2Mnv0A5a5+5ih+5yeus/mgmmbwSSB9jBQQbZ/wBWLq+wPLnd6rBjBVsZrsOY1G Kr88enrMbrK78h7+9OCM+o19Dz5rItNxXz87o8UfeqNHMldYqMMhXWiMjFjWvvNJ phILyuvjElkh+fgoqJ+tdXyavnteuVJm0lpOKEsNpgpKkw+QQw4QwsJxoAIY9j85 gSa9v1BIwhx+H7r8K2vl/GMdbd81G8fBgVi5c55czIa52LqlX6uAyIm9/iQWiEdA Ob06JxCvszc+DEuRE5xdonN4NpUqIMOPmrz7FB6gigN2u43J8eIt0NdwjaRfIY0c MLd0g4F/9LaGSCo+cDvDhfghYyVJL8yj74RMggiIkJXUDcrLZxlp7o61nXEmPOhS 2zY3yDe485fDvcdr40uDINDt05oBwK1PjEf6ZO02LuO4c6DPVifBGO1gPc3Fovzr +C95bM5SPoeyPC8WWZEHJIG/75n1R5yUYFfHWo49KLGngqioGYo= =0LLk -----END PGP SIGNATURE-----

5 4

Re: [44net] Time to restructure the network?
by Rob Janssen 21 Jul '19

21 Jul '19

> Then, the question becomes : > - Is it better to keep full mesh / standalone endpoints (such as current > IP-IP) ? But if so, how to handle Plug and Play and NAT traversal ? > - Or is it better to have small local gateways managed by skilled teams, > and end-users connecting to those gateways with simpler PnP VPN systems ? > > We choosed the second option, with fully home-made design (OpenWRT, > OpenVPN, OSPF), because it best suited our needs, and because we are an > island, with few inter-connects with the rest of the world. Same thing here. We are not an island but still we feel that we need to use a local gateway where everyone is connected using modern technologies compatible with today's internet connections and equipment. Our gateway is still connected to the IPIP mesh but the individual stations are connected using another VPN type. > It seems lots of people in the world are using similar designs, with a > central gateway and enpoints connecting to it via VPNs. Maybe we just > have to share our experiences, and adopt some kind of "standardized" > rules for our gateways ? That is what I am trying to do... and reduce their compexity by dropping the old IPIP mesh and use some newer technologies that are available in standard routers, so it will become easier to setup a gateway. Rob

4 3

44.192.0.0/10 sale
by Phil Karn 21 Jul '19

21 Jul '19

Hello all, I've not been active here, but some of you may remember me as the guy who first got TCP/IP going on amateur packet radio way back in 1986. At one time, my name was registered as the owner of the block. This makes me one of a VERY small group of people with any arguable personal property interest in network 44. And yes, 25% of this space, which is VERY unlikely to ever be used by hams, has been sold to Amazon. Rather than try to personally profit from this, we all readily agreed to place the *entire* proceeds of this sale into a 501(c)(3) charity chartered to support amateur digital radio and related developments. No one is buying a yacht or a mansion. As a tax-exempt charity, our tax returns and related documents will be publicly available so you can see what is being done. Like the rest of the amateur community, all of you will have the opportunity to apply for grants and do good things for amateur radio with them. 73, Phil

12 17

Re: [44net] 44.192.0.0/10 sale
by Rob Janssen 21 Jul '19

21 Jul '19

> Please consider using part of the money for reserving us (buying ?) IPV6 address for future use .. I think there is quite universal agreement that we should not buy/reserve special IPv6 addresses as a group but rather everyone should obtain addresses from their own local internet provider and we should arrange some way to distribute the list of IP addresses in use amongst the participants. This makes it unnecessary to use a tunneling system which simplifies the network and makes the routing much faster (no need to go via UCSD anymore!). And these addresses are normally included with your internet service for free. Rob

2 1

Re: [44net] Time to restructure the network?
by Rob Janssen 21 Jul '19

21 Jul '19

> I'll +1 your comments and raise you with this: > > As President and engineer of EastNet, let me go over some bullet points > for those especially NOT in our country or region. > > o The average age of those sysops on EastNet is 70+ > o They grew up without technology and are most happy to remain ignorant > about it > o BGP, IPIP, GRE are initial groupings they could care less about. > o Many of these guys can't even type in a URL without their hands held. > o Virtual Private Network to them sounds like the evil doings of the > dark web and they want nothing to do with it. > o If it's not standard equipment from my ISP it must be against my > contract with them. > o If HRO doesn't sell a pre-made appliance to plug in and use for > this amprnet thing then it can't be any good or work. Do you really think that the abundancy of elderly users in the amateur radio community is to be used as a reason not to change anything anymore until they all are dead? Should there be no development anymore just because these people cannot learn? Should we all stand still just because of that? Don't you think that the scarce newcomers we have (and need) will be running away in laughter when they see such statements being made?? > I could go on but I'll stop right there. As Charles tried to mention, > just because a very small percentage of hams are familiar with amateur > IP or amateur wired internet that doesn't mean the bulk of hams are or > that they even wish to learn. Most still immediately think IP = wired > only period and that's not what they took a license test for... and they > find it to actually be offensive in regards to amateur RADIO. If it's > not HF Contesting, it's not "ham radio" it's wire and they don't need > nor want to learn about this... but they do wish to offer the services. I am in no way proposing that any radio amateur is to be joining the AMPRnet! When they are happy working in CW on HF, or to be contesting, just let them do it! The AMPRnet is for those interested in networking and when they ar not interested in amateur IP there is no need for them to become familiar with it. > The current IPIP mesh network does indeed work... I suppose if it works > don't fix it no longer applies? I'm on it and the fact you see this > mail is a PoC it works. That is a very narrowminded view. The fact that you could make it work does not mean that it works for everyone. We sometimes see the struggles here when people try to join, and I can tell you that joining the system I propose (and that we have had running here for several years, and is running in some other regions as well) is much easier to join. There is NO NEED anymore to fiddle with ISP routers to make forwardings or DMZ settings, NO NEED to install specialized software on routers or systems, just buy a suitable router (e.g. the MikroTik hEX, list price $59,95, or even smaller and cheaper models), apply some simple configuration steps that can be written up in a document, and you are online. And you can make a wireless connection to a friend or to some local access point and the routing will be fully automatic. Traffic to your friend will be over your link and other traffic will be via the internet. As an example of what you need to connect this way, this is an example of all configuration required in such a router to connect (an actual export of a router): /interface l2tp-client add allow=mschap2 connect-to=213.222.29.196 disabled=no ipsec-secret=\ HAMNET-L2TP max-mru=1400 max-mtu=1400 name=l2tp-241 password=12345678 \ profile=default use-ipsec=yes user=l2tp-pd2ebh /routing bgp instance set default as=4220401109 router-id=44.137.11.158 /routing bgp network add network=44.137.11.144/28 /routing bgp peer add in-filter=hamnet-in name=gw-44-137 nexthop-choice=force-self out-filter=\ hamnet-out remote-address=44.137.61.254 remote-as=4220406100 ttl=1 \ update-source=l2tp-241 /routing filter add bgp-communities=44137:10050 chain=hamnet-in set-bgp-local-pref=50 add bgp-communities=44137:10200 chain=hamnet-in set-bgp-weight=200 add action=accept chain=hamnet-in prefix=44.0.0.0/8 prefix-length=8-32 add action=accept bgp-as-path=4220406100 chain=hamnet-in prefix=0.0.0.0/0 add action=discard chain=hamnet-in add action=accept chain=hamnet-out prefix=44.0.0.0/8 prefix-length=8-32 add action=accept bgp-as-path=4220406100 chain=hamnet-out prefix=0.0.0.0/0 add action=discard chain=hamnet-out That is all! With this configuration, that user connects to our VPN server with L2TP/IPsec which passes NAT and can be on a dynamic address, advertises the local network and receives the routes. This can be copied to another user and just be modified for the different user,password,AS number, router ID and local network. This is the text version of the configuration, it can be modified in a GUI when desired. Sure you can keep saying "but my 70+ years old users don't understand it and they have their JNOS box running IPIP so they don't want to change that" but do you really think this can be used as a reason to keep everything the same and not to allow others to join much more easily? That is like saying the new hams should learn CW because the old ones also did, and the new digital modes (e.g. FT-8) are evil because the CW operators don't understand them. Rob

3 2

Re: [44net] Time to restructure the network?
by Rob Janssen 21 Jul '19

21 Jul '19

> As far as we are thinking about possible evolutions, we can also add new > criteria. Ability to change link "weight" according to link quality (or > other parameters) may be an intesring thing. Well, as soon as something is changed in the protocol you lose the big advantage of running standard protocols available in standard firmware, see the AMPR RIP thing. > I don't know if BGP has some "weight" parameter. OSPF has. It can not > change the weight dynamically, but it's possible to change that weight > by an external script. That's nice, and that's the reason why we choose > OSPF for our "internal" network. I have considered doing similar things in BGP (adjusting prepend or local-pref dynamically based on SNMP monitoring of the link). We have not experimented with OSPF yet, I read in many places that it has problems with scaling when the CPU power on routers is limited (like on old RB750s) Rob

5 7

Time to restructure the network?
by Rob Janssen 21 Jul '19

21 Jul '19

Now that we are all going to have to dive into our router configurations, wouldn't it be a good time to make some changes that are long overdue? Like getting rid of the IPIP mesh and replace it with something more modern and supported by off-the-shelf routers, works behind NAT, etc? I would say setup some routers with VPN of different types around the world, have everyone connect to there using a suitable VPN protocol, run BGP on it to announce the gateway subnets. A $50 MikroTik can do those jobs, for those that still want to run a JNOS system on MS-DOS they can put one in front of their box and still use it. People are already using it for IPIP mesh, a change in topology would be only a config change for them. And other routers mentioned here can do it too, without having to get external programs installed on them. Those that want direct connection without a centralized system in the path can simply setup a VPN connection between them and configure the BGP peers, it will automatically work. There is no need to use only a single protocol in such a network, only the peers have to agree, so you can select from anything like L2TP/IPsec, OpenVPN, Wireguard, just plain GRE or even IPIP, etc etc. Just at this time I am trying to move my colocated machine that runs as an IPIP mesh member and I face that stupid "protocol 4 is not passed by the firewall" problem again. Arghh!! Also we could get that IPv6 idea going. Remember it has been discussed many times and the only things we still need is some agreement on how to register and distribute the "list of AMPRnet prefixes in IPv6 space". Again that could be done using BGP, no need to setup yet another registration portal with downloadable files. Note that Daniel EA4GPZ put some ideas around IPv6 on his site: https://destevez.net/ipv6-for-amateur-radio/ Rob

9 10

Re: [44net] Time to restructure the network?
by Rob Janssen 21 Jul '19

21 Jul '19

> I saw that. Messages are readable on Android, but appears blank in Thunderbird. When we answer, the answer remains blank (but the text is readable in the message source) > Will check... Mail isn't what it used to be. Programs like Thunderbird auto-decide whether to send the mail in text or HTML, and somewhere along there are linebreaks inserted in the messages that I do not insert myself and that do not appear in my Sent folder, which fouls up the layout. I see that with some other people's messages as well, so the fault may be in the mailing list software. The funny thing is that sometimes when my messages, that appear broken when posted, get quoted by other people they suddenly are OK. It is now completely unclear to me whether I am supposed to breakup paragraphs by line or to type everything on a single line. Both ways things are getting fouled up. Rob

4 4

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net July 2019