> From my point of view, any interconnection technology that requires
> going through a third point (e.g. external OpenVPN server) likely won't
> fly with me. Odds are that any such interconnection is going to be a
> long way from here and add unacceptable latency. Ideally, where direct
> connections are possible, a mesh topology, like the current IPIP mesh is
> what I'd like to see, regardless of underlying technology.
There is no reason why you cannot have some VPN servers in datacenters in Australia,
and connect them to the system and interconnect them in a mesh fashion.
Then everyone can connect to their closest server and you have fast local
connectivity, combined with ease of access. When, in addition, you arrange
for the subnets involved to be BGP announced on internet, you will have fast
internet connectivity as well, without a roundtrip via UCSD.
While this is already possible with the current system, it is much more complicated
to implement it and it can only be done on a select number of router types.
> Obviously,
> there will be corner cases, such as endpoints stuck behind CGNAT, which
> may require a relay point external to them. For me, I'd rather beat my
> router into submission and get that direct connection (like I have with
> IPIP). ;)
As several people have written, many users are not network architects and have
limited knowledge about networking. And there may be many more who are interested
in joining the network but have been unable to do so, because of lack of knowledge
and/or lack of a suitable internet connection.
Making the system easier to access may get us many more participants and after
that we may ask ourselves "why did we live with that complicated IPIP system
for so long"?
Here in the Netherlands, there are 16 registered IPIP gateways (some of them are
not actually operational), and 36 active VPN connections with BGP. Plus at this
time there are 14 active OpenVPN connections (endpoints not using BGP) out of
220 registered accounts for that. So 50 "new technology" connections vs at most
16 old IPIP connections. That should be clear.
There used to be more active connections, it is on a decrease again. Probably
after some time the users start asking "what is the benefit of being on this
network, what service is it offering that I don't have on plain internet".
That is something we should be working on as well.
Rob
> But you also say "There is no need for a portal that registers the subnets,
> they only need to be configured in the gateway routers."
>
> I haven't seen a technical write-up of what you propose. But the statement
> above tells me that those who aren't interested in putting up with the
> new problems the overlay hubs would create have lost the simplicity we have
> now.
The routing of the subnets is not something the user would have to manage, that
is what BGP does automatically. There is no need to register them.
Every gateway tells its neighbors what subnets it has locally, and this information
is passed around the entire overlay network.
> It's easy enough to say things like "you can set up crosslinks to wherever
> you like". But without the central registry, we lose the simplicity we have
> today. Today, we download a file and run a script. Done. Direct
> connections to everyone else. No middle men. No added latency. No added
> complexity. No added troubleshooting difficulty. No added dependence on
> some volunteer at the hub who may or may not be available when needed.
As I wrote, to have that it would require an additional protocol like Cisco DMVPN
which unfortunately is proprietary and not available in most (if not all) of the
inexpensive routers that radio operators want to use.
> Now if your proposal included the following, it would truly be solving a
> problem for some people with causing a problem for others:
>
> 1) For folks who can't support direct connections, let them use a VPN
> connection to a hub of their choosing (as you appear to be proposing)
>
> 2) *** BUT *** leave the central registry in place, and augment it so that
> when you sign up for a hub, your subnets are still published to all other
> gateways as reachable through the hub.
>
> 3) Therefore, those who can support direct connects but are not a hub can
> still see a full registry and automatically create direct links/tunnels to
> all other gateways (whether they are individual gateways or hub gateways)
> and routes to all subnets behind all other gateways.
I think the minor problem of "now some paths are two hops while they would
have been direct in the current system" is very minor compared to the many
issues there are with the current system. When we want a system that anyone
can easily connect to without being a network expert, the system I propose
provides that. When you do not want that, because it takes away the artificial
hurdles "that everyone has to overcome", of course you could object to such
changes. It is similar to the situation of no-code licenses. People who already
had passed the CW exam objected to removing the requirement for new
licensees, with similar reasoning.
Again, while there are over 500 gateways in the current network with tunnels
between all of them, there is no way they are all going to be in use. Wiring
them up for everyone really makes no sense, and introduces a scalability problem
that would become real when it were easier to use the system and we had like
50000 participants instead of 500.
A system with regional hubs, while still offering the capability to cross-connect,
is much more extensible.
Cross-connects require manual intervention because the situation has to be
examined. As the new system does not require the IP address of the participants
to be static, allows them to be behind NAT, behind a firewall, etc, it has to be
decided what type of connection is made, which direction the connection is made,
etc. E.g. when one of the two has a static address and the other one dynamic,
it is best to connect from the dynamic to the static address (and re-make the
connection when the dynamic address changes). When they are behind NAT,
it is possible to use a VPN that can cross NAT.
Right now, such stations simply cannot participate, and with a new system they can.
Rob
In light of the recent theft from amateur radio, I cannot continue to be part
of ARDC. I was a technical committee member for several years, at least since
2014 or so, and while the TAC members wished to accomplish much, not much
happened.
I will give credit for reverse DNS as we worked to get that delegated to BGP
operators properly, and my allocation at 44.98.254.0/24 was the first subnet
to have it working. I've recently asked about RPKI, DNSSEC, and even made
some noise regarding SWIP.
In every talk I've given I've mentioned the resource amateur radio has in 44/8
and how very special it is. Protect the IP space and use it, just as get on
and use the bands to protect them.
Understand this is likely 50M+ USD for this space paid to ARDC, and has
exposed 44net to ARIN control. RDNS seems to have been broken as well.
I call for a full public accounting of these monies, and outside public audit
of ARDC. Brian Kantor must resign and we must demand a clear ethics policy
with self-inurement and cross dealing between organizations prohibited.
Best 73s and it was a pleasure helping the community where I could.
--
Bryan Fields, W9CR
Former ARDC TAC member
727-409-1194 - Voice
http://bryanfields.net
> Then, the question becomes :
> - Is it better to keep full mesh / standalone endpoints (such as current
> IP-IP) ? But if so, how to handle Plug and Play and NAT traversal ?
> - Or is it better to have small local gateways managed by skilled teams,
> and end-users connecting to those gateways with simpler PnP VPN systems ?
>
> We chose the second option, with fully home-made design (OpenWRT,
> OpenVPN, OSPF), because it best suited our needs, and because we are an
> island, with few inter-connects with the rest of the world.
Same thing here. We are not an island but still we feel that we need to use a
local gateway where everyone is connected using modern technologies compatible
with today's internet connections and equipment. Our gateway is still connected to
the IPIP mesh but the individual stations are connected using another VPN type.
> It seems lots of people in the world are using similar designs, with a
> central gateway and endpoints connecting to it via VPNs. Maybe we just
> have to share our experiences, and adopt some kind of "standardized"
> rules for our gateways ?
That is what I am trying to do... and reduce their complexity by dropping the
old IPIP mesh and use some newer technologies that are available in standard
routers, so it will become easier to set up a gateway.
Rob
Hello all,
I've not been active here, but some of you may remember me as the guy
who first got TCP/IP going on amateur packet radio way back in 1986. At
one time, my name was registered as the owner of the block. This makes
me one of a VERY small group of people with any arguable personal
property interest in network 44. And yes, 25% of this space, which is
VERY unlikely to ever be used by hams, has been sold to Amazon.
Rather than try to personally profit from this, we all readily agreed to
place the *entire* proceeds of this sale into a 501(c)(3) charity
chartered to support amateur digital radio and related developments. No
one is buying a yacht or a mansion. As a tax-exempt charity, our tax
returns and related documents will be publicly available so you can see
what is being done. Like the rest of the amateur community, all of you
will have the opportunity to apply for grants and do good things for
amateur radio with them.
73, Phil
> Please consider using part of the money for reserving us (buying ?) IPV6 address for future use ..
I think there is quite universal agreement that we should not buy/reserve special IPv6 addresses as
a group but rather everyone should obtain addresses from their own local internet provider and we
should arrange some way to distribute the list of IP addresses in use amongst the participants.
This makes it unnecessary to use a tunneling system which simplifies the network and makes the
routing much faster (no need to go via UCSD anymore!).
And these addresses are normally included with your internet service for free.
Rob
> I'll +1 your comments and raise you with this:
>
> As President and engineer of EastNet, let me go over some bullet points
> for those especially NOT in our country or region.
>
> o The average age of those sysops on EastNet is 70+
> o They grew up without technology and are most happy to remain ignorant
> about it
> o BGP, IPIP, GRE are initial groupings they could care less about.
> o Many of these guys can't even type in a URL without their hands held.
> o Virtual Private Network to them sounds like the evil doings of the
> dark web and they want nothing to do with it.
> o If it's not standard equipment from my ISP it must be against my
> contract with them.
> o If HRO doesn't sell a pre-made appliance to plug in and use for
> this amprnet thing then it can't be any good or work.
Do you really think that the abundance of elderly users in the amateur radio
community is to be used as a reason not to change anything anymore until
they all are dead?
Should there be no development anymore just because these people cannot
learn?
Should we all stand still just because of that?
Don't you think that the scarce newcomers we have (and need) will be running away
in laughter when they see such statements being made??
> I could go on but I'll stop right there. As Charles tried to mention,
> just because a very small percentage of hams are familiar with amateur
> IP or amateur wired internet that doesn't mean the bulk of hams are or
> that they even wish to learn. Most still immediately think IP = wired
> only period and that's not what they took a license test for... and they
> find it to actually be offensive in regards to amateur RADIO. If it's
> not HF Contesting, it's not "ham radio" it's wire and they don't need
> nor want to learn about this... but they do wish to offer the services.
I am in no way proposing that any radio amateur is to be joining the AMPRnet!
When they are happy working in CW on HF, or to be contesting, just let them do
it! The AMPRnet is for those interested in networking and when they are not
interested in amateur IP there is no need for them to become familiar with it.
> The current IPIP mesh network does indeed work... I suppose if it works
> don't fix it no longer applies? I'm on it and the fact you see this
> mail is a PoC it works.
That is a very narrow-minded view. The fact that you could make it work does not
mean that it works for everyone. We sometimes see the struggles here when
people try to join, and I can tell you that joining the system I propose (and that
we have had running here for several years, and is running in some other
regions as well) is much easier.
There is NO NEED anymore to fiddle with ISP routers to make forwardings or
DMZ settings, NO NEED to install specialized software on routers or systems,
just buy a suitable router (e.g. the MikroTik hEX, list price $59,95, or even smaller
and cheaper models), apply some simple configuration steps that can be written
up in a document, and you are online.
And you can make a wireless connection to a friend or to some local access point
and the routing will be fully automatic. Traffic to your friend will be over your
link and other traffic will be via the internet.
As an example of what you need to connect this way, this is an example of all
configuration required in such a router to connect (an actual export of a router):
/interface l2tp-client
add allow=mschap2 connect-to=213.222.29.196 disabled=no ipsec-secret=\
    HAMNET-L2TP max-mru=1400 max-mtu=1400 name=l2tp-241 password=12345678 \
    profile=default use-ipsec=yes user=l2tp-pd2ebh
/routing bgp instance
set default as=4220401109 router-id=44.137.11.158
/routing bgp network
add network=44.137.11.144/28
/routing bgp peer
add in-filter=hamnet-in name=gw-44-137 nexthop-choice=force-self out-filter=\
    hamnet-out remote-address=44.137.61.254 remote-as=4220406100 ttl=1 \
    update-source=l2tp-241
/routing filter
add bgp-communities=44137:10050 chain=hamnet-in set-bgp-local-pref=50
add bgp-communities=44137:10200 chain=hamnet-in set-bgp-weight=200
add action=accept chain=hamnet-in prefix=44.0.0.0/8 prefix-length=8-32
add action=accept bgp-as-path=4220406100 chain=hamnet-in prefix=0.0.0.0/0
add action=discard chain=hamnet-in
add action=accept chain=hamnet-out prefix=44.0.0.0/8 prefix-length=8-32
add action=accept bgp-as-path=4220406100 chain=hamnet-out prefix=0.0.0.0/0
add action=discard chain=hamnet-out
That is all! With this configuration, that user connects to our VPN server with L2TP/IPsec
which passes NAT and can be on a dynamic address, advertises the local network and
receives the routes. This can be copied to another user and just be modified for the
different user, password, AS number, router ID and local network.
This is the text version of the configuration, it can be modified in a GUI when desired.
Sure you can keep saying "but my 70+ years old users don't understand it and they have
their JNOS box running IPIP so they don't want to change that" but do you really think this
can be used as a reason to keep everything the same and not to allow others to join much
more easily?
That is like saying the new hams should learn CW because the old ones also did, and
the new digital modes (e.g. FT-8) are evil because the CW operators don't understand them.
Rob
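Added example, not Rob's code and not part of the original thread: a small Python model of the two routing-filter chains (hamnet-in and hamnet-out) from the export above, so the effect of each rule on a received route can be checked. It assumes RouterOS evaluates a chain top-down, that a prefix rule without prefix-length is an exact match and bgp-as-path matches when the AS appears anywhere in the path; the AS numbers are those in the export, the sample routes are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

HUB_AS = 4220406100  # remote-as of the gateway peer in the quoted export

@dataclass
class Route:
    prefix: str
    as_path: list                          # AS numbers, nearest neighbour first
    communities: set = field(default_factory=set)
    local_pref: int = 100                  # BGP default when no rule sets it
    weight: int = 0

@dataclass
class Rule:
    action: Optional[str] = None           # "accept", "discard" or None (set-only)
    prefix: Optional[str] = None
    prefix_length: Optional[range] = None  # range(8, 33) models "8-32"
    bgp_as_path: Optional[int] = None      # assumption: matches if AS is in the path
    community: Optional[str] = None
    set_local_pref: Optional[int] = None
    set_weight: Optional[int] = None

    def matches(self, r: Route) -> bool:
        if self.prefix is not None:
            net, base = ipaddress.ip_network(r.prefix), ipaddress.ip_network(self.prefix)
            if self.prefix_length is None and net != base:
                return False               # no prefix-length given: exact match only
            if self.prefix_length is not None and not (
                    net.subnet_of(base) and net.prefixlen in self.prefix_length):
                return False
        if self.bgp_as_path is not None and self.bgp_as_path not in r.as_path:
            return False
        return self.community is None or self.community in r.communities

def run_chain(chain, route: Route) -> str:
    """Evaluate top-down: set-only rules modify and fall through, first accept/discard wins."""
    for rule in chain:
        if not rule.matches(route):
            continue
        if rule.set_local_pref is not None:
            route.local_pref = rule.set_local_pref
        if rule.set_weight is not None:
            route.weight = rule.set_weight
        if rule.action:
            return rule.action
    return "accept"                        # assumption: undecided routes pass through

ANY_44 = dict(prefix="44.0.0.0/8", prefix_length=range(8, 33))
HUB_DEFAULT = dict(prefix="0.0.0.0/0", bgp_as_path=HUB_AS)
HAMNET_IN = [Rule(community="44137:10050", set_local_pref=50),
             Rule(community="44137:10200", set_weight=200),
             Rule("accept", **ANY_44), Rule("accept", **HUB_DEFAULT), Rule("discard")]
HAMNET_OUT = [Rule("accept", **ANY_44), Rule("accept", **HUB_DEFAULT), Rule("discard")]

def classify(prefix, as_path, communities=()):
    """Run a received route through hamnet-in; returns (action, local_pref, weight)."""
    r = Route(prefix, list(as_path), set(communities))
    return run_chain(HAMNET_IN, r), r.local_pref, r.weight
```

Running classify on a few constructed routes shows the policy: only 44/8 subnets get in, a default route is accepted only when it carries the hub's AS, and the two communities adjust preference without deciding anything themselves.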
> As far as we are thinking about possible evolutions, we can also add new
> criteria. Ability to change link "weight" according to link quality (or
> other parameters) may be an interesting thing.
Well, as soon as something is changed in the protocol you lose the big advantage of
running standard protocols available in standard firmware, see the AMPR RIP thing.
> I don't know if BGP has some "weight" parameter. OSPF has. It can not
> change the weight dynamically, but it's possible to change that weight
> by an external script. That's nice, and that's the reason why we choose
> OSPF for our "internal" network.
I have considered doing similar things in BGP (adjusting prepend or local-pref
dynamically based on SNMP monitoring of the link).
We have not experimented with OSPF yet, I read in many places that it has problems
with scaling when the CPU power on routers is limited (like on old RB750s).
Rob
Now that we are all going to have to dive into our router configurations, wouldn't it be a
good time to make some changes that are long overdue?
Like getting rid of the IPIP mesh and replacing it with something more modern and supported
by off-the-shelf routers, works behind NAT, etc?
I would say set up some routers with VPN of different types around the world, have everyone
connect to there using a suitable VPN protocol, run BGP on it to announce the gateway subnets.
A $50 MikroTik can do those jobs, for those that still want to run a JNOS system on MS-DOS
they can put one in front of their box and still use it. People are already using it for IPIP mesh,
a change in topology would be only a config change for them. And other routers mentioned
here can do it too, without having to get external programs installed on them.
Those that want direct connection without a centralized system in the path can simply set up
a VPN connection between them and configure the BGP peers, it will automatically work.
There is no need to use only a single protocol in such a network, only the peers have to agree,
so you can select from anything like L2TP/IPsec, OpenVPN, WireGuard, just plain GRE or even IPIP,
etc etc. Just at this time I am trying to move my colocated machine that runs as an IPIP mesh
member and I face that stupid "protocol 4 is not passed by the firewall" problem again. Arghh!!
Also we could get that IPv6 idea going. Remember it has been discussed many times and the
only thing we still need is some agreement on how to register and distribute the "list of AMPRnet
prefixes in IPv6 space". Again that could be done using BGP, no need to set up yet another
registration portal with downloadable files.
Note that Daniel EA4GPZ put some ideas around IPv6 on his site:
https://destevez.net/ipv6-for-amateur-radio/
Rob
> I saw that. Messages are readable on Android, but appears blank in Thunderbird. When we answer, the answer remains blank (but the text is readable in the message source)
> Will check...
Mail isn't what it used to be. Programs like Thunderbird auto-decide whether to send the mail in text
or HTML, and somewhere along there are linebreaks inserted in the messages that I do not insert myself
and that do not appear in my Sent folder, which fouls up the layout. I see that with some other
people's messages as well, so the fault may be in the mailing list software.
The funny thing is that sometimes when my messages, that appear broken when posted, get quoted by
other people they suddenly are OK.
It is now completely unclear to me whether I am supposed to break up paragraphs by line or to type
everything on a single line. Both ways things are getting fouled up.
Rob