Hello fellow radio/network geeks!
While trying as much as I can to not come off as condescending, I would
like to try and provide a little perspective so that we can hopefully clear
up some confusion and speak in mutually agreeable terms.
There seems to be many misconceptions by several people on this list who
may be seeing 44net as a single service or network where everyone needs to
be able to speak to each other and where all traffic sourced from it can be
trusted. Oh, and RADIO :)
The global internet isn't even one large network in that sense. It's
actually just a concept that allows many different individual autonomous
networks to coordinate and cooperate with each other while allowing them to
share traffic among their users. Those in control of things like
allocating IP space and DNS are only in that position because the majority
of networks recognize their authority.
Just like similar authorities on the internet, ARDC is just a registry that
provides chunks of the globally unique IP space to individual networks
which allows them to interoperate with each other or any other global
network without conflict (but does not mean that they *must* work with
other networks). In this case, they only agree to provide these services
to networks that support amateur radio in one form or another. It just so
happens that they also provide a service that coordinates IPIP tunnels so
these networks can send encapsulated traffic to each other without needing
to make their own peering arrangements with other networks on the internet
at large. Since most people are only used to the idea of the internet
being a "service" provided to them, it's easy to see why this can be
confused.
Those familiar with the HSMM projects may have noticed that they chose to
operate in the non-unique 10/8 space in order to support autoconfiguration.
However, once their project grew beyond those specific linksys models,
they started having conflicts. Even now, those HSMM networks that are up
and running can't communicate with users on other networks without
complicated NAT tables. It would be much better to take advantage of our
44/8 resources for those projects by assigning blocks to each mesh island.
That way they can start peering with other networks or other mesh islands
directly. When asked why having 44/8 is important, this is a perfect
example and there are many others.
When talking about technical solutions to problems we come across, it's
also important to consider that as hams, it's likely that our networks are
experimental and will therefore have a wide range of configurations that
could prohibit their ability to share traffic with some others. This
should absolutely be encouraged as long as what they do does not impact any
other network's ability to operate normally. Therefore, there is no
"right" or "wrong" way to configure your network as long as you get your
expected result. Just keep in mind that following best-practices is the
best way to ensure compatibility. Ideally, those who operate the registry
will shift closer to this way of thinking and start supporting more
advanced users to do non-standard things (such as DNS or PTR delegation,
for example).
We also need to be careful about the terminology we use when referring to
security, in order to avoid mistaken assumptions. Source addresses can be
used in our case to provide a convenient filter against the majority of
incoming junk internet traffic. However, this must not be confused for
"authentication" or knowing *who* is sending you the packets. Make sure
you understand the risks when opening up a service on your network. If
you're trying to filter out most undesirables, source filtering can be
okay. However, if you need to know who you are talking to, you must use
another method. Also, myself and several others on this list may be in a
good position to help if you need assistance in this area.
Best regards,
-Cory NQ1E
Your friendly neighborhood radio hacker
What would this mean for the existing tunnel mesh?
Today, with the existing full mesh of tunnels, there is no single point of failure between any gateway and any other. Surely you're not suggesting the introduction of multiple, regional single points of failure. Or are you?
Michael
N6MEF
Sent from my Verizon Wireless 4G LTE smartphone
-------- Original message --------
From: K7VE - John <k7ve(a)k7ve.org>
Date:04/24/2014 11:07 PM (GMT-08:00)
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Subject: Re: [44net] What is 44net?
(Please trim inclusions from previous messages)
_______________________________________________
Don,
You are missing the whole point - Not everyone needs to run BGP, or
have a datacenter, they just need to find a border node who does and
VPN/Tunnel to it. It's called cooperation.
Those who can provide a BGP border node, can 'advertise' through this
list or portal.ampr.org that fact and how to get setup to tunnel/VPN
to them. Like I said some of these routers have 'unlimited' support
for VPN/Tunnel clients. You can also tier this architecture. A
single border router might be supporting 20 /16 VPNs/Tunnels to tier 2
routers, those routers might support 30 smaller subnets and so on ---
There are some peering points that are relatively inexpensive (or
free) and some individuals are in a position to be generous. This is
no different than the FM repeater operator who pays for a site,
equipment, and power costs to benefit a community of users, who may or
may not make donations to that cost.
Right now the total traffic on 44net could probably ride on a single
home broadband connection.
http://wiki.mikrotik.com/wiki/Manual:Interface/Gre
The VPNs can be full up using available protocols MikroTik runs a
variety of VPN protocols PPTP, L2TP, IPIP, ... Cisco has DMVPN -- you
just have to find a common one between two routers.
I run my personal /24 (non-44net) over a VPN 24x7 and have several
hosts, including D-STAR gateways running over it.
http://www.seattleix.net/rules.htm
________________________________
John D. Hays
K7VE
PO Box 1223, Edmonds, WA 98020-1223
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
Again, we are going into the weeds, and certainly beyond the intent of our
licenses, and the regulating agencies.
How do you know the identity of a ham on RF? When I make FM/SSB contact, I
have NO means to authenticate the other parties - nor do they have a means
to authenticate me. There is no rationale to apply authentication scrutiny
to one mode of ham radio communications, yet, entirely ignore it on another.
Assi kk7kx/4x1kx (<- does any of you know I am who I say I am???)
-----Original Message-----
From: 44net-bounces+assi=kiloxray.com(a)hamradio.ucsd.edu
[mailto:44net-bounces+assi=kiloxray.com@hamradio.ucsd.edu] On Behalf Of Tom
Hayward
Sent: Thursday, April 24, 2014 8:58 AM
To: AMPRNet working group
Subject: Re: [44net] What is 44net?
(Please trim inclusions from previous messages)
_______________________________________________
If Hans is operating a gateway on local RF, we need to know the identity of
the local ham on RF, not the gateway operator. There are various ways to
accomplish this, many of which have been discussed on the list. For example,
emails can be authenticated with a PGP digital signature. The equivalent
layer 3 technology is IPsec(AH).
Tom KD7LXL
On 4/24/14, 9:52 AM, lleachii(a)aol.com wrote:
> 44.0.0.0/8 is, in fact, one network, as specified in RFC1166.
This predates CIDR, and it's not valid for anything in today's internet other
than establishing the provenance of 44/8 ownership by ARDC.
> Many folk
> have noted that they don't wish to have their allocation connect to others
<snip>
> 44.0.0.0/8 is announced - your argument that 44/8 is not one network fails
> on that one notion.
44/8 is not one network, claiming so is like saying the Internet is one network.
> You mentioned spoofing. This is the reason the encap file and route table
> should be kept private. Only other amateurs would know the location of the
> other endpoints.
Wow, did you just make a security though obscurity argument? I don't trust
anything with a 44.x address, and you shouldn't either.
--
Bryan Fields
727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net
44net-request(a)hamradio.ucsd.edu wrote:
> Subject:
> Re: [44net] Running for ARDC director position
> From:
> Tom Hayward <esarfl(a)gmail.com>
> Date:
> 04/17/2014 08:23 PM
>
> To:
> AMPRNet working group <44net(a)hamradio.ucsd.edu>
>
>
> I believe Bart got frustrated with the lack of change-management and
> specifications in AMPR. How your script is written depends on these
> things.
What we see every time again when those issues are discussed is that there are people
who approach AMPRnet not as a hobby amateur packet radio network, what it is, but as an
extension of their network at work, usually they work in a professional datacenter or at an ISP.
They want documentation and specifications because that is what they have at work.
But this is a hobby, and there are not going to be specifications and documentation until
someone who feels the need for them is going to write it. And they do not volunteer!
The usual way to gather information has been to ask here, and possibly to dig in the archives
of this list. That may be a frustrating endeavour for a professional network admin, but for the
average hobbyist it is a learning experience and a way to get things working by gradually
tweaking the configuration.
Please note that once you got everything working, it is pretty much useless. So we should
not take away the challenge of getting things working. When there is a clear recipe to get
everything working, or worse yet: automatic configuration, what reason would there be left
to start the experiment to begin with? A lot of AMPRnet is about learning, not about achieving
the end result: a perfectly working network. Because the fun ends once that goal is reached.
Another thing I want to note is that Bart and some of his peers like to use a lot of inside
terminology they speak with their colleagues at work. They disregard the fact that the
people on this list are radio amateurs, people with a technical interest but not experts in
internet technology as he is. Every couple of months the same discussion springs alive and
people start to pingpong technical terms between them and lose everyone else. And worst,
they don't hesitate to slash the existing system, claiming all the time that it is legacy
technology, that it is very unreliable, that it has to be replaced by the stuff they use at work
because at work everything is so much better, etc.
But remember: that is at work. And this is our hobby. We may have different objectives,
like being able to comprehend things. It may well be that the optimal solution for an amateur
packet network is not the one that is optimal for the large internet with the professional admins.
We also use NBFM to talk to our friends, a technology that is considered "legacy" by the
professionals as well. Some even use morse code. They are not going to abandon that
because all the professionals have switched.
>
> It seems that to be allowed/compliant in AMPR, it just has to work
> with the existing system. But what is the existing system? There are a
> lot of existing systems and most of them are not documented. For
> example, we learned via the mailing list that many AMPR gateways have
> a static route to 44/8. This isn't documented in the encap file, it's
> just added by their scripts. Where is the specification for this?
I don't think many gateways have a static route for 44/8. I certainly don't have one myself.
I could add such a route (as a null route), maybe that is a good idea. I'll think about it.
What I do have is a default route in table 44 that points to amprgw. But the purpose of that
is NOT to serve as a route for 44/8, its purpose is to route everything OUTSIDE 44/8 back
out via amprgw. I require that because my ISP acts responsibly and has BCP38 in place.
In the past, before I installed ampr-ripd, I manually ran a script that downloaded the encap
file and installed the routes. I never put that in a cron job because the server for that file
failed so often and I felt it was better to monitor the process and fall back to the previous
encap file when things went wrong.
As a result, my routes were often not completely uptodate and it was a good idea to route
traffic for which I had no correct tunnel route back to amprgw. In those days that still worked,
amprgw (mirrorshades in those days) would forward that traffic to the actual gateway.
Nowadays amprgw does not perform that function anymore, so indeed it good be a good idea
to add a 44/8 null route.
But I don't think small issues like this warrant all the uproar, and I think it is much more fun
to discuss pro's and con's of a certain configuration on the list than to throw stones at the
existing system and demand everything to be overturned to look like an enterprise network.
Rob
There is no unified policy governing non-ham traffic on 44 networks. Each
of us is bound to the terms and conditions of the respective national agency
that issued our ham radio licenses. This is somewhat consistent with the
mishmash of national regulations governing the global internet traffic.
Also, most (if not all) amateur radio licenses weren't crafted with the
internet in mind, and hence they don't provide clear cut guidance.
Therefore, it is our responsibility as gateway operatorw to balance
advancing the state of the art while maintaining compliance with our
licenses.
Assi kk7kx/4x1kx
-----Original Message-----
From: 44net-bounces+assi=kiloxray.com(a)hamradio.ucsd.edu
[mailto:44net-bounces+assi=kiloxray.com@hamradio.ucsd.edu] On Behalf Of Paul
Lewis
Sent: Wednesday, April 23, 2014 2:16 PM
To: AMPRNet working group
Subject: Re: [44net] routable or private?
(Please trim inclusions from previous messages)
_______________________________________________
>
>Personally I block all traffic with a non-44/8 source or destination,
>but I was never sure if that is the "correct" policy?.
>
>73, Paula G8PZT
>
--
paul(a)skywaves.demon.co.uk
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
> If this is, " a hack to backbone a semi-private network on top of the
> public internet" then why do we need 44/8? Please explain why 10/8 would
> not work just as well?
>
>[....] if it's not going to be routable then why do we need 44/8? use
> RFC1918 space and give 44/8 back. [...] We could attract many
> into this hobby if we'd simply offer to be the teachers of the IP
> networking craft using standards based methods used by everyone else
across
> the internet.
>
PRECISELY.
Can we please make a decision on this and move ahead?
I'd like to know, one way or the other, because I sure aint interested in
all this private 44net stuff..
Is 44net routable or private?
Steve
> http://www.ampr.org/pubs.html
>
> http://www.ampr.org/faq.html
>
> I don't see what's missing. Build a Ham RF IP network. Hook if up
> to the 44net community if desired. A very select few would need to
> go the next step and get their own BGP ISP setup. If anything, that's
> mentioned too much on the website and should be de-emphasized.
>
What's missing is, it's not in the wiki so people can find it.
Edit, annotate, and add it to the wiki please.
Thank you.
Steve
