44net

44net@mailman.ampr.org

1 participants
3194 discussions

Re: [44net] Test New Tool - APRS Code Recovery
by Marius Petrescu 18 Apr '14

18 Apr '14

Time and again there appear suggestions for using that LOTW certificate for other things then LOTW. I don't know if you are aware, but not everyone is an ARRL member or uses LOTW. So, as long as things like APRS have absolutely nothing to do with ARRL, please keep them apart. Marius, YO2LOJ

8 12

Re: [44net] Running for ARDC director position
by . 18 Apr '14

18 Apr '14

I agree with N6MEF. When I first requested an allocation and how to stand up a 44GW, I was simply told I had the /24. I was stuck building a GW with only the mailing list, knowledge of networking and the Linux manual as my guide. I had to learn about the AMPR DNS zone, *NOS, how the network works, etc. Brian was a huge help. And he told me to document how I got my 44GW working...alot of that has been incorporated into the rip44d page and setting up a Linux machine in the Wiki, not just directly by me, but through others and from this email thread, etc. We all have been doing a good job recently by way of creating documentation by posting to to the Wiki; but it would be easier if those who have the particular experience (e.g. setting up a TNOS/JNOS node or compiling the new C++ based rip44) take time to record their steps. Perhaps even write a history of 44net...I keep a little copy/paste history and info at http://kb3vwg-010.ampr.org but I'm definitely not the AMPR historian, by experience. I'm willing to take time to draft some things (such as the AMPR DNS and start a page listing all services I'm aware of on AMPRNet, since I maintain some services such as a non-authorative DNS slave at 44.60.44.3)...but it would be better if those with direct knowledge (e.g. the DNS admin or an owner of one of the authorative slaves) draft it (i.e. I have no clue who to talk to about considering making my server authorative). -KB3VWG

1 0

Re: [44net] Running for ARDC director position
by Bryan Fields 18 Apr '14

18 Apr '14

On 4/17/14, 5:20 PM, Neil Johnson wrote: > As for not being official "Legacy" address space, signing an LRSA with > ARIN is problematic for many legacy address holders because it is not > clear wether the rights one gets and gives up is worth it. Plus it > can incur paying enormous annual fees (in the tens of thousands of > dollars range) to ARIN. Actually, ARIN has no jurisdiction over the legacy space. The NSF has ruled that this (Postel) space is property of the legacy holders. *ARDC owns 44/8. * ARIN is required to manage the minimum of the database entries needed to make this space work at no cost to. Signing a legacy RSA would be a bad idea as ARDC would give up ownership of 44/8 which is worth in excess of $100M USD! We need to stay away from ARIN as much as we can, ie do everything via rwhois and DNS via AMPRnet servers, not ARIN. I'd even go so far to say that ARDC is basically it's own RIR not bound by *ANY *ARIN policy. -- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net

4 3

Wiki
by Chris 17 Apr '14

17 Apr '14

The wiki is back up and running with the latest software version. Regards, Chris

2 2

ampr.org subdomains
by Dean Gibson AE7Q 17 Apr '14

17 Apr '14

An open question on ampr.org hostnames (see my response below): On 2014-04-08 15:32, Brian Kantor wrote: > Dean, I feel it would be a bad idea to delegate the forward lookup to your nameserver without also delegating the reverse lookup, which would be difficult and we do not do. You can continue to have as many names in the ampr.org dns like ns1.ae7q as you like by having John set them up for you, which will automatically set up the appropriate PTR record as well. I'd much rather you did it this way. > > Best wishes. - Brian > > On 2014-04-04 17:47, Dean Gibson wrote (to<bkantor(a)ucsd.ude>): >>> I have IP address 44.24.240.173 in Bart Kus’s 44.24.240.0/20 block. I sent a request to John Hays, the admin for the 44.24.0.0/16 block to add the following records to the ampr.org domain: >>> ns1.ae7q IN A 44.24.240.173 >>> ae7q IN NS ns1.ae7q >>> This would allow me to create additional hostnames in the ae7q.ampr.org sub-domain, in my own DNS server. I’ve run BIND for 15 years, and this is a nice way to delegate a sub-domain; the ampr.org domain remains protected. >>> John was able to add the first line to the domain, but not the second line, and he suggested that I contact you. I see other NS records in the ampr.org domain; is this something that you can do? >>> Sincerely, Dean AE7Q >>> I understand the difficulty with delegating the reverse lookup in general, which I was not requesting and don't need. It's often not done on the Internet anyway for small (eg, hobby) servers, except for mail servers, where it is a means of spam server detection. I've run multiple sites with various functions (DNS, mail, web) on one box on the Internet for 15+ years, and the only reverse DNS I've ever needed was for mail servers. Usually, a hobby machine serves several functions within the same box, and multiple hostnames are mapped to the same IP address. In fact, for ae7q.com (and my other domains), due to DNS requirements, I can't use CNAMEs for the domain hostname (for those that leave off www.), the nameserver hostname, or the mail server hostname (NS and MX records can't reference a CNAME -- RFC 2181 <https://tools.ietf.org/html/rfc2181> section 10.3). These all use an "A" record to assign the *same IP address* as the mail server (which also can't use a CNAME, due to spam detection). That's three "A" records to one IP address (and that's just in one domain), and it is a very common practice. I do use CNAMEs other places. I understand that you would like a PTR record for every hostname, but that has the following negative consequences that I can see: 1. It encourages people to request a larger IP address block than they need, and then create a multi-homed machine for the various functions. I think it's a really bad idea to consume unnecessary IP addresses, and I think it's already happening in the 44.x.x.x network. 2. For frequent changes, it unfairly and unduly burdens those volunteers who have to respond to requests. I make *very* frequent changes to my Internet and LAN domain records. I have over 50 network devices on my LAN at home on five subdomains, and I use DDNS (both manually and via DHCP) for most of them (it's just easier than changing a zone file and restarting BIND). Granted, most of those won't be on the 44.x.x.x network, but the present scheme discourages experimenting with configurations by amateurs who don't want to burden the volunteers who make the ampr.org changes. I would suggest that you reconsider your position of requiring a PTR record for each hostname. Much better to have a policy of encouraging *user-managed* subdomains, in my opinion; that would help lead to a consistency in hostnames in ampr.org (eg, all of the form <whatever>.<callsign>.ampr.org). A much poorer alternative (also my opinion) is the present practice of having end users to *submit to coordinators* CNAME records for subdomains of any "A" records that are allocated to them. Frankly, the former suggestion (user-managed subdomains where an ampr.org coordinator adds the "NS" record *once*), is a lot less work, in my opinion. Or is there a risk I'm not aware of? Remember, the subdomains are served off of the user's DNS server(s), not the ampr.org DNS servers. Sincerely, Dean Gibson AE7Q

2 1

Re: [44net] AMPRNet BGP vs non-BGP routing
by Bryan Fields 16 Apr '14

16 Apr '14

On 4/11/14, 12:04 PM, Bart Kus wrote: > Well, IPIP itself is not the problem. It avoids the costs of Internet > BGP peering. What is a problem is the lack of dead-peer-detection > between IPIP gateways. If intra-AMPR BGP peering was actually deployed > as part of the general recommendations then we wouldn't need to anycast > to achieve redundancy. But as it stands, the deployed technologies are > very light, and anycasting our IPIP endpoint is the easiest way to > achieve the desired redundancy. We do plan to make special BGP+IPSec > arrangements with select AMPRnet peers to further improve our > availability and security, but there's no need to do any of that work on > the mailing list. I'd say we should keep it on the mailing list. I'm very interested in what others are doing with BGP announced AMPRnet space! I'd be interested in interconnecting if you need a gateway or something. I've got a good relationship with my upstream in Tampa. Granted the latency to WA is a bit much :) FWIW I'll be in Belview for NANOG 61 in June. -- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net

3 2

NOS "versions"
by Eric Fort 13 Apr '14

13 Apr '14

Does such exist.... Has anyone created..... can said code be easily separated / compiled separately..... What I'm looking for is a "version" of nos that is devoid of any of it's networking functionality or well at least the bottom 3 layers of the OSI stack. The issue being that NOS has long been a standard and familiar interface for networked amateur radio BBS systems. I'm good with that. over the last 20+ years though we have moved to computers and operating systems that are much more capable, especially when it comes to processing speed, memory, and a decent built in network stack. I now no longer need my application (BBS) to handle the network layer stuff but simply need what amounts to a good BBS interface. can/has this functionality be/been gutted/separated out from the NOS code base such that I can end up with an application that simply is setup to listen on the proper port via init.d and present *ONLY* the familiar bbs interface while the OS handles all the networking stuff and the application not even being capable of such. Eric

5 9

some answers I hope to latest NOS questions ...
by Maiko Langelaar 13 Apr '14

13 Apr '14

Good day to all, Unfortunately my subscription options were set to nomail, so I have not been following posts very reliably this past few months. Anyways, just thought I would dig through the digest and comment on stuff. > Doing the routing on the NOS side of things seems a bit backwards > these days (cough encap.txt) You don't have to use encap.txt anymore, depending on your configuration. Brian introduced AMPRnet RIP broadcasts a few years ago. Some of us use those now to update our NOS routes. > Of course you cannot do that if you are still running NOS > on an old DOS box. Technically speaking you could always do encap.txt on a NOS system running in DOS - I did it that way over 12 years ago. > Does such exist.... Has anyone created..... can said code > be easily separated / compiled separately..... The irony is (and there was a lot of criticism towards the authors at the time, this was before I took it over in 2004), the original NOS was actually 'hacked' to give it BBS functionality, as well as a few other features. Anythings possible, but removing the NOS from NOS (think about it, that's what it would come down to) would be a big waste of time and all you would have left is a BBS 'hack'. Sound to me perhaps FBB is more what you're looking for. It's a BBS first and foremost. Actually, how about BCM (Baybox) or OpenBCM out of Europe. It's pretty slick stuff actually, check it out. > don't say whether you're interested in a Windows or a Linux based Believe it or not I have a text (console) based Windows (yeah, true native windows not a DOS compile) version of JNOS, experimental like all of the NOS stuff is, even got WINMOR running B2F forwarding with RMS stations in both my windows and linux versions. Again, I'm an experimenter so the software (like usual NOS style) is not always the most user friendly. I'm just going to say, I'm encouraged for my own ham radio needs. Multipsk as a packet modem works too :) > This appears to be the only "maintained" version of JNOS I took over from James Dugal in 2004, and rebranded it as JNOS 2.0, you can see it in the credits on my official site for JNOS 2.0. James passed away years ago, passing the tourch so to speak, as others did to him as well when they got tired of working on it, or just had to give it up. My primary development platform for years was LINUX, it still is, just that I feel I need to get moving into the Windows (very untapped user base) domain. Just wish I had more time to devote to it, I'm a busy family and working man too like a lot of the people on this group. > haven't looked at the code to see how deep into the stack he's > getting but his dependence on winp cap indicates it still has some > degree of coupling to layer 3. The windows version I started with WinPcap cause I wanted a quick way to tie into the WIN32 tcp stack. I've tried to do raw sockets and it's just plain ugly and I got frustrated. The WinPcap has turned out to be pretty decent for what I need. I use the original NOS ip stack code, no windows IP or TCP functions, it's all NOS (yeah obsolete, exciting eh) code for ip routing, and such. Anyways, just thought I would try and clarify a few things. Feel free to ask me if you have more questions about all of this. With kind regards, Maiko Langelaar / VE4KLM * http://www.langelaar.net/projects/jnos2

1 0

Re: [44net] 44Net Digest, Vol 3, Issue 71
by Rob Janssen 12 Apr '14

12 Apr '14

44net-request(a)hamradio.ucsd.edu wrote: > Subject: > Re: [44net] ampr-ripd for openwrt > From: > marius(a)yo2loj.ro > Date: > 04/12/2014 12:56 PM > > To: > "AMPRNet working group" <44net(a)hamradio.ucsd.edu> > > > For the Mikrotik mipsbe metarouter architecture, I have a repository > online, where you can find ampr-ripd included: > http://yo2loj.ro/openwrt/mr-mips/packages/ > > I asked the question for someone else, a newcomer in gateway land. I forgot to ask which hardware architecture he uses, as I first assumed that openwrt always means those modified Linksys routers. The above list has an ampr-ripd with version 1.6 but a recent date. Is it really 1.6 or is it the latest version? Rob

2 1

Re: [44net] 44Net Digest, Vol 3, Issue 71
by Rob Janssen 12 Apr '14

12 Apr '14

44net-request(a)hamradio.ucsd.edu wrote: > Subject: > Re: [44net] syn and such attacks on 44 net lately ? > From: > Gustavo Ponza <g.ponza(a)tin.it> > Date: > 04/12/2014 07:31 PM > > To: > 44net(a)hamradio.ucsd.edu > > > Hi Maiko and all, > >> Anyone else noticing the SYN and FIN WAIT 1 status on their >> 44 systems lately ? Telnet, Smtp, HTTP, and such. Seems to >> be a 'bit' heavy this past few weeks. >> >> Maiko / VE4KLM > > just reported several times publicly and privately with no reply ... :) > Just look at someone of that below. > > gus i0ojj There are at least two different kinds of attack: 1. the ones that try to connect to your system to scan for vulnerabilities (including Heartbleed) 2. the ones that try to use your system for reflection to another victim. I have seen many of the second kind lately. Note that it is no use to complain to the owner of the "sending address" in this case, because it is spoofed and not the real sender. it is the intended victim of the attack! The symptom is many incoming connections in SYN_RECV state in the netstat -t output. What happens is you receive a SYN with a spoofed sender address, and you are supposed to send a number of SYN ACK packets to the "sender". As this is done repeatedly and to many different destinations, the "sender" (the victim) is hammered with traffic. The real cause of this problem is the lack of uptake of BCP38 (SAF, source address filtering). While "we" are sometimes suffering because of source address filtering when we want to dump traffic sourced in net 44 directly on the internet (instead of tunneling it back via amprgw), SAF in fact is a very good thing, and providers not doing it should be convinced to implement it to end those spoofed address attacks. Back to the SYN problem. I see two different schemes of this attack: 1. the SYN packets are sent with a source port that is a well-known service, like 80, 443, 119, 110 2. the SYN packets are sent with the usual random high-numbered port. The first ones are easily filtered with an iptables rule: iptables -A (chainname) -p tcp --syn -m multiport --source-ports 0:1023 -j DROP This blocks all connects from a privileged port, and should not hurt any normal operation. In fact it would be good if this rule was applied externally at amprgw, so that all this crap does not enter our tunnels. I have added it to several of my systems and the systems at work already. The second ones are a bit more tricky. You cannot simply block those as they look similar to normal traffic. However, if you have the typical low-traffic amateur radio system, you can use the "recent" module to limit unanswered traffic from the same IP address. iptables -A (chainname) -p tcp ! --syn -m recent --name tcp --remove iptables -A (chainname) -p tcp --syn -m recent --name tcp --set iptables -A (chainname) -p tcp --syn -m recent --name tcp --update --seconds 30 --hitcount 5 -j DROP What we do here is limit the number of "open" SYN packets from the same IP address to 5 in 30 seconds. When a SYN comes in, the second and third rules setup a bucket for the sending address in which those events are counted. When another packet comes in, the first rule resets that bucket and traffic from that system is allowed. So for normal incoming connections there is no impact, as the SYN/SYN ACK/ACK 3-way handshake quickly removes the special treatment of the client. However, for those spoofed SYN packets for which there is never any followup traffic, after 5 of those from the same system the "sender" is blocked from further access until they stop doing that for another 30 seconds. Works fine, this rule blocks tens of thousands of packets a day here and ends the issue of many incoming connections in SYN_RECV state. Note that these rules (or at least the first one) should be inserted BEFORE the typical "-m state -state ESTABLISHED,RELATED -j ACCEPT" rule that is often near the beginning of the list, because that rule will match on the followup packets of the connection so the --remove rule will never be reached, and the result would be that a client cannot make more than 5 connects in 30 seconds. Not a problem for telnet, but will be a problem when you run a website. Unfortunately this kind of "recent traffic" rule does not lend itself well for application at amprgw, because it has to maintain a lot of state and will probably be overloaded by the traffic being handled there. Rob

2 1

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net