Confirming that ARIN's web-based IRR system won't allow 44net addresses,
since there's no underlying allocation from one of ARIN's ranges. Your
upstream provider will probably not be able to put in the IRR objects for
you.
For IRR, AltDB doesn't have a simple web interface but it does work
regardless of the RIR (or lack of) that originally allocated the IPs.
I don't think there's a way to use RPKI on the 44net range as of yet,
though - that would likely need either a contract for one of the RIRs to
sign resources or ARDC to set up, maintain, and gain trust for a
certificate authority and handle RPKI requests like the RIRs do. Either of
these is a pretty significant undertaking.
73 de K0BYJ,
--
Jay
On Mon, Dec 14, 2020 at 3:00 PM <44net-request(a)mailman.ampr.org> wrote:
> Send 44Net mailing list submissions to
> 44net(a)mailman.ampr.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://mailman.ampr.org/mailman/listinfo/44net
> or, via email, send a message with subject or body 'help' to
> 44net-request(a)mailman.ampr.org
>
> You can reach the person managing the list at
> 44net-owner(a)mailman.ampr.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of 44Net digest..."
> Today's Topics:
>
> 1. Re: 44NET Route Objects IRR (Caleb Pal)
> 2. Re: 44NET Route Objects IRR (G1FEF)
>
>
>
> ---------- Forwarded message ----------
> From: Caleb Pal <cleb(a)defcon-3.net>
> To: James Colderwood via 44Net <44net(a)mailman.ampr.org>
> Cc:
> Bcc:
> Date: Mon, 14 Dec 2020 08:57:53 -0800
> Subject: Re: [44net] 44NET Route Objects IRR
> Hello,
>
> Your upstream providers may be able to put a proxy obj into the ARIN db
> for you. Unfortunately ARIN changed their IRR db in June of this year.
> They added a web based IRR service. According to ARIN, the web based
> service only allows you to add object for resources you own (your
> upstream ISP could not create those proxy objects since they do not own
> the 44net resources). If they still use the ARIN email IRR system, they
> can add proxy objects, they will just appear as ARIN-NOAUTH in the IRR
> db. I don't think NOAUTH is a problem for most providers now, but could
> be down the road if they start filtering/ignoring NOAUTH entries.
>
> Of course altdb, radb and others are options (full list at:
> http://www.irr.net/docs/list.html). Not sure how other RIR's outside the
> US are handling NOAUTH entries.
>
> I assume since AMPR does not have a RSA with ARIN, Chris cannot create
> IRR records for those folks who BGP advertise AMPR resources?
>
> v/r,
>
> Caleb
>
> On 12/13/2020 10:08, James Colderwood via 44Net wrote:
> > Hi Pierre,
> >
> > Thank you for the heads up. I was aware of altdb but it hadn't crossed
> > my mind. Hopefully one of these solutions will work :-).
> >
> > On 2020-12-13 17:32, Pierre Emeriaud wrote:
> >> Le dim. 13 déc. 2020 à 12:04, G1FEF via 44Net
> >> <44net(a)mailman.ampr.org> a écrit :
> >>>
> >>> > On 13 Dec 2020, at 09:54, James Colderwood via 44Net
> >>> <44net(a)mailman.ampr.org> wrote:
> >>> >
> >>> > Hi All,
> >>> >
> >>> > May I wish you all happy holidays!
> >>> >
> >>> > Quick question, I'm working on establising my 3rd upstream but hit
> >>> a snag. The suppliers validation automation prohibits announcing
> >>> AMPR addresses as the system can't qualify validity.
> >>>
> >>> Are you talking about automatically checking entries in an IRR, or
> >>> RPKI?
> >>
> >> For service providers requesting an IRR route object to automate
> >> filter creation I've been using altdb. While it has not a lot of value
> >> in terms of authorization (anyone can create objects about any
> >> resource - a proper LOA has more value here) it is usually enough for
> >> provisioning tools to create appropriate filters / prefix-lists:
> >>
> >> $ whois -h whois.altdb.net 44.151.210.0
> >> route: 44.151.210.0/24
> >> descr: F4INU
> >> origin: AS206155
> >> mnt-by: MAINT-AS206155
> >>
> >> $ bgpq3 -4 -l F4INU as206155
> >> no ip prefix-list F4INU
> >> ip prefix-list F4INU permit 44.151.210.0/24
> >>
> >>
> >> 73 de F4INU
> >> --
> >> pierre
> >
>
>
>
>
> ---------- Forwarded message ----------
> From: G1FEF <chris(a)g1fef.co.uk>
> To: AMPRNet working group <44net(a)mailman.ampr.org>
> Cc:
> Bcc:
> Date: Mon, 14 Dec 2020 17:26:28 +0000
> Subject: Re: [44net] 44NET Route Objects IRR
> > I assume since AMPR does not have a RSA with ARIN, Chris cannot create
> > IRR records for those folks who BGP advertise AMPR resources?
>
> The vast majority of folk advertising their subnet over BGP are using
> altdb with no issues (currently).
>
> IIRC, altdb is run by one person, so if you don’t already have a MNTNER
> object there, it can sometimes take some time to get one.
>
> Chris
>
>
>
> > v/r,
> >
> > Caleb
> >
> > On 12/13/2020 10:08, James Colderwood via 44Net wrote:
> >> Hi Pierre,
> >>
> >> Thank you for the heads up. I was aware of altdb but it hadn't crossed
> >> my mind. Hopefully one of these solutions will work :-).
> >>
> >> On 2020-12-13 17:32, Pierre Emeriaud wrote:
> >>> Le dim. 13 déc. 2020 à 12:04, G1FEF via 44Net
> >>> <44net(a)mailman.ampr.org> a écrit :
> >>>>
> >>>>> On 13 Dec 2020, at 09:54, James Colderwood via 44Net
> >>>> <44net(a)mailman.ampr.org> wrote:
> >>>>>
> >>>>> Hi All,
> >>>>>
> >>>>> May I wish you all happy holidays!
> >>>>>
> >>>>> Quick question, I'm working on establising my 3rd upstream but hit
> >>>> a snag. The suppliers validation automation prohibits announcing
> >>>> AMPR addresses as the system can't qualify validity.
> >>>>
> >>>> Are you talking about automatically checking entries in an IRR, or
> >>>> RPKI?
> >>>
> >>> For service providers requesting an IRR route object to automate
> >>> filter creation I've been using altdb. While it has not a lot of value
> >>> in terms of authorization (anyone can create objects about any
> >>> resource - a proper LOA has more value here) it is usually enough for
> >>> provisioning tools to create appropriate filters / prefix-lists:
> >>>
> >>> $ whois -h whois.altdb.net 44.151.210.0
> >>> route: 44.151.210.0/24
> >>> descr: F4INU
> >>> origin: AS206155
> >>> mnt-by: MAINT-AS206155
> >>>
> >>> $ bgpq3 -4 -l F4INU as206155
> >>> no ip prefix-list F4INU
> >>> ip prefix-list F4INU permit 44.151.210.0/24
> >>>
> >>>
> >>> 73 de F4INU
> >>> --
> >>> pierre
> >>
> > _________________________________________
> > 44Net mailing list
> > 44Net(a)mailman.ampr.org
> > https://mailman.ampr.org/mailman/listinfo/44net
>
>
>
> _______________________________________________
> 44Net mailing list
> 44Net(a)mailman.ampr.org
> https://mailman.ampr.org/mailman/listinfo/44net
>
Hello all,
Does anyone have up to date setup instructions for Vyos?
I have been able to get ampir-rip installed and it appears to be creating
routes and can receive pings via one of my IPs with a DNS address
configured however pings to that address from a non 44 machine are being
responded to via the wrong interface.
I have so far been unable to ping anything on the 44 side but am not
currently convinced the routing is configured correctly.
Thanks,
Kevin
VA3PSL
I want to thanks all that helped with the setup of my vultr vps with BGP and openvpn to distribute the /24 that was assigned to me.
I played a lot with the openvpn and wireguard software up to a point I had to redo the whole install of the VPS.
here is the receipy I have been able to use for the task. I am running a Debian10 that was updated to the latest software
First I have use the tutorial at https://www.vultr.com/docs/configuring-bgp-on-vultr
Be aware that on my version of bird I was not able to open the "/var/log/bird.log" files because of a propriatary right. the file belongned to root and it was supposed to belong to bird it is a known bug that I hope will be fixed soon.
this helped me create that information into my bird.conf
------------------------------------------------------------------------------
log "/var/log/bird.log" all;
router id xxx.xxx.xxx.xxx ; use the ipv4 address assigned to your vps
protocol device
{
scan time 60;
}
protocol static
{
route 44.xxx.xxx.0/24 via xxx.xxx.xxx.xxx ; use your assigned /24 from ampr and the ipv4 from your vps
}
protocol bgp vultr
{
local as yyyyyyyyyyy; this is the private asn given to you by vultr and availble on your dashboard on myvultr.com for your vps
source address xxx.xxx.xxx.xxx;
import none;
export all;
graceful restart on;
next hop self;
multihop 2;
neighbor 169.254.169.254 as 64515;
password "YourSecretPassword" ;
}
------------------------------------------------------------------------------
On the openvpn side of thing I have use the install script from angristan available at https://github.com/angristan/openvpn-install
just followed the instruction and all was good.
from there I changed some things on my network at etc/network/interfaces
--------------------------------------------------------------------------
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
#source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
auto ens3
allow-hotplug ens3
iface ens3 inet dhcp
iface ens3 inet static
address 44.135.59.1/32
---------------------------------------------------------------------
the last line point at the first address of my /24 put yours into your file.
then on the openvpn server I changed into the server.conf file only one line
the file is at /etc/openvpn/server.conf
i switched the server line from
server 10.8.0.0 255.255.255.0
to
server 44.135.59.0 255.255.255.0
the 44 address is my /24 put yours if you follow my exemple.
that's it!
it was not that complicated. But I had to dig a bit to understand the whole thing.
My next step will be to split my /24 in parts. one section will be for the single connections like now, but I want to have connection that are like blocks of /28 or /29.
I know I will have to make another instence of the openvpn server That is the part that is the less clear for me yet. The conf file is more clear. As I want to strat and stop each instence easily I will have to make a new starting script for systemd And that is where I will need to read more.
If this helps someone I will be happy!
If you see a problem with my setup please let me know!
Pierre
VE2PF
Who is 44.170.120.59? And why is (s)he portscanning for SSH servers?
I think everyone should register their addresses in DNS and have reverse lookup working.
Rob
> If anyone wants to test my incoming access, you can try n2mh.ampr.org
> or http://n2mh-web.ampr.org. Please let me know the results.
Sorry, that web url is a typo. It should be
http://n2mh-web.n2mh.ampr.org
I have received several emails to n2mh(a)n2mh.ampr.org.
73, Mark, N2MH
So, I'm going to continue to harp on the question of what
capabilities/services are we attempting to enable? On that note, I'm
going to point out the ARDC ToS which expressly indicates that the
entirety of connectivity is outside the scope of what ARDC does.
Specifically, section 3, "ARDC DOES NOT provide network services.
Specifically, we do NOT provide network connectivity,"... [1]. While
that document does cover address assignment agreements, it doesn't talk
about the IPIP mesh at all.
Is it out of scope? Is the IPIP tunnel service in scope and a thing
that should be covered by the ToS?
Secondly, and less critically, that document has an inaccurate
assessment of AMPRNet as far as I understand:
> “AMPRNet” means the network 44/8; that is, all Internet IP addresses
from 44.0.0.0 through 44.255.255.255.
So, is the IPIP mesh network gateway an actual service from ARDC?
Should it be? How is it related to address assignment service?
I'm putting forward this question because of the following reasoning:
The primary resource of interest is the IPv4 address space. Those that
already know how to work with allocations of address on the internet,
either personally or by proxy, can and do get allocations of /24 and
greater regularly and utilize them. Anybody who can do this prefers to
do this. (I'm willing to be told that I'm wrong here, but I haven't seen
that case.).
The substantial problems show up in the form of addresses being used
over IPIP or VPN connections, due to bandwidth, latency (to California
and back!), and configuration complexity (610 IPIP tunnels last I
counted). What if we give up on that, and just start pushing users to
regional operators with local connectivity solutions?
What if we spent the time here building the parts for those local
connectivity solutions? To some extent, that's already the discussions
underway. Because I think regional operators will be completely happy
to just announce address space out of their existing infrastructure.
Seeing the variety of framings regarding protocol and hardware choices
leads me to think that there's not much agreement at all about the scale
(Hardware vs Software, ISP / Enterprise / SMB / roll-your-own devices)
of the solution that's needed. How those regional operations
interconnect, also a regional to regional question. Is this whole
question out of scope for ARDC/AMPRnet?
[1] https://www.ampr.org/terms-of-service/
I need to contact Ian - VE7BST urgently.
Ian, if you are reading this please can you contact me off list asap.
If anyone knows how to contact Ian, please could they pass this on.
Thank you,
Chris - G1FEF
