44net

44net@mailman.ampr.org

2 participants
3170 discussions

by nasluch＠jestok.com

Hello I am using the UFW firewall on Debian Buster. What rule do I have to use to enable protocol 4 (ipencap) for the ampr-ripd script to work? Tom SQ4BJA

3 years, 12 months

Re: [44net] ipencap routing question

by Rob Janssen

> If we replaced the IPIP mesh with a collection of geographically > distributed VPN servers (OpenVPN?) which advertised routes for /24 (or > larger) subnets, and dual homed each subnet to two or more VPN servers we > would have pretty good redundancy and could end the distribution of IPIP > endpoints and just let the Internet route between subnets. That, or alternatively we could setup a number of routers across the globe with a tunnel mesh between them (similar to what is now done on IPIP, but probably better to use something like GRE/IPsec tunnels), with BGP talking between all those routers, and let users connect their router to one or more of them as they desire. When one, they could use a VPN with static routing of their subnet, when they use 2 or 3 connections they could use BGP as well to advertise their own subnet plus maybe local people's subnets they have routed over radio. (in the above, with BGP I mean BGP on private AS with only AMPRNet routes, not full internet BGP) In such a setup, a single router failing would have little or no impact on the network as a whole. And everyone can participate with simpler or more complex setups without having to forcibly deal with a 600-tunnel mesh (that still does not allow redundancy of the internet connection, i.e. the current IPIP tunnel mesh cannot handle redundant internet connections that present a different internet IP to the tunnel system). Routers in this system could also announce, directly or via their ISP, subnets from AMPRnet directly to internet. That would just mean there is a more direct path between AMPRNet users and internet users in that region. But it is not a firm requirement to do so. But well, it has all been discussed several times already. In the beginning, the counter-argument was "it would cost money and who is going to pay that??". I think that is resolved now. The next one was "but we won't have a full mesh, traffic to my buddy is going to take 2 or 3 tunnel hops instead of one". Well, not really true, one can always setup a direct tunnel to someone else, and a BGP session over that, and direct traffic will take that path because it has less visible hops. So then we usually end up in the "it has always been done this way (IPIP mesh) and I am not going to change". Where the discussion usually stops until the next new user turns up that has difficulty getting connected to the mesh, e.g. because they are behind a NAT router they cannot change, their address is very dynamic, they want to use an off-the-shelf router, etc etc. By now it appears to be the classical "it was difficult for me should it should be difficult for everyone else trying to join" that has also been abused for so long in the battle to get rid of CW exams when obtaining a ham radio license... Rob

3 years, 12 months

hsmm-gw.kb9mwr.ampr.org

by Mark Herson, N2MH

Hi Steve, First of all, thanks for checking out my connectivity as requested in my post to Net44 Second, I notice that your hostname begins with hsmm. Have you done anything with that or advanced to AREDN? Third, I'm interested in your report of gateways with errors. Is that a custom script that you wrote that inspects incoming frames from the tunnel? Lastly, I tried calling your sip phone on 44.92.21.20 but there was no response. Is that an active device? 73, Mark, N2MH

3 years, 12 months

Test Script for ipip Gateway

by Mark Herson, N2MH

To the List, I have my ipip gateway set up and working. I can get to a lot of hosts/networks. However, I am not sure I have it set up completely right. Is there a test script that I can run to test out its functionality? Or, even a list of hosts/networks known to be reachable via a properly operating ipip gateway? There's a lot of destinations that I can not reach. Unfortunately, I can't tell if an individual destination is unreachable or simple off the air. A known-hosts list will tell me a lot. If anyone wants to test my incoming access, you can try n2mh.ampr.org or http://n2mh-web.ampr.org. Please let me know the results. Thanks and 73, Mark, N2MH

3 years, 12 months

Re: [44net] ipencap routing question -> What about the future ?

by Rob Janssen

> I don't really agree. IMHO, the key for mass adoption is the > availability of ready-to-use images for tiny computers such as Raspberry > Pi. Such images can be made as a by-product of a new network design, but please understand that the main objective of the network changes should be that such special images should become unnecessary to get a working network connection. It should work with a normal router. "normal" in the sense that it requires a little more than basic home NAT router functionality, but any commercial router that is able to setup a VPN like L2TP/IPsec, SSTP, PPTP etc should be able to join the network just using its standard configuration interface. And when it supports BGP, it should be able to participate in routing towards others. So, no special tricks required like we now have multipoint tunnels, ampr-ripd, etc and which would require preparation of an image for a newbie to be able to join. Sure it can be done as one of the options, as a project for someone who likes to make such images (with an initial configuration dialog etc) and loves to keep such things uptodate. A simple router like the MikroTik RB750Gr3 is in the same price class as a Raspberry Pi (when SD card, housing and power supply are included) and it conveniently provides 5 ethernet ports and a USB connector. For such a router, just an example configuration is required and the software is kept uptodate by someone else. Rob

3 years, 12 months

Re: [44net] ipencap routing question -> What about the future ?

by Rob Janssen

> Yes, a 44 BGP network would do the trick, but I am certainly not willing > to pay hundreds of USD per month for such an endeavor. BGP peering is > not cheap and not readily available in the whole wide world unless it is > not piggy backed on another preexisting AS for a select few working in > the network business. Aside from the discussion "what it really costs", this is one reason why I think the deployment of access routers around the world should be coordinated by ARDC instead of being an individual effort by hams around the world each serving only their local region. Certainly there should be room for that, but it should not be the only option. ARDC can investigate and find one or more VPS providers where they can order a number of VPS including BGP announcement of a subnet at several datacenters, for some fixed price which should be within the ARDC budget. In the network structure as I see it, there would be routers connected by tunnels and serving a VPN service for the users, but they would not all need to have BGP announced subnets. When it is too expensive to have that in some country, that can be done in a nearby country instead. The private-AS internal BGP routing of all AMPRnet addresses will handle that. Of course one usually would want a country subnet to be announced somewhere nearby, to reduce latency for the users not connected to AMPRnet. With a well-connected router mesh in good datacenters, the latency will be in the millisecond region, and not like the values we now see for traffic going via amprgw. Rob

3 years, 12 months

GL.iNet openWRT Rip44 support?

by Tracy Markham

I had reached out to the good people at GL.iNet and asked for help getting one of their openWRT routers to run my 44 net assignment. I referred them to the page explaining openWRT setup ( wiki.ampr.org/wiki/Setting_up_a_gateway_on_OpenWRT) and requested they compile an executable for the processor in the router. Apparently they did it. It will be a bit before I can try to configure it but its a one click installation. It's available to anyone with a GL.iNet router product, just navigate to Applications -> Plugins and Update, then navigate to the R section. I have a screencap of all the dependencies it installed if anyone is interested. I reached out to them because I've failed on my previous attempts to set up an EdgerouterX for my assignment... I am by no means a network engineer, this is my foray into getting a gateway going. If anyone could confirm this works that would be great. If you're willing to help me get mine going that would be even better. Tracy N4LGH

3 years, 12 months

Re: [44net] - > What about the future ?

by Rob PE1CHL

> Previously, we were talking about network topology. Here, we are talking > about applications. This is one of the drawbacks of the current 44net : > lots of applications are installed on 44net addresses, but there's no > current catalog, and no way to find them. > Maybe an idea of a project that can be handled by ARDC : a search engine > / catalog of all existing applications on 44net. I have been thinking about that before. My idea was to setup a search site which has a database of existing services, where a visitor could search by different attributes of an entry, where possible with a user interface that suggests valid values. So not a "google" style textbox where you can only search for things of which you already know the name, but also can "explore" and find new unknown things (e.g. a service type is a dropdown list or there is a page with all known types and links that you can click to search them). Now the major problem is "how do we keep this uptodate". It is quite common that someone newly active on the Dutch network experiments and installs something like a "HamServer Pi" and would register it in the database. But maybe after a couple of weeks he reprograms the Pi for something else and that entry would remain in the database and people trying to visit it would encounter a timeout. As I also do not really like systems that are constantly probing and scanning to find new services, my idea was to devise some way where a service would automatically refresh its entry by re-submitting it, and the search engine would only display entries that have been recently refreshed. (e.g. once per week or so) With such a system, the risk of stale entries is a lot less. But I have not yet devised a way to refresh entries without limiting the platform on which they can run (a Linux or Windows system can easily schedule a job that runs some program to post a form, but I do not want to limit too much what platforms can provide and auto-refresh services) Rob

3 years, 12 months

Re: [44net] ipencap routing question -> What about the future ? (many messages in 44Net Digest, Vol 9, Issue 139)

by Stuart W. Card

On 12/29/2020 3:00 PM, 44net-request(a)mailman.ampr.org wrote: > > Today's Topics: > ... > 7. Re: ipencap routing question -> What about the future ? > (Toussaint OTTAVI) I would like to comment briefly on several points made in this thread. Has the 44NGN list been shut down? Concurrently with it being mentioned in this thread on this list, I received a message indicating I had been unsubscribed from that list. If lurkers like myself, who post very rarely, only when we feel we really have something to add, are welcome on the TAC, I will apply. Please take a look at the Host Identity Protocol (HIP) as one way of providing a persistent identity with a reputation (like a call sign) on the Internet, and dynamically establishing tunnels as needed to the corresponding IP addresses (despite changes due to DHCP or mobility). _Inter alia_, this would obviate moving from a resilient flat mesh to a fragile, congestion-prone hierarchy. It would also facilitate using 44 and non-44 addresses as needed. It uses strong crypto to mutually authenticate endpoints. Yes, HIP enables encryption, automagically establishing IPsec ESP tunnels, but it does not force encryption to be used _over the air_. See these IETF documents (neither experimental nor obsoleted) on HIP: RFC 4423 architecture RFC 5207 NAT firewall issues RFC 7401 HIPv2 protocol specification RFC 7402 ESP RFC 8002 certificates RFC 8003 registration extension RFC 8004 rendezvous extension RFC 8005 DNS extension RFC 8046 mobility RFC 8047 multicast a draft addressing how to deal with the issues in RFC 5207 https://datatracker.ietf.org/doc/draft-ietf-hip-native-nat-traversal/ and especially the draft update to the 1st doc above https://datatracker.ietf.org/doc/draft-ietf-hip-rfc4423-bis/ I have a ton of other materials I am willing to share explaining how HIP deconflates identities ("names") from logical locations (IP addresses used for actual packet routing) in the Internet, and naturally integrates cryptographic authentication of said identities, thereby solving many of the problems with current practice that motivated the "clean slate Internet redesign" hype several years ago. Our company has used it for lots of things, military and commercial, including mesh WANs. Currently I am working with various standards development organizations, government agencies, commercial product and service providers, _et al_, to standardize/promote its use to identify observed [unmanned] aircraft (and other cyber-physical systems) in a trustworthy manner, enabling authorized observers to immediately establish mutually authenticated communications with the parties responsible for their safe operation. There is 1 commercial product line that explicitly admits to being HIP based (some others formerly admitted that but no longer disclose the basis of their secret sauce): Tempered Networks https://discover.tempered.io/webinars/how-tempered-uses-hip-to-achieve-zero… There are 2 arguably usable open source implementations, one of which is being updated to HIPv2 and enhancements currently being standardized: OpenHIP https://bitbucket.org/openhip/openhip/branches/ 73, AC2WH (long ago WB2IEP) -- Stuart W. Card, PhD: VP & Chief Scientist, Critical Technologies Inc. * Creativity * Diversity * Expertise * Flexibility * Integrity * Suite 400 Technology Center, 4th Floor 1001 Broad St, Utica NY 13501 315-793-0248 x141 FAX -9710 <Stu.Card(a)critical.com> www.critical.com

3 years, 12 months

Re: [44net] ipencap routing question

by lleachii＠aol.com

Roland, I guess the best way to answer this is, what Network Operating System are you using? - Windows - unknown (I last attempted in 2012) - *nix - only one tunnel need to be enumerated - Cisco - multiple tunnels are needed You can see this from the relevant Wikis. 73, - Lynwood KB3VWG

3 years, 12 months

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net