> If there are any additional checks that can be put into the Portal, I’m happy to add them if we can reach a consensus on what those checks should be...
> Regards,
> Chris
Do you think it is viable to add another manual validation step for any gateway config
that has one of these properties:
- external gateway address is within 44.0.0.0/8
- advertised subnet is not owned by the gateway operator
This would at least prevent mishaps like we had this week, because especially a gateway
address within 44.0.0.0/8 should be throughly validated so that it is properly BGP routed
to somewhere, and the operator of that destination can properly process the IPIP packets
and not route them in a loop.
Rob
> The portal has made it easier for those to request blocks and for
> routing to become a bit more efficient through RIP vs having to download
> the encap.txt file and having to reload it every so often so the
> automation is definitely welcomed in this regard. The whole concept of
> ip encapsulation under ip is what confuses most people. Take OpenVPN for
> example - people don't want to know it's using ip encapsulation, they
> just want to configure it and have it work.
Well, that is the issue. We provide OpenVPN certificates for local amateurs
to connect to our gateway, and there rarely is any issue with that.
(apart from people making 2 connections at the same time, which of course does
not work because the certificate is directly bound to the user's IP address)
But I think what happens is: people hear about this AMPRnet/HAMNET thing, they
google a bit for information, and they get lost in technical documents not in
their language, talking about something that is not their expertise, and
expecting them to enter information in forms that they do not understand at all.
Then it is not so surprising that some bogus information ends up in the system
unless validation is improved, either in the software or in a manual step.
The whole thing with RIP was definitely a good idea, and much better than
regularly downloading and loading an encap.txt file.
However, what can be improved is the entering and maintenance of the data
that actually gets transmitted there.
> That could turn into something a bit too time consuming as well for
> those who would be in charge of taking responsibility for the
> functioning systems of others such as coordinators.
I'm not too worried about that, the assignment of IP addresses is also mostly
a manual process here (from mail to hosts file), helped with some scripts to
mail the update to the DNS robot and to place updated files on the server.
The number of updates is relatively small, I get maybe one a week or up
to 3 a week when it is a busy time.
For gateways, this should be even less.
Rob
> Rob et al;
> This user is flagged RADIO only in his config and should not be a listed
> "gateway" at all:
> ...
> If this is causing an issue, let me know and I'll send him a note asking
> him what he's looking to do and point him to a few things that may help
> him out.
Well, the recurring issue is that users do not really understand the whole
system and still are expected to manage it themselves via the portal.
This does not work well. They experiment with entering some data, see it
appear listed under their account, but do not understand what it is for.
They leave it there and move on to another experiment.
I do not blame them, it is a complicated matter and there are many options
of connecting to the network. On my own pages I strongly advise against
using the portal and instead mail me with the request they have, usually
they do not want to use IPIP anyway and registering on the portal does more
harm than good.
Of course it could be improved in the portal user interface, but it has been
claimed before that restricting people to making valid entries (i.e. the
external gateway address is NOT in net-44 and the advertised subnets are
owned by the gateway operator) causes issues in some niche situations.
Hence those checks have been removed, and users are no longer guided towards
what they should and should not (and probably don't want to) do.
Users get an address from me, and register a gateway in the portal with that
address as external address (this is what caused the mishap this week!).
Moreover, they have to add advertised networks and they do not understand
that they first have to request a network to be assigned to them, and they
pick a random network from the pulldown list (this happened with the same user).
So I am all for a change towards a system where people like coordinators or
other experienced users have to validate the entered gateway configuration
before it becomes active.
But recognizing that this would require more programming work in the portal
(and thus in practice will not happen), I am for a reduction of the complexity
and vulnerability of the system by removing dangerous capabilities that
almost nobody uses, such as having the gateway address within net-44 and the
advertisement of networks not owned by the user. They could still be allowed
for existing users and could still be modified by administrators of the portal,
but not by end-users.
Rob
Rob et al;
This user is flagged RADIO only in his config and should not be a listed
"gateway" at all:
44.118.1.1 2018-03-01 18:16:04 N1QX View
<https://portal.ampr.org/gateways_list.php?a=view&id=1403>
44.118.1.2 2018-03-01 18:16:12 N1QX View
<https://portal.ampr.org/gateways_list.php?a=view&id=1404>
44.118.1.3 2018-03-01 18:16:19 N1QX View
<https://portal.ampr.org/gateways_list.php?a=view&id=1405>
44.130.104.1 2017-10-02 18:34:13 DG8NGN View
If this is causing an issue, let me know and I'll send him a note asking
him what he's looking to do and point him to a few things that may help
him out.
I know in Maine, they prefer to use M$ and software that's 100% GUI
based. The problem however becomes that the sysop doesn't learn what
they're doing because the GUI hides the technical information.
--
I won't be like a Texas official and call Ocasio-Cortez a bimbo
but she does think Roe vs Wade are two different ways to cross a river.
-----
73 de Brian N1URO
IPv6 Certified
n1uro-dawt-ampr-dawt-org
uronode-dawt-n1uro-dawt-com
> Until a decision is made about what to do long term here, maybe the AMPR
> Portal web interface can change this name from "gateway" to "public
> Internet IP (gateway)". I think that would help some people avoid this
> issue.
Either that, and/or a descriptive text above the form that explains what a gateway
is, why you want to have it (and why not), and where to read more about it.
There are those "hover" type help texts but I am afraid it is not enough.
I think several "gateways" now listed (with no subnets) are the result of people
wanting to register/publish their system information in a way that is more like
what HamnetDB does.
It should be clearer that creating a gateway here actually sets up routes and
when done incorrectly can mess things up pretty badly.
The announced subnets list has similar risks. For a while it was limited to
subnets registered by the person logged in, there were people wanting to route
subnets for others (probably to forward them internally) and this check was
removed, and now people who do not completely understand what is going on are
randomly announcing other people's subnets without anyone knowing.
Perhaps best would be when all gateway setup had to be validated by someone with
more experience (a coordinator, an old hat in AMPRnet, etc) before it becomes
finalized, similar to the subnet allocation.
Rob
Talked to network people at the ISP, they indicate that they have changed something w.r.t.
the routing via Eurorings. It should be researched and hopefully fixed.
In the meantime I am thinking about relaying the RIP packets from my own colo host to our
gateway as an extra safeguard against things like this.
I see that ampr-ripd has options -E and -F that should relay the raw packets to a specified
address, good. That should work.
But I don't think it is possible to make ampr-ripd receive and act upon those relayed packets,
isn't it? Should I NAT them at the receiving system so they again have 224.0.0.9 as destination?
Has anyone tried such a setup and does it work without nasty issues?
(normally all RIP packets will be received twice in this case)
Rob
Does anyone else find it useless to have a password reminder email sent out
every month where you're told your password is [****] ?
-------- Forwarded Message --------
Subject: mailman.ampr.org mailing list memberships reminder
Date: Mon, 01 Apr 2019 05:00:19 -0700
From: mailman-owner(a)mailman.ampr.org
To: wlewis(a)acscalifornia.org
This is a reminder, sent out once a month, about your mailman.ampr.org
mailing list memberships. It includes your subscription info and how
to use it to change it or unsubscribe from a list.
<SNIP>
List Password // URL ---- -------- 44net(a)mailman.ampr.org ****
Since yesterday, or maybe earlier, we do not receive the full RIP table
anymore and our route table for IPIP routes has almost emptied.
A trace of UDP port 520 shows only 2 RIP packets per cycle.
Has something changed? Or does this have to be some rate-limiting on
the path to here?
Rob
I did further debugging...
It is indeed our 213.222.29.194 gateway that has the issue, it misses most
of the routes at least since yesterday (I notice because I have some mail
in the queue routed over IPIP that has stalled since yesterday).
But I do have another independently hosted IPIP host in the Netherlands
that receives all the normal routes. It is at IP 89.18.172.156
and is located in another datacenter.
So likely it is a routing issue on the internet...
Rob
