We announce 44.144.0.0/16 over BGP to the public internet (in Belgium).
This IP space is then run on our local variant of "hamwan/hamnet" in
Belgium on 2.4 GHz access points and 5 GHz and recently 24 GHz backbone
links.

We already used 3 ISPs in 2 datacenters (free/sponsored) and our
entire network was running on 10.x.x.x addresses before we started
using the 44.144.0.0/16. (The network started in 2003 and we
started using 44.144 in 2013.) We were using a public /23, and several
/27s from the ISPs to get certain services and repeaters on the
internet. For EchoLink, e.g., you need a unique IP per repeater since
you can only use the ports once. The same goes for D-Star.

So when we told our ISPs we wanted to announce our own subnet via
BGP, their main incentive was the fact that we would be giving back
the IP space we were using and they could use it for other clients,
since, well, IPv4 space is scarce.

In terms of traffic nothing has changed since we still use the same
amount of traffic; the only difference is that we now have BGP
sessions to our ISPs and use our own IPs. All of our traffic is
sponsored by our ISPs (± 70 Mbit avg over all 3 ISPs).

Furthermore we are now able to use public addresses directly on devices
like repeaters or routers, where before we had to NAT everything and
sometimes things were getting double-NATed since some hams put
another NAT router in between their network and our "hamnet" network.

The routers in the datacenter are "The Big Firewall" and disallow any
incoming traffic to 44.144 from the internet by default, and get
opened up for certain ports, IPs or subnets when the ham using them
requests to do so or is using his own firewall. There is also a lot of
internet storm on the 44.144 (and I suspect the entire 44) network.

For the moment we are still announcing this subnet from the ASN of our main ISP.
However, we are looking into announcing this subnet through the
multiple ISPs we use and have recently acquired our own ASN number.
The ASN number has been sponsored by one of the ISPs, since they
virtually don't have to pay for them; they only cost RIPE points. The
ISP that provided us with this ASN also loved the fact that it was a
challenge to get it approved by RIPE since 44.0.0.0/8 is essentially a
legacy subnet in ARIN and is nowhere to be found in RIPE.

Since then, RIPE has added a route object for our network:
https://apps.db.ripe.net/search/lookup.html?source=ripe&key=44.144.0.0/…
It took almost 2 years to get all of this done, and this was mostly
due to RIPE being stubborn.
However, CisarNet in Italy (44.208.0.0/16) already had a route object
in RIPE which in the end was a precedent that convinced RIPE to do the
same for us.
So thanks to the Italian network :)
I have since seen that the Swedish network (44.140.0.0/16) has also
gotten a route object in RIPE.
So there are already several networks on the 44 address space that are
doing BGP announcements directly.
Is it smart to use these IP addresses on the internet?
My personal vision is that ham radio has also evolved to the Internet.
EchoLink, D-Star, DMR, DX clusters, APRS, etc. all use the internet as
a backbone.
So why not use our IP space as part of the Internet? Of course, the
use of firewalls is strongly advised!
Our firewalls allow all 44-to-44 traffic but block any other public
inbound traffic unless exceptions have been allowed (e.g. EchoLink
ports).

The biggest problem we are seeing by connecting 44 addresses to the
internet is when a ham comes to a ham club and brings their own
laptop. They connect to the local wifi and get a 44.144 IP address from
the local DHCP server. However, this ham's laptop is either infected
with a virus, or the ham is knowingly downloading copyrighted files
via torrents. You can already guess what is going on here. The illegal
download continues over the 44.144 address and we get abuse complaints
through Brian.

It has been an ongoing battle to block these practices on the network
and to educate hams not to use the 44 network for these kinds of
practices, or to at least turn off their torrent software when they
connect to the 44.144 network. We are currently "NATing" some of the
44.144 subnets' outbound internet traffic to other commercial public
IPs to prevent the abuse complaints until we can find a better
solution.

As for the IPIP AMPR network, we ourselves have no link with the IPIP
network to the rest of AMPR since we never got around to finding out
how to set it all up. However, we peer with the German hamnet and they
also gate our subnet to the AMPR IPIP network. At the moment this
peering is done through a tunnel over the internet, but we are
currently working on doing this over RF on 5 GHz. Through the German
HAMNET we are also connected to the Austrian and the other networks
they are peering with. All of this using native internet routing
protocols (BGP) and no AMPR IPIP.

We use OpenVPN to connect users who are not able to link to our
network over RF (e.g. no LOS to an access point or none around to start
with), so everything goes through our BGP session and peerings and
IPIP. There are some users who are doing AMPR IPIP themselves and
might receive traffic from the internet through us over AMPR IPIP.
However, most of these users' subnets have never been opened up in the
firewalls so there is probably no internet traffic at all.

So, try it yourself and do a traceroute to 44.144.144.144 over AMPR
and over the public internet :)
73s
Robbie
ON4SAX
On Sat, Mar 22, 2014 at 11:10 PM, Neil Johnson
<neil.johnson(a)erudicon.com> wrote:
I keep hearing complaints that we should "get away from using IP-IP
tunnels and just route the 44-net address space using BGP".
Can someone explain what this means and how this would be done?
- Be sure to read up on BCP38
http://tools.ietf.org/html/bcp38 to
understand why your local ISP won't (and shouldn't) let you source
traffic from IP addresses other than theirs
- Explain how you would justify and obtain stable funding to get (and
keep) an ASN for the 44-net address space ($500 initial, $100/yr
maintenance from ARIN). An ASN is necessary for multi-homing and BGP
routing.
- Explain to me what financial incentive a commercial ISP has to
routing (or peering with) 44-net address space for a small number of
customers.
- As for using VPNs, explain how to pay for and maintain the
appropriate size server(s) to host CPU-intensive VPN (IPSec and GRE)
end-points.
After understanding all the nuances of 44-net, I find that the mesh
of IP-IP tunnels and the rip44d daemon are actually quite an elegant
solution to the limitations and constraints we have to work with.
-Neil
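As an added example (not the Belgian network's real ruleset, nor code from either message), here is an nftables ruleset on a border router that models the policy Robbie describes (44-to-44 allowed, other inbound blocked unless a ham requests an exception, a problem subnet NATed outbound) together with the BCP38 egress filtering Neil points to. The interface names, host sets, the 44.144.200.0/24 subnet and the NAT address 203.0.113.5 are assumed, and the EchoLink port numbers are the protocol's well-known ones, which the thread does not list.

```nft
# Assumed layout: eth0 faces the upstream ISP (internet), eth1 faces the
# hamnet side that carries 44.144.0.0/16. Added example, not the real config.
define HAMNET  = 44.144.0.0/16
define AMPRNET = 44.0.0.0/8

table inet border {
    # Hosts a ham has asked to open up (constructed example addresses)
    set echolink_hosts {
        type ipv4_addr
        elements = { 44.144.10.10 }
    }
    set open_hosts {
        type ipv4_addr
        elements = { 44.144.20.20 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # BCP38 at our own edge: only our prefix may leave towards the ISP,
        # and nothing may arrive from the ISP claiming to be our prefix.
        iifname "eth1" oifname "eth0" ip saddr != $HAMNET drop
        iifname "eth0" ip saddr $HAMNET drop

        # Hamnet users may reach the internet
        iifname "eth1" oifname "eth0" ip saddr $HAMNET accept

        # 44-to-44 traffic is always allowed inbound
        iifname "eth0" ip saddr $AMPRNET ip daddr $HAMNET accept

        # Per-request exceptions from the public internet (EchoLink uses
        # UDP 5198-5199 and TCP 5200; the thread does not list the numbers)
        iifname "eth0" ip daddr @echolink_hosts udp dport { 5198, 5199 } accept
        iifname "eth0" ip daddr @echolink_hosts tcp dport 5200 accept
        iifname "eth0" ip daddr @open_hosts accept

        # Default for anything else the internet sends at 44.144/16
        iifname "eth0" ip daddr $HAMNET log prefix "hamnet-inbound-drop " drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Stop-gap from the thread: a problem subnet is NATed to a commercial
        # address (203.0.113.5 is a constructed placeholder) on the way out
        oifname "eth0" ip saddr 44.144.200.0/24 snat to 203.0.113.5
    }
}
```

Load it with `nft -f border.nft` and watch the kernel log for the `hamnet-inbound-drop` prefix to see which inbound connections the default rule is rejecting before granting a ham an exception.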