On 15.06.2015 07:17, Tim Osburn wrote:
I remember that, I set up a tunnel but I don't think anyone did any testing with it. We can try that again. So to recap that idea, that would be an IPIP tunnel from a non-UCSD router (Router Z) on the internet to the amprgw server. You would then add the current 53 authorized BGP prefixes as static routes on the amprgw to go over that IPIP tunnel and then egress out to the internet from that router Z location. Router Z would need to allow traffic from any 44 IP address to egress out router Z's ISP internet connectivity.
+1
Once that's working it would be nice to let the maintainers of the current 53 authorized BGP prefixes decide (e.g. through the AMPRNet Portal) whether they want to add an IPIP route for their prefix pointing to router Z which is decapsulating traffic directed to these nets or not (some do set up an IPIP endpoint themselves already). This way we are able to keep End-to-End-Communication (Source-44 to Dest-44) alive and source-route-filtered gateways do not need to NAT through their ISP's commercial address(es).
Btw: My current workaround would be to parse the BGP-table of the Internet for net44-prefixes and do it myself (I have something similar to "router Z"). I would be happy if there is a non-private solution...
73, Jann
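
The following is an added example, not code from either poster: a sketch of the "parse the BGP table for net44 prefixes" workaround mentioned above, turning the result into static routes over an IPIP tunnel. It assumes net44 means 44.0.0.0/8, a simplified "prefix origin-AS" input (constructed, not a real router's output format), and the Linux default IPIP device name `tunl0`.

```python
import ipaddress

# Assumption: "net44" as used in the thread is 44.0.0.0/8.
NET44 = ipaddress.ip_network("44.0.0.0/8")

# Constructed sample table: one "prefix origin-AS" pair per line.
SAMPLE_TABLE = """\
44.24.240.0/20 64500
44.24.241.0/24 64500
8.8.8.0/24 64501
44.130.0.0/16 64502
2001:db8::/32 64503
not-a-prefix 64504
44.24.240.0/20 64505
"""

def net44_prefixes(table_text):
    """Return the sorted, de-duplicated IPv4 prefixes that lie inside 44/8."""
    found = set()
    for line in table_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=True)
        except ValueError:
            continue  # malformed entry or host bits set: never install it
        # Skip IPv6, anything outside 44/8, and the covering /8 itself.
        if net.version == 4 and net != NET44 and net.subnet_of(NET44):
            found.add(net)
    return sorted(found)

def route_commands(prefixes, tunnel_dev="tunl0"):
    """Emit one iproute2 command per covering prefix.

    All routes share the same tunnel, so more-specifics already covered by a
    shorter prefix (and adjacent halves) are collapsed to keep the table small.
    """
    covering = ipaddress.collapse_addresses(prefixes)
    return [f"ip route replace {p} dev {tunnel_dev}" for p in covering]

def is_net44_source(addr):
    """Egress check for router Z: forward only packets sourced from 44/8."""
    return ipaddress.ip_address(addr) in NET44

if __name__ == "__main__":
    for cmd in route_commands(net44_prefixes(SAMPLE_TABLE)):
        print(cmd)
```
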