If we replaced the IPIP mesh with a collection of geographically distributed VPN servers (OpenVPN?) which advertised routes for /24 (or larger) subnets, and dual-homed each subnet to two or more VPN servers, we would have pretty good redundancy and could end the distribution of IPIP endpoints and just let the Internet route between subnets.
That, or alternatively we could set up a number of routers across the globe with a tunnel mesh between them (similar to what is now done on IPIP, but probably better to use something like GRE/IPsec tunnels), with BGP talking between all those routers, and let users connect their router to one or more of them as they desire. When connecting to one, they could use a VPN with static routing of their subnet; when they use 2 or 3 connections they could use BGP as well to advertise their own subnet plus maybe local people's subnets they have routed over radio.
(In the above, by BGP I mean BGP on a private AS with only AMPRNet routes, not full Internet BGP.)
In such a setup, a single router failing would have little or no impact on the network as a whole. And everyone can participate with simpler or more complex setups without having to forcibly deal with a 600-tunnel mesh (that still does not allow redundancy of the internet connection, i.e. the current IPIP tunnel mesh cannot handle redundant internet connections that present a different internet IP to the tunnel system).
Routers in this system could also announce, directly or via their ISP, subnets from AMPRNet directly to the Internet. That would just mean there is a more direct path between AMPRNet users and Internet users in that region. But it is not a firm requirement to do so.
But well, it has all been discussed several times already. In the beginning, the counter-argument was "it would cost money and who is going to pay that??". I think that is resolved now.
The next one was "but we won't have a full mesh, traffic to my buddy is going to take 2 or 3 tunnel hops instead of one". Well, not really true: one can always set up a direct tunnel to someone else, and a BGP session over that, and direct traffic will take that path because it has fewer visible hops.
So then we usually end up in the "it has always been done this way (IPIP mesh) and I am not going to change". Where the discussion usually stops until the next new user turns up that has difficulty getting connected to the mesh, e.g. because they are behind a NAT router they cannot change, their address is very dynamic, they want to use an off-the-shelf router, etc.
By now it appears to be the classical "it was difficult for me so it should be difficult for everyone else trying to join" that has also been abused for so long in the battle to get rid of CW exams when obtaining a ham radio license...
Rob
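As an added illustration (not part of Rob's message and not any AMPRNet or 44Net project code), here is a small Python model of the hub-router proposal above: hub routers joined by a tunnel mesh speak BGP on private ASNs, user routers attach to one or more hubs, and the best route to a prefix is the one with the fewest AS hops. That is a deliberate simplification of the BGP decision process (AS_PATH length only, no local-pref, MED or IGP cost), not a BGP implementation. Router names, ASNs and prefixes are constructed for the example, and the route filter that refuses anything outside 44.0.0.0/8 is my own reading of the "only AMPRNet routes" remark. It exercises the two claims in the message: a dual-homed user keeps reachability when one hub fails, and a direct tunnel between two users wins because it has fewer visible AS hops.

```python
"""Toy model of a hub-router tunnel network with BGP on private ASNs.
Best path = fewest AS hops (simplified stand-in for BGP's decision process).
Constructed example for illustration; not a BGP implementation."""

import ipaddress
from collections import deque

# Assumption: accept only prefixes inside the historic AMPRNet block, mirroring
# "BGP on a private AS with only AMPRNet routes".  Tighten to the currently
# allocated ranges in a real deployment.
AMPRNET = ipaddress.ip_network("44.0.0.0/8")
PRIVATE_ASN = range(64512, 65535)   # 16-bit private ASN range 64512-65534


class TunnelNetwork:
    """Routers (hub or user) with private ASNs; tunnels carry BGP sessions."""

    def __init__(self):
        self.asn = {}       # router name -> private ASN
        self.prefixes = {}  # router name -> set of prefixes it originates
        self.tunnels = {}   # router name -> set of tunnel neighbours
        self.down = set()   # routers currently failed

    def add_router(self, name, asn, prefixes=()):
        if asn not in PRIVATE_ASN:
            raise ValueError(f"{name}: ASN {asn} is not a private ASN")
        self.asn[name] = asn
        self.tunnels.setdefault(name, set())
        self.prefixes[name] = set()
        for prefix in prefixes:
            self.announce(name, prefix)

    def announce(self, name, prefix):
        """Route filter: refuse non-AMPRNet prefixes (e.g. a leaked default route)."""
        net = ipaddress.ip_network(prefix)
        if not net.subnet_of(AMPRNET):
            raise ValueError(f"{name}: refusing non-AMPRNet prefix {prefix}")
        self.prefixes[name].add(net)

    def add_tunnel(self, a, b):
        """A tunnel (GRE/IPsec, VPN, ...) with a BGP session over it, both ways."""
        self.tunnels[a].add(b)
        self.tunnels[b].add(a)

    def fail(self, name):
        self.down.add(name)

    def restore(self, name):
        self.down.discard(name)

    def best_path(self, src, prefix):
        """AS path from src to the nearest live router originating prefix, or None.
        Breadth-first search over live routers = shortest AS_PATH; neighbours are
        visited in sorted name order so ties resolve deterministically."""
        net = ipaddress.ip_network(prefix)
        if src in self.down:
            return None
        prev = {src: None}
        queue = deque([src])
        while queue:
            router = queue.popleft()
            if net in self.prefixes[router]:
                path = []
                while router is not None:
                    path.append(self.asn[router])
                    router = prev[router]
                return path[::-1]
            for nxt in sorted(self.tunnels[router]):
                if nxt in self.down or nxt in prev:
                    continue
                prev[nxt] = router
                queue.append(nxt)
        return None


def build_example():
    """Constructed topology: three hubs in a full tunnel mesh, three user routers."""
    net = TunnelNetwork()
    for hub, asn in (("hub-eu", 64512), ("hub-us", 64513), ("hub-asia", 64514)):
        net.add_router(hub, asn)
    net.add_tunnel("hub-eu", "hub-us")
    net.add_tunnel("hub-eu", "hub-asia")
    net.add_tunnel("hub-us", "hub-asia")
    # user-a is dual-homed (VPN to two hubs); user-b and user-c are single-homed.
    net.add_router("user-a", 64600, ["44.10.1.0/24"])
    net.add_router("user-b", 64601, ["44.10.2.0/24"])
    net.add_router("user-c", 64602, ["44.10.3.0/24"])
    net.add_tunnel("user-a", "hub-eu")
    net.add_tunnel("user-a", "hub-us")
    net.add_tunnel("user-b", "hub-asia")
    net.add_tunnel("user-c", "hub-us")
    return net


if __name__ == "__main__":
    net = build_example()
    print("A->B normally:     ", net.best_path("user-a", "44.10.2.0/24"))
    net.fail("hub-eu")
    print("A->B, hub-eu down: ", net.best_path("user-a", "44.10.2.0/24"))
    net.restore("hub-eu")
    net.add_tunnel("user-a", "user-b")   # optional direct tunnel between buddies
    print("A->B direct tunnel:", net.best_path("user-a", "44.10.2.0/24"))
```

Running it prints a four-ASN path for A to B through two hubs, the same length via the surviving hub once `hub-eu` is failed, and a two-ASN path once the direct tunnel exists. The `announce` filter is the part worth carrying into a real setup: a hub that accepts arbitrary prefixes from a user session would let one misconfigured router inject a default route or someone else's subnet into every other participant's table, so prefix-list filtering on each session belongs in the design regardless of which tunnel technology is chosen.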