On Sat, Jul 11, 2020 at 3:06 AM Clive Blackledge via 44Net
<44net(a)mailman.ampr.org> wrote:
Hello,
From the surface, it seems like AMPRnet needs a ‘one
country, two systems’
approach. An external system that interfaces with the public internet and
deals with the trends there (RPKI, Domain keys, firewalls, etc.) and
another that the ham community prefers (open, encryption-free
communication).
If another non-AMPRnet site/host on the internet insists on speaking
HTTPS/SSL there's no way around this - unless of course one proposes
proxying on the edge. But if we were to do proxying on the edge then
what's the point of using/assigning public IPs within AMPRnet to begin
with?
One challenge is announcing 44net space on the internet when filtering
becomes more common and LoAs aren’t enough anymore. The use of tunnels
today bridges this gap, but it doesn’t scale very well.
My proposal is to look into datacenter space in some of the major IXs (not
just UCSD) today and announce large chunks of 44net far and wide. The
anticipation is to get grandfathered to avoid filtering that is likely to
happen increasingly in the coming years. Hopefully the nonprofit status of
ARDC can get us some goodwill/discounts with network operators and
datacenters, but it’s like finding the perfect repeater location… it will
still cost money for hardware and rent, even with the most generous
landlord.
This *could* be done, in theory. In fact a number of people are
currently running such overlay networks and some (such as myself) are
announcing/routing 44/9,44.128/10 prefixes on their overlay networks.
However, there are a few things that need to be kept in mind when it
comes to such a proposal.
1. It would require AMPRnet to operate its own AS. While this is *may*
be possible to convince different peers in different upstreams to
announce 44/9,44.128/10 prefixes on AMPRnet's behalf, this would
ultimately end up causing more trouble than it's worth (from a network
management standpoint). That's why for multihomed networks, such as
the one being proposed here, the only realistic approach would be for
AMPRnet to become its own AS rather than relying on other ASes to
announce AMPRnet space.
2. The edge routers on this overlay network would most likely need to
be configured as a iBGP full mesh so that they would all share the
same view of the internet. Now, there may be ways around this. I
myself spent two years trying various alternatives in order to run an
overlay network of the sort being proposed here without doing iBGP.
However, iBGP proved to be the lowest maintenance/least time consuming
approach (which is probably why iBGP is the preferred approach for
sharing routes between multiple border routers within a multihomed
AS/AS with multiple peers).
3. It would require that AMPRnet establish/maintain a 24/7 NOC rather
than relying on USCD's NOC as is currently the case. After all, peers
wouldn't like it if there was no one there to pick up the
phone/respond promptly to the email should there be some routing issue
(such as flapping or worse). Nor would they tolerate this for long
before simply depeering. In a related note, there really is no
"grandfathering" when it comes to peering on the Internet. If a
network decides to take a stricter policy when it comes to ROAs, for
example, they usually do not simply exempt existing peers from these
requirements just because they are existing peers.
4. Considering that this new AMPRnet would be worldwide in scope and
considering that AMPRnet's prefixes are already assigned along
regional lines (i.e.44/9 for US, 44.76/16 for US/TX etc.), converting
AMPRnet into one big overlay network without at the same time creating
a whole lot of inefficient routing would entail creating a fairly
sophisticated routing policy on the edge. It would need to be a bit
more sophisticated than simply advertising 44/9 and 44.128/10 at every
border router.
In short, what is being proposed here would entail a whole lot more
BGP, not less. And it would require a great deal more maintenance and
upkeep than is currently the case. It would mean less time for
experimental activities and more time focused on upkeeping a massive
global network.
For those who wish to use BGP, that’s still an option.
I would recommend
most people join an overlay network (sd-wan) solution that can provide the
same benefits of BGP (multiple paths, static IPs, etc) but is easy enough
to assign IP blocks and route IPs without BGP. Some solutions today that
are open source and create a managed VPN mesh that can be managed from a
centralized location. It’s like IP-IP tunneling used today, except it
abstracts away the need for a static IP tunnel endpoint, and auto-routes
away from links that have bad connectivity.
Using an SD-WAN also provides the ability to do malware checking,
firewalling, and other features that would be normal in a network like
this. People can choose if nodes can only talk to other 44net nodes or
expand access to the internet as a whole.
I think there is a bit of confusion here as to what an "SD-WAN" is. An
"SD-WAN" generally refers to services that centralize and rationalize
the management of network connections (including tunnels, LTE, MPLS -
depending on the service being offered). They are usually provided by
Tier 1s/larger Tier 2s who, IMHO, tend to use SD-WAN as a catch-all
marketing term for all of their "modern" enterprise connectivity
services which are not MPLS/DWDM/etc. and which can complement and/or
serve as a replacement.
SD-WANs are generally not substitutes for layer 3 routing protocols.
They certainly are not a replacement for BGP. If AMPRnet prefixes are
to be visible on the public internet then a BGP speaker somewhere will
have to be advertising these prefixes. Right now AMPRnet's 44/9 and
44.128/10 prefixes are being advertised by UCSD's border router(s)
(AS7377). If AMPRnet were to move in the direction proposed above,
then as already noted, this would require a lot more BGP (and most
likely an IGP as well to complement it). SD-WANs would not be a
substitute for this.
Once the internet side is sorted out, the “internal”
side of 44net could
implement open services for everyone, including packet gateways, DNS, etc.
The anticipation is to be able to access these services without needing to
leave 44net. This affords us a few things.
We can become the ISP for amateur radio and create our
own walled garden
while also interfacing with the wild west of the internet to protect our
interests there.
Rather than trying to turn AMPRnet into one big overlay ISP, I think
the better approach would be to continue to assign /24+ prefixes to
HAMs that have the resources to announce them and keep them on them on
the internet - *but* to make these assignments with the clear
understanding that these "BGP HAMs" will provide tunneling services to
other regional/local HAMs (who are not doing BGP + far away from San
Diego) - including carving out pieces (i.e. /27s, /28s etc) of their
own /24+ prefixes and assigning them to "non-BGP HAMs", so to speak.
This I think would meet the goal as proposed above, but without
needing to create a massive/high maintenance overlay network/ISP. It
would also maintain the experimental ethos of AMPRnet. The big overlay
net/ISP thing would take away from this as we spent more and more of
our time on all the "housekeeping" that would be required to maintain
ISPs and walled gardens.
-Clive
KF6DMA
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
- Erik
KE5SAI