Sorry to say but this is not entirely correct.
ampr-gw does not black hole packets from 44/8 to the internet.
This is the whole purpose of that gateway: to permit 44/8 traffic to the
internet and back.
The 44 to 44 traffic is supposed to go via IPIP directly, so that one is
dropped correctly.
So no traffic can originate from an IPIP 44 address towards a 44/8 located
in the internet, and, as you correctly said, no reply can go out.
And this is valid not only for TCP, but for any protocol.
One can hardly compromise a host without replies reaching the originator. Of
course, some DDoS is possible...
Regarding BGP announced subnets: if they like, they can set up an IPIP
endpoint; if not, that's it: they will be treated as spoofed IPs at the
moment and dropped. It's their personal choice.
IMHO the biggest enemy in this case is illegitimate traffic being NATed to a
44 IP in a ham environment by bad routing, allowing external internet
traffic to the 44net.
And there is nothing one can do to prevent it on the service provider side
except some kind of authentication.
Marius
-----Original Message-----
From: 44net-bounces+marius=yo2loj.ro(a)hamradio.ucsd.edu
[mailto:44net-bounces+marius=yo2loj.ro@hamradio.ucsd.edu] On Behalf Of Cory (NQ1E)
Sent: Sunday, June 14, 2015 20:31
To: AMPRNet working group
Subject: Re: [44net] Two questions
(Please trim inclusions from previous messages)
_______________________________________________
packets with source 44 from the
internet are filtered because of that 44/8 routing rule some talked about.
It's also not true of the IPIP-only connected networks. The gateway at
UCSD only blackholes 44/8 packets from IPIP nets toward the internet, not
from it (as long as the IPIP destination is valid). This means, BGP nets
(and spoofed internet traffic) can send packets to IPIP nets through the
gateway just fine. It's the return path that is broken.
As a result, if you use TCP you can filter out most unwanted internet users
(until the gateway gets fixed). But similar to what Bryan said, this does
not give you any assurance that the traffic is from the direct actions of a
licensed amateur.
On Sun, Jun 14, 2015 at 10:07 AM, Marius Petrescu <marius(a)yo2loj.ro> wrote:
Ah, I forgot...
This of course doesn't hold true for BGP announced subnets, if both subnets
involved are BGP announced.
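As an added illustration (not part of the list thread, and not the real ampr-gw or any encap table), the small Python model below encodes the reachability rules the two posts agree on: 44-to-44 traffic between IPIP-registered subnets goes directly over IPIP; a 44-sourced packet from the plain internet (a BGP-announced subnet or a spoofed source) can reach an IPIP subnet, but the IPIP host's reply is routed toward a 44/8 destination with no IPIP endpoint and is dropped. The roles, the endpoint check and the handshake walk-through are all constructed for the example. It shows why a TCP handshake from a non-IPIP source cannot complete while one-way UDP (or any other unidirectional protocol) still arrives, and why the asymmetry disappears when both sides are BGP announced or both are IPIP endpoints.

```python
"""Toy model of the AMPRNet return-path asymmetry discussed in the thread.

Constructed illustration only: the roles and the forwarding rules below are
a simplification of what the posts describe, not real gateway behaviour.
"""
from enum import Enum


class Role(Enum):
    IPIP = "ipip"        # 44 subnet registered as an IPIP tunnel endpoint
    BGP = "bgp"          # 44 subnet announced via BGP, no IPIP endpoint
    SPOOFED = "spoofed"  # internet host forging a 44 source, no endpoint


def has_ipip_endpoint(role: Role) -> bool:
    """Hypothetical endpoint lookup: only IPIP subnets have a tunnel endpoint."""
    return role is Role.IPIP


def forward(src: Role, dst: Role) -> bool:
    """Return True if a single packet from src reaches dst under the rules."""
    if dst is Role.IPIP:
        # Inbound to an IPIP subnet: direct IPIP when src has an endpoint,
        # otherwise it enters via the gateway and is still delivered.
        return True
    if src is Role.IPIP:
        # The IPIP host routes any 44/8 destination into the tunnel mesh;
        # a destination without an endpoint means the packet is dropped.
        return has_ipip_endpoint(dst)
    # Neither side is an IPIP subnet: ordinary internet routing applies.
    return True


def tcp_handshake_completes(client: Role, server: Role) -> bool:
    """Walk SYN, SYN-ACK, ACK through forward(); all three must arrive."""
    syn = forward(client, server)
    syn_ack = syn and forward(server, client)
    ack = syn_ack and forward(client, server)
    return ack


def udp_datagram_delivered(client: Role, server: Role) -> bool:
    """One-way traffic needs no reply, so only the forward direction matters."""
    return forward(client, server)


def reachability_table() -> dict:
    """Map (client, server) -> (tcp_ok, udp_ok) for every pair of roles."""
    return {
        (c, s): (tcp_handshake_completes(c, s), udp_datagram_delivered(c, s))
        for c in Role
        for s in Role
    }


if __name__ == "__main__":
    for (c, s), (tcp_ok, udp_ok) in reachability_table().items():
        print(f"{c.value:>8} -> {s.value:<8} tcp={tcp_ok!s:<5} udp={udp_ok}")
```

Running the block prints the full table; the rows to look at are SPOOFED -> IPIP and BGP -> IPIP, where UDP is delivered but TCP never completes, which is the "TCP filters most unwanted users, DDoS still possible" point made in the thread.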