On Fri, Apr 25, 2014 at 10:26 AM, K7VE - John k7ve@k7ve.org wrote:
A few, maybe as little as 10, border nodes might run BGP and *provide VPN/Tunnel services to everyone else* and not everyone needs to run the same VPN/Tunnel protocol. Routing takes care of getting from point A to point B.
As others have already mentioned, some ISPs charge extra for VPN traffic. And again, you create bottlenecks by placing all your eggs into one basket. This is getting circular.
The idea is to have a fully connected address space using the Internet/BGP to interconnect.
Why does every IP need to be internet accessible directly?
Lemme tell you a story: Back in the early days of the 1990s, a Colonel heard about this "Internet" thing and commanded that all of their military machines be placed upon said Internet, even though their base had its own network space and communicated with other bases via tunnels and p-t-p links. Back then firewalls were few and far between, and many machines weren't audited. Didn't matter to said Colonel, and thus all the machines were placed onto the Internet. It didn't take long before hackers were able to probe the network and penetrate some machines that weren't meant for public access. Once it was discovered that hackers had gotten into his network, an audit report came out, as thick as the Manhattan phone book, of all the flaws in their network.
Let's fast forward this to today: We have network radio hardware that cannot be tightly secured (node and the like), a constant and persistent threat of software vulnerabilities and hacking attempts trying to get more and more machines onto the internet to act as part of botnets or phishing schemes - not to mention regulation and financial burdens. And you want to put every machine on the Internet? It's not that simple.
There can be multi-homing and tiers to minimize single points of failure. How many of you can say your 'home' ampr-lan doesn't have a single point of failure?
I can, but I've already said I'm a special case. However, I don't have any machine directly connected to the internet that is beholden to a single network gateway or provider.
What you're asking is for people around the world to connect to your group of routers (which will likely be US based, increasing latency for those outside of North America) just so that they can talk to one another or receive public traffic if they're not able to afford the $1000 or more for AS registration + RIR membership + ISP announcement costs + maintenance costs. Again, I think you are proposing a big mistake and a class system.
Encap/IPIP and RIP tables could theoretically have 16 million entries for Net-44, why not use aggregation and a tiered network instead?
Because it causes bottlenecks and SPOFs. Unless you can contractually provide me a TOS with five 9's of reliability under heavy penalties, people are better off being responsible for their own traffic. If you are willing to offer that, then I'll be glad to sign up.
As I see it, the end user would use a router (a cheap Mikrotik or RasPi) with one or more upstream VPN connections to a border node or sub-tier router and would route all non-local 44net traffic over that connection/those connections. All the user needs is a VPN/Tunnel configuration and credentials provided by the border node/tier router operator. So much simpler.
Multiple VPNs not connecting to the same gateway would cause routing issues. It's one thing to bond to a single gateway endpoint. But routing between two different gateway devices announcing your subnet would cause havoc and a lot of inter-router latency as packets get slung between both gateways.
Think big net, not personal net.
Think networks (plural) and not singular net.