On Wed, 11 Aug 2021, Mark Van Daele via 44Net wrote:
Date: Wed, 11 Aug 2021 19:00:20 -0500
From: Mark Van Daele via 44Net <44net@mailman.ampr.org>
To: 44Net general discussion <44net@mailman.ampr.org>
Cc: Mark Van Daele <markvd@markvd.net>
Subject: Re: [44net] A new era of IPv4 Allocations
tl;dr: I agree with Mark's points, and I disagree with the plan previously put forward in the presentation.
IMHO the TAC plan as presented is a non-starter. Anything that involves significant re-IP is overly burdensome even with funding. Usually $$
Re-IPing should be avoided at almost all costs.
I also fail to see the justification of reserving 44.64/10 with no future purpose when it is already in use. I currently have space in this range that would be orphaned. While it wouldn't be a significant deal for me to re-IP, as you've seen from other posters it will be for some, and I fail to see the well-defined purpose to sequester such a large space.
Withholding address space for such an option is not promotive of the whole. We already have groups setting aside address space for RF mesh networks.
Re selling space, there is no reason to sell more space. ARDC has plenty of funding assuming it is appropriately managed going forward. If anything they have the opposite problem, make sure funding is appropriately allocated and well spent.
We don't need more fund-raising at the moment.
Back to the proposal, do we really need to allocate a dedicated /10 for unconnected purposes? How about finding a /16 or /15 not in use or with limited use? Is there really that large of a defined need to have 4 million IPs reserved as unconnected?
Unconnected connected IPs? That's what RFC1918 is for, and destination NAT along with source NAT.
For me, I appreciate the opportunity to provide feedback and this seems to be a solution in need of a problem. I might be missing something but I fail to see the justification for this radical of a change in your paper.
I agree.
Re the future, from my perspective I am very interested in the new TAC-proposed Global PoP infrastructure and portal that has been proposed. I'd love to see more/better gateway options, different options for connecting (including easy-to-use methods for "newbies", and options for those stuck behind carrier NAT aside from running their own BGP/POP), and a better portal to manage the space and connection options. This is where I'd be focusing a lot of my time.
I'd like to see more than just the one gw.ampr.org, potentially one on the East coast of the USA, and another in the middle for those users who are in those locations. A European POP makes sense as well, but this is a problem bigger than the USA.
IMHO the TAC should be focused on network stewardship, architecture, policy, and community need. I may have missed it, but does the TAC have a defined charter? It might make sense to get community feedback and prioritization on the problems we are trying to solve.
I agree with the above comments.
I'd also like to see ARDC have a better focus on providing network POP and hosting infrastructure that supports the amateur community. While giving out grants is great, I could see growth on the operations side as well to support better infrastructure. Especially with funding there is no reason you couldn't staff a small infrastructure department to support this.
SeattleIX (https://www.seattleix.net/) has a single employee, and a board that oversees the operations of that employee while operating in a transparent nature. This is a good model to follow.
Re the endpoint and connection discussion, I do use a Pi3 as my IPIP gateway using one interface and 802.1Q VLANs. I have it behind my primary pfSense firewall and forward ipencap from external to it. My notes on how I set up the Pi are here: http://k9mev.ampr.org/piconfig.txt
IPIP IMO isn't the best solution, but it is one that is in place. VPN and GRE make a lot more sense today as IPIP is deprecated in almost all but this space.
Having a single route for 44.0.0.0/10 in one location isn't the worst idea for some basic form of connectivity, but for VoIP and disaster applications, having local connectivity is better. For a state like Alabama, that often means Atlanta is the closest point for connectivity, but most connectivity in general flows to Atlanta from Alabama.
I think the Pi solution or a cheap Mikrotik are both valid solutions.
I did at one time discover a configuration on the Ubiquiti EdgeRouter that could use the VPN implementation without any cryptographic functions at all, but when they updated to EdgeOS Version 2.0, they removed the functionality I had apparently used to "misconfigure" OpenVPN. This is of limited functionality other than crossing artificial barriers like links where encryption is not allowed, or trying to connect networks through a single port forward. Hashing, e.g. MD5 or SHA, is not encryption.
--
Kris Kirby, KE4AHR
Disinformation Architect, Systems Mangler, & Network Mismanager