For a long time now, I have been allowing IPIP only from registered gateways and disallowing nested IPIP. Indeed I have seen in the past that IPIP packets were sent with the intention of being forwarded through "allow trusted subnets" rules and then maybe back out to internet hosts that were targeted for DDoS or similar.
When looking in the logs of those rules, I usually see dropped packets from hosts that are apparently on dynamic addresses and have changed address, but this change has not yet reached me through the ampr-rip announcements. However, there are indeed also instances of apparently unrelated intrusion attempts.
It remains my position that we should change from this IPIP mesh to a more modern VPN system where stations with dynamic addresses can participate through a local VPN server that participates in a network that uses standard protocols to form a dedicated AMPRnet tunnel network with automatic routing, that can be used by standard equipment and can be made more resilient against unwanted use (e.g. by using GRE/IPsec and L2TP/IPsec tunnels instead of the traditional IPIP).
However, I no longer want to beat a dead horse. We had the discussion a while ago but unfortunately it was then redirected onto a separate mailing list.
Rob
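As an added illustration of the two checks Rob describes (not code from the list or from any AMPRnet gateway software), a small Python classifier that accepts an IPIP packet only when the outer source is in a registered-gateway set and the inner header is not itself IPIP. The gateway addresses and the sample packets are constructed placeholders.

```python
import ipaddress
import struct

IPIP_PROTO = 4  # IP protocol number for IP-in-IP encapsulation
# Constructed placeholder gateway set; a real gateway would fill this from the encap/RIP announcements.
REGISTERED_GATEWAYS = {ipaddress.ip_address("198.51.100.10"), ipaddress.ip_address("203.0.113.25")}

def parse_ipv4_header(data):
    """Return (header_len, protocol, src, dst) for an IPv4 header, or None if it is malformed."""
    if len(data) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        return None
    return ihl, proto, ipaddress.ip_address(src), ipaddress.ip_address(dst)

def check_ipip(packet, gateways=REGISTERED_GATEWAYS):
    """Classify a packet arriving on the tunnel interface as ("accept" | "drop", reason)."""
    outer = parse_ipv4_header(packet)
    if outer is None:
        return "drop", "malformed outer header"
    ihl, proto, src, _dst = outer
    if proto != IPIP_PROTO:
        return "drop", f"not IPIP (protocol {proto})"
    if src not in gateways:  # e.g. a dynamic address whose change has not reached us yet
        return "drop", f"outer source {src} is not a registered gateway"
    inner = parse_ipv4_header(packet[ihl:])
    if inner is None:
        return "drop", "malformed inner header"
    if inner[1] == IPIP_PROTO:  # inner packet is itself IPIP: nested encapsulation
        return "drop", "nested IPIP"
    return "accept", f"IPIP from gateway {src}, inner protocol {inner[1]}"

def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 header (no options, zero checksum) for the constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

# Constructed samples: ICMP inside IPIP from a registered gateway, the same from an
# unregistered source, and IPIP nested inside IPIP from a registered gateway.
INNER_ICMP = build_ipv4("44.0.0.1", "44.0.0.2", 1)
SAMPLE_GOOD = build_ipv4("198.51.100.10", "192.0.2.1", IPIP_PROTO, INNER_ICMP)
SAMPLE_UNREGISTERED = build_ipv4("192.0.2.99", "192.0.2.1", IPIP_PROTO, INNER_ICMP)
SAMPLE_NESTED = build_ipv4("198.51.100.10", "192.0.2.1", IPIP_PROTO,
                           build_ipv4("44.0.0.1", "44.0.0.2", IPIP_PROTO, INNER_ICMP))
```

Running check_ipip over the three samples yields accept, drop (unregistered source) and drop (nested IPIP); the same decisions are what a firewall rule matching protocol 4, the source set and the inner protocol byte would make.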
Those with a dynamic address CAN participate as their public gateway can now be a FQDN for their dynamic service. I have some within the New York State subnet (44.68/16).
On 3/14/2020 3:28 PM, Rob Janssen via 44Net wrote: