9 Jun
2012
9 Jun
'12
1:25 a.m.
First I think the idea here is to get more ways into 44 than mirrorshades.
If ISPs are willing to take delegations for CIDRs of 44 then that is one
side of the formula. This may be a few or possibly one per /16, I don't
think we should be propagating this all the way to /30 subnets.
The other side is to bring in pockets of activity (LANs) into these "edge
routers", which will often be VPN servers for tunnels from the LANs. The
problem we have now is that almost all of the tunnel configuration and
methods are tied to non-standard, uncommon, or ancient technology. We
don't have to have just one VPN solution, e.g. it doesn't have to always be
IPIP using JNOS, or even OpenVPN. It just has to be a VPN/Tunnel protocol
that the edge router or routers support for those LANs connecting to them.
OpenVPN, L2TP, MPLS, ... the key is that it is a standard, widely
deployed, authenticated, and easy to setup. I can take $60 router off the
shelf, provide a standard configuration and deploy it very quickly using
L2TP. A new LAN would be able to take a script, plug in their credentials
(for a primary and fallback edge router) and be up in short order, whether
they are on a public / private (natted) address, static or dynamic.
Not everyone setting up a LAN will be a network engineer, so we need
recipes for some common "off the shelf" routing solutions that are pretty
solid for someone following directions.
------------------------------
John D. Hays
K7VE
PO Box 1223, Edmonds, WA 98020-1223
<http://k7ve.org/blog> <http://twitter.com/#!/john_hays>
<http://www.facebook.com/john.d.hays>
On Fri, Jun 8, 2012 at 4:28 PM, Elias V. Basse III <kd5jfe(a)gmail.com> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
What about an ipip server that links openvpn to the mirrorshades ipip link?
This would allow coexistence of both protocols.
73 de KD5JFE
Elias
Sent from my iPhone
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
9 Jun
9 Jun
10:01 a.m.
New subject: OpenVPN or *VPN
Gentlemen,
I think there is a BIIIG misunderstanding about mirrorshades.
Mirrorshades is just a last resort default 44 gateway from the internet to
ampr and a central 44 route administration point.
This means that all there should set up their tunneling so they could reach
the 44 peers without passing mirrorshades.
Mirrorshades offers you all the necessary info in form of updated encap
files and RIPv2 broadcasts.
But the tunneling has to be done on a peer to peer basis based on that
information on both sides of the tunnels.
And this issue puts a big strain on mirrorshades.
Most of the setups get incoming traffic via PtP and the mirrorshades tunnel
and send out the reply packets NATted to their ISP IPs.
That outgoing traffic is then tunneled by mirrorshades to the proper
recipient.
And this is plain and simple WRONG.
You need to tunnel the outgoing traffic back to the IPIP peer it originated
from.
If this is set up correctly and you have a updated encap, you don't need
mirrorshades any more, except for internet->ampr connectivity (and to update
your routing table if you use the RIP method).
So between ampr peers, you could either use the traditional IPIP setup, or
implement whatever routing protocol and transport media you want, as long as
it is PtP and does not rely on mirrorshades.
And the simplest way to check your correct setup is to drop any default
route to 44 networks in your system. If all is set up correctly, all
connections should still work flawless.
If not, your setup is faulty and mirrorshades is your single point of
failure.
73s de Marius, YO2LOJ
3:26 p.m.
New subject: OpenVPN or *VPN
Marius,
I understand that under you system a person on the radio side can reach
assets on the internet, but a person on the internet cannont see or use
assets on the radio side unless they route thru microshades (which blocks
this trafic) BTW WD4DSY did have a webserver on his address running over a
56K link back in the day. ?Brian how did this work?
We want to use 44 space for Dstar, IRLP servers, Club Webservers, Weather
nodes, APRS gateways and what ever someone dreams up.
Yes I know these
could use other means such as 10space or other public IPs, but I am a ham
the 44 net is assigned to ham radio use and our projects have just as much
of a right to use it as your tunneling project.
Lin
4:27 p.m.
New subject: OpenVPN or *VPN
Lin,
This is how it works right now.
The gateway for the whole 44.0.0.0/8 network is amprgw. So any traffic
directed to a 44 address from the public internet goes via amprgw.
In turn, the amprgw looks up the requested address in its routing tables and
tunnels the request to the proper tunnel endpoint.
For a 44 host to be reachable from the internet, its IP and tunnel endpoint
has to be known by amprgw, meaning that unregistered hosts or subnets are
not accessible.
Amprgw does not filter traffic, at least not to my knowledge. It is the
responsibility of the host owner to do that filtering.
The other way around, forwarding traffic from a 44 island to the public
internet is again the decision of the systems owner and has to be done via
its public gateway, not amprgw.
And in this case, being NATed, the traffic has nothing to do with amprgw and
shows up in the internet as regular traffic. And as long it is wired, it
does not conflict with any ham policies.
What is happening "on the air" is the responsibility of each user.
So, if you want to put a up whatever server you like using 44 addresses, the
only way to be accessible from the internet (at least at the moment) is via
amprgw, and this is done via tunnels.
There is no workaround at this time, and this is basically what the whole AS
and BGP discussion in the last months is all about.
If you use 44 addresses without tunneling or private addresses (10, 192.168
et.al.) for your servers it is basically just the same thing. There will be
no access from the internet unless you do some forwarding. So no one
restricts your right to use this space, but for public internet access you
have to join the tunnel project or rely to the same means as in case of
using private addresses.
YO2LOJ
From: 44net-bounces+marius=yo2loj.ro(a)hamradio.ucsd.edu
[mailto:44net-bounces+marius=yo2loj.ro@hamradio.ucsd.edu] On Behalf Of Lin
Holcomb
Sent: Saturday, June 09, 2012 17:26
To: AMPRNet working group
Subject: Re: [44net] OpenVPN or *VPN
Marius,
I understand that under you system a person on the radio side can reach
assets on the internet, but a person on the internet cannont see or use
assets on the radio side unless they route thru microshades (which blocks
this trafic) BTW WD4DSY did have a webserver on his address running over a
56K link back in the day. ?Brian how did this work?
We want to use 44 space for Dstar, IRLP servers, Club Webservers, Weather
nodes, APRS gateways and what ever someone dreams up. Yes I know these
could use other means such as 10space or other public IPs, but I am a ham
the 44 net is assigned to ham radio use and our projects have just as much
of a right to use it as your tunneling project.
Lin
4346
days inactive
4346
days old
4 comments
4 participants
participants (4)
-
Brian Kantor -
K7VE - John -
Lin Holcomb -
Marius Petrescu