First, I think the idea here is to get more ways into 44 than mirrorshades. If ISPs are willing to take delegations for CIDRs of 44, then that is one side of the formula. This may be a few, or possibly one per /16; I don't think we should be propagating this all the way to /30 subnets.
The other side is to bring pockets of activity (LANs) into these "edge routers", which will often be VPN servers for tunnels from the LANs. The problem we have now is that almost all of the tunnel configuration and methods are tied to non-standard, uncommon, or ancient technology. We don't have to have just one VPN solution, e.g. it doesn't always have to be IPIP using JNOS, or even OpenVPN. It just has to be a VPN/tunnel protocol that the edge router or routers support for those LANs connecting to them. OpenVPN, L2TP, MPLS, ... the key is that it is standard, widely deployed, authenticated, and easy to set up. I can take a $60 router off the shelf, provide a standard configuration and deploy it very quickly using L2TP. A new LAN would be able to take a script, plug in their credentials (for a primary and fallback edge router) and be up in short order, whether they are on a public / private (NATted) address, static or dynamic.
Not everyone setting up a LAN will be a network engineer, so we need recipes for some common "off the shelf" routing solutions that are pretty solid for someone following directions.
------------------------------
John D. Hays K7VE
PO Box 1223, Edmonds, WA 98020-1223
http://k7ve.org/blog
http://twitter.com/#!/john_hays
http://www.facebook.com/john.d.hays
On Fri, Jun 8, 2012 at 4:28 PM, Elias V. Basse III kd5jfe@gmail.com wrote:
What about an ipip server that links openvpn to the mirrorshades ipip link?
This would allow coexistence of both protocols.
73 de KD5JFE Elias
44Net mailing list: 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
Gentlemen,
I think there is a BIIIG misunderstanding about mirrorshades.
Mirrorshades is just a last resort default 44 gateway from the internet to ampr and a central 44 route administration point.
This means that everyone there should set up their tunneling so they can reach the 44 peers without passing through mirrorshades.
Mirrorshades offers you all the necessary info in form of updated encap files and RIPv2 broadcasts.
But the tunneling has to be done on a peer to peer basis based on that information on both sides of the tunnels.
And this issue puts a big strain on mirrorshades.
Most of the setups get incoming traffic via PtP and the mirrorshades tunnel and send out the reply packets NATted to their ISP IPs.
That outgoing traffic is then tunneled by mirrorshades to the proper recipient.
And this is plain and simple WRONG.
You need to tunnel the outgoing traffic back to the IPIP peer it originated from.
If this is set up correctly and you have an updated encap, you don't need mirrorshades any more, except for internet->ampr connectivity (and to update your routing table if you use the RIP method).
So between ampr peers, you could either use the traditional IPIP setup, or implement whatever routing protocol and transport media you want, as long as it is PtP and does not rely on mirrorshades.
And the simplest way to check your correct setup is to drop any default route to 44 networks in your system. If all is set up correctly, all connections should still work flawlessly.
If not, your setup is faulty and mirrorshades is your single point of failure.
73s de Marius, YO2LOJ
Marius,
I understand that under your system a person on the radio side can reach assets on the internet, but a person on the internet cannot see or use assets on the radio side unless they route through mirrorshades (which blocks this traffic). BTW, WD4DSY did have a webserver on his address running over a 56K link back in the day. Brian, how did this work?
We want to use 44 space for Dstar, IRLP servers, club webservers, weather nodes, APRS gateways and whatever someone dreams up. Yes, I know these could use other means such as 10 space or other public IPs, but I am a ham, the 44 net is assigned to ham radio use, and our projects have just as much of a right to use it as your tunneling project.
Lin
Lin,
This is how it works right now.
The gateway for the whole 44.0.0.0/8 network is amprgw. So any traffic directed to a 44 address from the public internet goes via amprgw.
In turn, the amprgw looks up the requested address in its routing tables and tunnels the request to the proper tunnel endpoint.
For a 44 host to be reachable from the internet, its IP and tunnel endpoint have to be known by amprgw, meaning that unregistered hosts or subnets are not accessible.
Amprgw does not filter traffic, at least not to my knowledge. It is the responsibility of the host owner to do that filtering.
The other way around, forwarding traffic from a 44 island to the public internet is again the decision of the system's owner and has to be done via its public gateway, not amprgw.
And in this case, being NATed, the traffic has nothing to do with amprgw and shows up on the internet as regular traffic. And as long as it is wired, it does not conflict with any ham policies.
What is happening "on the air" is the responsibility of each user.
So, if you want to put up whatever server you like using 44 addresses, the only way to be accessible from the internet (at least at the moment) is via amprgw, and this is done via tunnels.
There is no workaround at this time, and this is basically what the whole AS and BGP discussion in the last months is all about.
If you use 44 addresses without tunneling or private addresses (10, 192.168 et al.) for your servers, it is basically just the same thing. There will be no access from the internet unless you do some forwarding. So no one restricts your right to use this space, but for public internet access you have to join the tunnel project or rely on the same means as in the case of using private addresses.
YO2LOJ
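The two mechanisms Marius describes in his posts above, per-destination IPIP routes built from the encap file so that a reply is tunnelled back to the peer it came from (and the "drop the 44 default route" self-check), and amprgw's lookup of a registered tunnel endpoint for an inbound 44 address, as an added Python example. This is not code from the list, from amprgw or from any AMPR tool. It assumes the encap line format `route addprivate <prefix> encap <endpoint>`, uses constructed sample entries with documentation addresses, and renders routes in the `ip route add ... dev tunl0 onlink` form as one common way such routes are installed; the tunnel device name and the central-gateway placeholder are assumptions.

```python
import ipaddress

# Constructed sample in the assumed encap.txt line format; the endpoints are
# RFC 5737 documentation addresses, not real gateways.
SAMPLE_ENCAP = """\
# constructed encap file, not real data
route addprivate 44.10.0.0/16 encap 192.0.2.10
route addprivate 44.10.5.0/24 encap 192.0.2.55
route addprivate 44.20.0.0/16 encap 198.51.100.20
"""


def parse_encap(text):
    """Turn encap-style lines into a list of (44 network, tunnel endpoint)."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5 or parts[0] != "route" or parts[3] != "encap":
            raise ValueError(f"unrecognised encap line: {line!r}")
        net = ipaddress.ip_network(parts[2], strict=False)
        endpoint = ipaddress.ip_address(parts[4])
        table.append((net, endpoint))
    return table


def lookup_peer(table, addr, default=None):
    """Longest-prefix match: the IPIP endpoint responsible for addr.

    With default=None an unregistered address simply has no route, which is
    what the "no default route to 44" check relies on; amprgw behaves the
    same way for hosts it does not know about.
    """
    addr = ipaddress.ip_address(addr)
    best = None
    for net, endpoint in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, endpoint)
    return best[1] if best else default


def reply_endpoint(table, incoming_src, default=None):
    """Where the reply to a packet received from incoming_src must be tunnelled.

    Routing it per the encap table sends it straight back to the originating
    peer instead of NATting it out and letting the central gateway relay it.
    """
    return lookup_peer(table, incoming_src, default)


def check_without_default(table, destinations):
    """Addresses that become unreachable once the 44/8 default route is gone."""
    return [d for d in destinations if lookup_peer(table, d) is None]


def route_commands(table, dev="tunl0"):
    """Render one 'ip route' command per encap entry (assumed command form)."""
    return [f"ip route add {net} via {endpoint} dev {dev} onlink"
            for net, endpoint in table]


TABLE = parse_encap(SAMPLE_ENCAP)

if __name__ == "__main__":
    for cmd in route_commands(TABLE):
        print(cmd)
    print("reply to 44.10.5.7 goes to", reply_endpoint(TABLE, "44.10.5.7"))
    print("unreachable without default:",
          check_without_default(TABLE, ["44.10.5.7", "44.30.1.1"]))
```

Run as a script it prints the routes it would install and shows that 44.30.1.1, which has no encap entry, is exactly the kind of destination that only "works" today because a default route hands it to mirrorshades.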
(In reply to Lin Holcomb, Saturday, June 09, 2012 17:26, to the AMPRNet working group, Subject: Re: [44net] OpenVPN or *VPN, quoted above.)