22 Jul
2019
22 Jul
'19
4:32 a.m.
What I would do is the following:
Ask the IP space owner (person allocated to) to send an e-mail to
Brian,
requesting the block to be advertised over BGP (needs to be /24+,
or collection of networks /24+) and Cc me in this e-mail. I reply with
the ASN, route objects that need to be created, etc. Brian hopefully
approves the request.
Afterwards, I advertise the /24 via BGP to the Internet.
Then, I arrange with the IP space owner how the space will be router
to them. I
can support OpenVPN, PPTP, L2TP, GRE, IPSec, etc.
I think he means "after I connect to a VPN server in the USA or e.g. in
Greece, how do I make it send the traffic for my Israelian subnet to me
over that connection".
That is by far not that complicated.
He only needs to connect to that VPN server, he will get an IP from the
address space of that server, and setup BGP over that connection (using
an agreed-upon private AS number) and announce his own Israelian subnet.
The BGP protocol will then exchange this information with all other
interconnected VPN servers and they will all route his subnet to the VPN
server he is connected to, and that will route it to him.
Traffic from internet will still be routed to UCSD as part of the
default network announcement, and the router there will first route it
to the VPN server he is connected to, then to him. No need to announce
his /24 on internet explicitly!
Of course this gets more difficult when the IPIP mesh is kept in place
and is used as backbone.
Then the VPN gateway he connects to needs to add his subnet to its list
of handled subnets, via the portal.
This means he can connect only to a single VPN server and have working
routing.
When that server goes down, he would have to arrange that the portal
information is changed, the subnet being removed from that gateway and
added to another.
Without IPIP, he could simply connect to two or more VPN servers at the
same time, and as long as one of them is working he has connectivity to
everywhere.
Rob
22 Jul
22 Jul
4:55 a.m.
New subject: Adding VPN server at UCSD ?
Oh, I misunderstood maybe. I considered that the Israelian BGP subnet will be announced
from the VPN Server’s ASN. It will not go to UCSD and traffic to it will not come via
UCSD.
Having UCSD in the middle for non-North America is 200+ ms bonus per packet, so most
people want to avoid it.
On 22 Jul 2019, at 12:32, Rob Janssen via 44Net
<44net(a)mailman.ampr.org> wrote:
What I would do is the following:
Ask the IP space owner (person allocated to) to send an e-mail to Brian, requesting the
block to be advertised over BGP (needs to be /24+, or collection of networks /24+) and Cc
me in this e-mail. I reply with the ASN, route objects that need to be created, etc. Brian
hopefully approves the request.
Afterwards, I advertise the /24 via BGP to the Internet.
Then, I arrange with the IP space owner how the space will be router to them. I can
support OpenVPN, PPTP, L2TP, GRE, IPSec, etc.
I think he means "after I connect to a VPN server in the USA or e.g. in Greece, how
do I make it send the traffic for my Israelian subnet to me over that connection".
That is by far not that complicated.
He only needs to connect to that VPN server, he will get an IP from the address space of
that server, and setup BGP over that connection (using an agreed-upon private AS number)
and announce his own Israelian subnet.
The BGP protocol will then exchange this information with all other interconnected VPN
servers and they will all route his subnet to the VPN server he is connected to, and that
will route it to him.
Traffic from internet will still be routed to UCSD as part of the default network
announcement, and the router there will first route it to the VPN server he is connected
to, then to him. No need to announce his /24 on internet explicitly!
Of course this gets more difficult when the IPIP mesh is kept in place and is used as
backbone.
Then the VPN gateway he connects to needs to add his subnet to its list of handled
subnets, via the portal.
This means he can connect only to a single VPN server and have working routing.
When that server goes down, he would have to arrange that the portal information is
changed, the subnet being removed from that gateway and added to another.
Without IPIP, he could simply connect to two or more VPN servers at the same time, and as
long as one of them is working he has connectivity to everywhere.
Rob
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net 
5:09 a.m.
New subject: Adding VPN server at UCSD ?
What I would do is the following:
>
> Ask the IP space owner (person allocated to) to send an e-mail to Brian, requesting
the block to be advertised over BGP (needs to be /24+, or collection of networks /24+) and
Cc me in this e-mail. I reply with the ASN, route objects that need to be created, etc.
Brian hopefully approves the request.
-----------------
Can we make a test case ? if yes what is needed ? 44.138.x/24 IP for tests ? i can
apply for that
I have a Mikrotik router at home for the current IPIP that work is that enough good ?
if yes im willing to test let me know and ill contact you off topic
keep in mind im not sure i will be able to configure the router myself probably you will
need to direct me or (preferred ) you will have to get access to the router and
configure it remotely
Regards
Ronen - 4Z4ZQ
________________________________
From: 44Net <44net-bounces+ronenp=hotmail.com(a)mailman.ampr.org> on behalf of
Antonios Chariton via 44Net <44net(a)mailman.ampr.org>
Sent: Monday, July 22, 2019 2:55 AM
To: AMPRNet working group
Cc: Antonios Chariton; Rob Janssen
Subject: Re: [44net] Adding VPN server at UCSD ?
Oh, I misunderstood maybe. I considered that the Israelian BGP subnet will be announced
from the VPN Server’s ASN. It will not go to UCSD and traffic to it will not come via
UCSD.
Having UCSD in the middle for non-North America is 200+ ms bonus per packet, so most
people want to avoid it.
> On 22 Jul 2019, at 12:32, Rob Janssen via 44Net <44net(a)mailman.ampr.org>
wrote:
>
>> What I would do is the following:
>
> Ask the IP space owner (person allocated to) to send an e-mail to Brian, requesting
the block to be advertised over BGP (needs to be /24+, or collection of networks /24+) and
Cc me in this e-mail. I reply with the ASN, route objects that need to be created, etc.
Brian hopefully approves the request.
>>
>> Afterwards, I advertise the /24 via BGP to the Internet.
>>
>> Then, I arrange with the IP space owner how the space will be router to them. I
can support OpenVPN, PPTP, L2TP, GRE, IPSec, etc.
>
> I think he means "after I connect to a VPN server in the USA or e.g. in Greece,
how do I make it send the traffic for my Israelian subnet to me over that
connection".
> That is by far not that complicated.
>
> He only needs to connect to that VPN server, he will get an IP from the address space
of that server, and setup BGP over that connection (using an agreed-upon private AS
number) and announce his own Israelian subnet.
> The BGP protocol will then exchange this information with all other interconnected
VPN servers and they will all route his subnet to the VPN server he is connected to, and
that will route it to him.
>
> Traffic from internet will still be routed to UCSD as part of the default network
announcement, and the router there will first route it to the VPN server he is connected
to, then to him. No need to announce his /24 on internet explicitly!
>
> Of course this gets more difficult when the IPIP mesh is kept in place and is used as
backbone.
> Then the VPN gateway he connects to needs to add his subnet to its list of handled
subnets, via the portal.
> This means he can connect only to a single VPN server and have working routing.
> When that server goes down, he would have to arrange that the portal information is
changed, the subnet being removed from that gateway and added to another.
>
> Without IPIP, he could simply connect to two or more VPN servers at the same time,
and as long as one of them is working he has connectivity to everywhere.
>
> Rob
> _________________________________________
> 44Net mailing list
> 44Net(a)mailman.ampr.org
> https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
5:21 a.m.
New subject: Adding VPN server at UCSD ?
July 22, 2019 10:32 AM, "Rob Janssen via 44Net" <44net(a)mailman.ampr.org>
wrote:
Of course this gets more difficult when the IPIP mesh is kept in place
and is used as backbone.
Then the VPN gateway he connects to needs to add his subnet to its list
of handled subnets, via the portal.
This means he can connect only to a single VPN server and have working
routing.
I don't think BGP has a problem working over IPIP tunnels. In the end it is just a TCP
connection to one or mre endpoints.
Marius, YO2LOJ
1953
days inactive
1953
days old
3 comments
4 participants
participants (4)
-
Antonios Chariton -
marius@yo2loj.ro -
R P -
Rob Janssen