What I would do is the following:
Ask the IP space owner (person allocated to) to send an e-mail to Brian, requesting the block to be advertised over BGP (needs to be /24+, or collection of networks /24+) and Cc me in this e-mail. I reply with the ASN, route objects that need to be created, etc. Brian hopefully approves the request.
Afterwards, I advertise the /24 via BGP to the Internet.
Then, I arrange with the IP space owner how the space will be routed to them. I can support OpenVPN, PPTP, L2TP, GRE, IPSec, etc.
I think he means "after I connect to a VPN server in the USA or e.g. in Greece, how do I make it send the traffic for my Israeli subnet to me over that connection". That is by far not that complicated.
He only needs to connect to that VPN server, he will get an IP from the address space of that server, and set up BGP over that connection (using an agreed-upon private AS number) and announce his own Israeli subnet. The BGP protocol will then exchange this information with all other interconnected VPN servers and they will all route his subnet to the VPN server he is connected to, and that will route it to him.
Traffic from the internet will still be routed to UCSD as part of the default network announcement, and the router there will first route it to the VPN server he is connected to, then to him. No need to announce his /24 on the internet explicitly!
Of course this gets more difficult when the IPIP mesh is kept in place and is used as the backbone. Then the VPN gateway he connects to needs to add his subnet to its list of handled subnets, via the portal. This means he can connect only to a single VPN server and have working routing. When that server goes down, he would have to arrange that the portal information is changed, the subnet being removed from that gateway and added to another.
Without IPIP, he could simply connect to two or more VPN servers at the same time, and as long as one of them is working he has connectivity to everywhere.
Rob
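The design Rob describes above (the client peers with a VPN server over the tunnel using an agreed private AS, announces only its own /24, and can hold sessions to two servers at once), written out as an added configuration example in BIRD 2 syntax; it is not configuration from the thread or from the 44Net servers, and every AS number, tunnel address and the 44.138.0.0/24 prefix are constructed placeholders. The server side also carries the per-peer prefix filter a gateway operator would want, so that a peer can only ever announce its own allocation.

```bird
# Added example in BIRD 2 syntax; not configuration from the thread or from
# the 44Net VPN servers. Every number is constructed: AS 64512/64513 for two
# VPN servers, AS 64600 as the client's agreed private AS, 10.44.0.0/30 and
# 10.44.1.0/30 as the two tunnel links, 44.138.0.0/24 as the allocation.

# ---- File 1: VPN server side (shown for one server) ----
router id 10.44.0.1;
protocol device { }
protocol kernel { ipv4 { export all; }; }

define CLIENT_ALLOC = 44.138.0.0/24;

protocol bgp client_il {
    local 10.44.0.1 as 64512;
    neighbor 10.44.0.2 as 64600;    # client's private AS, over the tunnel
    ipv4 {
        # Accept only the exact prefix allocated to this peer, so a typo or
        # a hostile peer cannot inject other 44/8 space, a default or RFC1918.
        import where net = CLIENT_ALLOC;
        # More than a handful of routes means something is wrong: shut the
        # session instead of carrying on.
        import limit 5 action disable;
        # The client only needs a default back over the tunnel (assumed to
        # be present in this table, learned from the mesh or UCSD).
        export where net = 0.0.0.0/0;
    };
}
# The server's existing sessions to the other VPN servers (not shown) then
# carry CLIENT_ALLOC onward, so they all route it towards this server.

# ---- File 2: client side (the allocation holder's router) ----
# One session per tunnel: the /24 stays reachable while either server is up,
# which is the "connect to two or more VPN servers" case without IPIP.
router id 10.44.0.2;
protocol device { }
protocol kernel { ipv4 { export all; }; }
# Originate the aggregate; the LAN's more specific connected routes win in
# the kernel, so the blackhole only catches unused addresses in the /24.
protocol static { ipv4; route 44.138.0.0/24 unreachable; }

template bgp to_vpn {
    ipv4 {
        import where net = 0.0.0.0/0;      # take only the default
        export where net = 44.138.0.0/24;  # announce only our own /24
    };
}
protocol bgp to_vpn_us from to_vpn { local 10.44.0.2 as 64600; neighbor 10.44.0.1 as 64512; }
protocol bgp to_vpn_gr from to_vpn { local 10.44.1.2 as 64600; neighbor 10.44.1.1 as 64513; }
```

The two files are independent; each server gets its own copy of file 1 with that peer's allocation in CLIENT_ALLOC.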
Oh, I misunderstood maybe. I considered that the Israeli BGP subnet will be announced from the VPN Server's ASN. It will not go to UCSD and traffic to it will not come via UCSD.
Having UCSD in the middle for non-North America is 200+ ms bonus per packet, so most people want to avoid it.
On 22 Jul 2019, at 12:32, Rob Janssen via 44Net 44net@mailman.ampr.org wrote:
Rob
_________________________________________
44Net mailing list
44Net@mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
Can we make a test case? If yes, what is needed? A 44.138.x/24 IP for tests? I can apply for that. I have a Mikrotik router at home for the current IPIP, which works; is that good enough? If yes, I'm willing to test. Let me know and I'll contact you off topic. Keep in mind I'm not sure I will be able to configure the router myself; probably you will need to direct me or (preferred) you will have to get access to the router and configure it remotely.
Regards
Ronen - 4Z4ZQ
________________________________
From: 44Net 44net-bounces+ronenp=hotmail.com@mailman.ampr.org on behalf of Antonios Chariton via 44Net 44net@mailman.ampr.org
Sent: Monday, July 22, 2019 2:55 AM
To: AMPRNet working group
Cc: Antonios Chariton; Rob Janssen
Subject: Re: [44net] Adding VPN server at UCSD ?
July 22, 2019 10:32 AM, "Rob Janssen via 44Net" 44net@mailman.ampr.org wrote:
Of course this gets more difficult when the IPIP mesh is kept in place and is used as backbone. Then the VPN gateway he connects to needs to add his subnet to its list of handled subnets, via the portal. This means he can connect only to a single VPN server and have working routing.
I don't think BGP has a problem working over IPIP tunnels. In the end it is just a TCP connection to one or more endpoints.
Marius, YO2LOJ