7 Jan
2019
7 Jan
'19
7:27 a.m.
Hi all,
We are already announcing a subnet with BGP via a low-cost virtual
instance at Vultr. It works fine. As we'll soon deploy our second data
center, and we'll start migrating from our old-style 10.44.0.0/16
private addressing to full AMPRNet addressing, I was wondering if I
could find a second low-cost BGP provider for redundancy.
I saw that Amazon now provides "Bring your Own IP" features :
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/introducing…
Did someone already tried it ? Would it be suitable for AMPRNet
announcement ? Is this feature available outside of the U.S ? Amazon
seems to provide free account during one year. Are there any volunteers
to try out ?
73 QRO & Happy New Year de TK1BI
7 Jan
7 Jan
7:38 a.m.
On Mon, Jan 7, 2019 at 1:28 PM Toussaint OTTAVI <t.ottavi(a)bc-109.com> wrote:
I saw that Amazon now provides "Bring your Own
IP" features :
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/introducing…
Did someone already tried it ? Would it be suitable for AMPRNet
announcement ? Is this feature available outside of the U.S ? Amazon
seems to provide free account during one year. Are there any volunteers
to try out ?
Hello Toussaint,
The Amazon BYOIP product relies on using RPKI ROAs to reliably verify
the owner of the prefix is authorising AWS to announce it. Given there
is no AMPRNET RPKI infrastructure, e.g. trust anchors this is
unlikely. At work before Christmas I spoke to AWS about that product
and they were proud to be using RPKI to validate prefix origination.
It would be neat for AMPR to have its own RPKI ROA signing built into
the portal!
Kind regards,
--
Nat - MW7NAT
https://nat.ms
+44 7531 750292
8:44 a.m.
that could be fairly easily achieved:
https://github.com/dragonresearch/rpki.net/
On Mon, Jan 7, 2019 at 6:37 AM Nat Morris <nat(a)nuqe.net> wrote:
On Mon, Jan 7, 2019 at 1:28 PM Toussaint OTTAVI
<t.ottavi(a)bc-109.com>
wrote:
I saw that Amazon now provides "Bring your
Own IP" features :
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/introducing…
Did someone already tried it ? Would it be suitable for AMPRNet
announcement ? Is this feature available outside of the U.S ? Amazon
seems to provide free account during one year. Are there any volunteers
to try out ?
Hello Toussaint,
The Amazon BYOIP product relies on using RPKI ROAs to reliably verify
the owner of the prefix is authorising AWS to announce it. Given there
is no AMPRNET RPKI infrastructure, e.g. trust anchors this is
unlikely. At work before Christmas I spoke to AWS about that product
and they were proud to be using RPKI to validate prefix origination.
It would be neat for AMPR to have its own RPKI ROA signing built into
the portal!
Kind regards,
--
Nat - MW7NAT
https://nat.ms
+44 7531 750292
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
9:10 a.m.
Le 07/01/2019 à 15:44, Darcy Buskermolen via 44Net a écrit :
that could be fairly easily achieved:
https://github.com/dragonresearch/rpki.net/
Hi Brian, we have a volunteer, HI :-)
73 de TK1BI
9:48 a.m.
On 1/7/19 9:44 AM, Darcy Buskermolen via 44Net wrote:
that could be fairly easily achieved:
https://github.com/dragonresearch/rpki.net/
No it cannot. ARIN will not do RPKI for legacy subnets unless they sign a
Legacy RSA and give up ownership of the space.
RPKI for 44/8 will never happen as long as ARINs policy stands.
--
Bryan Fields
727-409-1194 - Voice
http://bryanfields.net
8:50 a.m.
Le 07/01/2019 à 14:38, Nat Morris a écrit :
The Amazon BYOIP product relies on using RPKI ROAs to
reliably verify
the owner of the prefix is authorising AWS to announce it.
Thank you. I didn't really understand that part of the documentation.
Now I do.
So, let's forget Amazon for now ;-)
73 de TKABI
8:18 a.m.
Unfortunately, AWS's IP announcement service is currently incompatible
with AMPRnet space, as it requires RPKI to deploy (a feature which is
not available on legacy space such as AMPRnet).
Likely wouldn't be practical either as the IPs are assigned to AWS
instances and are not (as far as I know) routed to the end customer
directly under any circumstances.
Jacob Slater / K5AN
On Mon, Jan 7, 2019 at 8:30 AM Toussaint OTTAVI <t.ottavi(a)bc-109.com> wrote:
Hi all,
We are already announcing a subnet with BGP via a low-cost virtual
instance at Vultr. It works fine. As we'll soon deploy our second data
center, and we'll start migrating from our old-style 10.44.0.0/16
private addressing to full AMPRNet addressing, I was wondering if I
could find a second low-cost BGP provider for redundancy.
I saw that Amazon now provides "Bring your Own IP" features :
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/introducing…
Did someone already tried it ? Would it be suitable for AMPRNet
announcement ? Is this feature available outside of the U.S ? Amazon
seems to provide free account during one year. Are there any volunteers
to try out ?
73 QRO & Happy New Year de TK1BI
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
9:06 a.m.
Le 07/01/2019 à 15:18, Jacob Slater via 44Net a écrit :
Likely wouldn't be practical either as the IPs are
assigned to AWS
instances and are not (as far as I know) routed to the end customer
directly under any circumstances.
The right question would be :
On an AWS instance, is it possible to have another public (non-AMPRNet)
IP, so that we can build a tunnel to where we want, and route our
AMPRNet subnet through it ?
Moreover, I never tried Amazon cloud services, but Microsoft Azure has a
built-in VPN system. It's possible to established IPSec tunnels between
Azure VMs and a local router. I saw Amazon has a feature called "VPC"
(Virtual Private Cloud). I don't know it it's the same thing, and if
it's suitable to connect AWS instances with local resources via a VPN.
9:14 a.m.
On Mon, 2019-01-07 at 16:06 +0100, Toussaint OTTAVI wrote:
The right question would be :
On an AWS instance, is it possible to have another public (non-
AMPRNet) IP, so that we can build a tunnel to where we want, and route
our AMPRNet subnet through it ?
Moreover, I never tried Amazon cloud services, but Microsoft Azure has
a built-in VPN system. It's possible to established IPSec tunnels
between Azure VMs and a local router. I saw Amazon has a feature
called "VPC" (Virtual Private Cloud). I don't know it it's the same
thing, and if it's suitable to connect AWS instances with local
resources via a VPN.
I think the general problems with doing any forwarding/routing on an AWS
instance is their layer 3 abstraction foo. AWS instances have private
IPs that are mapped (elsewhere) to a public IP, at no point does the
public IP/Network exist on the AWS instance.
-Jim P.
9:24 a.m.
Le 07/01/2019 à 16:14, Jim Popovitch via 44Net a écrit :
AWS instances have private
IPs that are mapped (elsewhere) to a public IP, at no point does the
public IP/Network exist on the AWS instance.
Then, making our own tunnel between an AWS instance and some local suff
may not be doable easily.
But maybe it's doable with Amazon integrated "VPC" feature ?
9:31 a.m.
On Mon, 2019-01-07 at 16:24 +0100, Toussaint OTTAVI wrote:
Le 07/01/2019 à 16:14, Jim Popovitch via 44Net a
écrit :
AFAIK, their VPC "feature" is really just internal/external DNS views.
A hostname blah.domain.tld (using their DNS system) will resolve with
the internal instance IP (which is only v4 btw) when queried from inside
AWS and with the external IP address when queried from the normal part
of the world.
-Jim P.
AWS instances have private
IPs that are mapped (elsewhere) to a public IP, at no point does the
public IP/Network exist on the AWS instance.
Then, making our own tunnel between an AWS instance and some local
suff may not be doable easily.
But maybe it's doable with Amazon integrated "VPC" feature ?
9:47 a.m.
Le 07/01/2019 à 16:31, Jim Popovitch via 44Net a écrit :
AFAIK, their VPC "feature" is really just
internal/external DNS views.
Wow !
The VPN feature of Azure is amazing, because VMs are not on Internet,
but can be integrated into an existing network. It's as if Azure was a
new remote site. This what I call "Private Cloud" ;-) I just thought
Amazon would provide a similar feature...
End of the game. Let's forget Amazon ;-)
73 de TK1BI
2148
days inactive
2148
days old
11 comments
6 participants
participants (6)
-
Bryan Fields -
Darcy Buskermolen -
Jacob Slater -
Jim Popovitch -
Nat Morris -
Toussaint OTTAVI