Hi all,
We are already announcing a subnet with BGP via a low-cost virtual instance at Vultr. It works fine. As we'll soon deploy our second data center, and we'll start migrating from our old-style 10.44.0.0/16 private addressing to full AMPRNet addressing, I was wondering if I could find a second low-cost BGP provider for redundancy.
I saw that Amazon now provides "Bring your Own IP" features: https://aws.amazon.com/fr/blogs/networking-and-content-delivery/introducing-...
Has anyone already tried it? Would it be suitable for AMPRNet announcements? Is this feature available outside of the U.S.? Amazon seems to provide a free account for one year. Are there any volunteers to try it out?
73 QRO & Happy New Year de TK1BI
On Mon, Jan 7, 2019 at 1:28 PM Toussaint OTTAVI t.ottavi@bc-109.com wrote:
I saw that Amazon now provides "Bring your Own IP" features: https://aws.amazon.com/fr/blogs/networking-and-content-delivery/introducing-...
Has anyone already tried it? Would it be suitable for AMPRNet announcements? Is this feature available outside of the U.S.? Amazon seems to provide a free account for one year. Are there any volunteers to try it out?
Hello Toussaint,
The Amazon BYOIP product relies on using RPKI ROAs to reliably verify that the owner of the prefix is authorising AWS to announce it. Given there is no AMPRNET RPKI infrastructure (e.g. trust anchors), this is unlikely. At work before Christmas I spoke to AWS about that product, and they were proud to be using RPKI to validate prefix origination.
It would be neat for AMPR to have its own RPKI ROA signing built into the portal!
Kind regards,
That could be fairly easily achieved:
https://github.com/dragonresearch/rpki.net/
On Mon, Jan 7, 2019 at 6:37 AM Nat Morris nat@nuqe.net wrote:
It would be neat for AMPR to have its own RPKI ROA signing built into the portal!
-- Nat - MW7NAT
https://nat.ms +44 7531 750292
_________________________________________
44Net mailing list
44Net@mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
On 07/01/2019 at 15:44, Darcy Buskermolen via 44Net wrote:
That could be fairly easily achieved:
Hi Brian, we have a volunteer, HI :-)
73 de TK1BI
On 1/7/19 9:44 AM, Darcy Buskermolen via 44Net wrote:
That could be fairly easily achieved:
No, it cannot. ARIN will not do RPKI for legacy subnets unless they sign a Legacy RSA and give up ownership of the space.
RPKI for 44/8 will never happen as long as ARIN's policy stands.
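Nat's point that AWS validates BYOIP prefixes with RPKI ROAs, and Brian's that no ROA can ever exist for legacy 44/8 under ARIN's policy, both come down to the route origin validation procedure of RFC 6811. The following is an added example written for this thread, not code from any of the posters or from AWS: a small origin validator over a constructed ROA table (documentation prefixes and private-use ASNs only; nothing here is fetched from a real trust anchor). It shows the three possible states, and that a prefix with no covering ROA lands in "NotFound", which a strict "Valid only" onboarding policy rejects just like an "Invalid" route.

```python
"""RFC 6811 route origin validation against an RPKI ROA set.

Added example for this thread, not code from any poster: it shows why a
BYOIP service that insists on an RPKI match cannot take a prefix that
has no ROA.  All ROA entries and announcements below are constructed
test data, not fetched from a real trust anchor.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Iterable, List, Optional, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorisation: prefix, authorised origin AS, maxLength."""
    prefix: Net
    asn: int
    max_length: int


def make_roa(prefix: str, asn: int, max_length: Optional[int] = None) -> ROA:
    """Build a ROA; maxLength defaults to the prefix length (RFC 6482)."""
    net = ip_network(prefix, strict=True)
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError(f"maxLength {ml} out of range for {net}")
    return ROA(net, asn, ml)


def covering_roas(roas: Iterable[ROA], route: Net) -> List[ROA]:
    """ROAs whose prefix contains the announced route (same address family)."""
    return [r for r in roas
            if r.prefix.version == route.version and route.subnet_of(r.prefix)]


def validate(roas: Iterable[ROA], prefix: str, origin_asn: int) -> str:
    """Return the RFC 6811 state: 'Valid', 'Invalid' or 'NotFound'.

    NotFound: no ROA covers the route (the legacy-space situation in the
              thread; nothing can be signed, so nothing is ever 'Valid').
    Valid:    some covering ROA names this origin AS and allows this length.
    Invalid:  covered, but origin or length matches no ROA
              (an AS 0 ROA, RFC 6483, matches no origin at all).
    """
    route = ip_network(prefix, strict=True)
    covering = covering_roas(roas, route)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def byoip_acceptable(roas: Iterable[ROA], prefix: str, origin_asn: int) -> bool:
    """Strict onboarding policy (an assumption mirroring the thread's description
    of AWS): only an RPKI-Valid origin is accepted, so 'NotFound' legacy
    space is rejected exactly like an 'Invalid' route."""
    return validate(roas, prefix, origin_asn) == "Valid"


# Constructed ROA table (documentation prefixes and private-use ASNs).
ROAS = [
    make_roa("203.0.113.0/24", 64496, max_length=25),  # allows /24 and /25
    make_roa("2001:db8::/32", 64496, max_length=48),
    make_roa("198.51.100.0/24", 0),                    # AS 0: nobody may originate
]

# Constructed announcements as (prefix, origin AS); 44.0.0.0/8 stands in for
# the legacy block discussed in the thread, which has no ROA at all.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),
    ("203.0.113.0/25", 64496),
    ("203.0.113.0/26", 64496),   # more specific than maxLength
    ("203.0.113.0/24", 64511),   # wrong origin AS
    ("203.0.112.0/23", 64496),   # less specific than any ROA: not covered
    ("2001:db8:1::/48", 64496),
    ("198.51.100.0/24", 64496),
    ("44.0.0.0/8", 64496),
]


def report(roas: Iterable[ROA] = ROAS, announcements=ANNOUNCEMENTS):
    """Validation state for every announcement, keyed by (prefix, origin)."""
    roas = list(roas)
    return {(p, a): validate(roas, p, a) for p, a in announcements}


if __name__ == "__main__":
    for (p, a), state in report().items():
        print(f"{p:<18} AS{a:<6} {state:<8} byoip_ok={byoip_acceptable(ROAS, p, a)}")
```

The version check before `subnet_of` matters: the standard library raises on a mixed IPv4/IPv6 comparison, and a validator that crashes on a v6 route against a v4 ROA table is a validator that gets bypassed. The same logic is what an RPKI-aware BGP speaker applies per route; the only difference in a cloud onboarding flow is that the prefix owner, not a router, is the party being asked to prove authorisation.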
On 07/01/2019 at 14:38, Nat Morris wrote:
The Amazon BYOIP product relies on using RPKI ROAs to reliably verify that the owner of the prefix is authorising AWS to announce it.
Thank you. I didn't really understand that part of the documentation. Now I do.
So, let's forget Amazon for now ;-)
73 de TK1BI
Unfortunately, AWS's IP announcement service is currently incompatible with AMPRnet space, as it requires RPKI to deploy (a feature which is not available on legacy space such as AMPRnet). Likely wouldn't be practical either as the IPs are assigned to AWS instances and are not (as far as I know) routed to the end customer directly under any circumstances.
Jacob Slater / K5AN
On Mon, Jan 7, 2019 at 8:30 AM Toussaint OTTAVI t.ottavi@bc-109.com wrote:
Has anyone already tried it? Would it be suitable for AMPRNet announcements?
On 07/01/2019 at 15:18, Jacob Slater via 44Net wrote:
Likely wouldn't be practical either as the IPs are assigned to AWS instances and are not (as far as I know) routed to the end customer directly under any circumstances.
The right question would be: on an AWS instance, is it possible to have another public (non-AMPRNet) IP, so that we can build a tunnel to where we want, and route our AMPRNet subnet through it?
Moreover, I never tried Amazon cloud services, but Microsoft Azure has a built-in VPN system. It's possible to establish IPsec tunnels between Azure VMs and a local router. I saw Amazon has a feature called "VPC" (Virtual Private Cloud). I don't know if it's the same thing, and if it's suitable to connect AWS instances with local resources via a VPN.
On Mon, 2019-01-07 at 16:06 +0100, Toussaint OTTAVI wrote:
The right question would be: on an AWS instance, is it possible to have another public (non-AMPRNet) IP, so that we can build a tunnel to where we want, and route our AMPRNet subnet through it?
Moreover, I never tried Amazon cloud services, but Microsoft Azure has a built-in VPN system. It's possible to establish IPsec tunnels between Azure VMs and a local router. I saw Amazon has a feature called "VPC" (Virtual Private Cloud). I don't know if it's the same thing, and if it's suitable to connect AWS instances with local resources via a VPN.
I think the general problem with doing any forwarding/routing on an AWS instance is their layer 3 abstraction foo. AWS instances have private IPs that are mapped (elsewhere) to a public IP; at no point does the public IP/network exist on the AWS instance.
-Jim P.
On 07/01/2019 at 16:14, Jim Popovitch via 44Net wrote:
AWS instances have private IPs that are mapped (elsewhere) to a public IP, at no point does the public IP/Network exist on the AWS instance.
Then, making our own tunnel between an AWS instance and some local stuff may not be easily doable.
But maybe it's doable with Amazon's integrated "VPC" feature?
On Mon, 2019-01-07 at 16:24 +0100, Toussaint OTTAVI wrote:
But maybe it's doable with Amazon's integrated "VPC" feature?
AFAIK, their VPC "feature" is really just internal/external DNS views. A hostname blah.domain.tld (using their DNS system) will resolve with the internal instance IP (which is only v4 btw) when queried from inside AWS and with the external IP address when queried from the normal part of the world.
-Jim P.
On 07/01/2019 at 16:31, Jim Popovitch via 44Net wrote:
AFAIK, their VPC "feature" is really just internal/external DNS views.
Wow !
The VPN feature of Azure is amazing, because VMs are not on the Internet, but can be integrated into an existing network. It's as if Azure were a new remote site. This is what I call "Private Cloud" ;-) I just thought Amazon would provide a similar feature...
End of the game. Let's forget Amazon ;-)
73 de TK1BI