What specifically does the gateway need to do?

Date: Sun, 14 Jun 2015 18:20:22 -0700 From: Brian Kantor <Brian(a)ucsd.edu> Reply-To: AMPRNet working group <44net(a)hamradio.ucsd.edu> To: AMPRNet working group <44net(a)hamradio.ucsd.edu> Subject: Re: [44net] AMPRNet Interoperability with BGP (Please trim inclusions from previous messages) _______________________________________________ On Sun, Jun 14, 2015 at 05:26:26PM -0700, Tim Osburn wrote: I'm willing but not able. The server 'amprgw' is an old FreeBSD system that doesn't understand GRE. We have been discussing updating it to a more modern system (both hardware and software) but at this point it doesn't seem like that's going to happen. We've not been able to identify ANY router product that can do what the gateway needs to do in order to replace 'amprgw'. I have an alternative suggestion, which would be to find an ISP or two that are willing to take over the IPIP tunnel routing. They would BGP advertise /24 summary routes for the smaller tunnels, as well as appropriate routes for the wider tunneled subnets. That way there is no fixed route that blinds the tunnels to the BGP subnets. UCSD could still advertise the 44/8 overarching route (which I strongly believe is essential to preventing prefix hijacks), but since there would be more specific routes for the BGP and tunnel subnets, that wouldn't matter. It would only be necessary for the tunneled gateways to change their tunnel endpoint address -- there is no need for tunneled gateways to suddenly have to change software or overall configuration. Flaws? - Brian

Date: Sun, 14 Jun 2015 21:45:44 -0700 From: Brian Kantor <Brian(a)ucsd.edu> Reply-To: AMPRNet working group <44net(a)hamradio.ucsd.edu> To: AMPRNet working group <44net(a)hamradio.ucsd.edu> Subject: Re: [44net] AMPRNet Interoperability with BGP (Please trim inclusions from previous messages) _______________________________________________ On Sun, Jun 14, 2015 at 08:44:05PM -0700, Tim Osburn wrote: What you seem to suggest would be to put the SHIM essentially in series with the telescope and have amprgw forward all outbound 44/8 traffic to the SHIM - where some of it would be encapsulated to the various tunnel gateways. If I understand what you're proposing, the traffic to the BGP-routed 44 subnets would travel from the SHIM over the GRE tunnel to the ISPs who would then route it appropriately. All inbound 44/8 traffic which didn't pass the filters would be routed to the telescope. This requires that TWO boxes know about the gateway subnets, as well as having the SHIM learn about the BGP-routed subnets via BGP from the ISP over the GRE tunnel. This seems needlessly complex. It also means that all telescope data has to pass through the SHIM box, which could tax an underpowered box. (I'm not familiar with the SHIM box itself.)

A year or more ago we discussed a scheme where each BGP-routed subnet would simply register a route in the gateways table that pointed to a cooperating router (off the UCSD network) which was capable of decapsulating the tunneled packets and routing them appropriately. This has two advantages: it doesn't require any additional hardware and it doesn't require any changes in the UCSD gateway or network. I don't know how hard it would be to set up a general decapsulator in an existing router, but if it's not too difficult this is a simple step to get where we want to go, don't you think? True, it means that each new BGP subnet would have to register a single entry in the portal, but I don't see that as a hassle. What do you think of this alternative?

In the grand scheme of things, even rounded up to /24s, the total allocated ham radio space is miniscule compared to the unallocated space anyway. I think the researchers already factor this in. I also see the number of tunnel gateways decreasing in future. - Brian

Date: Mon, 15 Jun 2015 07:37:56 +0200 From: Jann Traschewski <jann(a)gmx.de> Reply-To: AMPRNet working group <44net(a)hamradio.ucsd.edu> To: AMPRNet working group <44net(a)hamradio.ucsd.edu> Subject: Re: [44net] AMPRNet Interoperability with BGP (Please trim inclusions from previous messages) _______________________________________________ On 15.06.2015 07:17, Tim Osburn wrote: +1 Once that's working it would be nice to let the maintainers of the current 53 authorized BGP prefixes decide (e.g. through the AMPRNet Portal) whether they want to add an IPIP route for their prefix pointing to router Z which is decapsulating traffic directed to these nets or not (some do setup an IPIP endpoint theirself already). This way we are able to keep End-to-End-Communication (Source-44 to Dest-44) alive and source-route-filtered gateways do not net to NAT through their ISPs commercial address(es).

Btw: My current workaround would be to parse the BGP-table of the Internet for net44-prefixes and do it myself (I have something similar to "router Z"). I would be happy if there is a non-private solution... 73, Jann

I remember that, I setup a tunnel but I don't think anyone did any testing with it.

Maybe it is time for some crowdfunding?

(Please trim inclusions from previous messages) _______________________________________________ On 6/15/15 2:22 AM, Brian Kantor wrote: 10g interfaces? What is the utilization of the interfaces? If it's a transiting an old freeBSD box (still need details on this), surely we're unable to do 10g Ethernet in something that old (5.3 was the time 10g was introduced for the Intel driver), and since that's the choke point, a raspberry PI or router-board would be able to handle 1g. I have a quad xeon server I'd be willing to donate to it if need be. It's even got an IPMI in it and 6 x1g copper interfaces, and I use it as my backup virtual router lab. How about a donation from the network telescope people, since they are using 44/8 for free? If they are unable to provide even the smallest help, what benefit does it give ham radio/ARDC for them to use the netblock? -- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net _________________________________________ 44Net mailing list 44Net(a)hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net

People typically don't have rackmount servers sitting around

(Please trim inclusions from previous messages) _______________________________________________ On Sun, Jun 14, 2015 at 08:44:05PM -0700, Tim Osburn wrote: well [...] [...] I want to say that I think that this is the best of the three solutions that have been proposed, for several reasons: First, it completely solves the problem. Full end-to-end connectivity between the legacy tunneled subnets and the modern BGP-advertised subnets would be restored. Second, it is flexible. Assuming that the routing in the ISP's router is generated by automated scripts from the encap table data, no manual intervention is necessary when tunnel gateways come or go. Updates could occur as often as desired, whether hourly or daily at the ISP's discretion. Third, it's compatable. No one has to do anything on the BGP side of the house, and the only thing the tunneled folk have to do is a one-time update of their configuration to reflect the new tunnel endpoint address. Fourth, it's inexpensive. No hardware needs to be purchased/donated and very little software needs to be developed or configured (scripts to convert the encap data to Cisco and Mikrotik routers already exist). Fifth, it's not very disruptive. There would not be much of a outage; none for the BGP folk and only the one config change for the tunnel folk. Sixth, it takes UCSD and me both out of the loop. We'd simply shut down the UCSD tunnel gateway system after the conversion is complete. Seventh, it's not much of a burden on the ISP that takes over the tunnel routing. The amount of additional traffic they'd be handling is small since the tunnel subnets are small as well. Downside: the tunnel folks would see a small increase in the amount of IBR they have to contend with as the filtering that the current tunnel router does would be reduced to subnet-only selection, rather than being ANDed with the DNS. I think this would be acceptable, and it removes the existing dependency on the DNS. I would appreciate it if people were to give this proposal serious consideration, including whether an ISP will come forward that would be willing to do this. I'm hoping there is; after all, the burden on the ISP is little different from that of the 'shim' proposal and I got the distinct impression that at least one ISP had already volunteered to host that solution. I'd like to get this underway as soon as practical. The existing lack of connectivity has obtained for too long already. Comments please? - Brian _________________________________________ 44Net mailing list 44Net(a)hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net

(Please trim inclusions from previous messages) _______________________________________________ On Tue, Jun 16, 2015 at 07:09:45AM -0700, Cory (NQ1E) wrote: After summarizing the smaller routes at the /24 level, the number of subnet routes that would have to be advertised is about 350. If we summarize at the /16 level, there would have to be about 12. We *know* that most of the approx 475 gateways in the database are no longer active. These are still contributing to this total. Despite multiple requests by Chris, so far no one with PHP programming experience has stepped forward to help write the program that is necessary to clear them out. I would wager that the number of subnet routes necessary would drop precipitously if we were to eliminate the inactive gateways. - Brian _________________________________________ 44Net mailing list 44Net(a)hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net

(Please trim inclusions from previous messages) _______________________________________________ On Tue, Jun 16, 2015 at 09:25:01AM -0700, K7VE - John wrote: So you're doing exactly what I'm proposing except that you're using modern VPN technology instead of legacy IPIP. - Brian