You wouldn't do BGP over tunnels. BGP is for the "border" nodes, e.g. those nodes which connect the pieces of 44 into the Internet. If you want to use IPIP behind the BGP, or GRE, L2TP, within your subnets, nobody should care -- but this every node has an "encap.txt" file is, IMHO, crazy. BGP node provides endpoint for tunnels (VPN, IPIP, etc.) subnet nodes connect to the BGP node via tunnel, the BGP node routes to the rest of 44.x.x.x and the Internet. Then the simple node is easy. Who is my BGP border node? How do I VPN to it? Set up VPN (or Tunnel) to it. Done. ________________________________ John D. Hays K7VE PO Box 1223, Edmonds, WA 98020-1223 On Thu, Apr 24, 2014 at 4:24 PM, Don Fanning <don(a)00100100.net> wrote: > (Please trim inclusions from previous messages) > _______________________________________________ > I'm of the opinion that it should be kept the simplest possible and let > people deal with their own networks. Give the people the basics needed to > create a connection and get the routes. Then if they want to block people, > they can add a static route dropping them or a firewall rule. > > I feel BGP over GRE or DMVPN is overkill as beyond the extra functionality > of GRE being able to do multicast and other kinds of traffic, there is no > added value to what we already have with IPIP and RIP44d/encap. Within > 44net, it's a different story - go RIP/OSPF and IPSec for all I care. But > setting up tunnels should be kept simplistic. >

You would still need to have at least one "master" tunnel to be able to get the VPN information to form tunnels. All DMVPN connections have one dedicated link to a "hub" router. Which means having to keep a fleet of machines (assuming you don't want a SPOF) that will act as the "master" routers serving all the "spoke" routers. On Thu, Apr 24, 2014 at 4:32 PM, K7VE - John <k7ve(a)k7ve.org> wrote: > (Please trim inclusions from previous messages) > _______________________________________________ > You wouldn't do BGP over tunnels. BGP is for the "border" nodes, e.g. > those nodes which connect the pieces of 44 into the Internet. If you > want to use IPIP behind the BGP, or GRE, L2TP, within your subnets, > nobody should care -- but this every node has an "encap.txt" file is, > IMHO, crazy. > > BGP node provides endpoint for tunnels (VPN, IPIP, etc.) > subnet nodes connect to the BGP node via tunnel, the BGP node routes > to the rest of 44.x.x.x and the Internet. > > Then the simple node is easy. > > Who is my BGP border node? > How do I VPN to it? > Set up VPN (or Tunnel) to it. > Done. > > > > ________________________________ > John D. Hays > K7VE > PO Box 1223, Edmonds, WA 98020-1223 > > > > On Thu, Apr 24, 2014 at 4:24 PM, Don Fanning <don(a)00100100.net> wrote: > > (Please trim inclusions from previous messages) > > _______________________________________________ > > I'm of the opinion that it should be kept the simplest possible and let > > people deal with their own networks. Give the people the basics needed > to > > create a connection and get the routes. Then if they want to block > people, > > they can add a static route dropping them or a firewall rule. > > > > I feel BGP over GRE or DMVPN is overkill as beyond the extra > functionality > > of GRE being able to do multicast and other kinds of traffic, there is no > > added value to what we already have with IPIP and RIP44d/encap. Within > > 44net, it's a different story - go RIP/OSPF and IPSec for all I care. > But > > setting up tunnels should be kept simplistic. > >

On Thu, Apr 24, 2014 at 5:25 PM, Eric Fort <eric.fort(a)gmail.com> wrote: It allows flexible routing... but I still stand by BGP being overkill for 44net and adds additional hassles of AS numbers to manage and keep track of along with hard limits of AS numbers unless you start doing 4-byte ASN's... which increases more information to keep track of and manage. We're having enough issues keeping DNS managed in a global sense as it is... once BGP peered to the internet cloud, let the cloud do the routing and I think John means this would be a private BGP and AS and not something requiring something from IANA/RIR's. You would still need a tunnel back to a master hub to get GRE tunnel information via NHRP as that information isn't obtain by BGP magic. With most any routing protocol... BGP for instance it would advertise that your network is available via AS numbers. But most routing protocols do exactly the same thing. BGP just adds alot of extra options like a luxury car so that you can tune your traffic as you'd like (for instance you can advertise that you want most of your ingress traffic to come over RF unless the link is over 80% utilization in which case you can have them come over another network connection.

On Thu, 24 Apr 2014 20:02:26 -0700, K7VE - John <k7ve(a)k7ve.org> wrote: The same rationale would and should apply to companies like GE. They have 3.x.x.x/8 and they use them internally, not just the Internet facing hosts, but every host in their system. Then they pile VLANs on top of the same hardware and run 10.x's all over for "security" or "legacy" purposes.It makes no sense to me to see them using net 3 for hosts that are behind firewalls and proxies or which are never intended to be reachable from anywhere outside their systems. Exactly how do big corporations interconnect their islands of facilities? Isn't their topology exactly like the one we face? -- Geoff Joy - ke6qh - AmprNet IP Address Coordinator for San Bernardino & Riverside Counties. (44.18/16)

On Thu, Apr 24, 2014 at 8:02 PM, K7VE - John <k7ve(a)k7ve.org> wrote: Most people wouldn't be able to take advantage of this sort of connection because most people aren't running datacenters in their houses or have that level of connectivity at their fingertips. In this configuration, all these BGP routers would not only have to take in the load for the entire network and figure out between them where the traffic goes, but also pump out the traffic. Since many places charge for bandwidth, it becomes a network system running at a financial loss to those operators instead of a cost neutral basis which it is now. I'm willing to bet that the FCC is going to walk away from net neutrality therefore it's only a matter of time before traffic is metered on both ends. Additionally, this configuration would also have no mitigation against DoS attacks as likely the target is within the network so should you try and blacklist the target or shun at a peer upstream, the DoS traffic will just redirect to one of the BGP routers that states it is accepting traffic for it that you don't control and the same thing happens. Larger groups of people are affected instead of smaller islands. But if you're saying we should just consolidate 44net into a bank of geographically located routers owned and managed and billed by ARDC, then maybe it should be brought up to the directors as discussed in last week's thread. Personally, this may be the better way of going as getting more than two people to agree on here seems almost impossible... In a DMVPN configuration, you can get away with having smaller numbers of VPN's as they're dynamically built and disconnected. But these routers don't support DMVPN or GRE. One would be better off with a RaspberryPi and a custom linux build vs buying one of these devices. We should always keep in mind that there are many of us that aren't as well connected as others and may not have access to data centers. Having a simpler network lowers the bar of entry so that everyone who doesn't have access to a colocation or a willing ISP that can broadcast BGP announcements can at least participate at a peer level without someone getting stuck for the check at the end of the day or being subject to gatekeepers. 44.x.x.x is part of the Internet's addressable space. If we don't use Except for when you are already using 10/8 as it's private non-routable space. The whole point is that it should be routable to all. Not just select network segments who can afford it.

On 2014-04-24 23:07, K7VE - John wrote: Don't be too sure; some of the German sites are running webcams refreshed every ten minutes ... and yes, I've viewing them.

On Thu, Apr 24, 2014 at 11:07:32PM -0700, K7VE - John wrote: The ham-related two-way traffic, perhaps. The probes and backscatter amount to quite a bit more traffic than that. - Brian

On 25.4.2014 5:02, K7VE - John wrote: Actually there is a big difference. Within 44.x.x.x you have safe IP addressing. It is impossible to have address conflicts with any other network if you interconnect. 10.x.x.x is reused all over the planet, whenever someone needs addresses for private network. Conflicts are inevitable. Pedja YT9TP --- This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.com

The University of Iowa being one of them (128.255.0.0/16) :-). It's where I work. On Fri, Apr 25, 2014 at 1:44 AM, Dean Gibson AE7Q <ampr(a)ae7q.com> wrote: -- Neil Johnson http://erudicon.com

+1 I have just joined the list and received my new 44 ip again, about 17 years I left my old one. We can not define our network having to trust ISP to announce parts of the 44 network for free. I think that most we could do may be asking universities and so to route those kind of 44 address blocks, maybe per country (or bigger blocks if possible)... and then try to route the traffic tunneling (GRE probed to be a good solution some years ago with the open wireless free network projects) or via radio if the distance allow us to do it. Of course, asking one individual to arrange with his DSL provider one /32 or a /24 announced ... is not realistic. At least in Spain, EA. Jaime, EA4TV El 25/04/2014 17:09, "Neil Johnson" <neil.johnson(a)erudicon.com> escribió:

Yes but... If we group subnets, we can reduce the number of peers and group subnets though tunnels. Then running ospf inside the subnets and bgp between big 44 islands. :-)

On 25.4.2014 8:45, Eric Fort wrote: It's not that simple. It might work if amateurs are only one to use it, but they are not. I have 10.* in my home. I have 10.* in my company, actually 10.* in each company's office. I have 10.* in our city wireless community. I have 10.* in our national wireless network that connects all local wireless communities. I have 10.* in most private lans of my clients that I connect to via VPN. It is really hard to avoid conflicts there. 44/8 is blessing. --- This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.com

It's not just hard to avoid conflicts -- It's impossible to avoid conflicts. So, can we finally dispense with the 10.x discussion? I think we've had to endure that silliness long enough. Michael N6MEF -----Original Message----- From: 44net-bounces+n6mef=mefox.org(a)hamradio.ucsd.edu [mailto:44net-bounces+n6mef=mefox.org@hamradio.ucsd.edu] On Behalf Of Don Fanning Sent: Friday, April 25, 2014 12:07 AM To: AMPRNet working group Subject: Re: [44net] What is 44net? (Please trim inclusions from previous messages) _______________________________________________ On Fri, Apr 25, 2014 at 12:03 AM, YT9TP Pedja <yt9tp(a)uzice.net> wrote: Amen to that.

Let me just make this clear as I can. Using BGP to bring islands of net-44 into the Internet -- Does not mean end users need BGP Does not mean end users need BGP Does not mean end users need BGP Does not mean end users need BGP Does not mean end users need BGP Does not mean end users need BGP A few, maybe as little as 10, border nodes might run BGP and *provide VPN/Tunnel services to everyone else* and not everyone needs to run the same VPN/Tunnel protocol. Routing takes care of getting from point A to point B. The idea is to have a fully connected address space using the Internet/BGP to interconnect. There can be multi-homing and tiers to minimize single points of failure. How many of you can say your 'home' ampr-lan doesn't have a single point of failure? Encap/IPIP and RIP tables could theoretically have 16 million entries for Net-44, why not use aggregation and a tiered network instead? As I see it, the end user would use a router (a cheap Mikrotik or RasPi) with one or more upstream VPN connections to a border node or sub-tier router and would route all non-local 44net traffic over that connection/those connections. All the user needs is a VPN/Tunnel configuration and credentials provided by the border node/tier router operator. So much simpler. Think big net, not personal net. ------------------------------ John D. Hays K7VE PO Box 1223, Edmonds, WA 98020-1223 <http://k7ve.org/blog> <http://twitter.com/#!/john_hays> <http://www.facebook.com/john.d.hays>

On Fri, Apr 25, 2014 at 11:29 AM, YT9TP - Pedja &lt;yt9tp(a)uzice.net&gt; wrote: Yes. ------------------------------ John D. Hays K7VE PO Box 1223, Edmonds, WA 98020-1223 <http://k7ve.org/blog> <http://twitter.com/#!/john_hays> <http://www.facebook.com/john.d.hays>

On 25.4.2014 20:31, K7VE - John wrote: Does that mean we can use single ASN and advertize all routes using that one, and subnets do not even need to use BGP, just simple default gateway through their internet links? Pedja YT9TP --- This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.com

On Fri, Apr 25, 2014 at 8:29 PM, YT9TP - Pedja &lt;yt9tp(a)uzice.net&gt; wrote: This is already happening: 44/8 gets announced by UCSD then there are a few smaller networks that get announced. Like 44.144/16 in Belgium, 44.140/16 in Sweden, a 44.x /16 in italy, and a few /24's of individual hams here and there who probably have BGP at their work. Routing will always prefer the smaller subnet, meaning that traffic for 44.144 will be send to the BGP gateway in belgium while the USCD gateway also covers this network with 44/8 If someone starts announcing eg 44.144.124.0/24 on another BGP gateway, the traffic will go to that gateway even though there is also a 44.144/16 gateway and a 44/8 gateway. 73s Robbie ON4SAX

On Fri, Apr 25, 2014 at 11:36 AM, Don Fanning &lt;don(a)00100100.net&gt; wrote: So how do you do it now? You use an IPIP tunnel (another type of VPN), nothing changes for the end user except, his tables get much smaller, she routes local 44.x.x.x traffic locally and uses an IPIP tunnel to a tier or border router. I'm not talking about one basket, but even if I was, it probably would have greater overall reliability than the 386 JNOS machine with hundreds of IPIP rules. It doesn't, but that should be a choice left to the endpoints. As already stated there are such routers already in place in Sweden, Belgium, Germany, US, Canada, and other locations. The people that run them have arrangements to do so, and the "masses" don't have to worry about that. If you want a TOS of 5 9's you aren't talking amateur radio. Don't overlay business/government network requirements to what is essentially an experimenter's network, that may have some need for reliable services which can be addressed in data centers and by replication and other methods. Data center resources are getting uber-cheap -- check out http://www.cloudatcost.com ________________________________ John D. Hays K7VE PO Box 1223, Edmonds, WA 98020-1223

-----Original Message----- So you're creating multiple new single points of failure. With your plan, I can get to a few other local gateways. Anything else has to go through this new single point of failure locally, plus, presumably, and another single point of failure near my destination. So most worldwide connectivity would now have to traverse two single points of failure that currently don't exist. This is good because ...? Michael N6MEF

In the IPIP tunnels, on both ends, you have a single point of failure since you cannot multihome (as discussed 25 MAR "Can't add redundant AMPR gateway to portal"). I know that the network I'm building as well as a few other BGP announced networks are multihomed -- no single point of failure to the internet. In fact, we have planned for one of the BGP announcements and peering to take place at one of our RF point of presences. Another advantage is latency... having traffic travel from Memphis to San Diego and back just to get from my cellphone to a 44net-connected server in the same room is disappointing. On Fri, Apr 25, 2014 at 6:01 PM, K7VE - John &lt;k7ve(a)k7ve.org&gt; wrote: > (Please trim inclusions from previous messages) > _______________________________________________ > Most failures are localized and temporary. > > > ------------------------------ > John D. Hays > K7VE > PO Box 1223, Edmonds, WA 98020-1223 > <http://k7ve.org/blog> <http://twitter.com/#!/john_hays> > <http://www.facebook.com/john.d.hays> > > > On Fri, Apr 25, 2014 at 3:41 PM, Michael E Fox - N6MEF &lt;n6mef(a)mefox.org > >wrote: > > > (Please trim inclusions from previous messages) > > _______________________________________________ > > > > > > -----Original Message----- > > > > >So how do you do it now? You use an IPIP tunnel (another type of > > >VPN), nothing changes for the end user except, his tables get much > > >smaller, she routes local 44.x.x.x traffic locally and uses an IPIP > > >tunnel to a tier or border router. > > > > So you're creating multiple new single points of failure. With your > plan, > > I > > can get to a few other local gateways. Anything else has to go through > > this > > new single point of failure locally, plus, presumably, and another single > > point of failure near my destination. So most worldwide connectivity > would > > now have to traverse two single points of failure that currently don't > > exist. This is good because ...? > > > > Michael > > N6MEF > > > > > > > > _________________________________________ > > 44Net mailing list > > 44Net(a)hamradio.ucsd.edu > > http://hamradio.ucsd.edu/mailman/listinfo/44net > > >

_______________________________________________ In the IPIP tunnels, on both ends, you have a single point of failure since you cannot multihome (as discussed 25 MAR "Can't add redundant AMPR gateway to portal"). N6MEF: Apples and oranges. For my own end-points, I don't have to rely on anyone else if they need attention. The plan that's being discussed would put two additional points of failure between my end points and most other end points and the keeper of those points of failure has no contractual obligation to do anything. If he's away for the summer on vacation or sick or at the movies or out to dinner or ... oh, well. N6MEF: As for redundant end points, I see nothing in the proposal that fixes that. The proposal merely take one full mesh and breaks it into multiple full meshes, each with the same problem (non-redundant end-points) as before, with the added bonus of two new single points of failure in between. I know that the network I'm building as well as a few other BGP announced networks are multihomed -- no single point of failure to the internet. In fact, we have planned for one of the BGP announcements and peering to take place at one of our RF point of presences. N6MEF: Perhaps that's true of the one you're building. I don't see that listed as a requirement in general. And will you have backup sysops? And monitoring? And how will people report problems to you? What happens when you go on vacation or are sick or asleep or on a business trip or ... Today, by the good graces of UCSD, we have a gateway that Brian supports well, when he can. There have been outages, but because of the full-mesh design, they have had ZERO impact on tunnel traffic. So if the volunteer can't work on it right away, only Internet traffic is impacted. And we all have the option to send Internet traffic (NATed) out our own home router. This plan would create intermediaries such that an outage WOULD impact tunnel traffic and we're at the mercy of whoever pushes his way into being that middle man. No thank you. Another advantage is latency... having traffic travel from Memphis to San Diego and back just to get from my cellphone to a 44net-connected server in the same room is disappointing. N6MEF: Yes, THAT is a problem worth solving (in addition to allowing alternate endpoint gateways). But we need a solution that doesn't create additional problems. Let's take a step forward, not two steps backward. There is an ENOURMOUS difference between a multi-homed AS, with multiple BGP external gateways (as large corporations would have with multiple sites interconnected by VPN ) and making multiple AS's by inserting BGP gateways in the middle of "internal" (44-to-44) traffic. Michael N6MEF

You are making a big leap here. Nobody is going to tell you who you are going to have for neighbors or up stream. Find someone you trust, that has the contingency plan you feel comfortable with and connect to them. They don't even have to be in your neighborhood. N6MEF: Then I choose nothing. Currently, when my packets leave my gateway, they travel through commercial carrier networks to reach the destination gateway. Those carriers have service level agreements, redundancy, diversity, 24x7 NOCs, 24x7 technicians, caches of spare equipment, help desks, etc. Your proposal would cause my traffic to ride some of those same carrier networks but then exit to some amateur near me who has none of those capabilities, then back onto the commercial networks, then back off to some other amateur near my destination, then back onto the commercial carrier to the destination. Do you really not see how silly that is? When a problem happens, either one or both of those amateurs may be at work, asleep, away on vacation, out to dinner, away on a business trip, or just not interesting in working on it at the time because he's watching the Star Trek marathon that weekend. Then there's always, "sorry guys, I'm being transferred for work, so I'm going to have to shut down my system." That's a huge step backward in reliability. I mean, seriously, why would anyone choose to add amateur operations into the middle of the existing all commercial/professional forwarding path that our full mesh of tunnels currently traverses? N6MEF: One of the nice things about AMPRnet over the old BBS network is we don't need to rely on each amateur in the path keeping their system running and configured properly. Anyone with experience in both will tell you there is simply no comparison. The old-style reliance on amateurs in the forwarding path is far, far less reliable. You would have us go backwards to that approach. Any plan will have the potential for failures. You might control your IPIP tunnel but what if your ISP goes away? Is the device that is running your tunnel on redundant power? Does it have redundant networking with failover and portability of your encapsulating IP address? Does very end point you want to talk to have those capabilities? N6MEF: Strawman arguments, all. If my ISP goes away, so would my connection to any local BGP hub in your plan. Or, if the remote endpoint dies, so does connectivity to that location, both in the existing mesh and in your plan. So let's not play games. Pointing out existing failure modes does nothing to mask the fact that your proposal has the same failure modes, plus it would add a pile of new ones. N6MEF: Bottom line, you plan introduces new/additional failure modes which have been pointed out by several people on this list and you've done nothing but dismiss them. I doubt anyone will want their traffic to have to traverse the facilities managed by someone with such a lack of appreciation for the problems that can occur and so little regard for their desire/need for stability and reliability. At my day job, every dollar that comes into our company arrives on an RJ-45, and it falls into my area of responsibility to make sure it stays up and we have failover and contingency plans. I understand these things. (I use geographically dispersed data centers, multiple carriers, redundant servers, etc. but there is still the potential to go down, at least temporarily, even even with service level agreements.) N6MEF: Got it. As I suspected, not a commercial/carrier network architect/engineer. Carrier network operations is an entirely different set of issues. Still, I'll bet your company doesn't rely on an amateur, with no service level agreement, no NOC, no backup staff, no 24x7 operations to manage connectivity between your data centers. I also understand that ham radio is a hobby.. N6MEF: Yes, amateur RADIO is a hobby. So knock yourself out experimenting with radio. But the last thing any of us needs is to have some amateur insert himself into the commercial networking path between gateways. Michael N6MEF

On 04/25/2014 03:41 PM, Michael E Fox - N6MEF wrote: I'd like to keep the IPIP mesh (perhaps enhanced with other protocols laid on top of each IPIP), since it is the fastest way of getting from network A to network B, where both are non-Internet-BGP'd 44nets. What I would like to see in addition though are VPN dial-ins (perhaps IPIP based, perhaps not) that provide the Internet transit, not inter-44net transit. This is so 44net users aren't having to spend lots of money arranging Internet BGP peers. A heirarchy of such gateways can be established. For example, Western Washington can run a gateway that serves its populace and announces 44.24/16. This is less-specific than user announcements but more-specific than the UCSD announcement. So it would simultaneously not deprive end-users of Internet BGP, and jump in front of UCSD needing to handle the traffic. Should UCSD fail, the Western Washington gateway stays up and any 44net<->Internet traffic for Western Washington users is unaffected by the UCSD failure. Should the Western Washington gateway fail, UCSD can take over (via its 44/8) and relay packets to users as it gets them. Users would need to hold connections with both gateways. I think this is how my proposal and John's proposals differ. I'd like to keep the IPIP mesh, not replace it with VPN concentrators. I'd just like to augment the UCSD single point of Internet transit with additional regional Internet transit points. Lastly, it's also possible for a regional gateway like the Western Washington one, to also announce 44/8 and provide Internet transit for all 44nets. It would then compete (based on a least-hop basis, and some other BGP attributes) with other such gateways (eg: UCSD) for the duty of delivering Internet traffic. This fixes the single point of failure right now @ UCSD. There are some open design questions in the implementation of these 44/8 gateways, but those details can be worked out. --Bart

On 2014-04-25 10:15, K7VE - John wrote: Well, what happens is that people get burned with conflicts using 192.168.0.x/24 or 192.168.1.x/24, when they add a new device to their network, and they seek to escape to 10.x.x.x/8, planning to avoid such conflicts, and run straight into VPN issues with everyone else that thinks that way. It doesn't take much effort or equipment to run a DMZ in a separate private-IP space from your LAN, and then if you have a VPN IP-address conflict in your DMZ, you can change IP addresses (or even network address space) there without affecting your LAN. Also, just because the 192.168.x.x block is 256 /24 networks, doesn't mean that you have to use it that way (ditto for 172.1x.x.x needing to be 16 /16 networks). I run a DMZ using 192.168.0.x/18, but only one host is in 192.168.0.x/24 (to deal with devices new to the network). Yes, I know this is all old-hat to most of us, but since the subject came up ... ps: If anyone ever intends to network with, to, or through D-Star DD-mode nodes, note that those are hard-allocated to the 10.x.x.x/8 block.