Now that we are all going to have to dive into our router configurations, wouldn't it be a good time to make some changes that are long overdue?
Like getting rid of the IPIP mesh and replacing it with something more modern, supported by off-the-shelf routers, that works behind NAT, etc.? I would say set up some routers with VPNs of different types around the world, have everyone connect to them using a suitable VPN protocol, and run BGP on it to announce the gateway subnets.
A $50 MikroTik can do those jobs; those that still want to run a JNOS system on MS-DOS can put one in front of their box and still use it. People are already using it for the IPIP mesh, so a change in topology would be only a config change for them. And the other routers mentioned here can do it too, without having to get external programs installed on them.
Those that want a direct connection without a centralized system in the path can simply set up a VPN connection between them and configure the BGP peers, and it will automatically work. There is no need to use only a single protocol in such a network, only the peers have to agree, so you can select from anything like L2TP/IPsec, OpenVPN, WireGuard, just plain GRE or even IPIP, etc. etc. Just at this time I am trying to move my colocated machine that runs as an IPIP mesh member and I face that stupid "protocol 4 is not passed by the firewall" problem again. Arghh!!
Also we could get that IPv6 idea going. Remember it has been discussed many times and the only thing we still need is some agreement on how to register and distribute the "list of AMPRnet prefixes in IPv6 space". Again that could be done using BGP, no need to set up yet another registration portal with downloadable files.
Note that Daniel EA4GPZ put some ideas around IPv6 on his site: https://destevez.net/ipv6-for-amateur-radio/
Rob
First thought would be that BGP is too difficult for 90% of the HAM operators. Although I do applaud the idea and do think it would be a better setup, 90% of the operators don't know anything about routing, let alone dynamic routing protocols.
The ease of the IPIP tunnels using a modified RIP daemon that can easily be downloaded makes the current setup so easy to deploy and get online. Also seeing that a lot of questions coming in are from users complaining that they are not reachable to/from the internet (when they haven't set up reverse DNS) shows that even reading the wiki is too hard for some of them.
73,
Ruben - ON3RVH
-----Original Message----- From: 44Net On Behalf Of Rob Janssen Sent: Friday 19 July 2019 11:43 To: 44net@mailman.ampr.org Subject: [44net] Time to restructure the network?
_________________________________________ 44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
Setting up some kind of VPN tunnel and running BGP over it is much easier than setting up a full-mesh IPIP network. Nobody asks anybody to be a big network hub. On Linux, basically it comes down to configuring a virtual network interface of some kind and adding 4 lines to the quagga configuration file. On routers, it's not a bigger endeavour either. We have all the 32-bit ASs available, and a rational assignment and usage is already in place in the DE hamnet and working for years (42+itu_prefix+...).
And after such a reorganization, even switching to another prefix, e.g. private addressing, would be a walk in the park.
Btw, this would be a nice first project to use some of that money...
Marius, YO2LOJ
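The tunnel-plus-BGP peering that Rob proposes and that Marius describes above ("a virtual network interface of some kind and 4 lines in the quagga configuration file"), written out as an added example. This is not code from either poster, from MikroTik or from Quagga; it renders a WireGuard interface file and the matching Quagga/FRR bgpd stanza for one peer. Keys, hostnames, the 10.44.0.0/30 transfer net and the 42xxxxxxxx ASNs are placeholders (Marius's 42+ITU-prefix numbering scheme is not reproduced), and the filter policy is an assumption: only the 44.0.0.0/9 and 44.128.0.0/10 blocks that remain AMPRnet after the 44.192.0.0/10 sale may be announced or accepted, and nothing longer than a /24. The two points a practitioner should take from it are the prefix-lists in both directions, so that a misconfigured or hostile peer cannot push a default route or foreign space over the tunnel, and the WireGuard AllowedIPs list, which must cover every prefix BGP can learn over the session.

```python
"""WireGuard tunnel plus Quagga/FRR bgpd stanza for one AMPRnet BGP peer.

Added example for this thread, not code from any poster or project. Names,
keys, tunnel addresses and ASNs are placeholders. Assumed policy: only
44.0.0.0/9 and 44.128.0.0/10 (what stays AMPRnet after the 44.192.0.0/10
sale) may be announced or accepted, and nothing longer than /24.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PRIVATE_ASN_32 = range(4200000000, 4294967295)   # RFC 6996 private 32-bit ASNs
AMPRNET_BLOCKS = [ipaddress.ip_network("44.0.0.0/9"),
                  ipaddress.ip_network("44.128.0.0/10")]
MAX_PREFIX_LEN = 24                               # assumption, see docstring


@dataclass
class Peer:
    name: str
    local_asn: int
    remote_asn: int
    local_tunnel_ip: str              # our address in the /30 inside the tunnel
    remote_tunnel_ip: str             # the peer's address; also the BGP neighbor
    remote_pubkey: str
    remote_endpoint: Optional[str]    # None if the peer is behind NAT and dials us
    announce: List[str]               # our own gateway subnets


def announcement_ok(prefix: str) -> bool:
    """Same policy the generated prefix-lists enforce, applied before any config
    is written: IPv4 only, inside an AMPRnet block, no longer than /24. Rejects
    default routes, RFC 1918 space, the sold 44.192.0.0/10 and host routes."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False
    if net.version != 4 or net.prefixlen > MAX_PREFIX_LEN:
        return False
    return any(net.subnet_of(block) for block in AMPRNET_BLOCKS)


def wireguard_conf(p: Peer, local_privkey: str, listen_port: int = 51820) -> str:
    """Render /etc/wireguard/<name>.conf for this peer.

    AllowedIPs is WireGuard's cryptokey routing table, not an optional firewall
    rule: packets from the peer whose source is outside it are dropped, and a
    packet only goes into the tunnel if its destination is covered. It must
    therefore include every prefix BGP can learn over this session, otherwise
    bgpd installs routes the tunnel then refuses to carry."""
    transfer = ipaddress.ip_network(p.remote_tunnel_ip + "/30", strict=False)
    allowed = [str(transfer)] + [str(b) for b in AMPRNET_BLOCKS]
    lines = ["[Interface]",
             f"PrivateKey = {local_privkey}",
             f"Address = {p.local_tunnel_ip}/30",
             f"ListenPort = {listen_port}",
             "",
             "[Peer]",
             f"PublicKey = {p.remote_pubkey}",
             f"AllowedIPs = {', '.join(allowed)}"]
    if p.remote_endpoint:
        lines.append(f"Endpoint = {p.remote_endpoint}")
    # Keepalive holds the NAT mapping open so the BGP session does not time out.
    lines.append("PersistentKeepalive = 25")
    return "\n".join(lines) + "\n"


def bgpd_conf(p: Peer, router_id: str) -> str:
    """Render the bgpd stanza: the neighbor lines plus prefix-list filters in
    both directions, so the peer cannot push a default route or non-AMPRnet
    space to us and we never leak anything but our own subnets to it."""
    if p.local_asn not in PRIVATE_ASN_32 or p.remote_asn not in PRIVATE_ASN_32:
        raise ValueError("both ASNs must be 32-bit private ASNs")
    bad = [n for n in p.announce if not announcement_ok(n)]
    if bad:
        raise ValueError(f"refusing to announce non-AMPRnet prefixes: {bad}")
    n = p.remote_tunnel_ip
    lines = [f"router bgp {p.local_asn}",
             f" bgp router-id {router_id}",
             f" neighbor {n} remote-as {p.remote_asn}",
             f' neighbor {n} description "{p.name}"',
             f" neighbor {n} prefix-list amprnet-in in",
             f" neighbor {n} prefix-list amprnet-out out"]
    lines += [f" network {net}" for net in p.announce]
    lines.append("!")
    for seq, block in enumerate(AMPRNET_BLOCKS, 1):
        lines.append(f"ip prefix-list amprnet-in seq {seq * 10} permit {block} le {MAX_PREFIX_LEN}")
    lines.append("ip prefix-list amprnet-in seq 100 deny 0.0.0.0/0 le 32")
    for seq, net in enumerate(p.announce, 1):
        lines.append(f"ip prefix-list amprnet-out seq {seq * 10} permit {net}")
    lines.append("ip prefix-list amprnet-out seq 100 deny 0.0.0.0/0 le 32")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    peer = Peer("hub-eu (placeholder)", 4200000001, 4200000002,
                "10.44.0.1", "10.44.0.2", "PEER_PUBLIC_KEY_PLACEHOLDER",
                "hub-eu.example.org:51820", ["44.137.0.0/16"])
    print(wireguard_conf(peer, "LOCAL_PRIVATE_KEY_PLACEHOLDER"))
    print(bgpd_conf(peer, "44.137.0.1"))
```

Running it prints the two files for one peer; the "four lines" Marius means are the router bgp, neighbor remote-as and network lines. Leave the Endpoint out on the side that sits behind NAT, as the script does when remote_endpoint is None: that side can only be dialled, so the NATed side must initiate and keep the mapping alive. Whatever VPN type a pair of peers agrees on (L2TP/IPsec, OpenVPN, GRE), the bgpd part is the same; only the interface and the AllowedIPs caveat are WireGuard-specific.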
I do agree that we do not need one big hub; maintaining the central, or several, BGP backbone links should be handled by people who know what they're doing, that's a given.
But setting up Marius' script on Mikrotik is easy as pie and it configures the rest "automagically" whereas configuring BGP on a tik, although easy for those of us that do such things daily, is not that easy for non network-technical folks
Even installing and configuring quagga on linux and editing the configuration file is not that easy for those who don't know a thing about networking.
It could mean a lot of work for us maintainers to help all the non network technical folks to configure (and maintain) their routers. I for one am not shy of the work, nor do I mind helping them, but everyone should be aware that it could fall onto them to set it up for those that don't know how. (or can't/won't read a wiki article)
73,
Ruben - ON3RVH
-----Original Message----- From: 44Net On Behalf Of marius@yo2loj.ro Sent: Friday 19 July 2019 12:12 To: AMPRNet working group 44net@mailman.ampr.org Subject: Re: [44net] Time to restructure the network?
On Fri, 19 Jul 2019, Ruben ON3RVH wrote:
The ease of the IPIP tunnels using a modified RIP daemon that can easily be downloaded makes the current setup so easy to deploy and get online. Also seeing that a lot of questions coming in are from users complaining that they are not reachable to/from the internet (when they haven't set up reverse DNS) shows that even reading the wiki is too hard for some of them.
The difficulty is that one has to remind firewall vendors and open-source developers that protocols like IPIP even exist and just how large a community of potential users they are eliminating from using their software by simply not making an option available on a drop-down box (e.g. pfSense). Another way our options are limited is by not loading a kernel module in certain environments or not distributing a kernel module that supports the technology.
There is no way to "port forward" GRE or IPIP. It terminates on the edge, or it doesn't. That can be complex in today's provider networks thanks to the use of PPPoE, 802.1x, or Customer Premises Equipment (CPE) which heavily favors TCP and UDP communications into or out of a designated "DMZ" and throws away everything else. On the other hand, it's still possible to set up a VPN to a remote host and interface with the IPIP mesh there. It's not ideal, but it's a solution. As long as all the nearby sites have a route over VPN, it can work. By tuning the VPN parameters, latency can be kept down.
This may not be the time to re-engineer everything, but start the ideas now and something should be possible to start in six months.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager
I'm a Mikrotik certified consultant and would be willing to help anyone out (for free) with BGP, VPNs, etc like I'm currently using. I could also build a wiki page somewhere.
On Fri, Jul 19, 2019 at 5:51 AM Ruben ON3RVH on3rvh@on3rvh.be wrote:
Now that we are all going to have to dive into our router configurations, wouldn't it be a good time to make some changes that are long overdue?
Like getting rid of the IPIP mesh and replace it with something more modern and supported by off-the-shelf routers, works behind NAT, etc?
As long as it doesn’t create failure points!
This event is the perfect example. The entire worldwide 44.x community didn't even know there was a problem for about 8 hours! And, once reported, everyone was more interested in griping about the address sale than fixing the DNS problem. In fact, no one even knew how to/who could fix the problem because the 44.in-addr.arpa server is handled by a very select few (one?).
The IPIP mesh may be non-standard, but it is distributed, without any single point of failure. To get between two points, the two gateways have to have IP connectivity to each other. That's it. The two end-points can troubleshoot directly.
But every proposal I've seen on this list involves adding at least two other ham points of failure. For example, I would presumably connect to some other ham's BGP node and the other end of the connection would do the same. Why? Do these hubs have 24x7 support, like my ISP does? Do the responsible people ever go to work, go out to eat, get sick, go on vacation, ...? Are they going to be available to troubleshoot on my schedule? What if they just don't feel like it today?
The six gateway machines in our network don't even use the single-point-of-failure 44-style RIP server. We download the gateway/route list every 6 hours (suitable for our needs). If FTP fails, file doesn't exist, file has zero size, number of changes seems unreasonable, etc., (all of which have happened over the years), we send an alert to our folks and continue on with the previous list of routes and try again later. As a result, since 2009, we have had exactly zero outages!
So: Standard protocols? Absolutely! If it doesn't add failure points between peers/gateways, I'm for it!
As you say, we'll need some reliable way to distribute the peer info. Perhaps a few mirrored servers spread around the world, enabling us to try another one if our closest server fails. But for peer info, not for forwarding. Requiring some artificial overlay routing hierarchy or forwarding hop between end-points smells like taking a step back to the 80s and hop-by-hop BBS forwarding.
Michael, N6MEF
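The fetch-and-validate loop N6MEF describes (download the gateway list periodically; if the fetch fails, the file is missing or empty, or the number of changes looks unreasonable, alert and keep the previous routes), as an added example. It is not his gateways' code. It assumes the encap.txt-style line format ("route addprivate <subnet> encap <gateway>"), a 20% change threshold as the definition of "unreasonable", and the usual Linux tunl0 route form for applying the delta; the sample list is constructed, not real gateway data. Beyond the checks he lists, it also refuses any entry whose subnet is outside 44.0.0.0/8 or whose gateway is loopback, multicast, link-local or RFC 1918, since a tampered or corrupted list is exactly the case where a blind apply hurts most.

```python
"""Validate a freshly downloaded AMPRnet gateway list before applying it.

Added example of the fetch-and-check loop N6MEF describes, not his gateways'
own code. Reads an encap.txt-style list ("route addprivate <subnet> encap
<gateway>" lines, assumed format) and refuses a copy that is missing, empty,
unparseable, contains non-AMPRnet subnets or bogus gateways, or differs from
the last good list by more than an assumed 20% of entries; the caller then
keeps the old routes and alerts with the reason. The sample is constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Routes = Dict[ipaddress.IPv4Network, ipaddress.IPv4Address]

ENCAP_LINE = re.compile(r"^route addprivate (\S+) encap (\S+)$")
AMPRNET = ipaddress.ip_network("44.0.0.0/8")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_CHANGE_FRACTION = 0.20        # assumption: "unreasonable" above this

LAST_GOOD = """\
# constructed sample in encap.txt format, not real gateway data
route addprivate 44.10.1.0/24 encap 192.0.2.10
route addprivate 44.20.0.0/16 encap 198.51.100.20
route addprivate 44.30.5.0/24 encap 203.0.113.30
route addprivate 44.40.0.0/24 encap 192.0.2.40
route addprivate 44.50.7.0/24 encap 198.51.100.50
"""


def parse_encap(text: str) -> Routes:
    """Parse strictly: one malformed or suspicious line rejects the whole file."""
    routes: Routes = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENCAP_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised: {line!r}")
        net = ipaddress.ip_network(m.group(1), strict=True)  # host bits set -> ValueError
        gw = ipaddress.ip_address(m.group(2))
        if net.version != 4 or not net.subnet_of(AMPRNET):
            raise ValueError(f"line {lineno}: {net} is not AMPRnet space")
        if (gw.version != 4 or gw.is_loopback or gw.is_multicast
                or gw.is_link_local or gw.is_unspecified
                or any(gw in n for n in RFC1918)):
            raise ValueError(f"line {lineno}: gateway {gw} cannot be an encap endpoint")
        if net in routes:
            raise ValueError(f"line {lineno}: duplicate entry for {net}")
        routes[net] = gw
    return routes


def check_new_list(new_text: Optional[str], last_good: Routes) -> Tuple[bool, str, Routes]:
    """Return (apply, reason, routes). On any failure routes is last_good, untouched."""
    if new_text is None:
        return False, "fetch failed", last_good
    if not new_text.strip():
        return False, "file is empty", last_good
    try:
        new = parse_encap(new_text)
    except ValueError as e:
        return False, f"parse error: {e}", last_good
    if not new:
        return False, "file contains no routes", last_good
    added = new.keys() - last_good.keys()
    removed = last_good.keys() - new.keys()
    changed = [n for n in new.keys() & last_good.keys() if new[n] != last_good[n]]
    delta = len(added) + len(removed) + len(changed)
    fraction = delta / len(last_good) if last_good else 0.0
    if fraction > MAX_CHANGE_FRACTION:
        return (False, f"{delta} of {len(last_good)} entries changed "
                       f"({fraction:.0%}), looks unreasonable", last_good)
    return True, "ok", new


def route_commands(old: Routes, new: Routes, dev: str = "tunl0") -> List[str]:
    """Apply only the delta, in the usual Linux IPIP-mesh route form (assumed)."""
    cmds = [f"ip route del {net}" for net in sorted(old.keys() - new.keys())]
    for net in sorted(new):
        if old.get(net) != new[net]:
            cmds.append(f"ip route replace {net} via {new[net]} dev {dev} onlink")
    return cmds


if __name__ == "__main__":
    current = parse_encap(LAST_GOOD)
    truncated = "\n".join(LAST_GOOD.splitlines()[:3]) + "\n"   # a cut-off download
    ok, why, routes = check_new_list(truncated, current)
    print("apply" if ok else f"ALERT, keeping previous list: {why}")
    for cmd in route_commands(current, routes):
        print(cmd)
```

The threshold is deliberately a fraction of the previous list rather than an absolute count, so it scales with the number of gateways; a gateway with six peers would want a different number than one tracking the whole mesh. The same three-way split (added, removed, changed gateway) is what you would want in the alert text, since "all routes disappeared" and "every gateway address changed" point at very different failures.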
On 20/07/19 09:57, Michael Fox - N6MEF wrote:
The IPIP mesh may be non-standard, but it is distributed, without any single point of failure. To get between two points, the two gateways have to have IP connectivity to each other. That's it. The two end-points can troubleshoot directly.
The other thing I like about the IPIP mesh is that the routing is as good as it can possibly be, because each endpoint is connected to each other. This is an issue that is critically important for us in VK. I've had to implement my own link between my IPIP and BGP connected subnets to improve both reliability and latency of interconnectivity between them. I'm not using IPIP on the BGP connected subnet, because it's one of the 44.190.8/24 subnets, and there were objections from some parts to it being in the mesh. So instead, I made my own private arrangements to bridge them.
Being forced to route through some other host (especially if it's on the other side of the world) would seriously degrade the performance of the network as seen from here, because physics (that pesky Relativity) limits RTTs to around 200 ms at best. The round trip via UCSD was 400 ms at best, if it worked at all.
On 7/19/19 2:42 AM, Rob Janssen wrote:
Now that we are all going to have to dive into our router configurations, wouldn't it be a good time to make some changes that are long overdue?
Like getting rid of the IPIP mesh and replace it with something more modern and supported by off-the-shelf routers, works behind NAT, etc? I would say setup some routers with VPN of different types around the world, have everyone connect to there using a suitable VPN protocol, run BGP on it to announce the gateway subnets.
Take a look at how DN42 is doing something like this. https://dn42.net/home
They even offer it as a testbed to learn routing protocols like BGP without the "fear" of having someone yell at you for a mistake.
KG7QIN
-Stacy
Hi Rob,
On 19/07/2019 at 11:42, Rob Janssen wrote:
Now that we are all going to have to dive into our router configurations, wouldn't it be a good time to make some changes that are long overdue?
Of course, testing new things, trying to "modernize" our old network topology, and start thinking about IPv6, is probably the most clever thing we can do.
That's what we're trying to do (quite modestly) here, in Corsica. We are using Plug and Play TKBoxes, with OpenWRT, OpenVPN and internal OSPF routing. Doing NAT traversal is easy for outbound, but it does not work for inbound connections. That's why our setup relies on a central gateway, which manages all the in/out communications. It's less fault-tolerant than a full mesh. But for now, I do not see how to do a full mesh with automatic NAT traversal. This topology works fine for us, because we're an island with two big cities. So, a dual-star network, with two redundant entry points, seems quite natural. But this may not apply everywhere. Maybe it's possible to create some "regional" or "country-wide" platforms? Before, we had a full mesh and a gateway in San Diego. Maybe we can have more distributed platforms and gateways over the world... Communications from/to the Internet are mandatory nowadays; we can't just ignore them and continue working in "closed" networks.
There are a lot of technical things to investigate and try here... But my main question is WHY? Why should we continue spending our time and our money, with the risk of being sold as old socks?
If I clearly understand, and agree with, the sale of 1/4 of the AMPRNet address range, I don't really understand why we were not informed before, which would have allowed everybody to contribute to the debate and to be involved in the final decision. I'm from a tiny country that initiated what is probably the first democratic constitution of the modern era in 1755, and it's known that it inspired the United States constitution. So this kind of "monarchical" decision makes me very disappointed and sad. More threatening: I discussed on the Facebook "Ham Radio Operators" group with a guy (Bill HORNE) who clearly advocates for the sale of the full AMPRNet range, and who even tries to give arguments for that!
That makes me say: What am I doing here, and shouldn't I switch to something else before I'm sold to Amazon or Google?
This is nothing more than a (disappointed and sad) personal feeling...
PS: Sorry if I can't answer in the next 10 days, I'll switch to a more brain-cleaning activity: a music festival ;-)
73 de TK1BI
(Re-post in plain text)
Not my most productive message of the year, but as Ronen 4Z4ZQ just said (in an empty message), "it comes from the heart"...
I have huge respect for people who have been managing AMPRNet on their free time for years, I agree with the sale decision, but I clearly do not agree with what some "ARDC Board Members" said publicly (see below).
Just a personal feeling, and I wanted to say it. I won't add anything else to the advocacy. Sorry for the inconvenience.
73 de TK1BI
-------- Forwarded Message -------- Subject: Re: [44net] Time to restructure the network? For what? Being sold like old socks? Date: Sun, 21 Jul 2019 08:32:20 +0200 From: Toussaint OTTAVI t.ottavi@bc-109.com To: AMPRNet working group 44net@mailman.ampr.org