Difference between revisions of "Why can't I just route my AMPRNet allocation directly myself ?"

From AMPRNet
m
m (Work arounds)
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
  
Because in the 1990's and early 2000's many networks began to experience [http://en.wikipedia.org/wiki/Denial-of-service_attack denial of service attacks] due to [http://en.wikipedia.org/wiki/IP_address_spoofing IP address spoofing].
+
== Reason #1: Because of ISP Ingress Filtering ==
 +
In the 1990's and early 2000's many networks began to experience [http://en.wikipedia.org/wiki/Denial-of-service_attack denial of service attacks] due to [http://en.wikipedia.org/wiki/IP_address_spoofing IP address spoofing].
  
In order to combat these attacks, most Internet Service Providers have adopted practices defined by the Internet Standards [http://tools.ietf.org/html/bcp38 BCP38] and [https://tools.ietf.org/html/bcp84 BCP84]. Two of these practices are [http://en.wikipedia.org/wiki/Ingress_filtering ingress filtering] and [http://en.wikipedia.org/wiki/Reverse_path_forwarding#Unicast_RPF_.28uRPF.29 Unicast Reverse Path Forwarding].
+
In order to combat these attacks, most Internet Service Providers (ISPs) have adopted practices defined by the Internet Standards [http://tools.ietf.org/html/bcp38 BCP38] and [https://tools.ietf.org/html/bcp84 BCP84].  
 +
 
 +
Two of these practices are [http://en.wikipedia.org/wiki/Ingress_filtering ingress filtering] and [http://en.wikipedia.org/wiki/Reverse_path_forwarding#Unicast_RPF_.28uRPF.29 Unicast Reverse Path Forwarding].
  
 
These practices prevent IP address spoofing by blocking packets whose IP source address is not the in the IP subnet range where the packet originated.
 
These practices prevent IP address spoofing by blocking packets whose IP source address is not the in the IP subnet range where the packet originated.
  
If your ISP implements these practices, you will be unable to transmit packets using your AMPRNet allocation as the source address directly from your home network.
+
If your ISP implements these practices (and they should), you will be unable to transmit packets using your AMPRNet allocation as the source address directly from your home network.
 +
 
 +
== Reason #2: Restrictions on who can announce routes ==
 +
In order to prevent chaos on the Internet only ISP's and other authorized networks can announce routes globally. Your ISP will block any attempts by you to advertise your AMPRNet allocation without their permission. In addition, announcing your AMPRNet allocation directly, without the permission of the AMPRNet network administrator is a violation of AMPRNet's Terms of Service and Acceptable Use Policy.
  
The two ways around these restrictions are:
+
== Work arounds ==
 +
The three ways around these restrictions are:
  
# [[Setting up a gateway on Linux| Creating tunnels to other AMPRNet subnets using a gateway]].
+
# [[Setting up a gateway on Linux| Creating direct tunnels to other AMPRNet subnets using a gateway]].
# [[Announcing your allocation directly| Working with AMPRNet and your ISP to announce your allocation directly]].
+
# [[Announcing your allocation directly| Working with AMPRNet and your ISP to properly announce your allocation directly]].
 +
# [[AMPRNet VPN| Accessing AMPRNet via VPN]]
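
Review bot: the unchanged sentence "blocking packets whose IP source address is not the in the IP subnet range" still carries a stray "the" in the new revision. Since this edit already reworks the paragraphs around it, correct it to "is not in the IP subnet range". The added Reason #2 paragraph also writes the possessive "ISP's" where the plural is meant, while the revised Reason #1 text introduces the abbreviation as "(ISPs)"; use "ISPs" in both places.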

Latest revision as of 17:59, 23 April 2014

Reason #1: Because of ISP Ingress Filtering

In the 1990s and early 2000s, many networks began to experience denial-of-service attacks due to IP address spoofing.

In order to combat these attacks, most Internet Service Providers (ISPs) have adopted practices defined by the Internet Standards BCP38 and BCP84.

Two of these practices are ingress filtering and Unicast Reverse Path Forwarding.

These practices prevent IP address spoofing by blocking packets whose IP source address is not in the IP subnet range where the packet originated.

If your ISP implements these practices (and they should), you will be unable to transmit packets using your AMPRNet allocation as the source address directly from your home network.
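
As an added illustration (not part of the original wiki page), the following Python model shows how an ISP edge router applying a static ingress filter and strict-mode Unicast RPF treats a packet sourced from an AMPRNet allocation arriving on a home customer port. The interface names, routing table and prefixes are constructed; documentation prefixes stand in for the real ISP subnet and AMPRNet allocation.

```python
import ipaddress

# Constructed ISP edge-router state (documentation prefixes, not real ones).
HOME_SUBNET = "203.0.113.0/24"        # subnet the ISP assigned to the home customer
AMPR_ALLOCATION = "198.51.100.0/24"   # placeholder for the user's AMPRNet allocation
FIB = [                               # (prefix, interface the route points to)
    ("0.0.0.0/0", "upstream"),
    (HOME_SUBNET, "cust-home"),
    ("192.0.2.0/24", "cust-other"),
]
INGRESS_ACL = {"cust-home": [HOME_SUBNET], "cust-other": ["192.0.2.0/24"]}


def lookup(fib, addr):
    """Longest-prefix match: interface of the most specific route, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), iface) for p, iface in fib
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def ingress_filter_accepts(acl, src, in_iface):
    """Static ingress filter: source must lie in a prefix assigned to the port."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in acl.get(in_iface, []))


def strict_urpf_accepts(fib, src, in_iface):
    """Strict uRPF: the best route back to the source must point at in_iface."""
    return lookup(fib, src) == in_iface


def verdicts(fib, acl, src, in_iface):
    """Result of both checks for one packet arriving on in_iface."""
    return {"ingress_filter": ingress_filter_accepts(acl, src, in_iface),
            "strict_urpf": strict_urpf_accepts(fib, src, in_iface)}


if __name__ == "__main__":
    # Home customer sends once from its ISP address, once from the allocation.
    for src in ("203.0.113.10", "198.51.100.10"):
        print(src, verdicts(FIB, INGRESS_ACL, src, "cust-home"))
    # Assumption: the ISP has agreed to route the allocation to the customer
    # port and permits it in the port's filter.
    fib2 = FIB + [(AMPR_ALLOCATION, "cust-home")]
    acl2 = {**INGRESS_ACL, "cust-home": [HOME_SUBNET, AMPR_ALLOCATION]}
    print("198.51.100.10", verdicts(fib2, acl2, "198.51.100.10", "cust-home"))
```

The packet sourced from the allocation fails both checks because the router's only route back to that address is the default route, which points upstream rather than at the customer port.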

Reason #2: Restrictions on who can announce routes

In order to prevent chaos on the Internet, only ISPs and other authorized networks can announce routes globally. Your ISP will block any attempts by you to advertise your AMPRNet allocation without their permission. In addition, announcing your AMPRNet allocation directly, without the permission of the AMPRNet network administrator, is a violation of AMPRNet's Terms of Service and Acceptable Use Policy.

Workarounds

The three ways around these restrictions are:

  1. Creating direct tunnels to other AMPRNet subnets using a gateway.
  2. Working with AMPRNet and your ISP to properly announce your allocation directly.
  3. Accessing AMPRNet via VPN.