FAQ: Difference between revisions
Mention that AMPRGW will throttle traffic to a tunnel when it detects errors related to that tunnel. |
Latest revision as of 17:24, 3 May 2024
Frequently Asked Questions
What is AMPRNet?
AMPRNet stands for AMateur Packet Radio NETwork. It is a collection of amateur radio-oriented computers, connected together via a variety of technologies, including radio, Internet, and ethernet. However, all of these computers have an IP address that begins with 44 (that is, addresses within 44.0.0.0/9 or 44.128.0.0/10). For this reason, AMPRNet can also be referred to as 44Net.
Some further details can be found at https://en.wikipedia.org/wiki/AMPRNet and https://wiki.ampr.org/wiki/Main_Page
What is AMPRNet for?
The purpose of AMPRNet is to permit experimentation by amateurs in digital networking and to provide computer services to other amateurs using AMPRNet.
What does it cost to use AMPRNet?
There is no cost for using any AMPRNet facilities, however, there may be costs associated with Internet access to reach AMPRNet and/or amateur radio equipment costs.
How do I connect to AMPRNet?
There are four main methods people use:
- VPN
- BGP routing (see also: Announcing your allocation directly)
- Direct radio links.
- IP Tunneling
Note: Functionally, a VPN and a tunnel do much the same thing, except a VPN is designed for privacy (i.e. strong authentication and encryption), whilst IP tunnelling in the AMPRNet context is actually an all-to-all interconnected mesh of tunnels and is not encrypted (as often the data is transferred over radio).
What is IP Tunneling?
The information that traverses the Internet does so as "packets" of data, traveling over a variety of routes, between a source and a destination. Each packet contains a header, which tells all the devices along the route information such as the source and destination, plus the payload, which is the data to actually be transferred. Clearly, there must be a path all the way from the source to the destination, and back. AMPRNet consists of small, non-connected groups of computers that would otherwise not be able to connect to one another. However, since Internet devices along the route really don't care about the contents of the payload section, you can put a completely new packet into that section, including an entirely different header and its own payload section. That second header has source and destination addresses completely different from the first header - all that is required is that the first destination recognizes the encapsulated packet, de-encapsulates it, and forwards it to the second header's destination. Return traffic follows a corresponding process. In that way, 44-net hosts can communicate with other 44-net hosts by encapsulating their data packets in packets addressed to non-44net hosts. This is called tunneling (or encapsulating). A later section in this FAQ discusses installing a tunnel. Tunneling is probably the most commonly used method of accessing AMPRNet.
How does AMPR over IP tunnel actually work?
AMPR nodes are actually not connected via a single tunnel but via a large mesh network of tunnels. Suppose user1 has public IP address 198.51.100.1 and user2 has 203.0.113.1. These two can normally communicate over the Internet. However, if both users have a 44net IP address, user1 can encapsulate the 44net packet into an outer packet and send it to 203.0.113.1. Similarly, user2 can encapsulate the IP packet with the 44net addresses and send it to 198.51.100.1. In Linux (and most other systems), this is accomplished using a single ipip device and adding a route using the "nexthop" statement. When a packet is pushed into the ipip device, the outer IP header is added and the packet is sent to the router named in the nexthop statement. A list of all AMPR gateways is required; this can be obtained either by downloading a simple text file and adding the routes manually, or by using RIP44, as discussed in the FAQ section below.
What is a VPN?
VPN stands for Virtual Private Network. It is a facility that enables a computer to act (using the Internet) as though it is physically connected to another computer network. There are many different ways to set up a VPN, so this is beyond the scope of this FAQ. However, it always involves configuring software and accounts on a computer to connect to the VPN server. Some amateurs who have connections to AMPRNet have set up VPN servers so that other amateurs can achieve a "virtual" connection to AMPRNet. The technical details, account details, and IP address details must be obtained from the operator of that VPN. One such VPN is listed at https://wiki.ampr.org/wiki/AMPRNet_VPN.
What is BGP Routing?
The Internet has millions of different computers connected to it, each having an address. Devices called routers deliver traffic between computers and can send "advertisements" to other routers to tell those other routers about the locations of some of those addresses. The protocol used is called BGP, Border Gateway Protocol. If you are fortunate enough to have a computer that can send BGP advertisements, then you can advertise that your computer is part of the AMPRNet address range, and hence receive AMPRNet traffic.
Unfortunately, most companies and most commercial ISPs will not permit their users to originate BGP advertisements (especially for address ranges that are not in their usual address range), so BGP is not a viable means to connect to AMPRNet for most people. There are Virtual Private Server (VPS) Providers (or Cloud Providers) who will announce your AMPRNet allocation without the need for your own Autonomous System (AS) number. Routing your allocation via BGP has a list of VPS/Cloud Providers.
Installing BGP is beyond the scope of this FAQ. Note however that you must have written permission from the administrator of the ARDC 44 address space, before you BGP advertise any part of that space.
What about radio links?
In many places, groups of amateurs have established networks of radio links, and often have used one of the preceding approaches so that those radio networks connect to and become part of AMPRNet. You would need to contact those groups regarding frequencies, modes, and address allocations.
Do I need to consider security?
Yes! Any computer connected to the Internet must be configured and maintained in a secure fashion, and this includes any computer connected to AMPRNet (regardless of the connection technique). Repeat - you MUST secure your computer! This includes using firewalls, keeping software up to date, using strong passwords, etc etc. In some cases, encryption may also be used.
How to maintain security is beyond the scope of this FAQ. Searching for "How to secure my computer" will return many, many hits though!
How do I get an address allocation?
If you connect to an existing VPN or existing radio network, it is likely that the operators of those facilities will already have address ranges established and will allocate your address(es). If you wish to establish a new tunnel or BGP-based link, then the process is handled by a semi-automated process on our portal. The steps are:
1. Register using your callsign on the portal https://portal.ampr.org
2. Log in and navigate to the Networks page.
3. Click on your country. A list of regions/subnets may appear; if so, click on the appropriate one.
4. Click on the subnet and you'll be presented with a simple form to complete.
5. If you are requesting a single address for a host, leave the netmask as /32.
6. If you are requesting a block/subnet, select the appropriate netwidth. E.g. for a 256 host subnet, select /24.
7. Put a short message explaining your request in the Message area of the form. Be sure to indicate if you are planning to directly route a subnet, as these require special handling.
8. Click Send. Your request will be forwarded to the coordinator for your region/subnet. You'll receive a confirming email. The coordinator may contact you for further details if required.
Can I have a domain name entry for my AMPRNet host?
Yes. Currently, domain name requests are handled by the area coordinators - contact details are on the portal. Note: the old email robot facility no longer functions.
What about IPv6?
There is no IPv6 equivalent of AMPRNet at present.
How do I configure a Tunnel?
The technique varies according to the Operating System you use. However, all involve the creation of a new "pseudo" interface - unlike your normal ethernet network connection, this one doesn't actually exist on the back panel of your computer. However, it exists as far as the Operating System is concerned. A normal ethernet device accepts a data packet (consisting of a header and payload, as previously discussed) and sends it out the ethernet cable (often via a modem, to the Internet). A "pseudo" interface however accepts a data packet, encapsulates it in the data portion of a new packet, adds a new and different header, and passes all that to the ethernet device, which then processes this new data packet as normal, sending it to a recipient who will de-encapsulate it. Reception of tunneled traffic is the reverse process.
Consequently, two requirements apply:
a) The computer must have full connectivity to the non-44 hosts that will send or receive the tunneled packets containing 44-net traffic. You cannot route ALL traffic to the pseudo interface!
b) The pseudo driver must have a mechanism to tell it which non-44 net hosts can handle particular subsets of 44-net traffic - very few can handle the entire 44-net range! It should be noted that the information changes quite frequently, as tunnel hosts come and go, so must be updated as described below.
https://wiki.ampr.org/wiki/Main_Page has links to several different ways of configuring tunnels.
How do I obtain and maintain a list of tunnel hosts?
There are three main mechanisms:
a) log on to the portal (as described above) and navigate to the "Gateways/List" section that permits downloading of the "encap" file. Download that file, and use a script on the computer to turn it into commands that update the configuration of the tunnel device.
b) receive the encap file by mail, and use a script to process it. You can register for this email on the portal "Gateways/Options" page.
c) Receive and process "broadcasts" of configuration data that are available. This information is broadcast to all gateways listed on the portal. There is a software package called "ampr-ripd" that enables this process.
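Mechanisms a) and b) both end with "use a script to turn the encap file into commands that update the tunnel device". The following Python script is an added example, not a script from this wiki or from ARDC; it assumes the encap file consists of lines of the form `route addprivate <44-subnet> encap <gateway-address>` and that the tunnel device is a Linux ipip device called tunl0 (the sample file contents and all addresses in it are constructed). Because the file is fetched over the network and applied to the kernel routing table, it validates every line: destinations must lie inside 44.0.0.0/9 or 44.128.0.0/10, and the gateway must be a public IPv4 address that is not itself a 44net address. It also shows how to reconcile a previously installed route set with a fresh file, since the FAQ notes the list changes frequently.

```python
"""Turn an AMPRNet 'encap' file into Linux ipip route commands.

Added example for the FAQ, not the wiki's or ARDC's own script. The line
format assumed here is:
    route addprivate 44.2.2.0/24 encap 192.0.2.1
SAMPLE_ENCAP below is a constructed file, not the real portal download.
"""
import ipaddress
import re

# The two AMPRNet blocks named in the FAQ; anything else is not a 44net route.
AMPRNET = (ipaddress.ip_network("44.0.0.0/9"), ipaddress.ip_network("44.128.0.0/10"))

# Outer (gateway) addresses that can never be a valid tunnel endpoint: the
# 44net blocks themselves plus non-routable / special-purpose IPv4 ranges.
BAD_GATEWAY_BLOCKS = AMPRNET + tuple(ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
))

LINE_RE = re.compile(r"^route\s+addprivate\s+(\S+)\s+encap\s+(\S+)$")

# Constructed sample; the addresses are documentation/test ranges, not real gateways.
SAMPLE_ENCAP = """\
# constructed encap.txt sample
route addprivate 44.2.2.0/24 encap 192.0.2.1
route addprivate 44.2.3.0/24 encap 192.0.2.1
route addprivate 44.60.0.0/16 encap 198.51.100.7
route addprivate 10.1.0.0/16 encap 203.0.113.9
route addprivate 44.70.1.0/24 encap 10.0.0.1
route addprivate 44.128.4.0/24 encap 203.0.113.9
this line is garbage
"""


def parse_encap(text):
    """Return (routes, rejected): routes is a list of (IPv4Network, IPv4Address),
    rejected a list of (line number, reason) for every line that was not applied.

    A malformed or hostile file therefore cannot inject routes for non-44 space
    or point a 44 subnet at a private or 44net 'gateway'."""
    routes, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append((lineno, "unparseable line"))
            continue
        try:
            dst = ipaddress.ip_network(m.group(1), strict=True)  # host bits must be zero
            gw = ipaddress.ip_address(m.group(2))
        except ValueError as exc:
            rejected.append((lineno, f"bad address: {exc}"))
            continue
        if dst.version != 4 or not any(dst.subnet_of(b) for b in AMPRNET):
            rejected.append((lineno, "destination not inside AMPRNet"))
            continue
        if gw.version != 4 or any(gw in b for b in BAD_GATEWAY_BLOCKS):
            rejected.append((lineno, "gateway is not a public non-44 IPv4 address"))
            continue
        routes.append((dst, gw))
    return routes, rejected


def route_commands(routes, dev="tunl0"):
    """Render routes as 'ip route replace' commands for the ipip device.
    'onlink' tells the kernel the gateway is reachable through dev even though it
    is not on a connected subnet; 'replace' keeps re-runs idempotent."""
    return [f"ip route replace {dst} via {gw} dev {dev} onlink" for dst, gw in routes]


def reconcile(installed, desired, dev="tunl0"):
    """Commands that move the kernel from the currently installed route set to the
    desired one: delete subnets that vanished from the file, (re)install the rest."""
    installed = {dst: gw for dst, gw in installed}
    desired = {dst: gw for dst, gw in desired}
    cmds = [f"ip route del {dst} dev {dev}" for dst in installed if dst not in desired]
    cmds += [f"ip route replace {dst} via {gw} dev {dev} onlink"
             for dst, gw in desired.items() if installed.get(dst) != gw]
    return cmds


if __name__ == "__main__":
    good, bad = parse_encap(SAMPLE_ENCAP)
    for reason in bad:
        print("# skipped line %d: %s" % reason)
    print("\n".join(route_commands(good)))
```

In practice the printed commands are fed to a shell as root after the ipip device exists (`ip tunnel add tunl0 mode ipip ttl 64` and a 44net address on it); keeping the generation step separate from execution lets you inspect exactly what a fresh encap file is about to change.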
Can I just route all 44net traffic via a single tunnel?
No. The main AMPRNet gateway does not provide this functionality - you must have a tunnel to each system you wish to contact.
What is the AmprGW?
The AmprGW is a server run by ARDC at UCSD as part of a long-running Internet research project. It has a number of functions:
a) It provides a selective gateway between non-AMPRNet Internet devices and the IPIP (mesh) AMPRNet. For this traffic, it filters at the per-host (/32) level. Each host which is to receive traffic from the Internet into AMPRNet must individually be listed in the permissions file, which is built from the AMPR.ORG DNS 'A' records. If there is no DNS A record for a tunneled AMPRNet destination host, the traffic is not forwarded in either direction. Therefore, if you want hosts on your subnet to be able to communicate with the Internet, you will need to have your local coordinator add them to the AMPR.ORG DNS for you.
b) It forwards traffic between Internet hosts (including those AMPRNet hosts that are directly connected to the Internet [BGP-routed]) and IPIP tunneled AMPRNet hosts. Some "validity" filtering is applied during this process - traffic that is invalid or misconfigured will be dropped. Note: AmprGW does NOT forward between different IPIP tunneled AMPRNet hosts. That is why you cannot have just a single IPIP tunnel for all of AMPRNet. Thus the tunneled AMPRNet as a whole forms a fully-connected mesh, not a 'star' configuration.
c) AmprGW originates RIP44 broadcasts containing routing information about gateways and the AMPRNet subnets they service. The RIP44 transmissions are sent as IPIP encapsulated UDP packets for port 520 from 169.228.34.84 and sent individually to the commercial (external) address of every gateway. The packets have an inner source address of 44.0.0.1 and an inner destination of 224.0.0.9, the RIP multicast address. They are IPIP encapsulated packets, so without de-encapsulating them, the RIP is not visible to conventional routing software. Specialized software such as 'ampr-ripd' may be employed to make use of the RIP44 broadcasts, to set up AMPRNet routes.
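Item c) describes the RIP44 datagram layer by layer: an IPIP packet (protocol 4) from 169.228.34.84, an inner IPv4 packet from 44.0.0.1 to 224.0.0.9, UDP port 520, and a RIPv2 response inside. The Python below is an added example, not code from ampr-ripd or AMPRGW; it builds a constructed datagram of that shape and then parses it the way a receiver should, rejecting anything that does not match each documented layer before installing a route. It assumes the RIPv2 response carries a simple-password authentication entry (RFC 2453 auth type 2) and uses the placeholder password "hypothetical"; all gateway and subnet values in the sample entries are constructed. The route-entry layout (address family, tag, address, mask, next hop, metric) is the standard RIPv2 one.

```python
"""Build and parse an IPIP-encapsulated RIP44 datagram as the FAQ describes.

Added example, not ampr-ripd or AMPRGW code. The password and all sample
entries are constructed placeholders.
"""
import hmac
import ipaddress
import struct

AMPRGW_OUTER_SRC = "169.228.34.84"   # outer source named in the FAQ
RIP44_INNER_SRC = "44.0.0.1"         # inner source named in the FAQ
RIP_MULTICAST = "224.0.0.9"          # inner destination named in the FAQ
RIP_PORT = 520
AMPRNET = (ipaddress.ip_network("44.0.0.0/9"), ipaddress.ip_network("44.128.0.0/10"))
PASSWORD = b"hypothetical"           # placeholder, not the real RIP44 password

# Constructed entries: (destination subnet, gateway, metric). Metric 16 is
# RIP's "unreachable"; 10.9.0.0/16 is outside AMPRNet. Both must be dropped.
SAMPLE_ENTRIES = [
    ("44.2.2.0/24", "192.0.2.1", 1),
    ("44.60.0.0/16", "198.51.100.7", 1),
    ("44.99.0.0/16", "198.51.100.8", 16),
    ("10.9.0.0/16", "198.51.100.9", 1),
]


def ip_checksum(header):
    """One's-complement checksum of an IPv4 header; 0 when an existing checksum is valid."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_rip44(entries, password=PASSWORD, outer_src=AMPRGW_OUTER_SRC, outer_dst="203.0.113.1"):
    """Construct the datagram AMPRGW would send to one gateway (test fixture only)."""
    rip = struct.pack("!BBH", 2, 2, 0)                                   # RIPv2 response
    rip += struct.pack("!HH16s", 0xFFFF, 2, password.ljust(16, b"\0"))  # auth entry
    for dst, gw, metric in entries:
        net = ipaddress.ip_network(dst)
        rip += struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                           net.netmask.packed, ipaddress.ip_address(gw).packed, metric)
    udp = struct.pack("!HHHH", RIP_PORT, RIP_PORT, 8 + len(rip), 0) + rip
    inner = ipv4_header(RIP44_INNER_SRC, RIP_MULTICAST, 17, len(udp)) + udp
    return ipv4_header(outer_src, outer_dst, 4, len(inner)) + inner


def parse_ipv4(buf):
    """Return (src, dst, protocol, payload) of an IPv4 packet, verifying the header checksum."""
    ihl = (buf[0] & 0x0F) * 4
    if buf[0] >> 4 != 4 or ihl < 20 or len(buf) < ihl or ip_checksum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", buf[2:4])[0]
    return ipaddress.ip_address(buf[12:16]), ipaddress.ip_address(buf[16:20]), buf[9], buf[ihl:total_len]


def parse_rip44(packet, password=PASSWORD):
    """Validate every layer the FAQ documents and return [(IPv4Network, gateway IPv4Address)]."""
    osrc, _odst, oproto, inner = parse_ipv4(packet)
    if oproto != 4 or osrc != ipaddress.ip_address(AMPRGW_OUTER_SRC):
        raise ValueError("not an IPIP packet from AMPRGW")
    isrc, idst, iproto, udp = parse_ipv4(inner)
    if iproto != 17 or isrc != ipaddress.ip_address(RIP44_INNER_SRC) or idst != ipaddress.ip_address(RIP_MULTICAST):
        raise ValueError("inner packet is not 44.0.0.1 -> 224.0.0.9 UDP")
    _sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    if dport != RIP_PORT or ulen != len(udp):
        raise ValueError("not a RIP datagram")
    rip = udp[8:]
    cmd, ver, _ = struct.unpack("!BBH", rip[:4])
    body = rip[4:]
    if cmd != 2 or ver != 2 or len(body) % 20 or len(body) < 20:
        raise ValueError("not a RIPv2 response")
    if struct.unpack("!HH", body[:4]) != (0xFFFF, 2) or not hmac.compare_digest(body[4:20].rstrip(b"\0"), password):
        raise ValueError("missing or wrong RIP authentication")
    routes = []
    for off in range(20, len(body), 20):
        afi, _tag, addr, mask, nh, metric = struct.unpack("!HH4s4s4sI", body[off:off + 20])
        mask_int = int.from_bytes(mask, "big")
        plen = bin(mask_int).count("1")
        if afi != 2 or metric >= 16 or mask_int != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
            continue  # unreachable, wrong family, or non-contiguous mask
        net = ipaddress.ip_network("%s/%d" % (ipaddress.ip_address(addr), plen), strict=False)
        gw = ipaddress.ip_address(nh)
        if any(net.subnet_of(b) for b in AMPRNET) and not any(gw in b for b in AMPRNET):
            routes.append((net, gw))
    return routes


def is_valid_rip44(packet, password=PASSWORD):
    try:
        parse_rip44(packet, password)
        return True
    except ValueError:
        return False


def sample_routes():
    return parse_rip44(build_rip44(SAMPLE_ENTRIES))
```

A receiver built this way only ever installs routes for 44net subnets whose next hop is a non-44 gateway, and it drops a datagram that arrives from the wrong outer source, lacks the expected inner addresses, or fails the password check, rather than trusting whatever reaches UDP port 520 on the tunnel.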
I rebooted my router and now I can't talk to the Internet, what's going on?
If AMPRGW detects errors when attempting to send traffic to a tunnel's configured gateway, it will automatically throttle traffic through that tunnel for approximately one hour. This is meant to prevent endlessly sending traffic to gateways that are no longer in service. An example of the sort of errors that will trigger this are ICMP Host Unreachable messages generated by an upstream provider, such as an ISP. Empirically, several users have observed that rebooting a gateway can pause traffic long enough for this to happen. However, traffic will start flowing again in an hour or so.
Can BGP, VPN, and IP tunnel hosts inter-communicate?
Yes. The AMPRNet gateway has been configured to support this functionality.
Can I put my tunnel on my home LAN and use NAT?
Yes. However, in general, a home modem using NAT won't be able to correctly process inbound tunneled 44-net traffic and forward it to the correct host - the "port forward" facility in most NAT devices relies on a port number, but there are no port numbers for a tunnel packet! However, most modems have a "DMZ" facility, whereby all unrecognized traffic (and this includes tunneled traffic) can be forwarded to one particular host on the LAN. That host can then be configured to recognize and correctly process tunneled data. However - security alert! - it will also be exposed to all sorts of other, unwanted traffic as well! See the Security section above.
Can I use an AMPRNet VPN on my home LAN?
Generally, yes. Most home modem/routers have good support for VPN usage, although you mustn't use it for general internet access as it is for amateur radio use only!
How can I get help with AMPRNet issues?
Many amateurs are willing to assist other hams. You can find some of them on the groups.io 44Net group here https://ardc.groups.io/g/44net
What about 44.128.0.0/16?
Subnet 44.128.0.0/16 is currently reserved for testing. No operational subnets are planned for this address space. Older documentation incorrectly referred to this block of addresses as "private", that is, unrouted like the 192.168.0.0/16 RFC1918 subnet. This is incorrect; the 44.128.0.0/16 subnet can be routed, but do not use it except for brief test purposes.
Credits
This FAQ was originally commenced by Steve VK5ASF, using material from earlier FAQs, from various contributors to the 44net mailing list, and from Brian Kantor.