FAQ

From 44Net Wiki
Revision as of 00:18, 18 October 2021

Frequently Asked Questions

What is AMPRNET?

AMPRNET stands for Amateur Radio Packet Radio Network. It is a collection of amateur radio-oriented computers, connected together via a variety of technologies, including radio, Internet, and ethernet. However, all of these computers have an IP address that begins with 44 (that is, IP addresses of the form 44.x.x.x). For this reason, AMPRnet can also be referred to as 44-net. Some further details can be found at https://en.wikipedia.org/wiki/AMPRNet and http://wiki.ampr.org/wiki/Main_Page

What is AMPRNET for?

The purpose of AMPRNET is to permit experimentation by amateurs in digital networking, and to provide computer services to other amateurs using AMPRNET.

What does it cost to use AMPRNET?

There is no cost for using any AMPRNET facilities, however there may be costs associated with Internet access to reach AMPRNET and/or amateur radio equipment costs.

How do I connect to AMPRNET?

There are four main methods people use:

a) IP Tunneling

b) VPN

c) BGP routing

d) Direct radio links.

Note: Functionally, a VPN and a tunnel do much the same thing, except a VPN is designed for privacy (i.e. strong authentication and encryption), while a tunnel is for the transfer of packets, not necessarily encrypted. However, in the AMPRNET world, they tend to get used quite separately and so are discussed separately in this FAQ.

What is IP Tunneling?

The information that traverses the Internet does so as "packets" of data, traveling over a variety of routes, between a source and a destination. Each packet contains a header, which tells all the devices along the route information such as the source and destination, plus the payload, which is the data to actually be transferred. Clearly, there must be a path all the way from the source to the destination, and back. AMPRNET consists of small, non-connected groups of computers, that would otherwise not be able to connect to one another. However, since internet devices along the route really don't care about the contents of the payload section, you can put a complete new packet into that section, including an entirely different header, and its own payload section. That second header has source and destination addresses completely different to the first header - all that is required is that the first destination recognises the encapsulated packet, de-encapsulates it, and forwards it to the second header destination. Return traffic follows a corresponding process. In that way, 44-net hosts can communicate with other 44-net hosts, by means of encapsulating their data packets in packets to non-44net hosts. This is called tunneling (or encapsulating). A later section in this FAQ discusses installing a tunnel. This diagram http://ericleahy.com/wp-content/uploads/2011/08/IP-Tunnel-Encp-300x256.jpg shows tunnelling another way. Tunneling is probably the most commonly used method of accessing AMPRNET.

How does AMPR over IP tunnel actually work?

AMPR nodes are actually not connected via a single tunnel but via a large mesh network of tunnels. Suppose user1 has public IP address 198.51.100.1 and user2 has 203.0.113.1. These two can normally communicate over the internet. However, if both users have a 44net IP address, user1 can encapsulate the 44-net packet into an outer packet and send it to 203.0.113.1. Similarly, user2 can encapsulate the IP packet with the 44net addresses and send it to 198.51.100.1. In Linux (and most other systems), this is accomplished using a single ipip device and adding a route using the "nexthop" statement. When a packet is pushed into the ipip device, the outer IP header is added and the packet is sent to the router named in the nexthop statement. A list of all AMPR users is required; this can be obtained either by downloading a simple text file and adding the routes manually, or by using RIP44, as discussed in a later FAQ section.


What is a VPN?

VPN stands for Virtual Private Network. It is a facility that enables a computer to act (using the Internet) as though it is physically connected to another computer network. There are many different ways to set up a VPN, so this is beyond the scope of this FAQ. However, it always involves configuring software and accounts on a computer to connect to the VPN server. Some amateurs who have connections to AMPRNET have set up VPN servers, so that other amateurs can achieve a "virtual" connection to AMPRNET. The technical details, account details and IP address details must be obtained from the operator of that VPN. One such VPN is listed at http://wiki.ampr.org/wiki/AMPRNet_VPN.


What is BGP Routing?

The Internet has millions of different computers connected to it, each having an address. Devices called routers deliver traffic between computers, and can send "advertisements" to other routers to tell those other routers about the locations of some of those addresses. The protocol used is called BGP, Border Gateway Protocol. If you are fortunate enough to have a computer that can send BGP advertisements, then you can advertise that your computer is part of the AMPRNET address range, and hence receive AMPRNET traffic.

Unfortunately, most companies and most commercial ISPs will not permit their users to originate BGP advertisements (especially for address ranges that are not in their usual address range), so BGP is not a viable means to connect to AMPRNET for most people.

Installing BGP is beyond the scope of this FAQ. Note however that you must have written permission from Brian Kantor, the administrator of the 44 address space, before you BGP advertise any part of that space.

What about radio links?

In many places, groups of amateurs have established networks of radio links, and often have used one of the preceding approaches so that those radio networks connect to and become part of AMPRNET. You would need to contact those groups regarding frequencies, modes, and address allocations.

Do I need to consider security?

Yes! Any computer connected to the Internet must be configured and maintained in a secure fashion, and this includes any computer connected to AMPRNET (regardless of the connection technique). Repeat - you MUST secure your computer! This includes using firewalls, keeping software up to date, using strong passwords, etc. In some cases, encryption may also be used.

How to maintain security is beyond the scope of this FAQ. Searching for "How to secure my computer" will return many, many hits though!

How do I get an address allocation?

If you connect to an existing VPN or existing radio network, it is likely that the operators of those facilities will already have address ranges established and will allocate your address(es). If you wish to establish a new tunnel or BGP-based link, then the process is handled by a semi-automated process on our portal. The steps are:

   1. Register using your callsign on the portal https://portal.ampr.org
   2. Log in and navigate to the Networks page.
   3. Click on your country. A list of regions/subnets may appear; if so, click on the appropriate one.
   4. Click on the subnet and you'll be presented with a simple form to complete.
   5. If you are requesting a single address for a host, leave the netmask as /32.
   6. If you are requesting a block/subnet, select the appropriate netwidth. E.g. for a 256 host subnet, select /24.
   7. Put a short message explaining your request in the Message area of the form. Be sure to indicate if you are planning to directly route a subnet, as these require special handling.
   8. Click Send. Your request will be forwarded to the coordinator for your region/subnet. You'll receive a confirming email. The coordinator may contact you for further details if required.

Can I have a domain name entry for my AMPRNET host?

Yes. Currently domain name requests are handled by the area coordinators - contact details are on the portal. Note: the old email robot facility no longer functions.

What about IPv6?

There is no IPv6 equivalent of AMPRNET at present.

How do I configure a Tunnel?

The technique varies according to the Operating System you use. However, all involve the creation of a new "pseudo" interface - unlike your normal ethernet network connection, this one doesn't actually exist on the back panel of your computer. However, it exists as far as the Operating System is concerned. A normal ethernet device accepts a data packet (consisting of a header and payload, as previously discussed) and sends it out the ethernet cable (often via a modem, to the Internet). A "pseudo" interface however accepts a data packet, encapsulates it in the data portion of a new packet, adds a new and different header, and passes all that to the ethernet device, which then processes this new data packet as normal, sending it to a recipient who will de-encapsulate it. Reception of tunneled traffic is the reverse process.


Consequently, two requirements apply:

a) The computer must have full connectivity to the non-44 hosts that will send or receive the tunneled packets containing 44-net traffic. You cannot route ALL traffic to the pseudo interface!

b) The pseudo driver must have a mechanism to tell it which non-44 net hosts can handle particular subsets of 44-net traffic - very few can handle the entire 44-net range! It should be noted that the information changes quite frequently, as tunnel hosts come and go, so must be updated as described below.

http://wiki.ampr.org/wiki/Main_Page has links to several different ways of configuring tunnels.

How do I obtain and maintain a list of tunnel hosts?

There are three main mechanisms:

a) log on to the portal (as described above) and navigate to the "Gateways/List" section that permits downloading of the "encap" file. Download that file, and use a script on the computer to turn it into commands that update the configuration of the tunnel device.

b) receive the encap file by mail, and use a script to process it. You can register for this email on the portal "Gateways/Options" page.

c) Receive and process "broadcasts" of configuration data that are available. This information is broadcast to all gateways listed on the portal. There is a software package called "ampr-ripd" that enables this process.
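The following is an added example of the "script on the computer" that mechanisms a) and b) refer to; it is not a script from the 44net project or the portal. It reads an encap file, keeps only entries that make sense for the nexthop-style ipip mesh described under "How does AMPR over IP tunnel actually work?", and prints the ip(8) route commands rather than running them, so the result can be inspected first. The encap line layout ("route addprivate <44-subnet> encap <gateway public IP>"), the use of the kernel's default tunl0 ipip device, and the sample file contents are all assumptions constructed for this example. It also refuses a line that would send the whole of 44/8 to one peer, which the FAQ explains cannot work, and skips entries that point at your own public address, since your own subnets are routed locally.

```python
"""Turn an AMPRNet encap file into Linux ipip route commands (added example, not a 44net project script)."""
import ipaddress
import re

AMPR_BLOCK = ipaddress.ip_network("44.0.0.0/8")
TUNNEL_DEV = "tunl0"  # assumption: the kernel ipip module is loaded, which creates tunl0

# Constructed sample in the encap file layout assumed here:
# "route addprivate <44-subnet> encap <gateway public IP>", '#' begins a comment.
SAMPLE_ENCAP = """\
# constructed sample, not real portal data
route addprivate 44.2.2.0/24 encap 203.0.113.1
route addprivate 44.2.3.0/24 encap 203.0.113.1
route addprivate 44.128.5.0/24 encap 198.51.100.1
route addprivate 44.2.2.0/24 encap 203.0.113.1
route addprivate 10.1.1.0/24 encap 192.0.2.9
route addprivate 44.0.0.0/8 encap 192.0.2.10
this line is garbage
"""

LINE_RE = re.compile(r"^route\s+addprivate\s+(\S+)\s+encap\s+(\S+)$")


def parse_encap(text, my_public_ip):
    """Return ({subnet: gateway} as strings, [(line, reason)] for rejected lines)."""
    me = ipaddress.ip_address(my_public_ip)
    routes, rejected = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append((raw, "unparseable line"))
            continue
        try:
            subnet = ipaddress.ip_network(m.group(1))   # strict: host bits must be zero
            gateway = ipaddress.ip_address(m.group(2))
        except ValueError as exc:
            rejected.append((raw, f"bad address: {exc}"))
            continue
        if not subnet.subnet_of(AMPR_BLOCK):
            rejected.append((raw, "destination is not in 44.0.0.0/8"))
            continue
        if subnet == AMPR_BLOCK:
            rejected.append((raw, "no single peer carries all of 44-net"))
            continue
        if gateway == me:
            continue  # our own gateway's entry: local subnets are routed directly, not tunneled
        key = str(subnet)
        if key in routes and routes[key] != str(gateway):
            rejected.append((raw, f"conflicts with earlier gateway {routes[key]}"))
            continue
        routes[key] = str(gateway)
    return routes, rejected


def route_commands(routes, dev=TUNNEL_DEV):
    """Idempotent ip(8) commands; 'onlink' lets a peer be used as next hop over the ipip device."""
    cmds = [f"ip link set {dev} up"]
    for subnet in sorted(routes, key=ipaddress.ip_network):
        cmds.append(f"ip route replace {subnet} via {routes[subnet]} dev {dev} onlink")
    return cmds


if __name__ == "__main__":
    routes, rejected = parse_encap(SAMPLE_ENCAP, "198.51.100.1")
    print("\n".join(route_commands(routes)))  # pipe into sh only after reviewing the output
    for line, why in rejected:
        print(f"# skipped {line!r}: {why}")
```

Because the file changes as gateways come and go, run this on each new copy and use `ip route replace` (as above) so that re-running it is harmless; routes for gateways that have disappeared still need to be removed separately.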

Can I just route all 44net traffic via a single tunnel?

No. The main AMPRNET gateway does not provide this functionality - you must have a tunnel to each system you wish to contact.


What is the AmprGW?

The AmprGW is a server run by Brian Kantor at UCSD as part of a long-running Internet research project. It has a number of functions:

a) It provides a selective gateway between non-AMPRNet internet devices and the IPIP (mesh) AMPRNet. For this traffic, it filters at the per-host(/32) level. Each host which is to receive traffic from the Internet into AMPRNet must individually be listed in the permissions file, which is built from the AMPR.ORG DNS 'A' records. If there is no DNS A record for a tunneled amprnet destination host, the traffic is not forwarded in either direction. Therefore, if you want hosts on your subnet to be able to communicate with the Internet, you will need to have your local coordinator add them to the AMPR.ORG DNS for you.

b) It forwards traffic between Internet hosts (including those AMPRNet that are directly connected to the Internet [BGP-routed]) and IPIP tunneled AMPRNet hosts. Some "validity" filtering is applied during this process - traffic which is invalid or mis-configured will be dropped. Note: AmprGW does NOT forward between different IPIP tunneled AMPRNet hosts. That is why you cannot have just a single IPIP tunnel for all of AMPRNet. Thus the tunneled AMPRNet as a whole forms a fully-connected mesh, not a 'star' configuration.

c) AmprGW originates RIP44 broadcasts containing routing information about gateways and the AMPRNet subnets they service. The RIP44 transmissions are sent as IPIP encapsulated UDP packets for port 520 from 169.228.34.84 and sent individually to the commercial (external) address of every gateway. The packets have an inner source address of 44.0.0.1 and an inner destination of 224.0.0.9, the RIP multicast address. They are IPIP encapsulated packets, so without de-encapsulating them, the RIP is not visible to conventional routing software. Specialized software such as 'ampr-ripd' may be employed to make use of the RIP44 broadcasts, to set up AMPRNET routes.
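As an added example (not ampr-ripd and not code from AmprGW), the Python below shows why conventional routing software cannot see RIP44 and what a receiver has to check before trusting it: it builds a constructed RIP44 announcement with exactly the layering the FAQ describes (outer IPIP from 169.228.34.84 to a gateway, inner 44.0.0.1 to 224.0.0.9, UDP port 520, RIPv2 response), then peels the layers and refuses the packet unless every layer matches. The route entries, the gateway address 198.51.100.1 and the route tag of 0 are constructed values; IP and UDP checksums are left at zero and not verified, which a production receiver should not do.

```python
"""Decode and sanity-check an AmprGW RIP44 announcement (added example, not ampr-ripd)."""
import ipaddress
import struct

RIP44_OUTER_SRC = "169.228.34.84"  # AmprGW's outer (Internet) source address, per the FAQ
RIP44_INNER_SRC = "44.0.0.1"
RIP_MCAST = "224.0.0.9"
RIP_PORT = 520
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
RIP_ENTRY = "!HH4s4s4sI"    # address family, route tag, address, netmask, next hop, metric


def _ipv4_header(src, dst, proto, payload_len):
    # Checksum field left at zero: this example exercises layering, not checksum arithmetic.
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def build_rip44(entries, gateway_ip, outer_src=RIP44_OUTER_SRC):
    """Constructed test traffic: IPIP( IPv4 44.0.0.1->224.0.0.9 / UDP 520 / RIPv2 response )."""
    rip = struct.pack("!BBH", 2, 2, 0)  # command 2 = response, version 2, two zero bytes
    for prefix, nexthop, metric in entries:
        net = ipaddress.ip_network(prefix)
        rip += struct.pack(RIP_ENTRY, 2, 0, net.network_address.packed, net.netmask.packed,
                           ipaddress.ip_address(nexthop).packed, metric)
    udp = struct.pack("!HHHH", RIP_PORT, RIP_PORT, 8 + len(rip), 0) + rip
    inner = _ipv4_header(RIP44_INNER_SRC, RIP_MCAST, 17, len(udp)) + udp   # 17 = UDP
    return _ipv4_header(outer_src, gateway_ip, 4, len(inner)) + inner       # 4 = IPIP


def _parse_ipv4(buf, off):
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from(IPV4_HDR, buf, off)
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    return proto, str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), off + (vihl & 0xF) * 4


def decode_rip44(pkt):
    """Peel IPIP -> IPv4 -> UDP -> RIPv2; raise ValueError unless every layer matches RIP44."""
    proto, src, dst, off = _parse_ipv4(pkt, 0)
    if proto != 4:
        raise ValueError(f"outer protocol {proto} is not IPIP")
    if src != RIP44_OUTER_SRC:
        raise ValueError(f"outer source {src} is not AmprGW")
    proto, src, dst, off = _parse_ipv4(pkt, off)
    if (proto, src, dst) != (17, RIP44_INNER_SRC, RIP_MCAST):
        raise ValueError(f"inner packet {src}->{dst} proto {proto} is not RIP44")
    _, dport, _, _ = struct.unpack_from("!HHHH", pkt, off)
    if dport != RIP_PORT:
        raise ValueError(f"UDP port {dport} is not RIP")
    off += 8
    cmd, ver, _ = struct.unpack_from("!BBH", pkt, off)
    if (cmd, ver) != (2, 2):
        raise ValueError("not a RIPv2 response")
    off += 4
    routes = []
    while off + 20 <= len(pkt):
        family, _, addr, mask, nexthop, metric = struct.unpack_from(RIP_ENTRY, pkt, off)
        off += 20
        if family == 0xFFFF:  # RIPv2 authentication entry: not interpreted in this example
            continue
        if family != 2:
            raise ValueError(f"unexpected address family {family}")
        if metric >= 16:      # RIP 'infinity' marks a withdrawal, not a route to install
            continue
        net = ipaddress.ip_network(f"{ipaddress.ip_address(addr)}/{ipaddress.ip_address(mask)}")
        routes.append((str(net), str(ipaddress.ip_address(nexthop))))
    return routes


def validate_rip44(pkt):
    """(True, routes) for an acceptable RIP44 announcement, otherwise (False, reason)."""
    try:
        return True, decode_rip44(pkt)
    except (ValueError, struct.error) as exc:
        return False, str(exc)


if __name__ == "__main__":
    entries = [("44.2.2.0/24", "203.0.113.1", 1)]
    print(validate_rip44(build_rip44(entries, "198.51.100.1")))
    print(validate_rip44(build_rip44(entries, "198.51.100.1", outer_src="192.0.2.1")))
```

The outer-source check is the important one for a gateway operator: anything that can reach your public address can send IPIP packets, so routing updates should only be accepted from the announced AmprGW address (and, where configured, with the RIPv2 authentication entry checked, which this example only skips over).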


Can BGP, VPN and IP tunnel hosts inter-communicate?

Yes. The AMPRNET gateway has been configured to support this functionality.

Can I put my tunnel on my home LAN and use NAT?

Yes. However, in general, a home modem using NAT won't be able to correctly process inbound tunneled 44-net traffic and forward it to the correct host - the "port forward" facility in most NAT devices relies on a port number, but there are no port numbers for a tunnel packet! However, most modems have a "DMZ" facility, whereby all unrecognised traffic (and this includes tunneled traffic) can be forwarded to one particular host on the LAN. That host can then be configured to recognise and correctly process tunneled data. However - security alert! - it will also be exposed to all sorts of other, unwanted traffic as well! See the Security section above.

Can I use an AMPRNET VPN on my home LAN?

Generally, yes. Most home modem/routers have good support for VPN usage.

How can I get help with AMPRNET issues?

Many amateurs are willing to assist other hams. There is also a very active mailing list - see http://mailman.ampr.org/mailman/listinfo/44net. The wiki at http://wiki.ampr.org/ has a great deal of information.

What about 44.128.0.0/16?

Subnet 44.128.0.0/16 is currently reserved for testing. No operational subnets are planned for this address space. Older documentation incorrectly referred to this block of addresses as "private", that is, unrouted like the 192.168.0.0/16 RFC1918 subnet. This is incorrect; the 44.128.0.0/16 subnet can be routed. Do not use it except for brief test purposes.

Credits

This FAQ was originally started by Steve VK5ASF, using material from earlier FAQs, from various contributors to the 44net mailing list, and from Brian Kantor.