AMPRNet – Lessons learned, things to consider
1. Don’t rely upon 44 Net/AMPRNet for connectivity. It’s no substitute for building out your local RF links or at least independent internet links. It’s simply too unpredictable long term and a major SPF (Single Point of Failure). If you want to experiment with 44 Net that’s fine, just remember to keep it at that. Use of 44 Net for EMCOMM is a bad idea for many reasons, several of which should be obvious to anyone with an IT security background.
2. I know a lot of the old hats like to use the 44.x.x.x AMPRNet IPs on the RF side of packet radio even when there’s really no need for it. Often TCP/IP is deployed on RF just so folks can say they are doing TCP/IP over RF, without a good reason to be adding that additional payload and administrative overhead to the RF side of things. No, I’m not saying TCP/IP doesn’t have any place on RF, but often it’s deployed everywhere on RF when there is no real need for it.
3. Many of the state/region subnets taken from 44.x.x.x AMPRNet address space are mismanaged or basically in a free for all status.
4. I’ve personally dealt with some AMPRNet coordinators that clearly had no clue about TCP/IP fundamentals like subnets and so forth. This has likely “scared” off more than a few talented, TCP/IP-savvy folks from even bothering with 44 Net in their areas.
5. I don’t think there is any frequent verification of the ampr.org address space to verify what is actually on the air/net and where it is.
6. This will raise the hackles of many, but I just don’t see much need for AMPRNet (44 Net) anymore. In the 1990s it was a viable idea, but not nearly so much today. This is due to a variety of reasons:
a. Security-mandated changes to the routing infrastructure of the public internet make widespread and straightforward deployment of 44.x.x.x addresses challenging at best.
b. With the proliferation of cheap (relatively) broadband access in most areas, the rules and options for internet access have changed drastically since the 1990s. Stop and think about this. It’s amazing how far consumer internet access has come in a decade or so.
c. In most areas getting a static “public” IP address on a consumer broadband connection is no big deal anymore. All three providers in my area offer it for just a few bucks ($5-6) more a month.
d. For those that can’t get a static IP address, Dynamic DNS (DDNS) services are available for costs ranging from free to a few bucks a year.
e. Powerful DNS systems are available to us now. For costs ranging from $15-$50 a year you can have access to first class, highly distributed, fault tolerant DNS services that were only a wild dream a decade ago. Many of these come with DDNS as part of the package, sweet!
f. In many cases (if not most) there is little reason why TCP/IP packet networks can’t be built around the 10.0.0.0 /8, 172.16.0.0 /12, and 192.168.0.0 /16 private IP netblocks. Public internet access from these address spaces can be done via NAT and well controlled by local folks that probably know best regarding what their particular area’s needs are. The fact that these 3 private netblocks are not public internet routable may often be more beneficial than restrictive for what hams are doing. That said, I really don’t suggest building ham radio IP networks for EMCOMM anymore. If it’s only tinkering and non-EMCOMM use….then go for it.
g. Private VPNs could be used for cases where more “open” links between gateways are needed. Yeah, encryption adds some overhead to things, but I don’t think you’ll find too many cases where RF networks are going to be faster than the slowest broadband-based VPN link will be! The encrypted tunnels will also add some security to protocols that normally don’t have much security to them. For example, think POP3/SMTP/Telnet transactions where passwords are sent in the clear.
SMTP-AUTH for above. POP & Telnet security issues should be obvious.
h. The 10.0.0.0 /8 netblock is just as big as 44.0.0.0 /8 is, both are Class A netblocks. Yeah, you still would want some rhyme, reason, controls, and tracking of what is being used where.
i. The evolution of the “bad stuff” on the public internet shows no sign of slowing down. DDoS, aggressive netblock scans, and other evil/silliness will only continue to plague any public internet facing 44 Net gateway like mirrorshades.
j. mirrorshades.ampr.org is located at the University of California San Diego campus (UCSD). With the uncertain and worsening fiscal situation that California faces now, deep state budget cuts have occurred and more cuts are inevitable. Since mirrorshades.ampr.org has had a free ride for many years now, it’s reasonable to have some concern over its future out there in a state university.
k. Hopefully nothing ever does, but what happens if something unexpected happens with Brian Kantor? As the N1URO situation should teach us, such key wide area impacting infrastructure run/provided by a single person creates a big risk of SPF (Single Point of Failure).
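Items f and h call for private netblocks with some tracking of what is being used where. The sketch below is an added example, not part of the original post: it audits a small allocation registry for entries outside the three private blocks and for overlapping assignments. The site names and subnets in `REGISTRY` are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# The three private netblocks named in item f.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample registry: site name -> assigned subnet (hypothetical).
REGISTRY = {
    "county-a-backbone": "10.20.0.0/16",
    "county-a-hilltop":  "10.20.4.0/24",   # falls inside the backbone entry
    "county-b-gateway":  "172.16.8.0/22",
    "club-lan":          "192.168.50.0/24",
    "legacy-rf-port":    "44.100.1.0/24",  # not private address space
}

def audit(registry):
    """Return (not_private, overlaps) for a name -> CIDR mapping."""
    # strict=True rejects entries with host bits set (e.g. 10.20.4.1/24).
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in registry.items()}
    # Entries that are not contained in any of the three private blocks.
    not_private = sorted(
        name for name, net in nets.items()
        if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS))
    # Every pair of entries whose address ranges intersect.
    overlaps = sorted(
        (a, b) for (a, na), (b, nb) in combinations(sorted(nets.items()), 2)
        if na.overlaps(nb))
    return not_private, overlaps

def same_size(a, b):
    """True when two netblocks hold the same number of addresses (item h)."""
    return (ipaddress.ip_network(a).num_addresses
            == ipaddress.ip_network(b).num_addresses)

if __name__ == "__main__":
    not_private, overlaps = audit(REGISTRY)
    print("outside private space:", not_private)
    print("overlapping assignments:", overlaps)
    print("10/8 same size as 44/8:", same_size("10.0.0.0/8", "44.0.0.0/8"))
```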
So outside of pure experimentation, I just can’t see much advantage to using 44 Net AMPRnet addresses in today’s world of packet radio. All you’re doing is adding another layer of potential failure and administration on top of an existing internet connection. Why do it twice? But that’s just my opinion.