[aprssig] Precedence Bit and IP Encapsulation

Iain R. Learmonth irl at hambsd.org
Tue May 19 16:16:31 EDT 2020


Hi Jason,

On 19/05/2020 21:08, Jason KG4WSV wrote:
> If you're talking about putting this protocol on "_the_ Internet" be
> advised the packet will probably get dropped at the first firewall it
> gets to. Firewalls generally whitelist known and accepted protocols and
> drop everything else. We're at the point where ICMP gets dropped in
> many places, and that's well known and quite useful.

Aha! I actually spent many years of my life on this problem, and even
produced a whole framework for quantifying the problem to be able to
argue with real data.

https://pathspider.net/pathspider-anrw2016.pdf

I'm pleased to say that for the most part, the core of the Internet will
not drop things. You're most likely to find problems in the network
closest to you (or to the other end), and that's also the network that
you're going to have a relationship with and might be able to get fixed.

The draft strongly recommends the use of IPSec ESP (albeit with NULL
encryption, to permit transmission via amateur radio links). This means
that firewalls will not see protocol 93, but instead will see protocol
50 for IPSec ESP.

IPSec VPNs are common in enterprise environments and generally can
travel across the Internet, including in residential ISPs. In the event
that you can't get IPSec through, there is a mode for UDP encapsulation
of IPSec which would permit using protocol 93 encapsulation, and
delegating the UDP stuff to the IPSec layer.

> Of course, if we're talking about a local / isolated network that may not
> be an issue.

Right, and I want to cover both use cases, and other use cases I did not
think of.

Thanks,
Iain.

--
https://hambsd.org/
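
The three cases discussed in the message above (bare protocol 93, protocol 93 inside ESP with NULL encryption, and the same ESP packet inside UDP), shown as what a firewall would match on. This is an added example, not part of the original post and not code from the draft or from PathSpider. Assumptions: the integrity algorithm is HMAC-SHA-256 truncated to 16 bytes, UDP encapsulation uses port 4500, and the addresses, SPI, key and payload are constructed.

```python
import hashlib, hmac, struct

ESP, UDP, INNER = 50, 17, 93   # 93 is the protocol number named in the post
NATT_PORT = 4500               # assumption: UDP encapsulation of ESP on port 4500
ICV_LEN = 16                   # assumption: HMAC-SHA-256 truncated to 128 bits

def esp_null(spi, seq, payload, next_header, key):
    """ESP with NULL encryption: payload stays readable, the ICV authenticates it."""
    pad_len = -(len(payload) + 2) % 4          # trailer must end on a 4-byte boundary
    body = (struct.pack("!II", spi, seq) + payload +
            bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

def ipv4(proto, data, src=b"\xc0\x00\x02\x01", dst=b"\xc6\x33\x64\x02"):
    """Minimal IPv4 header, checksum left zero, documentation addresses."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0,
                       64, proto, 0, src, dst) + data

def udp(sport, dport, data):
    """UDP header with zero checksum."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(packet, key=None):
    """Return (what a firewall matches on, inner next header, ICV valid or None)."""
    ihl, total = (packet[0] & 0x0F) * 4, struct.unpack("!H", packet[2:4])[0]
    proto, data = packet[9], packet[ihl:total]
    seen = f"ip-proto-{proto}"
    if proto == UDP:
        sport, dport = struct.unpack("!HH", data[:4])
        seen = f"udp-{dport}"
        if NATT_PORT not in (sport, dport) or data[8:12] == b"\0\0\0\0":
            return seen, None, None            # zero marker means IKE, not ESP
        data = data[8:]
    elif proto != ESP:
        return seen, None, None
    # Only valid under the ESP-NULL and ICV_LEN assumptions stated above.
    body, icv = data[:-ICV_LEN], data[-ICV_LEN:]
    ok = None if key is None else hmac.compare_digest(
        icv, hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN])
    return seen, body[-1], ok

if __name__ == "__main__":
    key, frame = b"k" * 32, b"constructed frame"   # constructed sample values
    esp = esp_null(0x1000, 1, frame, INNER, key)
    for pkt in (ipv4(INNER, frame), ipv4(ESP, esp),
                ipv4(UDP, udp(NATT_PORT, NATT_PORT, esp))):
        print(classify(pkt, key))
```

A device on the path without the key still reads the inner next header only by assuming NULL encryption and the ICV length; the outer protocol field or UDP port is all it can match on reliably.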
