Internet Tunnels

Internet Tunnels are a way to connect two or more disjointed network segments together through the Internet. Essentially, what is done is to set up a tunnel gateway on each segment and have them take packets which are destined for a different segment, “wrap” each packet into an enclosing packet, send that across the Internet, and “unwrap” the inner packet, restoring it to its pre-transport shape but now on another segment of the network. No changes are made to the inner packet; it is simply “encapsulated” and “decapsulated” one or more times on its journey from initial source to final destination.

This is very much like what would happen if someone were to take a postcard and instead of mailing it directly, put it in an envelope, mail it part way to its destination, where someone would open the envelope, extract the postcard, and put it back into the mail to be delivered.

IPIP encapsulation is the process of doing this by enclosing the packet to be sent in a simple IP datagram without any additional headers or other protocol overhead. An IP datagram carrying an encapsulated packet in this manner is identified by its “protocol id” field being set to the value 4 (whereas if it were carrying TCP, the value would be 6, or for UDP, 17).

This encap/decap process can be carried out by software running on an ordinary computer, or by dedicated hardware, or as a feature of commercial router products. Perhaps the earliest common program to do this was the KA9Q NOS package created by Phil Karn, KA9Q, for the early IBM PC and other hobby computers. Later, IPIP encapsulation became a native mode in the Linux and BSD Unix operating systems, and later still, in commercial router products such as those by Cisco and Mikrotik.

The AMPRNet Tunnel Mesh

Because there aren’t a lot of ham radio operators experimenting with the AMPRNet, subnets are often sparse and far apart. To connect them together, a system of IPIP Tunnels was developed where each subnet has a “gateway” router on it which has tunnels to all other AMPRNet subnets. This forms a mesh through which any AMPRNet host can reach or connect to any other AMPRNet host. Because there is no central connection point, there is no central single point of failure.

AMPRGW

However, because the directly-connected (BGP) AMPRNet hosts generally don’t participate in the tunnel mesh, and of course non-AMPRNet hosts don’t either, a gateway between the tunnel mesh and the main Internet was needed. Through a no-cost cooperative arrangement courtesy of the CAIDA network research group at the University of California, San Diego [UCSD] and ARDC, a low-bandwidth gateway exists that performs this function. AMPRGW, as it’s known, is a small dedicated computer running custom-written software on the FreeBSD operating system. It forwards packets between the Internet and the AMPRNet, while the CAIDA scientists analyze the traffic being received for the many many AMPRNet addresses which are not in use. This so-called background radiation has yielded invaluable data with great value to the computer and network security community. See The UCSD Network Telescope for more information on this project.