[120625] in North American Network Operators' Group


Re: ip-precedence for management traffic

daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Dec 29 12:21:01 2009

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <81D582C724CA1046A279A7EE1299638B02AC1A9A@FHDP1LUMXCV24.us.one.verizon.com>
Date: Tue, 29 Dec 2009 12:19:32 -0500
To: "Sachs, Marcus Hans (Marc)" <marcus.sachs@verizon.com>
Cc: NANOG list <nanog@nanog.org>, Joe Greco <jgreco@ns.sol.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Dec 29, 2009, at 11:43 AM, Sachs, Marcus Hans (Marc) wrote:

> Yes, taking away the mechanisms will result in a "castrated" Internet
> experience for the clueful ones which is why I don't think this can be a
> one-size-fits-all model like the hotels try to do.  Imagine a
> residential ISP that offers castration at a lower price point than what
> is currently charged for monthly "raw" access.  I think that many
> consumers would opt for that choice, while those who need access to
> everything would continue to pay the same rate.  The price drop would be
> the incentive to get castrated, and what you give up would be access to
> things you likely don't use anyway.  This castration process would be a
> big help to spam-blocking, evilware-blocking, ddos-blocking, etc. in
> addition to mitigating attacks against the mechanisms from hijacked
> residential computers.

I think there are a few challenges here.  What you are describing is a
castrated/walled-garden internet.  The technical nuances are lost on the
average person.  The same way that cybersecurity month, or others are
lost on the average user.  All they care about is the recent panic for
the day.

I find it impossible to deal with some vendors that are stuck with their
lock-in models.  The way that the majority of $major_networks is managed
is in a method that is not always congruent with their visions.

This is true from their ideas on how to manage devices (Hey, everyone
sits at a corp controlled windows machine behind a firewall so you can
keep the *exact* version of java installed, right?)

How does one reach the OOB network when you are not in the office?  How
do these "SCADA" for the "internet" networks get reached?  Some people
have implemented DSL or other vpn methods to reach their oob devices.
Others use POTS.  As others mentioned here the POTS over "NGN" (what
marketing crap is that) may have fate sharing properties that are
problematic.  What if the vendor is horrible and you actually "need"
console/video to run their win32 crapware to manage the devices?
(Netgear comes to mind, can't upgrade my snmp capable switch at home
without booting windoze so it can tftp).

The inband management is a direct result of needing a good method to tie
the link failure directly into the control plane of the devices.  Sure,
we could do the DLCI/pvc/DS1 in parallel to each 10G/40G circuit
installed, but is that cost-effective?  Does it introduce more pain vs
less?  The average neteng clearly can't configure their devices
correctly; while the additional complexity may provide some networks
benefits, this does not reduce the systemic risk created by nobody
implementing BCPs like simple route filtering.

I've watched BCPs be diluted at various companies due to market
pressures.  $major_provider did not require me to register my routes,
why should I have to do that in order to give you $X MRC for the next
12-24-36 months?

I was asked recently by someone that operates a small wireless ISP what
the deal was with this "Internet2" thing and how was it supposed to
interact, etc.  Honestly, I wish we could have a "better" network.  One
where we have mutually agreed "I will filter my customers if you do".
I've not seen many people step up to improve the systems.  It's the same
small set of people that are trying to make things better.

Apparently I forgot the <rant> tag, but really, if you have sane CoPP
policies, you are mostly protected.  If the vendor does not provide this
capability, please STOP BUYING THEIR CRAP.

</rant>

- Jared

