ip-precedence for management traffic

Tomas L. Byrnes tomb at byrneit.net
Tue Dec 29 17:29:24 UTC 2009


I actually proposed this (bounced it off Paul Mockapetris and Dave
Roberts at the time), and we did it for our internal routing in the
co-lo/hosted apps, when I was CTO at American Digital Network
(1996-1998). Basically, SNMP and our IGPs as well as IBGP rode a totally
private RFC 1918 network that had higher priority at layer 2 if it was
on the same physical (always a different VC) circuit. For Ethernet, we
used a separate layer 2 network for this internally. If we exposed any
IGPs to clients, it was on a per link basis. We also had a hosted
firewall service that was provisioned on a per-Radius profile for ISDN
clients where the "routing" was handled by some layer 2 tricks in ATM
before the arrival of MPLS. We were working on some tests with peers and
subscribers when the FirstWorld merger came along, and the rest is
history.

To answer Steve's questions:

1: Where you can have a different circuit (physical or virtual ) for the
mgt/routing traffic, you provision the traffic ONLY on those links (and
filter it on all others), and only to peers who speak that particular
protocol. Give those VCs highest priority.

2: Where 1 is not possible, use a local-only network, preferably IPV6,
for the mgt/routing, and set priority to highest for that source/dest
net.

This could be provisioned even for those end users who DO need to
sprecken BGP, and who do not have separate (virtual) circuits for
management.



> -----Original Message-----
> From: Sachs, Marcus Hans (Marc) [mailto:marcus.sachs at verizon.com]
> Sent: Tuesday, December 29, 2009 7:22 AM
> To: Steven Bellovin
> Cc: NANOG list
> Subject: RE: ip-precedence for management traffic
> 
> Nope, not joking.  Quite serious about this.
> 
> Glad we agree about the residential customers.  Perhaps that's the
> first place to start and could generate some interesting lessons.
> 
> Properly dual-homed customers are what I'd lump into the "clueful"
> category so they are not the ones I'm talking about.  Just the basic
> customers who have no Earthly idea how all of this magic comes
> together, and who really don't care or have a need to know.
> 
> New applications, by the way, should not be a problem if they are
> allowed to adapt to a new networking model.  Innovation flourishes
when
> the status quo changes.
> 
> (I see that Chris Morrow just posted some supportive comments.  Thanks
> Chris!)
> 
> Marc
> 
> 
> -----Original Message-----
> From: Steven Bellovin [mailto:smb at cs.columbia.edu]
> Sent: Tuesday, December 29, 2009 10:09 AM
> To: Sachs, Marcus Hans (Marc)
> Cc: NANOG list
> Subject: Re: ip-precedence for management traffic
> 
> 
> On Dec 29, 2009, at 9:29 AM, Sachs, Marcus Hans (Marc) wrote:
> 
> > Totally out of the box, but here goes:  why don't we run the entire
> Internet management plane "out of band" so that customers have minimal
> ability to interact with routing updates, layer 3/4 protocols, DNS,
> etc.?  I don't mean 100% exclusion for all customers, but for the
> average Joe-customer (residential, business, etc., not the researcher,
> network operator, or clueful content provider) do they really need to
> have full access to the Internet mechanisms (routing, naming,
> numbering, etc.)?
> >
> > We already provide lots of proxy services for end users, so why not
> finish the job and move all of the management mechanisms out of plain
> sight?
> 
> I hope you're joking.  If not, I have two questions: how can this be
> done, and what will the side-effects be?
> 
> Take BGP, for example.  The average residential consumer doesn't need
> BGP, doesn't speak it, and has no real ability to interfere with it,
so
> there's no problem.  But a multihomed customer *must* speak it.
> Perhaps you could assert that their ISPs should announce it -- but why
> trust random ISPs?  Is that ISP 12 hops away from you trustworthy, or
a
> front for the Elbonian Business Network?
> 
> As for side-effects -- how can you proxy everything?  Do you know
every
> application your customers are running?  Must someone who invents a
new
> app first develop a proxy and persuade every ISP that it's safe,
> secure, high-enough performance, and worth their while to run?  It's
> worth remembering that most of the innovative applications have come
> from folks whom no one had ever heard of.
> 
> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb
> 
> 
> 
> 
> 





More information about the NANOG mailing list