Proper authentication model

Hannigan, Martin hannigan at verisign.com
Thu Jan 13 03:44:40 UTC 2005



Think methodology, as least amount of failure points, less capex, to protect
the SLA, real or imagined.

Bellcore/Telcordia guidelines for RBOC COs are very suitable for
datacenters/colo.
Hybrids.

---
Martin Hannigan
hannigan at verisign.com
Verisign, Inc.


-----Original Message-----
From: owner-nanog at merit.edu <owner-nanog at merit.edu>
To: erik at office.is.nl <erik at office.is.nl>
CC: NANOG list <nanog at merit.edu>
Sent: Wed Jan 12 14:35:21 2005
Subject: RE: Proper authentication model


On Wed, 12 Jan 2005, Hannigan, Martin wrote:

> Out of band management isn't telnetting from your desktop to
> the serial port.
>
> Mgmt and surveillance is the Bellcore standard for out of band.
> It means your M/S is not riding your customer or public networks, and
> it's physically separate. Yes, this is the cadillac method, but the
> only way to support five nines IMHO.
>
> If you have 3 sites and they're interconnected via an OC3
> and the internet, you would also have 2 frame or ppp circuits
> separately connecting the terminal server network. You'd do the
> different path, different provider, etc. on these circuits.

Recently I've been doing this by tunneling over ADSL circuits from the
local telco.  At around $60 per month per location with static IP
addresses it's cheap.  Since the tunnels go between two ADSL lines,
they're limited to the circuits' 128 Kb/s upload speeds, but that's generally
OK for management traffic.

I've also been connecting bastion hosts to the DSL lines.  This way, all
that's required to get into the OOB network is Internet connectivity
through some other network, rather than having to hunt around for a POTS
phone line to plug a modem into in an emergency.

Obviously, if you are the local telco this isn't really out of band, but
works well for others who aren't sharing the local telco's infrastructure.

Is it as secure as having your own diverse-path management network of
private point to point circuits?  Probably not, but with sufficient
firewalling and encryption on the tunnels, it's good enough, and cheap
enough that it's possible to talk ISP owners into paying for it.

-Steve
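The whole thread turns on one property: management traffic must not ride the customer or public network, whether the OOB path is a private point-to-point circuit or an encrypted tunnel over a cheap ADSL line. The script below is an added example, not code from either poster, that audits that property on a router or bastion host from two things the box already knows: its routing table and its listening sockets. It assumes the OOB tunnel interface is `tun0` and the terminal-server / OOB address space is `10.250.0.0/16` (both assumptions, as are the constructed `ip route` and `ss -lnt` samples); any management prefix whose route leaves via another interface, or any management port bound on a non-OOB address, is reported.

```python
"""Audit that management prefixes are reached only over the out-of-band
tunnel interface and that management services do not listen on addresses
reachable from the public side.  Added example for this archive page, not
the posters' code; the inputs below are constructed to resemble the output
of `ip route show` and `ss -lnt` on a bastion host."""
import ipaddress

# Constructed sample of `ip route show` output (hypothetical host).
ROUTES = """\
default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
10.250.0.0/16 dev tun0 proto static
10.250.7.0/24 via 10.250.0.1 dev tun0
"""

# Constructed sample of `ss -lnt` output (hypothetical host).
LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    10.250.0.10:22     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
"""

OOB_IFACE = "tun0"                 # assumption: the encrypted tunnel over the ADSL line
MGMT_PREFIXES = ["10.250.0.0/16"]  # assumption: terminal-server / OOB address space
MGMT_PORTS = {22, 23}              # ssh and telnet are the management services of interest


def parse_routes(text):
    """Return (network, device) pairs from `ip route` style lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def longest_match(routes, addr):
    """Longest-prefix match: the device that would actually carry traffic to addr."""
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def audit_routes(routes, mgmt_prefixes, oob_iface):
    """Flag management prefixes (or more-specific routes inside them) that
    leave via a device other than the OOB tunnel, including the case where
    the prefix has no route at all and falls through to the default."""
    findings = []
    for p in mgmt_prefixes:
        mgmt = ipaddress.ip_network(p)
        for net, dev in routes:
            if net.version == mgmt.version and net.subnet_of(mgmt) and dev != oob_iface:
                findings.append(f"{net} routed via {dev}, not {oob_iface}")
        dev = longest_match(routes, mgmt.network_address + 1)
        if dev != oob_iface:
            findings.append(f"{mgmt} falls through to {dev}")
    return findings


def audit_listeners(text, mgmt_prefixes, mgmt_ports):
    """Flag management ports bound on a wildcard, public or otherwise
    non-OOB address; loopback and OOB-space bindings are acceptable."""
    nets = [ipaddress.ip_network(p) for p in mgmt_prefixes]
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        host, port = parts[3].rsplit(":", 1)
        if int(port) not in mgmt_ports:
            continue
        addr = ipaddress.ip_address(host.strip("[]"))
        if addr.is_loopback or any(addr in n for n in nets):
            continue
        findings.append(f"port {port} listens on {host} (reachable off the OOB network)")
    return findings


def run_audit(route_text=ROUTES, listener_text=LISTENERS):
    """Combine both checks; an empty list means the OOB separation holds."""
    return (audit_routes(parse_routes(route_text), MGMT_PREFIXES, OOB_IFACE)
            + audit_listeners(listener_text, MGMT_PREFIXES, MGMT_PORTS))


if __name__ == "__main__":
    for finding in run_audit() or ["OOB separation holds"]:
        print(finding)
```

On the constructed sample the routes are clean, but sshd bound on `0.0.0.0:22` is reported: that is exactly the "bastion reachable from the Internet" exposure the second poster leans on firewalling to cover, and binding the daemon only to the OOB address is the cheaper complement to the firewall rule. Run with real `ip route show` and `ss -lnt` output piped into `run_audit` from a cron job to catch a tunnel that has silently dropped and let management traffic fall back onto the public default route.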


