Security control in DSL access network

Christian Kuhtz christian at kuhtz.com
Tue Mar 28 02:20:38 UTC 2006


On Mar 27, 2006, at 7:35 PM, William Caban wrote:

>
> Christian Kuhtz wrote:
>> At the very least, you're making a big assumption here, and that  
>> is that there are no EMS in charge of managing configurations and  
>> no provisioning system to trigger and not triggering EMS  
>> configuration management.   In effect, service provisioning  
>> doesn't exist in what you describe.
> Being able to provision over point-and-clicks does not get away  
> with the rest of the configuration. I know you can do  (depending  
> on the EMS) a certain types of security configurations. Personally,  
> I haven't seen an EMS capable of do a very good hardening of the  
> configurations of DSLAMs and CMTS's.

In a carrier environment with flow through(!) provisioning, humans  
generally don't touch EMS.  They can't, you can't hire that many  
monkeys and still be in business.  Instead, a service provisioning  
system (or OSS) gets all warm and friendly with the EMS on its  
northbound interface.  Sometimes, OSS skip the EMS altogether because  
it sucks so bad and can't handle the volume.  And it's only as smart  
(or stupid) as the professional (or moron) who designed it.  So, if  
there's a flaw in provisioning, it can be traced back to a human.

And DSL is not provisioned by hand at scale, that's just an absurd  
concept.  That was only true for carriers when DSL was first  
introduced almost a decade ago now.

>> Btw, if you don't mind, please point out to me a large scale  
>> deployment that actually has 10's of thousands of live customers  
>> on a single DSLAM or which DSLAM you propose this is even  
>> physically possible, as well as anticipated engineered bit rates  
>> for such a deployment.
> 1) Point out? I know but I can't. This is a public list and I would  
> get fired if I discuss in public anything from a client with name.  
> But believe me when I say _it does_ exist.

Carriers can do some pretty dumb things, but in my experience they  
don't do what you describe.

> 2) Well with a over subscription you can do it on the Junipers E  
> Series (and I've seen it).
> It is on the technical docs of the ESeries but you can also see it  
> in this URL: (http://www.thinkjuniper.net/isp/information.asp? 
> page=239)

An E-Series is not a DSLAM, it's a BRAS.  Totally different  
function.  A BRAS terminates subscriber sessions, a DSLAM terminates  
xDSL lines.  Some DSLAMs act as mini BRAS these days.  But an E- 
Series is not a DSLAM.

Is this where your confusion is?  You really mean to be talking about  
BRAS?

> 3) It is not a configuration I will ever recommend; but sometimes  
> due to budget restrictions of what a provider set to spend for the  
> servicing of a location, the provisioning division just "make it  
> work" doing this.

Not in a carrier setting.

Thanks,
Christian




More information about the NANOG mailing list