Security control in DSL access network
christian at kuhtz.com
Tue Mar 28 02:20:38 UTC 2006
On Mar 27, 2006, at 7:35 PM, William Caban wrote:
> Christian Kuhtz wrote:
>> At the very least, you're making a big assumption here, and that
>> is that there are no EMS in charge of managing configurations and
>> no provisioning system to trigger and not triggering EMS
>> configuration management. In effect, service provisioning
>> doesn't exist in what you describe.
> Being able to provision over point-and-clicks does not get away
> with the rest of the configuration. I know you can do (depending
> on the EMS) certain types of security configurations. Personally,
> I haven't seen an EMS capable of doing a very good hardening of the
> configurations of DSLAMs and CMTS's.
In a carrier environment with flow through(!) provisioning, humans
generally don't touch EMS. They can't, you can't hire that many
monkeys and still be in business. Instead, a service provisioning
system (or OSS) gets all warm and friendly with the EMS on its
northbound interface. Sometimes, OSS skip the EMS altogether because
it sucks so bad and can't handle the volume. And it's only as smart
(or stupid) as the professional (or moron) who designed it. So, if
there's a flaw in provisioning, it can be traced back to a human.
And DSL is not provisioned by hand at scale, that's just an absurd
concept. That was only true for carriers when DSL was first
introduced almost a decade ago now.
>> Btw, if you don't mind, please point out to me a large scale
>> deployment that actually has 10's of thousands of live customers
>> on a single DSLAM or which DSLAM you propose this is even
>> physically possible, as well as anticipated engineered bit rates
>> for such a deployment.
> 1) Point out? I know but I can't. This is a public list and I would
> get fired if I discuss in public anything from a client with name.
> But believe me when I say _it does_ exist.
Carriers can do some pretty dumb things, but in my experience they
don't do what you describe.
> 2) Well, with an over subscription you can do it on the Juniper E
> Series (and I've seen it).
> It is on the technical docs of the ESeries but you can also see it
> in this URL: (http://www.thinkjuniper.net/isp/information.asp?
An E-Series is not a DSLAM, it's a BRAS. Totally different
function. A BRAS terminates subscriber sessions, a DSLAM terminates
xDSL lines. Some DSLAMs act as mini BRAS these days. But an
E-Series is not a DSLAM.
Is this where your confusion is? You really mean to be talking about
> 3) It is not a configuration I will ever recommend; but sometimes
> due to budget restrictions of what a provider set to spend for the
> servicing of a location, the provisioning division just "make it
> work" doing this.
Not in a carrier setting.