ip-precedence for management traffic
jared at puck.nether.net
Tue Dec 29 11:19:32 CST 2009
On Dec 29, 2009, at 11:43 AM, Sachs, Marcus Hans (Marc) wrote:
> Yes, taking away the mechanisms will result in a "castrated" Internet experience for the clueful ones which is why I don't think this can be a one-size-fits-all model like the hotels try to do. Imagine a residential ISP that offers castration at a lower price point than what is currently charged for monthly "raw" access. I think that many consumers would opt for that choice, while those who need access to everything would continue to pay the same rate. The price drop would be the incentive to get castrated, and what you give up would be access to things you likely don't use anyway. This castration process would be a big help to spam-blocking, evilware-blocking, ddos-blocking, etc. in addition to mitigating attacks against the mechanisms from hijacked residential computers.
I think there are a few challenges here. What you are describing is a castrated/walled-garden internet. The technical nuances are lost on the average person, the same way that cybersecurity month, or others, are lost on the average user. All they care about is the recent panic for the day.
I find it impossible to deal with some vendors that are stuck with their lock-in models. The way that the majority of $major_networks is managed is in a method that is not always congruent with their visions.
This is true from their ideas on how to manage devices (Hey, everyone sits at a corp controlled windows machine behind a firewall so you can keep the *exact* version of java installed, right?)
How does one reach the OOB network when you are not in the office? How do these "SCADA" for the "internet" networks get reached? Some people have implemented DSL or other vpn methods to reach their oob devices. Others use POTS. As others mentioned here the POTS over "NGN" (what marketing crap is that) may have fate sharing properties that are problematic. What if the vendor is horrible and you actually "need" console/video to run their win32 crapware to manage the devices? (Netgear comes to mind, can't upgrade my snmp capable switch at home without booting windoze so it can tftp).
The inband management is a direct result of needing a good method to tie the link failure directly into the control plane of the devices. Sure, we could do the DLCI/pvc/DS1 in parallel to each 10G/40G circuit installed, but is that cost-effective? Does it introduce more pain vs less? The average neteng clearly can't configure their devices correctly; while the additional complexity may provide some networks benefits, this does not reduce the systemic risk created by nobody implementing BCPs like simple route filtering.
I've watched BCPs be diluted at various companies due to market pressures. $major_provider did not require me to register my routes, why should I have to do that in order to give you $X MRC for the next 12-24-36 months?
I was asked recently by someone that operates a small wireless ISP what the deal was with this "Internet2" thing and how it was supposed to interact, etc. Honestly, I wish we could have a "better" network. One where we have mutually agreed "I will filter my customers if you do". I've not seen many people step up to improve the systems. It's the same small set of people that are trying to make things better.
Apparently I forgot the <rant> tag, but really, if you have sane CoPP policies, you are mostly protected. If the vendor does not provide this capability, please STOP BUYING THEIR CRAP.
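To make the "sane CoPP policies" point concrete, here is an added illustration that is not part of Jared's message or the NANOG thread: a small Python model of control-plane policing keyed on IP precedence and a management ACL. Packets destined to the router itself are sorted into classes (routing protocols marked precedence 6/7, management from trusted sources, everything else) and each class gets its own token bucket, so a flood in the default class cannot starve BGP keepalives. The class names, rates, bursts, the trusted-source flag and the sample traffic are all constructed for the example; on a real router the same idea is expressed in the vendor's QoS/ACL configuration, not in Python.

```python
"""Toy control-plane policer (CoPP) keyed on IP precedence.

Added example, not code from the NANOG thread.  Everything here
(class names, rates, the "trusted source" ACL flag, sample traffic)
is constructed to illustrate why per-class policing protects the
control plane: a flood in one class exhausts only that class's bucket.
"""
from collections import Counter
from dataclasses import dataclass

# IP precedence values that routing protocols conventionally carry.
PREC_INTERNETWORK_CONTROL = 6
PREC_NETWORK_CONTROL = 7


@dataclass
class Packet:
    t: float            # arrival time in seconds
    src: str
    proto: str          # "bgp", "ospf", "ssh", "snmp", "icmp", ...
    precedence: int     # IP precedence bits (0-7)
    trusted_src: bool   # constructed stand-in for "matches the mgmt ACL"


class TokenBucket:
    """Classic token bucket: `rate` tokens/sec refill, `burst` max."""

    def __init__(self, rate_pps: float, burst: int):
        self.rate = rate_pps
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


# Per-class policer settings (constructed values, not vendor defaults).
POLICY = {
    "routing":    (1000.0, 200),   # BGP/OSPF at precedence 6/7
    "management": (100.0, 50),     # SSH/SNMP from the management ACL
    "default":    (50.0, 20),      # anything else punted to the CPU
}


def classify(pkt: Packet) -> str:
    """Map a packet bound for the router's CPU to a CoPP class.

    Management protocols from sources outside the ACL get a class of
    their own so they can be dropped outright rather than policed.
    """
    if pkt.proto in ("bgp", "ospf") and pkt.precedence >= PREC_INTERNETWORK_CONTROL:
        return "routing"
    if pkt.proto in ("ssh", "snmp"):
        return "management" if pkt.trusted_src else "management-untrusted"
    return "default"


class CoPP:
    def __init__(self, policy=POLICY):
        self.buckets = {name: TokenBucket(r, b) for name, (r, b) in policy.items()}

    def process(self, pkt: Packet) -> tuple[str, str]:
        """Return (class, action) for one packet; action is permit/drop."""
        cls = classify(pkt)
        if cls not in self.buckets:          # no bucket -> always dropped
            return cls, "drop"
        action = "permit" if self.buckets[cls].allow(pkt.t) else "drop"
        return cls, action


def simulate(packets) -> Counter:
    """Run a packet list through a fresh policer; count (class, action)."""
    copp = CoPP()
    tally = Counter()
    for pkt in sorted(packets, key=lambda p: p.t):
        tally[copp.process(pkt)] += 1
    return tally


def sample_traffic():
    """Constructed mix: legit BGP, legit and rogue SSH, an ICMP flood."""
    pkts = [Packet(0.1 * i, "192.0.2.1", "bgp", 6, True) for i in range(10)]
    pkts += [Packet(0.0, "198.51.100.5", "ssh", 0, True) for _ in range(5)]
    pkts += [Packet(0.0, "203.0.113.9", "ssh", 0, False) for _ in range(5)]
    # 500 ICMP packets arriving at once from assorted sources, precedence 0
    pkts += [Packet(0.0, f"203.0.113.{i % 250}", "icmp", 0, False) for i in range(500)]
    return pkts


if __name__ == "__main__":
    for (cls, action), n in sorted(simulate(sample_traffic()).items()):
        print(f"{cls:22s} {action:6s} {n}")
```

The thing to look at in the output is that all ten BGP keepalives are permitted even though the default class has dropped 480 of the 500 ICMP packets that arrived in the same instant: a shared CPU queue would have let the flood crowd out the routing session, which is exactly the failure mode per-class policing removes.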