SIP on FTTH systems
anders at abundo.se
Thu Feb 6 17:41:34 UTC 2014
On 2014-02-06 15:08, Mark Tinka wrote:
>> You need a bunch of stuff, proxy ND, proxy DAD, DHCPv6 inspection....
> If you have a reasonably intelligent AN (like some of
> today's Active-E devices), you can create so-called split
> horizons on the same bridge domain (VLAN, really) where
> customers will only communicate via the upstream BNG at
> Layer 3.
> At Layer 2, even though they are all sitting on the same
> VLAN, there is no inter-communication between them.
Ok, then you have not understood the problem with IPv6 in shared VLANs. You
need to allow some communication between the user ports on L2 to get the IPv6
control protocol to work. You do this on IPv4 today, with proxy ARP etc. It's
much more complex in IPv6.
> I also know Huawei OLTs support these split horizons too.
Many devices support what Cisco calls Private VLAN, or MACFF as specified in
RFC 4562. There are IPv4-only implementations today, but not all of these
protocols are standardized, and they are not interoperable between vendors. I
have still not heard of any vendor shipping the same functionality to share
VLANs with IPv6 in a secure way.
>> Or do something bold, run L3 at the edge :)
> Cheap switches that have decent IP/MPLS support are mostly
> geared toward Metro-E deployments, i.e., business-grade
> services. So they are quite poor with regard to subscriber
> management features and capabilities.
You need a basic L3 access switch, with some tweaks. I've been working at and
designing such devices for seven years at my former employer, PacketFront
Networks. A whole bunch of standard protocols: OSPF, PIM-SM, IGMPv2/v3 in the
edge, and now with OSPFv3, PIM-SMv6 and MLD/MLDv2. DHCPv4/v6 is relayed to the
correct service provider, unless it's management traffic and should be handled
by the network.
Very easy, and very few security issues since no L2 is allowed between
customers, and no strange protocols (ARP inspection, proxy ARP, IP source guard,
DHCP snooping/option 82 or their IPv6 counterparts).
Open access is done at L3, no VLANs. There is free seating in the CPE so all
equipment in the home can talk to each other. Important with today's DLNA/TV
sets and mobile phones.
It is very scalable, since that is how the Internet is built :)
Of course, it needs a proper management system, so we built one as well.
We also pushed Python into the access device, so DHCPv4/DHCPv6, RADIUS and
802.1X functionality, and how those are used, can easily be adjusted in a
script instead of trying to express programming in a CLI.
On top of that, some simple templates describing the services. The RADIUS
server just returns the service name with the needed parameters (bandwidth,
priority etc.) and the Python script installs/removes instances of the service.
I promise this access device has NO problems with spoofed packets, see the
BCP 38 discussion :)
So, it's a small BNG in the access device.
And no, it's not that expensive. We did look at sourcing an L2 switch from
Taiwan; we could get the switch with L2 or L3 forwarding in a Broadcom switch
ASIC, and all the other features were equal. The cost difference was five
dollars. (PacketFront's access device uses an NPU, which is much more flexible.)
Vendors charging both an arm and a leg for routers are doing that because they
can; doing L3 is not more expensive than L2 with today's technology.
PacketFront has sold over 1 million ports, and the largest installation is
>50,000 ports, in Sweden, Holland and Dubai. This can easily scale to much
bigger networks.
The biggest issue with selling L3 to the edge is not technical or economical,
it's religious: people are just so used to building their networks in a
specific way and they don't want to change....
More information about the NANOG
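The post's "NO problems with spoofed packets" claim rests on one property of the L3-at-the-edge design: each customer sits on its own routed port, the switch relays every DHCPv4/DHCPv6 exchange and therefore knows exactly which addresses (and, for IPv6 prefix delegation, which prefix) were handed out on which port, so a BCP 38 check per port needs no ARP inspection, IP source guard or option 82. The following Python model is an added example written for this page; it is not PacketFront's code or the script the post describes. The port names, the simplified DHCP message fields (`yiaddr`, `ia_na`, `ia_pd`), the addresses and the sample packets are all constructed for illustration.

```python
"""Per-port anti-spoofing on an L3 access switch: an added illustration.

Example code written for this page, not PacketFront's software.
Assumed (not stated in the post): one routed port per customer, named like
"ge1/7"; the switch records the leases it relays; a DHCPv6 delegated prefix
binds the whole prefix to the port. The message field names are a
simplification of the real DHCP option layouts.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample replies as the relay sees them on the way to the customer.
RELAYED_REPLIES = [
    {"port": "ge1/7", "proto": "dhcpv4", "yiaddr": "198.51.100.23"},
    {"port": "ge1/7", "proto": "dhcpv6", "ia_na": "2001:db8:a::23"},
    {"port": "ge1/7", "proto": "dhcpv6", "ia_pd": "2001:db8:a:7::/64"},
    {"port": "ge1/8", "proto": "dhcpv4", "yiaddr": "198.51.100.24"},
]


def _to_net(addr_or_prefix):
    """Single addresses become /32 or /128 networks so one check covers both."""
    return ipaddress.ip_network(addr_or_prefix, strict=False)


@dataclass
class SubscriberPort:
    """One routed customer port; only what the relay handed out here may source traffic."""
    name: str
    bindings: set = field(default_factory=set)


class AccessSwitch:
    def __init__(self):
        self.ports = {}

    def port(self, name):
        return self.ports.setdefault(name, SubscriberPort(name))

    def relay_reply(self, msg):
        """Learn a binding from a DHCPv4 ACK or DHCPv6 REPLY relayed to the port."""
        p = self.port(msg["port"])
        for key in ("yiaddr", "ia_na", "ia_pd"):
            if key in msg:
                p.bindings.add(_to_net(msg[key]))
        return p

    def release(self, port_name, addr_or_prefix):
        """Lease released or expired: the port loses the right to source from it."""
        self.port(port_name).bindings.discard(_to_net(addr_or_prefix))

    def ingress_permit(self, port_name, src):
        """BCP 38 at the subscriber port: the source must be bound to this port.

        Unspecified and link-local sources pass because DHCP, DAD and NDP
        towards the switch need them; with no L2 path between customer ports
        they cannot reach another customer anyway.
        """
        src_ip = ipaddress.ip_address(src)
        if src_ip.is_unspecified or src_ip.is_link_local:
            return True
        p = self.ports.get(port_name)
        if p is None:
            return False
        # Membership is per address family, so a v6 source never matches a v4 lease.
        return any(src_ip in net for net in p.bindings)


def build_demo():
    """Load the constructed leases into a fresh switch."""
    sw = AccessSwitch()
    for msg in RELAYED_REPLIES:
        sw.relay_reply(msg)
    return sw


def demo_verdicts(sw):
    """Constructed packets, one per case worth seeing; returns {(port, src): permit}."""
    packets = [
        ("ge1/7", "198.51.100.23"),     # own DHCPv4 lease
        ("ge1/7", "2001:db8:a:7::42"),  # inside the delegated prefix
        ("ge1/8", "198.51.100.23"),     # neighbour's lease spoofed from another port
        ("ge1/7", "203.0.113.9"),       # arbitrary spoofed source
        ("ge1/8", "0.0.0.0"),           # DHCPv4 DISCOVER bootstrap
        ("ge1/8", "fe80::1"),           # NDP/RS towards the switch
    ]
    return {pkt: sw.ingress_permit(*pkt) for pkt in packets}


if __name__ == "__main__":
    for (port, src), ok in demo_verdicts(build_demo()).items():
        print(f"{port:6} {src:20} {'permit' if ok else 'drop'}")
```

The check is the whole of the anti-spoofing story in this design: a neighbour's address is dropped on any port other than the one it was leased on, an address outside every binding is dropped, and the only exceptions are the unspecified and link-local sources that DHCP and IPv6 neighbour discovery need to bootstrap, which on a routed per-customer port can only ever reach the switch itself. A real implementation would also age bindings out with the lease lifetime; `release()` stands in for that here.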