Re: SIP on FTTH systems

[Anders Löwinger <anders () abundo se>]

On 2014-02-06 15:08, Mark Tinka wrote:

> > You need a bunch of stuff, proxy ND, proxy DAD, DHCPv6 inspection....
>
> If you have a reasonably intelligent AN (like some of
> today's Active-E devices), you can create so-called split
> horizons on the same bridge domain (VLAN, really) where
> customers will only communicate via the upstream BNG at
> Layer 3.
>
> At Layer 2, even though they are all sitting on the same
> VLAN, there is no inter-communication between them.

Ok, then you have not understood the problem with IPv6 in shared VLANs. You 
need to allow some communication between the user ports on L2, to get the IPv6 
control procotol to work. You do this on IPv4 today, with proxy arp etc. Its 
much more complex in IPv6.

> I've also know Huawei OLT's support these split horizons too.

Many devices support what Cisco calls Private VLAN or MACFF as specificed in 
RFC4562. There are IPv4 only implementations today - but not all these 
protocols are standardized, and are not interoperable between vendors. I have 
still not heard of any vendor shipping the same functionality to share VLANs 
with IPv6, in a secure way.

> > Or do something bold, run L3 at the edge :)
>
> Cheap switches that have decent IP/MPLS support are mostly
> geared toward Metro-E deployments, i.e., business-grade
> services. So they are quite poor with regard to susbcriber
> management features and capabilities.

You need a basic L3 access switch, with some tweaks. I've been working at and 
designing such devices for seven years at my former employeer PacketFront 
Networks. Whole bunch of standard protocols. OSPF, PIM-SM, IGMPv2/v3 in the 
edge, and now with OSPFv3, PIM-SMv6 and MLD/MLDv2. DHCPv4/v6 is relayed to the 
correct service provider, unless its management traffic and should be handled 
by the network.

Very easy, very few security issues since no L2 is allowed between customers, 
no strange protocols (ARP inspection, proxy ARP, IP source guard, DHCP 
Snooping/option82 or their IPv6 counterparts).

Open-access is done on the L3 layer, no VLANs. There are free seating in the 
CPE so all equipment in the home can talk to each other. Important with todays 
DLNA/TV sets and mobile phones.

It is very scalable, since that is how Internet is built :)

Of course, it needs a proper management system, so we built one as well.

We also pushed Python into the access device, so DHCPv4/DHCPv6, radius, 802.1x 
functionality and how those are used can easily be adjusted in a script 
instead of trying to express programming in a CLI.

On top of that some simple templates describing the services. The radius 
server just returns the service name with needed parameters (bandwidth, 
priority etc) and the python script installs/removes instances of the service 
as needed.

I promise this access device has NO problems with spoofed packets, see the 
BCP38 discussion :)

So, it's a small BNG in the access device.

And no, it's not that expensive. We did look at sourcing a L2 switch from 
Taiwan, we could get the switch with L2 or L3 forwarding in a Broadcom switch 
ASIC, all the other features was equal. Cost difference was five dollars.

(PacketFronts access device uses a NPU, much more flexible)

Vendors charging both an arm and a leg for routers are doing that because they 
can, doing L3 is not more expensive than L2 with todays technology.

PacketFront has sold over 1 miljon ports, and the largest installation is 
>50000 ports, both in Sweden, Holland and Dubai. This can easily scale to 
much bigger networks.

The biggest issue with selling L3 to the edge is not technical or economical, 
its religious - people are just so used to build their networks in a specific 
way and they don't want to change....

/Anders