nanog mailing list archives

Re: Customer-facing ACLs


From: Adrian Chadd <adrian () creative net au>
Date: Sat, 8 Mar 2008 12:26:40 +0900


On Fri, Mar 07, 2008, Justin Shore wrote:

> Scott Weeks wrote:
> > We need to take this off-line.  All long timers are groaning, rolling
> > their eyes and putting this in their kill file.
>
> Are the long-timers groaning and ignoring this thread?  I certainly hope
> not.  It's threads like these that need the benefit of their experience
> the most.  Perhaps the long-timers could recommend a better destination
> for queries like these because I have more questions I want to ask (my
> next being about walled gardens).  If they're tired of answering the
> same threads over and over again, then the query must be common enough
> to warrant a BCP or at the very least a couple documents in a
> knowledgebase somewhere.  Perhaps my Google-fu isn't what it used to be
> but I couldn't manage to find any relevant docs online; not even a NANOG
> presentation.

*waves* hai, I'm not an old-timer, but I'm still peripherally involved in this.

As another poster pointed out, the access-list (and shaping! heh) rules
available via RADIUS Vendor AV extensions are very, very useful.
The little ISP I poke from time to time makes extensive use of them.

The accounting software has some rudimentary profile support, so there's
various "types" of customers which get certain RADIUS attributes. This allows
for "smart", "home", "business", and "adrian" users. Each gets different
ACLs and shaping rules. There's a "walled garden" subnet for clients who
haven't paid their bills.

I haven't yet sat down and figured out how to drop users into a VRF based
on something in the RADIUS reply, as this'd make for some very useful
VPN and walled garden implementations, but it's certainly on my todo list.
Right after "figure out IPv6", which is next on my list.

Those running larger Cisco bbagg setups aren't rolling the old-school
RADIUS authentication; Cisco apparently have some "better" stuff available now.
I can't comment on its effectiveness for accounting/authorisation/filtering.

> > Try convincing your product managers to create a new product just to
> > appease 'sysadmin types'.
>
> We're not in the business of alienating any customers.  If we can create
> a bundle that meets a group of potential customers' needs we will.  It's
> just another paragraph on the sales literature that we give our CSRs and
> a little more work that I'll have to do in configuration.  I'm planning
> on rolling out SOHO and Gamer packages this year.  Adding a SysAdmin
> package wouldn't be much additional work.  I predict the adoption rate
> to be the highest with the Gamer package, followed by the SOHO package
> and finally the SysAdmin package.
>
> I hope this thread isn't destined for an untimely death.  I've received
> a number of off-list queries for summary information because those
> individuals are also interested in customer-facing ACLs.  The
> information I have to summarize at this point is brief and incomplete.
>
> I'll update the NANOG Wiki with whatever information pops up.

Amusingly, a newish WISP out here in Western Australia seems to have
not implemented this sort of stuff, and wireless clients on the same
node can see other local customers. I think their CPE device is a "bridge",
and this is about as dangerous as it sounds. It would be nice to have
a BCP or presentation covering the how's and why's for the newer entrants
into this market.

(Although that said, why would you help them? In business, you may just
want (some of) your competitors to fail. :)



Adrian

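An added illustration, not part of Adrian's message or the ISP he describes: a FreeRADIUS users-file fragment showing how the per-profile ACLs and the walled garden discussed above can be pushed as RADIUS reply attributes to a Cisco IOS BRAS. The user names, pool names, address ranges and portal/resolver addresses are assumed placeholders.

```conf
# Constructed example (not from the thread): FreeRADIUS "users" file entries
# handing per-profile filters to a Cisco IOS BRAS via vendor-specific attributes.
# "ip:inacl#N=<ACE>" builds an inbound ACL on the subscriber's virtual-access
# interface; N fixes the ACE order. "+=" appends each AV pair; with "=" only the
# first Cisco-AVPair would be kept and the rest of the ACL silently dropped.
# Assumed ranges: 192.0.2.0/24 = infrastructure/management, 198.51.100.0/24 =
# the "home-pool" customer range, 203.0.113.53 = resolver, 203.0.113.80 = portal.

# "home" profile: ordinary subscriber. Blocked from infrastructure and from the
# other home customers (the isolation the bridged WISP in the thread lacks),
# no direct outbound SMTP, everything else permitted.
home-user   Cleartext-Password := "placeholder-home"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-Pool = "home-pool",
            Cisco-AVPair += "ip:inacl#10=deny ip any 192.0.2.0 0.0.0.255",
            Cisco-AVPair += "ip:inacl#20=deny ip any 198.51.100.0 0.0.0.255",
            Cisco-AVPair += "ip:inacl#30=deny tcp any any eq 25",
            Cisco-AVPair += "ip:inacl#40=permit ip any any"

# "business"/"sysadmin" profile: same infrastructure protection, no port filters.
biz-user    Cleartext-Password := "placeholder-biz"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-Pool = "business-pool",
            Cisco-AVPair += "ip:inacl#10=deny ip any 192.0.2.0 0.0.0.255",
            Cisco-AVPair += "ip:inacl#20=permit ip any any"

# Walled garden: account in arrears. Address from a dedicated pool; only the
# resolver and the payment portal are reachable, so the session stays up but
# goes nowhere else until the bill is paid.
unpaid-user Cleartext-Password := "placeholder-unpaid"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-Pool = "walled-garden-pool",
            Cisco-AVPair += "ip:inacl#10=permit udp any host 203.0.113.53 eq 53",
            Cisco-AVPair += "ip:inacl#20=permit tcp any host 203.0.113.80 eq 80",
            Cisco-AVPair += "ip:inacl#30=permit tcp any host 203.0.113.80 eq 443",
            Cisco-AVPair += "ip:inacl#40=deny ip any any"
```

Moving a customer between profiles is then an accounting-system change to the RADIUS data, not a router reconfiguration, which is what makes the walled garden cheap to operate.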
