nanog mailing list archives

Re: ip-precedence for management traffic


From: Jared Mauch <jared () puck nether net>
Date: Tue, 29 Dec 2009 12:19:32 -0500


On Dec 29, 2009, at 11:43 AM, Sachs, Marcus Hans (Marc) wrote:

> Yes, taking away the mechanisms will result in a "castrated" Internet experience for the clueful ones which is why I
> don't think this can be a one-size-fits-all model like the hotels try to do.  Imagine a residential ISP that offers
> castration at a lower price point than what is currently charged for monthly "raw" access.  I think that many
> consumers would opt for that choice, while those who need access to everything would continue to pay the same rate.
> The price drop would be the incentive to get castrated, and what you give up would be access to things you likely
> don't use anyway.  This castration process would be a big help to spam-blocking, evilware-blocking, ddos-blocking,
> etc. in addition to mitigating attacks against the mechanisms from hijacked residential computers.

I think there are a few challenges here.  What you are describing is a castrated/walled-garden internet.  The technical
nuances are lost on the average person, the same way that cybersecurity month or the like is lost on the average user.
All they care about is the recent panic for the day.

I find it impossible to deal with some vendors that are stuck with their lock-in models.  The way that the majority of
$major_networks are managed is not always congruent with their visions.

This is true from their ideas on how to manage devices (Hey, everyone sits at a corp controlled windows machine behind 
a firewall so you can keep the *exact* version of java installed, right?)

How does one reach the OOB network when you are not in the office?  How do these "SCADA" for the "internet" networks 
get reached?  Some people have implemented DSL or other vpn methods to reach their oob devices.  Others use POTS.  As 
others mentioned here the POTS over "NGN" (what marketing crap is that) may have fate sharing properties that are 
problematic.  What if the vendor is horrible and you actually "need" console/video to run their win32 crapware to 
manage the devices? (Netgear comes to mind, can't upgrade my snmp capable switch at home without booting windoze so it 
can tftp).

The inband management is a direct result of needing a good method to tie the link failure directly into the control
plane of the devices.  Sure, we could do the DLCI/pvc/DS1 in parallel to each 10G/40G circuit installed, but is that
cost-effective?  Does it introduce more pain vs less?  The average neteng clearly can't configure their devices
correctly; while the additional complexity may provide some networks benefits, it does not reduce the systemic risk
created by nobody implementing BCPs like simple route filtering.

I've watched BCPs be diluted at various companies due to market pressures.  $major_provider did not require me to 
register my routes, why should I have to do that in order to give you $X MRC for the next 12-24-36 months?

I was asked recently by someone that operates a small wireless ISP what the deal was with this "Internet2" thing and
how it was supposed to interact, etc.  Honestly, I wish we could have a "better" network.  One where we have mutually
agreed "I will filter my customers if you do".  I've not seen many people step up to improve the systems.  It's the
same small set of people that are trying to make things better.

Apparently I forgot the <rant> tag, but really, if you have sane CoPP policies, you are mostly protected.  If the 
vendor does not provide this capability, please STOP BUYING THEIR CRAP.

</rant>

- Jared
