ip-precedence for management traffic

Nope, not joking. Quite serious about this.

Glad we agree about the residential customers. Perhaps that's the first place to start and could generate some interesting lessons.

Properly dual-homed customers are what I'd lump into the "clueful" category so they are not the ones I'm talking about. Just the basic customers who have no Earthly idea how all of this magic comes together, and who really don't care or have a need to know.

New applications, by the way, should not be a problem if they are allowed to adapt to a new networking model. Innovation flourishes when the status quo changes.

(I see that Chris Morrow just posted some supportive comments. Thanks Chris!)

I'm going to skip the "proxy" angle - already addressed by others -
and just think about actual OOB management for a second...

There's nothing that requires you to make management of most of these
services in-band, or in a manner that's accessible to the average user.
On the other hand, IP is a least-common denominator and there is no
guarantee that a protocol has been made easy to proxy.

I realize that the OP was talking about the "Internet management plane"
but the problem may be more general than that. There are all sorts of
devices that can be managed out of band but shouldn't be accessible to
end users.

As an example, I was disappointed to discover that HP's iLO2 lights out
management implementation is lacking in a variety of ways; for example,
it does not appear to be easy to put all your iLO2 devices behind a
web proxy (Squid, etc) on a private network. Having the ability to do
that, rather than setting up a VPN gateway, would be nice for allowing
strict access controls to the management of those devices. To heap on
some more unhappiness, HP apparently didn't actually try their own web
management interface with SSL; it's impossible to generate a proper cert
without mucking around with turning JavaScript on and off to defeat their
poorly-coded input sanity checking... sigh

But the point is, on one hand, we already have ways to separate the
management of networks from the in-band stuff, and at the same time, IP
is such an enabling thing, it's useful for management as well. It's
great to be able to use a browser to chat with devices, for example.

If we really envision separating management out, do we use the same
IP protocol for it, to be able to take advantage of existing tools and
technologies like SSL for encryption, etc?

If so, I'd note that we largely have the ability to separate management
into out-of-band networks today, and have had this for many years.

If not, I think the proposal's a non-starter, because then you're
talking about significant re-engineering of lots of things.

Getting back to the OP's message, I keep having these visions of the
castrated "Internet" access some hotels provide. You know the ones.
The ones where everything goes through a Web proxy and you're forced
to have IE6 as a browser. For some people, who just want to log on
to Yahoo or Hotmail or whatever to check their e-mail, that's fine.
However, some of us might want to be able to VNC somewhere, or do
VoIP, or run a VPN connection... these are all well-known Internet
capabilities, and yet some providers of so-called "Internet" access
at hotels haven't allowed for them.

Do we really want to spread that sort of model to the rest of the
Internet? All it really encourages is for more and more things to
be ported to HTTP, including, amusingly, management of devices...
at which point we have not really solved the problem but we have
succeeded at doing damage to the potential of the Internet.

... JG

I can remember at one time, some of the same players who argued against
IPv6 adoption because the long addresses would increase network overhead
were the same ones championing the insane firewalling that started the
"everything over HTTP" insanity. Guess which adds more bits to the total
packet? :slight_smile:

Joe wrote:

Getting back to the OP's message, I keep having these visions of the
castrated "Internet" access some hotels provide. You know the ones.
The ones where everything goes through a Web proxy and you're forced
to have IE6 as a browser. For some people, who just want to log on
to Yahoo or Hotmail or whatever to check their e-mail, that's fine.
However, some of us might want to be able to VNC somewhere, or do
VoIP, or run a VPN connection... these are all well-known Internet
capabilities, and yet some providers of so-called "Internet" access
at hotels haven't allowed for them.

Do we really want to spread that sort of model to the rest of the
Internet? All it really encourages is for more and more things to
be ported to HTTP, including, amusingly, management of devices...
at which point we have not really solved the problem but we have
succeeded at doing damage to the potential of the Internet.

Yes, taking away the mechanisms will result in a "castrated" Internet experience for the clueful ones which is why I don't think this can be a one-size-fits-all model like the hotels try to do. Imagine a residential ISP that offers castration at a lower price point than what is currently charged for monthly "raw" access. I think that many consumers would opt for that choice, while those who need access to everything would continue to pay the same rate. The price drop would be the incentive to get castrated, and what you give up would be access to things you likely don't use anyway. This castration process would be a big help to spam-blocking, evilware-blocking, ddos-blocking, etc. in addition to mitigating attacks against the mechanisms from hijacked residential computers.

Marc

The gene pool needed some chlorine anyhow, but this is a creative approach. :slight_smile:

But seriously - would this be significantly different than the model that
many ISPs already use, where "consumer" connections get port 25 blocked, no
servers allowed, etc, and "business grade" skip those restrictions? Or are
you saying that ISPs should go *further* in blocking stuff, and use the
resulting support savings to lower the consumer grade price point?

Only big stumbling block is what percent of customers will be willing to
skip file-sharing networks and online games that use oddball ports? Any
ideas there?

From: Sachs, Marcus Hans (Marc) [mailto:marcus.sachs@verizon.com]
Sent: Tuesday, December 29, 2009 11:43
To: Joe Greco
Cc: NANOG list
Subject: RE: ip-precedence for management traffic

Joe wrote:

>Getting back to the OP's message, I keep having these visions of the
>castrated "Internet" access some hotels provide. You know the ones.
>The ones where everything goes through a Web proxy and you're forced
>to have IE6 as a browser. For some people, who just want to log on
>to Yahoo or Hotmail or whatever to check their e-mail, that's fine.
>However, some of us might want to be able to VNC somewhere, or do
>VoIP, or run a VPN connection... these are all well-known Internet
>capabilities, and yet some providers of so-called "Internet" access
>at hotels haven't allowed for them.
>
>Do we really want to spread that sort of model to the rest of the
>Internet? All it really encourages is for more and more things to
>be ported to HTTP, including, amusingly, management of devices...
>at which point we have not really solved the problem but we have
>succeeded at doing damage to the potential of the Internet.

Yes, taking away the mechanisms will result in a "castrated" Internet
experience for the clueful ones which is why I don't think this can be a
one-size-fits-all model like the hotels try to do. Imagine a residential ISP
that offers castration at a lower price point than what is currently charged
for monthly "raw" access. I think that many consumers would opt for that
choice, while those who need access to everything would continue to pay the
same rate. The price drop would be the incentive to get castrated, and what
you give up would be access to things you likely don't use anyway. This
castration process would be a big help to spam-blocking, evilware-blocking,
ddos-blocking, etc. in addition to mitigating attacks against the mechanisms
from hijacked residential computers.

Marc

My $.02 or so - This "widespread castration" would force application
developers to jump through the same NAT-traversal hoops all over again,
adding more code-bloat / operational overhead and stifling innovation.
Naturally, once created, this lower-class of internet user would probably
become the "norm" and force a race to the bottom in terms of capabilities
and performance (or perhaps, another "arms race" between the proxy
implementations and the proxy avoidance implementations) ...
rinse-repeat-fail_to_learn, all over again.

/TJ
PS - could we choose a different term; "cut-rate castration" brings
unpleasant medical-accidents to mind ...

I think there are a few challenges here. What you are describing is a castrated/walled-garden internet. The technical nuances are lost on the average person. The same way that cybersecurity month, or others are lost on the average user. All they care about is the recent panic for the day.

I find it impossible to deal with some vendors that are stuck with their lock-in models. The way that the majority of $major_networks is managed is in a method that is not always congruent with their visions.

This is true from their ideas on how to manage devices (Hey, everyone sits at a corp controlled windows machine behind a firewall so you can keep the *exact* version of java installed, right?)

How does one reach the OOB network when you are not in the office? How do these "SCADA" for the "internet" networks get reached? Some people have implemented DSL or other vpn methods to reach their oob devices. Others use POTS. As others mentioned here the POTS over "NGN" (what marketing crap is that) may have fate sharing properties that are problematic. What if the vendor is horrible and you actually "need" console/video to run their win32 crapware to manage the devices? (Netgear comes to mind, can't upgrade my snmp capable switch at home without booting windoze so it can tftp).

The inband management is a direct result of needing a good method to tie the link failure directly into the control plane of the devices. Sure, we could do the DLCI/pvc/DS1 in parallel to each 10G/40G circuit installed, but is that cost-effective? Does it introduce more pain vs less? The average neteng clearly can't configure their devices correctly; while the additional complexity may provide some network benefits, it does not reduce the systemic risk created by nobody implementing BCPs like simple route filtering.

I've watched BCPs be diluted at various companies due to market pressures. $major_provider did not require me to register my routes, why should I have to do that in order to give you $X MRC for the next 12-24-36 months?

I was asked recently by someone that operates a small wireless ISP what the deal was with this "Internet2" thing and how was it supposed to interact, etc.. Honestly, I wish we could have a "better" network. One where we have mutually agreed "I will filter my customers if you do". I've not seen many people step-up to improve the systems. It's the same small set of people that are trying to make things better.

Apparently I forgot the <rant> tag, but really, if you have sane CoPP policies, you are mostly protected. If the vendor does not provide this capability, please STOP BUYING THEIR CRAP.

</rant>

- Jared

Valdis said:

The gene pool needed some chlorine anyhow, but this is a creative
approach. :slight_smile:

But seriously - would this be significantly different than the model that
many ISPs already use, where "consumer" connections get port 25 blocked, no
servers allowed, etc, and "business grade" skip those restrictions? Or are
you saying that ISPs should go *further* in blocking stuff, and use the
resulting support savings to lower the consumer grade price point?

Only big stumbling block is what percent of customers will be willing to
skip file-sharing networks and online games that use oddball ports? Any
ideas there?

Better than the typical "block outbound 25" filtering we do now. In
fact, in a perfect world ISPs would offer residential customers "reduced
experience" versions of castration that decrease the cost along with
decreasing what you have access to. At the bottom level it would be
essentially a thin client running a terminal service (or an emulated
thin client using a web browser) with all applications "in the cloud"
and nothing sitting on the home PC; mid-level would be web plus common
email clients and chat/IM; high level adds popular apps like Skype, P2P,
games, etc.

I think that a fairly large percentage of homes that only want access to
online content and email would be very happy with the bottom tiers.
Many would probably like the cloud approach where all of the crazy
updating, rebooting, etc. is taken out of the hands of the consumer.
WebTV, meet the 21st century.... :slight_smile:

Marc

The customers in the market for such a service would be least likely to
understand your explanation of the service.

Do you offer a new lower tier service, or rebrand your residential
service, and try to explain how you're taking away services they probably
don't need. It's been my experience that if you tell someone you're taking
away something, they tend to value it even if they don't know what it is.

As well they should. As well we all should.
None of us knows precisely what we're going to absolutely require, or merely want/prefer, tomorrow or the next day, much less a year or two from now. Unless, of course, we choose to optimize (constrain) functionality so tightly around what we want/need today that the prospect of getting anything different is effectively eliminated.

TV

None of us knows precisely what we're going to absolutely require, or
merely want/prefer, tomorrow or the next day, much less a year or two
from now. Unless, of course, we choose to optimize (constrain)
functionality so tightly around what we want/need today that the
prospect of getting anything different is effectively eliminated.

this is the telco solution to the nasty disruptive technologies spawned
by the internet

randy

I could be mistaken, but I think Tom's point was "we could give people
the ebony black bell phone, that'd really suck for us as a
business/community."

-chris

None of us knows precisely what we're going to absolutely require, or
merely want/prefer, tomorrow or the next day, much less a year or two
from now. Unless, of course, we choose to optimize (constrain)
functionality so tightly around what we want/need today that the
prospect of getting anything different is effectively eliminated.

this is the telco solution to the nasty disruptive technologies spawned
by the internet

I could be mistaken, but I think Tom's point was "we could give people
the ebony black bell phone, that'd really suck for us as a
business/community."

sorry, i should have been more clear that i was agreeing with tom.
replies might not be assumed to be in opposition.

randy

I got that :wink:

Chris is right, but so is Randy.
IMO if the net is ultimately diminished in this manner, either through commission or omission, eating anything other than our own dog food would be neither defensible, nor sustainable for long.

The rotary phone was great in its time, but that time has passed -- today there's lot more at stake than handset color.

TV

I've watched BCPs be diluted at various companies due to market pressures. $major_provider did not require me to register my routes, why should I have to do that in order to give you $X MRC for the next 12-24-36 months?

[...]

Honestly, I wish we could have a "better" network. One where we have mutually agreed "I will filter my customers if you do".

You can (should) still filter their prefixes - the customer gets added pain because changes have to be done by hand, through tickets, maybe as a billable incident. :slight_smile:

Andy

It surely is. Also, when was the last time you had a customer ring up and ask
for a product "like the Internet but with bits missing"? Nobody wants it, and
the evidence of this is that nobody asks for it, and further that nobody's
started an ISP that provides it, although people have been talking about it
for years.

The support for "the Internet but not quite" is usually from either:
1) Telcos who secretly wish the Internet would go away
2) Security/morals bureaucrats (who secretly wish it would go away)
3) Engineers noodling on the idea, who don't have a business model for it

Note that this list doesn't include "users" or "customers" or anyone willing
to offer "money" for it.

Also, I don't think it's at all clear that Internet-minus service would be
cheaper to provide. Basically, if you have an IP network you can provide all
the applications over it by default. Therefore, if you want to get rid of
some, you've got to make an effort, which implies cost. There is no such thing
as a Web DSL modem or a Web router.

In terms of traffic, as over 50% of the total is WWW these days, and a sizable
chunk of the rest is Web-video streaming, once you've chucked in the e-mail,
it's far from clear that you'd save significant amounts of bandwidth.
Obviously, if you were intending to offer proper Internet service as an extra-
cost option, you wouldn't have two lots of access lines, backhaul, transit -
you'd filter more ports for some subset of your addressing scheme, or put the
less-than-Internet customers on a different layer 2 vlan. So you'd still need
the extra bandwidth for the other customers.

Where is the saving? Fewer support calls due to...what exactly? Aren't the
biggest malware vectors now web-based drive-by download, SQL injection and the
like? Of course, there'll be a fair few wanting to know why Slingbox, Skype,
IM protocol of choice, work VPNs etc. don't work.

The exercise is pointless.

[snip]

Apparently I forgot the <rant> tag, but really, if you have sane
CoPP policies, you are mostly protected. If the vendor does not
provide this capability, please STOP BUYING THEIR CRAP.

Another fine example of broken fate-sharing when management plane
(executives with purse strings) is strictly segmented from control
plane (engineers and operators).