
Layer 2 access and Current Practices

In the Current Practices document, is it worth distinguishing between those providers that operate a L1/L2, especially Ethernet-over-XXX, customer access subsystem, as opposed to those that accept aggregates from separate broadband service providers? Should the document define a broadband aggregator as a type of provider? Consider this distinction with respect to:

2.4.4  Additional Considerations

   For layer 2 devices, MAC address filtering and authentication is not
   used.  This is due to the problems it can cause when troubleshooting
   networking issues.  Port security becomes unmanageable at a large
   scale where 1000s of switches are deployed.

In the case where the operator does support end user broadband connectivity, it is not arguable that certain forms of port security are unmanageable. At one time, when DSL and cable devices were installed by other than the customer, it was reasonable to let the customer ingress switch port learn the MAC address at installation, and filter on it. That is unrealistic with customer-installed direct computer connection, where the MAC address would change with any NIC replacement. It might be worth considering as a special case, where the CPE is provider controlled.

We do want to be clear about the scope of port security. Is the definition here strictly L2, or could it include a port-oriented 802.1x proxy to RADIUS?

   Rate limiting is used by some ISPs although other ISPs believe it is
   not really useful since attackers are not well behaved and it doesn't
   provide any operational benefit over the complexity.  Rate limiting
   can be improved by (need info)'

I'm not sure if this is the improvement you had in mind, Merike, but rate limiting at layer 2 will be much more important if the L2 connectivity includes end user, easily compromised hosts. L2 rate limiting within the provider infrastructure seems a much lower priority.

Even if the operator supports direct customer L2 connectivity at broadband rates, there is still a tradeoff between rate limiting at the port level and, assuming there is L2 aggregation before the ingress router, doing rate limiting at the access switch uplink.

Do the providers that rate limit do it on simple frame count, or do they have additional restrictions for multicasts and broadcasts?
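To make the two tradeoffs above concrete, here is an added simulation (not code from the Current Practices draft or from this message) of one customer access port: sticky MAC learning as in the provider-installed CPE case, and a per-port rate limit that counts unicast frames separately from broadcast/multicast (group) frames. Class names, the fixed-window counters and the sample frames are assumptions made for the example.

```python
from collections import defaultdict

def is_group_address(mac):
    # Broadcast and multicast both set the I/G bit (LSB of the first octet),
    # so one test covers the "additional restrictions" a provider might want.
    return int(mac.split(":")[0], 16) & 1 == 1

class AccessPort:
    """Ingress policy for one customer-facing switch port (hypothetical model)."""

    def __init__(self, sticky, limits):
        # sticky=True models the provider-installed CPE case: the first source
        # MAC seen is locked in and everything else is filtered.  sticky=False
        # models customer-installed NICs, where the MAC may change at any time.
        self.sticky = sticky
        self.locked_mac = None
        # Frames allowed per measurement interval, per traffic class.
        self.limits = limits
        self.counts = defaultdict(int)

    def new_interval(self):
        # Fixed-window counters reset each interval (simplification).
        self.counts.clear()

    def ingress(self, src, dst):
        if self.sticky:
            if self.locked_mac is None:
                self.locked_mac = src          # learn at "installation"
            elif src != self.locked_mac:
                return "drop:mac-violation"   # a replaced NIC would land here
        cls = "group" if is_group_address(dst) else "unicast"
        self.counts[cls] += 1
        if self.counts[cls] > self.limits[cls]:
            return "drop:rate-" + cls         # the broadcast/multicast budget is tighter
        return "forward"

def run(port, frames):
    """Apply the port policy to a list of (src, dst) pairs within one interval."""
    return [port.ingress(src, dst) for src, dst in frames]

if __name__ == "__main__":
    # Constructed sample traffic: three unicast frames, three broadcasts, then a
    # frame from a different source MAC (the NIC-replacement scenario).
    cpe, other, gw, bcast = "00:11:22:33:44:55", "00:11:22:33:44:66", "00:aa:bb:cc:dd:ee", "ff:ff:ff:ff:ff:ff"
    frames = [(cpe, gw)] * 3 + [(cpe, bcast)] * 3 + [(other, gw)]
    print(run(AccessPort(sticky=True, limits={"unicast": 5, "group": 2}), frames))
    print(run(AccessPort(sticky=False, limits={"unicast": 5, "group": 2}), frames))
```

With the same frames, the sticky port drops the third broadcast on rate and the foreign MAC on port security, while the non-sticky port forwards the foreign MAC and relies on the rate limit alone.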