[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Layer 2 access and Current Practices

To: gmj@pobox.com
Subject: Re: Layer 2 access and Current Practices
From: "Howard C. Berkowitz" <hcb@gettcomm.com>
Date: Thu, 3 Mar 2005 15:01:31 -0500
Cc: opsec@ops.ietf.org, George Jones <eludom@gmail.com>
In-reply-to: <c1468ac505030212302f1936ce@mail.gmail.com>
References: <20050216142906.54C653C03BD@berkshire.machshav.com> <42136137.903@aol.com> <a45c96fe9cc6383eec029adb8b2aadb9@mac.com> <421394A7.5000209@aol.com> <026223dbb1352dc99cd7fee1fd22f2e3@mac.com> <p06110434be398abd2a53@192.168.0.2> <c1468ac505030212302f1936ce@mail.gmail.com>

At 3:30 PM -0500 3/2/05, George Jones wrote:

The WG Charter says:

The working group will list capabilities appropriate for
devices use in:

* Internet Service Provider (ISP) Networks
* Enterprise Networks

The following areas are excluded from the charter at this time:

* Wireless devices
* Small-Office-Home-Office (SOHO) devices
* Security devices (firewalls, Intrusion Detection Systems,
Authentication Servers)
* Hosts

I think that means most of the broadband aggrigator and CPE questions below
are out of scope.

I certainly can see excluding SOHO, with all of its specialized problems. There is a remaining concern for large enterprises and hosting centers with gigabit Ethernet or POS/SONET/SDH acceess to their upstream IP providers. The huge bandwidth available to certain organization could make them, if compromised by miscreants, huge threats to SP network stability.

To protect the SP network from a compromised high-bandwidth site, security measures may be implemented in provider-operated equipment at the site, or, more likely, at the POP. As a rule of thumb, if a given site has bandwidth comparable to a midsize ISP, I believe it has to be given special consideration as a risk, and also a major revenue source to be protected.

I think the fact that port security is not used (per Merike's survey) in larger ISPs speaks to either A) it's difficulty to use or B) it's lack of preceieved benfit.


Agreed that we can drop port security.


I could be argued into paying more attention to it in the drafts
(well, those that I'm
involved in such as filtering) if it can be shown that A) it would be
used if made
more simple/effective B) operators can be shown to see a precieved benefit.

Since many large providers are exploring very-high-speed "Ethernet" access to firms in metropolitan areas, or large isolated sites, I believe that some consideration should be given.


Thanks,
---George Jones


On Wed, 16 Feb 2005 18:56:37 -0500, Howard C. Berkowitz
<hcb@gettcomm.com> wrote:

 In the Current Practices document, is it worth distinguishing between
 those providers that operate a L1/L2, especially Ethernet-over-XXX,
 customer access subsystem, as opposed to those that accept aggregates
 from separate broadband service providers?  Should the document
 define a broadband aggregator as a type of provider? Consider this
 distinction with respect to:

 2.4.4  Additional Considerations

     For layer 2 devices, MAC address filtering and authentication is not
     used.  This is due to the problems it can cause when troubleshooting
     networking issues.  Port security becomes unmanageable at a large
     scale where 1000s of switches are deployed.

 In the case where the operator does support end user broadband
 connectivity, it is not arguable that certain forms of port security
 are unmanageable. At one time, when DSL and cable devices were
 installed by other than the customer, it was reasonable to let the
 customer ingress switch port learn the MAC address at installation,
 and filter on it. That is unrealistic with customer-installed direct
 computer connection, where the MAC address would change with any NIC
 replacement. It might be worth considering as a special case, where
 the CPE is provider controlled.


 We do want to be clear about the scope of port security. Is the
 definition here strictly L2, or could it include a port-oriented
 802.1x proxy to RADIUS?

     Rate limiting is used by some ISPs although other ISPs believe it is
     not really useful since attackers are not well behaved and it doesn't
     provide any operational benefit over the complexity.  Rate limiting
     can be improved by (need info)'

 I'm not sure if this is the improvement you had in mind, Merike, but
 rate limiting at layer 2 will be much more important if the L2
 connectivity includes end user, easily compromised hosts.  L2 rate

> limiting within the provider infrastructure seems a much lower

 priority.

 Even if the operator supports direct customer L2 connectivity at
 broadband rates, there is still a tradeoff between rate limiting at
 the port level and, assuming there is L2 aggregation before the
 ingress router, doing rate limiting at the access switch uplink.

 Do the providers that rate limit do it on simple frame count, or do
 they have additional restrictions for multicasts and broadcasts?

Follow-Ups:
- Re: Layer 2 access and Current Practices
  - From: John Kristoff <jtk@northwestern.edu>
- Re: Layer 2 access and Current Practices
  - From: John Kristoff <jtk@northwestern.edu>

References:
- Re: TCP small fragments
  - From: "Steven M. Bellovin" <smb@cs.columbia.edu>
- Re: TCP small fragments
  - From: Greg Sayadian <gsayadian@aol.com>
- Re: TCP small fragments
  - From: pmrn <pmrn@mac.com>
- Re: TCP small fragments
  - From: Greg Sayadian <gsayadian@aol.com>
- Re: TCP small fragments
  - From: pmrn <pmrn@mac.com>
- Re: Layer 2 access and Current Practices
  - From: George Jones <eludom@gmail.com>

Prev by Date: Re: TCP small fragments
Next by Date: Re: Layer 2 access and Current Practices
Previous by thread: Re: Layer 2 access and Current Practices
Next by thread: Re: Layer 2 access and Current Practices
Index(es):
- Date
- Thread