Hey Barry,
Great conversation starter and some topics that have on my mind lately.
Seems to me after having done a quick scan of the market the other day that
ISP's have fallen away around being clear about the Acceptable Use Policies
that they may have with customers. Traditionally (or least when my head was
buried *all the time* in operational matters), AUP's were built to deal
with intentional abuse of the network, spam, conscious DDoS attacks ecetera
ecetera. But as you point out with very high speed plans available and
customers being unintentional participants of abuse, the results can be
quite cataclysmic and spectacuuulaaarr.
Our friend Roland Dobbins presented a really simple summary at AUSNOG
recently on the state of play with fashionable DDoS attacks. At least half
a dozen services available on 1G connected CPE - mostly reflector attacks.
DNS, NTP, Chargen (woah, the 80's are calling), and some others too.
Seems to me we need to consider whether these services running on CPE are
considered harmful in a gb connected age and whether we make it clear that
these services (i.e open DNS resolver on a gb connected customer site) is
considered harmful by default unless the customer has explicitly asked for
that to be available and is consciously aware of the risks. I think the
challenges of operationally managing this are proportionally related to
competition and the fluidity of the market. Customers churning and turning
up with their own CPE. Sigh.
It's not until we've had the conversations with our customers and we get
sense of what is mutually acceptable before we take steps to explicitly
deny this stuff. It is all about mitigating risk for the benefit of most
but the process by which we get that permission to do so is an important
one.
I'd like to think we all care about an open internet where any one can
connect with anyone, but the engineer in me says that there are some things
we should do to ensure that it is not stupidly easy for a 3rd party to use
anyone to harm someone else.
Now I'm sure some of you will say, yeah we do that. But as far as the
public is concerned - are we making that clear enough? I think the
wholesale players need to also think about steps to ensure that AUP (what
ever that is) ripples downstream too.
cheers
jamie
On 3 November 2014 23:01, Barry Murphy
Hey guys,
I just wondered what people thought of the implications around 1gbps residential / business plans now becoming more and more common. I¹m seeing requests from wholesalers and retail asking about this gigatown thing and how they can get a 1Gbps service, especially unlimited. While I know 1gbps is not too common yet, the 200mbps plan is becoming more and more common and it won¹t be long before there is pressure to do 1gbps
I know the unlimited part is easy to justify to the client around Œinternational & domestic¹ transit pricing, but some ask why can we not do user to user or peering traffic at 1gbps.
I¹m not sure if it¹s still true, but I recall from the Chorus documentation that you could LAG a maximum of 8x10g circuits in a handover region and that was the max, so theoretically 80gbps handover. For the sake of ease and because 10Gbps holes are not cheap in high end routers like ALU 7750 SR-7¹s which we run, we will consider the average provider has a single 10g or maybe 2 per region right now.
If you had say 10 or 20 users on the 1Gbps plan or even 100-200 users on the 200mbps plan and they had misconfigured routers (consider they could do 200mbps upload) opening them up to the likes of DNS amplifications etc. Now those users are maxing out the upload capacity of the handover, you have no ability to QoS the malicious users as the QoS would need to come before hitting the handover, I.e. On the CPE. Suddenly everyone on the handover is impacted from a handful of users that wanted the faster speed just because it was available and affordable. The only way to stop the attack affecting everyone would be to isolate and disconnect the end users causing the damage, be it IPOE or PPPoE, if the user was on a direct /30 IP then things are even harder to manage.
The DNS amplifications that hurt Spark for a whole weekend, I can only assume was caused by such a large amount of affected devices filling up the handovers and also because it was targeted at their DNS. Imagine an attack of that magnitude, 10s of thousands of end users on 200 or even 100mbps circuits filling up a 10gig or even at this point a 80gbps handover LAG.
When you talk about regional handovers up and down the country then the problem gets worse as you then obviously need to backhaul that capacity to Auckland before getting out to the internet, so this also has to be considered too.
Any thoughts on the matter.
Many thanks
Kind regards, Barry Murphy / Chief Operating Officer +64 27 490 9712 / barry(a)vibecommunications.co.nz http://www.vibecommunications.co.nz/ https://www.facebook.com/VibeCom https://twitter.com/vibecomnz https://www.linkedin.com/company/1941512 Office: +64 9 222 0000 / Fax: 0800 842 326 Unit A7, 1 Beresford Square, Auckland, New Zealand Web: www.vibecommunications.co.nz http://www.vibecommunications.co.nz/ / Peering: AS45177 http://www.peeringdb.com/view.php?asn=45177 This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog