That captures the key points. I'm not about restricting freedoms, just protecting from derp.

Macca

On Tue, Nov 4, 2014 at 12:16 PM, Dean Pemberton <nznog@deanpemberton.com> wrote:
Barry,�� have I summed up your points correctly below"

1)�� You can't do nothing because as access link speeds increase at a
greater rate than aggregation of core link speeds there is an
unacceptable risk that single digit numbers of users will cause
significant link saturation.
2)�� You can't filter at the edge because in most cases you don't own
the edge.�� You don't own the CPE in any meaningful way, nor do you own
the access network.�� By the time the traffic arrives at your handover
it's already causing you problems.
3)�� There needs to be some way to remotely disconnect customers at L2,
in the access network, who are causing issues.


Macca, your points are:

1)�� The environment is fundamentally different than it was in the
past.�� Single digit numbers of home users have not historically had
the ability to cause substantial issues in table resource, CPU and
memory across the access, aggregation and core networks.
2)�� The only way to mitigate this is to limit what the end users are
able to do from a service point of view�� "unfiltered and unfettered
provision of default residential services is coming to an end"


Have I missed anything?

On Tue, Nov 4, 2014 at 7:13 PM, Barry Murphy
<barry@vibecommunications.co.nz> wrote:
> I don��t believe this to be true, you can��t just police the users data at
> the access port, the data is already consuming the full capacity of the
> connection before you can police it, your policing will do nothing.
> You��d need chorus to do the policing before it reached you which is not
> likely as it��s a layer 2 service, so you��d have to police at the egress of
> each CPE, if you were in control of it.
>
> I understand (and we do it) that you can scan your own network, detect
> where open relays or open DNS servers are and firewall on your ingress
> from transit and peering upstreams to ensure the downstream clients aren��t
> the source of the attack, but it simply takes one nasty worm someone
> wasn��t expecting and you haven��t blocked and bam your 10gig is full, the
> only fix is to disconnect the affected users you cannot police them.
>
> While there is cheap tin these days such as mikrotiks, second hand ciscos
> or junipers etc for the small entrants of sub 500 users. To get scale you
> need big devices that can scale in size to support 100,000+ subscribers
> like what we use, Alcatel Lucent 7750. Your cost per 10G port is around
> $15k USD per port, this considering you��ve already spent around $100k on
> the chassis. While these prices may seem like nothing to the likes of
> Telecom or Vodafone, majority of those on the list that operate an ISP,
> adding an extra 10G handover for a UFB location at $10-15k plus backhaul
> is not really cheap I don��t believe, not when you��re competing with mass
> market products where people are price conscious. While we don��t compete
> for such services, some of our wholesalers do, at the end of the day we
> have to point out the quantity vs quality points for them to understand.
>
> The problem still lies, if you have a 10gig handover and you have 10
> infected downstream customers that have 1Gbps access circuits pumping out
> 1gbps of data, they can easily consume the size of the handover and affect
> everyone else on that handover until you disconnect their session. With
> the theoretical maximum capacity being 80Gbps per region (say telecom can
> have a maximum of 80Gbps to service the whole of auckland), it would only
> take 80 of their 100��s of thousands of customers to consume all their
> Auckland region UFB handover. With the amount of data Telecom would be
> passing through their routers consuming 80gbps of data, it would take some
> time for some one to pick those 80 infected customers our of 100,000
> customers and then disconnect each, all while the 100,000 other customers
> have packet loss and bad connectivity.
>
> I guess the fix is to have 100gbps handovers, but even then these would
> likely go into aggregation switches then back to the BNG/BRAS, you��d have
> to have multiple 100gbps handovers directly into your BNG/BRAS.
>
>
> Kind regards,
> Barry Murphy / Chief Operating Officer
>
>
> From:�� Kris Price <nznog@punk.co.nz>
> Date:�� Tuesday, 4 November 2014 5:17 pm
> Cc:�� nznog <nznog@list.waikato.ac.nz>
> Subject:�� Re: [nznog] UFB 1 gig plans for retail and impact they have
>
>
> There are networks out there that cope with these issues. Develop means to
> monitor and detect DDoS and police users in near real time at the access
> port. Think about what happens when someone tries to launch a DDoS from a
> cloud provider.
>
> The related aspect to this is we can, if we choose provide very high
> amounts of bandwidth with very low over sub ratios. Network equipment is
> now a commodity. Provided you have the fiber you can light vast amounts of
> bandwidth for surprisingly low cost,
>�� not just in the access but also the long haul.
>
> Sent from my mobile
>
> On Nov 3, 2014, at 6:23 PM, McDonald Richards
> <mcdonald.richards@gmail.com> wrote:
>
>
>
> Sure - we had the conversation then, when 1.5Mbit of saturation didn't
> also exhaust firewall state tables, CPU and memory resources of everything
> in the service path.
>
> What we do have now, that we didn't have then, are bot-nets for hire and
> parties who intentionally exploit, infect, test and document these hosts
> for hire as weapons while the end users in a lot of cases have no idea
> that it's happening outside of a slower
>�� Internet connection.
>
>
>
>
>
> On Mon, Nov 3, 2014 at 5:53 PM, Jeremy Visser
> <jeremy@visser.name> wrote:
>
> On 03/11/14 22:26, McDonald Richards wrote:
>> The days of the "any to any, open Internet" are slowly coming to an
>> end. One small flaw in one mass produced and mass distributed piece
>> of software (including software that runs on CPE) can easily snowball
>> into hundreds of gigabits of traffic at the "core" of the Internet (I
>> hate that term but I'm too tired to come up with anything else right
>> now).
>
> We had this same conversation when people started moving from dial-up to
> DSL.
>
> "OMG a single user on 1.5 Mbit/s can saturate our entire server farm
> bandwidth"
>
> The world didn't end.�� The same rules apply today that applied back then.
> _______________________________________________
> NZNOG mailing list
> NZNOG@list.waikato.ac.nz
> http://list.waikato.ac.nz/mailman/listinfo/nznog
>
>
>
>
>
>
>
>
>
> _______________________________________________
> NZNOG mailing list
> NZNOG@list.waikato.ac.nz
> http://list.waikato.ac.nz/mailman/listinfo/nznog
>
> _______________________________________________
> NZNOG mailing list
> NZNOG@list.waikato.ac.nz
> http://list.waikato.ac.nz/mailman/listinfo/nznog
_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog