Have to say that blocking inbound port 25 and 53 is highly recommended for all RSPs. Plus blocking outbound port 25 to only SMTP servers you run if you wanted a sense of whether customers are using their connections for mass spamming. With an opt-out of course.

My view is that with 1gb downstream and 200mb upstream plans, it’s the upstream that in some ways is more of a concern. If your customers get infected with malware and get used as a botnet, that can easily overwhelm your international capacity if you are a smaller player, which is much more of a concern in the UFB world.

The next worry is dimensioning of your customers and the required handover and connection upstream into your core and out to the interwebs. With a 10gb handover, you should probably also have at least a 10gb connection or bonded 10gb or 100gb into your core to off load to local transparent proxies (if you have them), local CDNs (if you have them) and peering, since you would typically run more than one LFC into the same BNG. And then the questions come up on how many subs you can / should realistically run on a single BNG. The days of 50k+ subs on a single BNG if they all have 1GB aren’t going to fly. So then you start needing more gear to support your customers. Then the whole conversation on whether unlimited plans are commercially viable and the future planning on expansion come into play. I know there is plenty of work going on in Spark around this, but the 1gb plan does change things a lot in that regard.

From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of McDonald Richards
Sent: Wednesday, 5 November 2014 10:50 a.m.
To: Dean Pemberton
Cc: nznog
Subject: Re: [nznog] UFB 1 gig plans for retail and impact they have
ISPs will be the same. Try and restrict people and you'll just end up playing whack-a-mole
I agree that trying to restrict creative people from having free access will result in whack-a-mole, but common sense is needed when considering the damage that can be done with basic reflection attacks.
Should you default block the default SNMP port to a residential user from the Internet? Can the CPE vendor be trusted to not leave a default "public" community with the Internet facing interface permitted? Can the user be trusted to secure their own network devices to prevent misuse?
Which of these things is the easiest to accomplish and provides no reduction in experience for 99.95% of "normal" residential Internet users? Which of them has the potential to melt down the Internet if a CPE vendor ships 500,000+ units of equipment and leaves a door open?
Macca
On Tue, Nov 4, 2014 at 1:40 PM, Dean Pemberton
Which is the last thing I think worth mentioning; that the internet will route around damage, whether we like it or not. We can filter things, we can try to block stuff, but unless you cut off the connectivity completely, devices and programs will still find ways to talk directly to each other.
Good point well made. It's something that IT departments are having to live with and ISPs will be no different. If you don't give employees the quality of email or file storage that they have come to expect, they'll just install gmail and install dropbox. And BYO-IT-Department is born.

ISPs will be the same. Try and restrict people and you'll just end up playing whack-a-mole.

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
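The first message in the thread describes a residential edge policy: drop inbound port 25 and 53 (and, per the later message, the default SNMP port) towards customer prefixes, only allow outbound port 25 to the SMTP relays the RSP runs, let customers opt out, and use the dropped outbound SMTP attempts as a signal that a connection is being used for mass spamming. The following Python model of that policy is an added example, not code from any poster or RSP; the customer pool, relay address, opted-out customer, port list and sample packets are all constructed values.

```python
"""Model of the residential edge filtering policy described in the thread.

Assumptions (constructed for this example, not any RSP's real configuration):
- CUSTOMER_POOL is the residential prefix behind the BNG.
- ISP_SMTP_RELAYS are the only destinations customers may reach on TCP/25.
- OPTED_OUT lists customers who asked for the filtering to be lifted.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from collections import Counter

CUSTOMER_POOL = ip_network("203.0.113.0/24")          # constructed
ISP_SMTP_RELAYS = {ip_address("198.51.100.25")}       # constructed
OPTED_OUT = {ip_address("203.0.113.77")}              # constructed opt-out

# Services the thread singles out: SMTP, DNS (TCP and UDP) and SNMP.
BLOCKED_INBOUND = {("tcp", 25), ("tcp", 53), ("udp", 53), ("udp", 161)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def classify(pkt: Packet) -> str:
    """Return 'allow' or 'drop:<reason>' for one packet crossing the edge."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    to_customer = dst in CUSTOMER_POOL
    from_customer = src in CUSTOMER_POOL
    key = (pkt.proto, pkt.dport)

    # Internet -> customer: drop the abuse-prone service ports unless the
    # customer has opted out of the filtering.
    if to_customer and not from_customer:
        if key in BLOCKED_INBOUND and dst not in OPTED_OUT:
            return f"drop:inbound-{pkt.proto}/{pkt.dport}"
        return "allow"

    # Customer -> Internet: direct-to-MX SMTP is only allowed via the
    # RSP's own relays; opted-out customers may send anywhere.
    if from_customer and not to_customer:
        if key == ("tcp", 25) and dst not in ISP_SMTP_RELAYS and src not in OPTED_OUT:
            return "drop:outbound-smtp-not-relay"
        return "allow"

    # Customer <-> customer or transit traffic is outside this policy.
    return "allow"


def smtp_offenders(packets, threshold: int) -> dict:
    """Customers whose dropped direct-to-MX SMTP attempts reach the threshold.

    This is the 'sense of whether customers are mass spamming' signal: a single
    blocked attempt is noise, a steady stream from one address is worth a look.
    """
    hits = Counter()
    for pkt in packets:
        if classify(pkt) == "drop:outbound-smtp-not-relay":
            hits[pkt.src] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


# Constructed sample traffic, not captured data.
SAMPLE = [
    Packet("192.0.2.10", "203.0.113.5", "udp", 161),    # SNMP probe from Internet
    Packet("192.0.2.10", "203.0.113.77", "udp", 161),   # same, to opted-out customer
    Packet("192.0.2.10", "203.0.113.5", "tcp", 443),    # ordinary inbound HTTPS
    Packet("203.0.113.5", "198.51.100.25", "tcp", 25),  # mail via the RSP relay
    Packet("203.0.113.5", "192.0.2.20", "tcp", 25),     # direct-to-MX attempt
    Packet("203.0.113.5", "192.0.2.21", "tcp", 25),
    Packet("203.0.113.5", "192.0.2.22", "tcp", 25),
    Packet("203.0.113.9", "192.0.2.20", "tcp", 25),     # one-off, below threshold
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src:>14} -> {p.dst:>14} {p.proto}/{p.dport:<4} {classify(p)}")
    print("smtp offenders:", smtp_offenders(SAMPLE, threshold=3))
```

Running the block prints the verdict for each sample packet and then flags 203.0.113.5 as the only customer with three or more blocked direct-to-MX attempts; the opted-out customer 203.0.113.77 receives the SNMP probe unfiltered, which is the trade-off the opt-out implies.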