I think the CPE problems are looking up in a way - the problem has been that ADSL/VDSL are using firmware blobs and it's hard to have custom distributions on them with more attention towards security. Most of the modems just stick their own branding on top of what Broadcom give them, which is years old and includes things like a vulnerable dropbear ssh client. Fortunately this isn't usually exposed to the world. Dropbear is being maintained again, but it wasn't for many years.

I think the way forwards with UFB and other such connections is actually to get away from these shoddy firmwares and move to something more secure with automatic updates, and more attention to security. The main hindrance seems to be that modems don't have much flash memory on them yet, so people are using prebuilt images that can't autoupdate. But it is likely that will change in the near future, as even cheap cellphones have plentiful amounts of flash on them now.

The attitude towards security from these companies is obviously rather casual, but their hand has to be forced in a way if they're going to change. One attitude for these things is to just charge for bandwidth, which makes users care. Just like if you have a plumbing leak, it's up to you to try and get compensation for such, otherwise you're going to just be left with a huge bill.

Ben.

On Mon, Nov 03, 2014 at 10:26:58PM +1100, McDonald Richards wrote:
I'd like to think we all care about an open internet where anyone can connect with anyone, but the engineer in me says that there are some things we should do to ensure that it is not stupidly easy for a 3rd party to use anyone to harm someone else.

I agree. The days of the "any to any, open Internet" are slowly coming to an end. One small flaw in one mass produced and mass distributed piece of software (including software that runs on CPE) can easily snowball into hundreds of gigabits of traffic at the "core" of the Internet (I hate that term but I'm too tired to come up with anything else right now). Who would have thought you could weaponise a D-Link ;)

A lot of providers still fail to implement basic ingress packet filtering from users (BCP38). What hope is there if scope is expanded to limit or block NTP, DNS, SSDP, SNMP etc. as well? Maybe our beloved vendors of BNG and BRAS products should step up to the plate and give us the 'dummy' mode config for service providers that can be used for best practice secure subscriber templates? That'll take care of our high speed users and their compromised home networks.... What do we do about the networks that intentionally sell bandwidth for the purposes of launching high volume unfiltered DDOS attacks? :)

Here we all were thinking that IPv4 exhaustion would break the any-to-any connectivity!

Macca

On Mon, Nov 3, 2014 at 10:11 PM, Jamie Baddeley wrote:

Hey Barry,
Great conversation starter and some topics that have been on my mind lately.
Seems to me, after having done a quick scan of the market the other day, that ISPs have fallen away around being clear about the Acceptable Use Policies that they may have with customers. Traditionally (or at least when my head was buried all the time in operational matters), AUPs were built to deal with intentional abuse of the network, spam, conscious DDoS attacks, et cetera, et cetera. But as you point out, with very high speed plans available and customers being unintentional participants of abuse, the results can be quite cataclysmic and spectacuuulaaarr.
Our friend Roland Dobbins presented a really simple summary at AUSNOG recently on the state of play with fashionable DDoS attacks. At least half a dozen services available on 1G connected CPE - mostly reflector attacks. DNS, NTP, Chargen (woah, the 80's are calling), and some others too.
Seems to me we need to consider whether these services running on CPE are considered harmful in a gb connected age, and whether we make it clear that these services (i.e. an open DNS resolver on a gb connected customer site) are considered harmful by default unless the customer has explicitly asked for that to be available and is consciously aware of the risks. I think the challenges of operationally managing this are proportionally related to competition and the fluidity of the market. Customers churning and turning up with their own CPE. Sigh.
It's not until we've had the conversations with our customers and we get a sense of what is mutually acceptable that we take steps to explicitly deny this stuff. It is all about mitigating risk for the benefit of most, but the process by which we get that permission to do so is an important one.
I'd like to think we all care about an open internet where anyone can connect with anyone, but the engineer in me says that there are some things we should do to ensure that it is not stupidly easy for a 3rd party to use anyone to harm someone else.
Now I'm sure some of you will say, yeah, we do that. But as far as the public is concerned - are we making that clear enough? I think the wholesale players need to also think about steps to ensure that AUP (whatever that is) ripples downstream too.
cheers
jamie
On 3 November 2014 23:01, Barry Murphy wrote:

Hey guys,
I just wondered what people thought of the implications around 1gbps residential / business plans now becoming more and more common. I'm seeing requests from wholesalers and retail asking about this gigatown thing and how they can get a 1Gbps service, especially unlimited. While I know 1gbps is not too common yet, the 200mbps plan is becoming more and more common and it won't be long before there is pressure to do 1gbps.
I know the unlimited part is easy to justify to the client around 'international & domestic' transit pricing, but some ask why we can not do user to user or peering traffic at 1gbps.
I'm not sure if it's still true, but I recall from the Chorus documentation that you could LAG a maximum of 8x10g circuits in a handover region and that was the max, so theoretically 80gbps handover. For the sake of ease, and because 10Gbps holes are not cheap in high end routers like the ALU 7750 SR-7s which we run, we will consider the average provider has a single 10g or maybe 2 per region right now.
Say you had 10 or 20 users on the 1Gbps plan, or even 100-200 users on the 200mbps plan, and they had misconfigured routers (consider they could do 200mbps upload) opening them up to the likes of DNS amplifications etc. Now those users are maxing out the upload capacity of the handover, and you have no ability to QoS the malicious users as the QoS would need to come before hitting the handover, i.e. on the CPE. Suddenly everyone on the handover is impacted from a handful of users that wanted the faster speed just because it was available and affordable. The only way to stop the attack affecting everyone would be to isolate and disconnect the end users causing the damage, be it IPoE or PPPoE; if the user was on a direct /30 IP then things are even harder to manage.
The DNS amplifications that hurt Spark for a whole weekend, I can only assume, were caused by such a large amount of affected devices filling up the handovers and also because it was targeted at their DNS. Imagine an attack of that magnitude, 10s of thousands of end users on 200 or even 100mbps circuits filling up a 10gig or even, at this point, an 80gbps handover LAG.
When you talk about regional handovers up and down the country then the problem gets worse as you then obviously need to backhaul that capacity to Auckland before getting out to the internet, so this also has to be considered too.
Any thoughts on the matter?
Many thanks
Kind regards, Barry Murphy / Chief Operating Officer, Vibe Communications (Peering: AS45177) / http://www.vibecommunications.co.nz/
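Barry's scenario of a handful of reflecting subscribers saturating a handover, together with Macca's point about BCP38 ingress filtering, as an added example that is not part of the thread: given NetFlow-style outbound flow records for one sampling interval, the function below flags sessions emitting response traffic from the reflector ports Jamie lists (DNS, NTP, Chargen, plus SSDP and SNMP) above a per-service rate, and separately lists flows whose source address lies outside the session's assigned prefix. The session ids, prefixes, flow records and the 50 Mbps threshold are all constructed assumptions, not data from any network.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# UDP source ports of the reflector services the thread names (DNS, NTP,
# Chargen, SSDP, SNMP). Heavy traffic *leaving* a subscriber from these
# ports is response traffic: the CPE is answering someone else's reflected queries.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 19: "chargen", 1900: "ssdp", 161: "snmp"}

# Constructed subscriber table (hypothetical session ids -> assigned /30).
SUBSCRIBERS = {
    "sess-1": ip_network("203.0.113.0/30"),
    "sess-2": ip_network("203.0.113.4/30"),
    "sess-3": ip_network("203.0.113.8/30"),
}

# Constructed outbound flow records for one 60 s sampling interval:
# (session, src, sport, dst, dport, proto, bytes). Not real traffic.
FLOWS = [
    ("sess-1", "203.0.113.1", 53, "198.51.100.9", 41000, "udp", 2_400_000_000),
    ("sess-1", "203.0.113.1", 443, "198.51.100.20", 51000, "tcp", 50_000_000),
    ("sess-2", "203.0.113.5", 123, "198.51.100.9", 41000, "udp", 900_000_000),
    ("sess-2", "192.0.2.77", 19, "198.51.100.9", 41000, "udp", 120_000_000),
    ("sess-3", "203.0.113.9", 40000, "198.51.100.30", 53, "udp", 40_000),
]

def classify(flows, subscribers, interval_s=60, reflect_mbps=50.0):
    """Return (reflectors, spoofed).

    reflectors: {session: {service: Mbps}} for sessions whose outbound traffic
    sourced from a reflector port exceeds reflect_mbps over the interval.
    spoofed: (session, src) for flows whose source address lies outside the
    session's assigned prefix, i.e. what BCP38 ingress filtering would drop.
    """
    per_service = defaultdict(lambda: defaultdict(int))
    spoofed = []
    for sess, src, sport, dst, dport, proto, nbytes in flows:
        if ip_address(src) not in subscribers[sess]:
            spoofed.append((sess, src))
            continue
        if proto == "udp" and sport in REFLECTOR_PORTS:
            per_service[sess][REFLECTOR_PORTS[sport]] += nbytes
    reflectors = {}
    for sess, by_service in per_service.items():
        hot = {svc: b * 8 / interval_s / 1e6 for svc, b in by_service.items()
               if b * 8 / interval_s / 1e6 > reflect_mbps}
        if hot:
            reflectors[sess] = hot
    return reflectors, spoofed
```

With the constructed records, sess-1 is flagged for about 320 Mbps of DNS responses and sess-2 for about 120 Mbps of NTP responses, while sess-2's Chargen flow from an address outside its /30 is reported as spoofed rather than counted.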
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog