On Tue, Dec 29, 2009 at 10:08 AM, Steven Bellovin <smb@cs.columbia.edu> wrote:
On Dec 29, 2009, at 9:29 AM, Sachs, Marcus Hans (Marc) wrote:
Totally out of the box, but here goes: why don't we run the entire Internet management plane "out of band" so that customers have minimal ability to interact with routing updates, layer 3/4 protocols, DNS, etc.? I don't mean 100% exclusion for all customers, but for the average Joe-customer (residential, business, etc., not the researcher, network operator, or clueful content provider) do they really need to have full access to the Internet mechanisms (routing, naming, numbering, etc.)?
We already provide lots of proxy services for end users, so why not finish the job and move all of the management mechanisms out of plain sight?
I hope you're joking. If not, I have two questions: how can this be done, and what will the side-effects be?
Take BGP, for example. The average residential consumer doesn't need BGP, doesn't speak it, and has no real ability to interfere with it, so there's no problem. But a multihomed customer *must* speak it. Perhaps you could assert that their ISPs should announce it -- but why trust random ISPs? Is that ISP 12 hops away from you trustworthy, or a front for the Elbonian Business Network?
I was going to mute the thread, but.... So for just routing protocols (assume we've already turned off snmp/ssh/telnet/sftp/tftp/etc 'management traffic' to a device) for BGP one 'easy' solution is to have your router only listen on configured addresses, implement the existing bgp security features (GTSH, filtering, iACLs, etc). Arguably this is doable today, it's not 100% OOB, but you COULD model it a little more closely to the TDM world and steal some bw from each eBGP link for just eBGP (say a frame dlci with CAR, or perhaps a sonet/tdm channel, or an atm PVC with a CAR). Of course, we can't seem to do simple bgp filtering, so... For your IGP things get more 'complex', there is some faith that a link's behaviour and health is judged by what the IGP itself sees on the link. If you remove that link from the IGP's view how can the IGP accurately judge health and add/remove that link from it's database? There was some decent thought put into this proposal in ~2001/2002 ... a lot of the time (then) it was simpler to say: "Why not do something like SS7 for the internet?" (not the best analogy, and I'd rather not fixate on that particular thing anyway) -Chris
As for side-effects -- how can you proxy everything? Do you know every application your customers are running? Must someone who invents a new app first develop a proxy and persuade every ISP that it's safe, secure, high-enough performance, and worth their while to run? It's worth remembering that most of the innovative applications have come from folks whom no one had ever heard of.
--Steve Bellovin, http://www.cs.columbia.edu/~smb