customers and web servers and level one naps
What are the positions of Ameritech, Sprint, Pac Bell and MFS on two issues? First, having someone at a NAP who is there as a customer of one of the National service providers... and who may or may not engage in cost-free peering with any of the other NSPs or even with other ISPs? Second, allowing such a customer, or an NSP, to attach web services directly to the FDDI ring at the NAP. PAIX is doing this. As far as I know the other major interchange providers are not. I am wondering why.

The COOK Report on Internet, 431 Greenway Ave, Ewing, NJ 08618 USA, (609) 882-2572 (phone & fax), Internet: cook@cookreport.com. For subscription pricing and more than ten megabytes of free material visit http://pobox.com/cook/. For a case study of MercerNet & TIIAP-induced harm to a local community: http://pobox.com/cook/mercernet.html
What are the positions of Ameritech, Sprint, Pac Bell and MFS on two issues?
First, having someone at a NAP who is there as a customer of one of the National service providers... and who may or may not engage in cost-free peering with any of the other NSPs or even with other ISPs?
Second, allowing such a customer, or an NSP, to attach web services directly to the FDDI ring at the NAP.
PAIX is doing this. As far as I know the other major interchange providers are not. I am wondering why.
Is PAIX a "major" exchange Gordon? -- --bill
Second: allowing such a customer, or an NSP, to attach web services directly to the FDDI ring at the NAP.
PAIX is doing this. As far as I know the other major interchange providers are not. I am wondering why.
No, Gordon, PAIX IS NOT DOING THIS. I told you quite explicitly that the only hosts connected to the PAIX layer 2 network (GIGAswitch/FDDI, not FDDI ring) are ISP routers, just like all the other IX networks. NO WEB SERVERS ARE CONNECTED TO THE PAIX GIGASWITCH. PERIOD. Review your tape of our conversation if this remains unclear; I said that PAIX provides co-location space in order to encourage ISPs to place web servers ON THEIR OWN NETWORKS, BEHIND THEIR ROUTERS.

Stephen
-----
Stephen Stuart, stuart@pa.dec.com, Network Systems Laboratory, Digital Equipment Corporation
Easy does it Stephen..... sorry I misunderstood you. I have not yet begun to work on the tape. So let me reorient my question. You encourage ISPs to place web servers ON THEIR OWN NETWORKS, BEHIND THEIR ROUTERS. I see now the point you are making and it is a critical one, but please have mercy when I make a mistake.

Having said this, the web servers are still sited within PAIX and topologically a lot closer to the exchange switching fabric than they have been before. This presumably offers some advantages for the performance of those machines. The only thing I am trying to ascertain is whether this has been tried at other exchanges or not and why. As far as I am aware it has not.

Bill Manning asked whether PAIX was a major exchange. No of course it is not. But Bill, is your response meant to imply that at a major exchange there is simply going to be too much traffic to add the web stuff? Since the server is BEHIND the customer router the web traffic would hit the switch as part of the application layer traffic brought there by the customer. Therefore should it really make any difference to have the web traffic avoid the extra hops of traversing the local loop? What am I missing?

On Thu, 5 Sep 1996, Stephen Stuart wrote:
Second: allowing such a customer, or an NSP, to attach web services directly to the FDDI ring at the NAP.
PAIX is doing this. As far as I know the other major interchange providers are not. I am wondering why.
No, Gordon, PAIX IS NOT DOING THIS. I told you quite explicitly that the only hosts connected to the PAIX layer 2 network (GIGAswitch/FDDI, not FDDI ring) are ISP routers, just like all the other IX networks.
NO WEB SERVERS ARE CONNECTED TO THE PAIX GIGASWITCH. PERIOD. Review your tape of our conversation if this remains unclear; I said that PAIX provides co-location space in order to encourage ISPs to place web servers ON THEIR OWN NETWORKS, BEHIND THEIR ROUTERS.
Easy does it Stephen..... sorry I misunderstood you. I have not yet begun to work on the tape. So let me reorient my question.
You encourage ISPs to place web servers ON THEIR OWN NETWORKS, BEHIND THEIR ROUTERS.
I see now the point you are making and it is a critical one, but please have mercy when I make a mistake.
Sorry. I've had to defend that point a lot over the past year, and I guess I come out of the blocks pretty fast when I see it nowadays.
Having said this, the web servers are still sited within PAIX and topologically a lot closer to the exchange switching fabric than they have been before. This presumably offers some advantages for the performance of those machines. The only thing I am trying to ascertain is whether this has been tried at other exchanges or not and why. As far as I am aware it has not.
Yes, servers sited at PAIX are topologically much closer to the exchange switching fabric than before. There are two advantages to this:

1. Fewer server responses backhauled over internal infrastructure. Of course, there may be more requests backhauled through internal infrastructure as a result. Grossly characterized, web servers tend to be of the small-request/large-response category, so the net result may be less load on internal infrastructure. Lots of factors come into play, though: who else is peering at the exchange where your server is located, peering policies at all the exchanges where you are present, etc.

2. If, in fact, the server responses wind up having shorter paths to their destinations, with less latency, the time during which server resources are consumed to service a single request goes down. Presumably, throughput goes up.
Bill Manning asked whether PAIX was a major exchange.
No of course it is not.
Although I'd certainly like to think it's going to be. :-)
But Bill, is your response meant to imply that at a major exchange there is simply going to be too much traffic to add the web stuff? Since the server is BEHIND the customer router the web traffic would hit the switch as part of the application layer traffic brought there by the customer. Therefore should it really make any difference to have the web traffic avoid the extra hops of traversing the local loop?
The server is behind the ISP router. Depending on the topology that is chosen by the ISP, the server could be one hop away from the IX switch, rather than two or three with the latency of a wide-area circuit thrown in. Even if the hop count goes up to two or three, if it's all in the same building, these hops could all be some flavor of FDDI, rather than having DS3 circuits to get out of the building.

Stephen
Easy does it Stephen..... sorry I misunderstood you. I have not yet begun to work on the tape. So let me reorient my question.
You encourage ISPs to place web servers ON THEIR OWN NETWORKS, BEHIND THEIR ROUTERS.
Which is what everyone encourages people to do.
I see now the point you are making and it is a critical one, but please have mercy when I make a mistake.
Having said this, the web servers are still sited within PAIX and topologically a lot closer to the exchange switching fabric than they have been before. This presumably offers some advantages for the performance of those machines. The only thing I am trying to ascertain is whether this has been tried at other exchanges or not and why. As far as I am aware it has not.
Bill Manning asked whether PAIX was a major exchange.
No of course it is not. But Bill, is your response meant to imply that at a major exchange there is simply going to be too much traffic to add the web stuff? Since the server is BEHIND the customer router the web traffic would hit the switch as part of the application layer traffic brought there by the customer. Therefore should it really make any difference to have the web traffic avoid the extra hops of traversing the local loop?
what am I missing?
I suppose the theory is that you get more bandwidth somehow, or a more reliable connection, if you are collocated on top of someone's router at an XP. Depending on your provider's architecture, though, that might be the last place you'd want to be... Avi
No of course it is not. But Bill, is your response meant to imply that at a major exchange there is simply going to be too much traffic to add the web stuff? Since the server is BEHIND the customer router the web traffic would hit the switch as part of the application layer traffic brought there by the customer. Therefore should it really make any difference to have the web traffic avoid the extra hops of traversing the local loop?
That's a viable assumption. There is also the premise that for certain types/styles of exchange, direct hosting of servers may be a valid design consideration. Vertical niche exchanges are becoming more popular. "Traditional" exchanges simply made a number of assumptions wrt participants which are not true. Newer exchanges are differentiating themselves in a number of ways, including more documentation on appropriate use. PAIX appears to be targeting the same type of market segment that other, progressive exchanges are trying to meet, e.g. colo with exchange. Part of the premise of placing all your eggs in one basket and then watching the heck out of it. -- --bill
On Thu, 5 Sep 1996, Stephen Stuart wrote:
Second: allowing such a customer, or an NSP, to attach web services directly to the FDDI ring at the NAP.
PAIX is doing this. As far as I know the other major interchange providers are not. I am wondering why.
No, Gordon, PAIX IS NOT DOING THIS. I told you quite explicitly that the only hosts connected to the PAIX layer 2 network (GIGAswitch/FDDI, not FDDI ring) are ISP routers, just like all the other IX networks.
*sigh* OK, so PA stands for Palo Alto while I assumed it stood for Pennsylvania... Anyway, from the point of view of network engineering it makes a lot of sense for the customer machines to be kept off the central exchange media. But from every other point of view, the fact that there is a router between the customer equipment and the layer 2 exchange media is irrelevant as it has no negative impact on anything. Did I misinterpret Gordon's question as being a higher level question about which XP's allow customer servers to have high-speed access to the XP? Said high-speed access could just as easily be a Gigaswitch/FDDI behind the ISP's router. Michael Dillon - ISP & Internet Consulting Memra Software Inc. - Fax: +1-604-546-3049 http://www.memra.com - E-mail: michael@memra.com
Michael, have you had much experience having servers connect directly onto a level-2 device like a FDDI-to-Ethernet (e.g. Catalyst) connector, and its security implications? -Mulugu
=========================================================
Mulugu Srinivasarao, SprintLink Engineering, Sprint, GSD Bldg. Tel: 703/904-2013 Fax: 703/904-2292

On Thu, 5 Sep 1996, Michael Dillon wrote:
On Thu, 5 Sep 1996, Stephen Stuart wrote:
Second: allowing such a customer, or an NSP, to attach web services directly to the FDDI ring at the NAP.
PAIX is doing this. As far as I know the other major interchange providers are not. I am wondering why.
No, Gordon, PAIX IS NOT DOING THIS. I told you quite explicitly that the only hosts connected to the PAIX layer 2 network (GIGAswitch/FDDI, not FDDI ring) are ISP routers, just like all the other IX networks.
*sigh* OK, so PA stands for Palo Alto while I assumed it stood for Pennsylvania...
Anyway, from the point of view of network engineering it makes a lot of sense for the customer machines to be kept off the central exchange media. But from every other point of view, the fact that there is a router between the customer equipment and the layer 2 exchange media is irrelevant as it has no negative impact on anything.
Did I misinterpret Gordon's question as being a higher level question about which XP's allow customer servers to have high-speed access to the XP? Said high-speed access could just as easily be a Gigaswitch/FDDI behind the ISP's router.
On Tue, 10 Sep 1996, Srinivasarao Mulugu wrote:
Have you had much experience having servers connect directly onto a level-2 device like a FDDI-to-Ethernet (e.g. Catalyst) connector, and its security implications?
Don't you have people at Sprint who could answer this question? ;-)
I know we do, Michael. And I have "their" answer. But they may not have the same experiences you did. I know they did not have the same experiences as some folks running PAIX. So if you have the time and inclination to speak, I do have the interest to listen to you. ;) -Mulugu

On Tue, 10 Sep 1996, Michael Dillon wrote:
On Tue, 10 Sep 1996, Srinivasarao Mulugu wrote:
Have you had much experience having servers connect directly onto a level-2 device like a FDDI-to-Ethernet (e.g. Catalyst) connector, and its security implications?
Don't you have people at Sprint who could answer this question? ;-)
On Tue, 10 Sep 1996, Srinivasarao Mulugu wrote:
I know we do, Michael. And I have "their" answer. But they may not have the same experiences you did.
Have you had much experience having servers connect directly onto a level-2 device like a FDDI-to-Ethernet (e.g. Catalyst) connector, and its security implications?
It's not a matter of experience. It's a matter of what a level-2 device is and how it normally works. There is no security at level 2. Therefore, you should only connect trusted pieces of equipment to a level-2 media unless it is being used as a point-to-point media.

Let's use Ethernet as an example. If you connect a customer web server to an Ethernet then they can sniff any traffic that goes by and possibly do nasty things like spoofing. Even if they would never do such a thing they may be hacked by somebody who would do such a thing. So it is not a good idea to share a level 2 media in this way.

However you can use level 2 media to create point-to-point links. One way is to use a reversed patch cable between two 10baseT interfaces. Another more common way is to use a switch (also works with FDDI and ATM). Of course, the normal reason for using such switches is to get greater bandwidth capabilities. I wouldn't rely on them as the sole means of isolating a customer's web server.

I still don't understand why you are asking me specifically about this stuff. I certainly don't have any direct experience building exchange points. Normally on a mailing list you would direct your question to all the list members in the hopes that you will get several replies from people who have good information to share.

Michael Dillon
At 11:30 -0700 9.10.96, Michael Dillon wrote:
It's not a matter of experience. It's a matter of what a level-2 device is and how it normally works. There is no security at level 2.
Yes there is rudimentary security at L2. It's called MAC-based filtering, which is a feature of DEC's GIGAswitch. I believe that SprintLink uses the capability in a form to logically separate backbone router traffic from access router traffic when both routers are homed to the same GIGAswitch. With filtering, you can establish virtual workgroups where only certain devices can communicate with other devices in the same group, or with specific devices in other groups.

ss
Phone: 1.816.854.2113, Fax: 1.816.854.2201, Sprint Pager: 1.888.366.7890 PIN 398.6644, Text page via Internet: 3986644@pagenet.net
Steve, the GIGAswitches support filtering based on several parameters (e.g. MAC source/destination address, switch ports, etc.). We currently employ filtering based on ports (vs. MAC addresses) to logically partition the GIGAswitches. I think this is prudent since the MAC addresses will change if (er, when :-)) we ever have to swap out failed equipment.

Jim

On Wed, 11 Sep 1996, Steve Schnell, Sprint Corporation wrote:
Date: Wed, 11 Sep 1996 09:49:58 -0500 From: Steve Schnell, Sprint Corporation <schnell@gsd.sprint.com> To: Michael Dillon <michael@memra.com> Cc: nanog@merit.edu Subject: Re: customers and web servers and level one naps
At 11:30 -0700 9.10.96, Michael Dillon wrote:
It's not a matter of experience. It's a matter of what a level-2 device is and how it normally works. There is no security at level 2.
Yes there is rudimentary security at L2. It's called MAC-based filtering, which is a feature of DEC's GIGAswitch. I believe that SprintLink uses the capability in a form to logically separate backbone router traffic from access router traffic when both routers are homed to the same GIGAswitch. With filtering, you can establish virtual workgroups where only certain devices can communicate with other devices in the same group, or with specific devices in other groups.
ss
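The layer 2 behaviour argued over in the last several messages (Michael's point that a switch is not a security boundary, Steve's MAC-based filtering, Jim's preference for port-based partitioning because MACs change when a box is swapped) can be shown with a small model. This is an added example, not code from any poster and not the GIGAswitch's real forwarding logic: the switch below is a toy learning bridge with a fixed-size table and FIFO eviction, and every MAC address, port number and group name is made up. It goes beyond the thread in one place: the last scenario shows a co-located host on the same partition pushing a neighbour out of the forwarding table so that the neighbour's unicast traffic is flooded to it, which is the standard reason a switch alone does not isolate a customer's server.

```python
from collections import OrderedDict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed addresses for the scenarios below (not real equipment).
BACKBONE_RTR = "00:00:0c:01:00:01"   # backbone router on port 1
ACCESS_HOST = "00:00:0c:03:00:01"    # access-side box on port 3
WEB_SERVER = "00:00:0c:04:00:01"     # co-located web server on port 4


@dataclass(frozen=True)
class Frame:
    src: str       # source MAC
    dst: str       # destination MAC
    ingress: int   # switch port the frame arrived on


class Switch:
    """Toy learning switch: port-group partitioning plus optional per-port MAC pinning."""

    def __init__(self, port_groups, cam_size=8, pinned_macs=None):
        self.group = dict(port_groups)          # port -> group name (port-based filter)
        self.cam_size = cam_size                # forwarding-table capacity
        self.cam = OrderedDict()                # MAC -> port; oldest entry evicted when full
        self.pinned = dict(pinned_macs or {})   # port -> the only MAC allowed to send there

    def _learn(self, mac, port):
        self.cam.pop(mac, None)
        self.cam[mac] = port
        if len(self.cam) > self.cam_size:
            self.cam.popitem(last=False)        # FIFO eviction (a simplification of real gear)

    def forward(self, frame):
        """Return the set of egress ports the frame is delivered to; empty means dropped."""
        allowed = self.pinned.get(frame.ingress)
        if allowed is not None and allowed != frame.src:
            return set()                        # MAC-based filter: unexpected source on this port
        self._learn(frame.src, frame.ingress)
        peers = {p for p, g in self.group.items()
                 if g == self.group[frame.ingress] and p != frame.ingress}
        if frame.dst != BROADCAST:
            port = self.cam.get(frame.dst)
            if port is not None:
                return {port} if port in peers else set()   # known MAC: unicast, or filtered
        return peers                            # broadcast or unknown unicast: flood the group


def demo_partition():
    """Port-based partition: access ports cannot reach backbone ports, even by flooding."""
    sw = Switch({1: "backbone", 2: "backbone", 3: "access", 4: "access"})
    sw.forward(Frame(BACKBONE_RTR, BROADCAST, 1))                    # router learned on port 1
    to_backbone = sw.forward(Frame(ACCESS_HOST, BACKBONE_RTR, 3))    # filtered
    flood = sw.forward(Frame(ACCESS_HOST, "00:00:0c:ff:ff:ff", 3))   # unknown dst: access ports only
    within = sw.forward(Frame("00:00:0c:02:00:01", BACKBONE_RTR, 2)) # backbone to backbone
    return to_backbone, flood, within


def demo_mac_pin_after_swap():
    """MAC pinning silently breaks when a router chassis is replaced; a port rule does not."""
    new_rtr = "00:00:0c:01:00:02"   # replacement box, different MAC
    pinned = Switch({1: "backbone", 2: "backbone"}, pinned_macs={1: BACKBONE_RTR})
    before = pinned.forward(Frame(BACKBONE_RTR, BROADCAST, 1))
    after = pinned.forward(Frame(new_rtr, BROADCAST, 1))            # dropped
    port_based = Switch({1: "backbone", 2: "backbone"})
    after_port_rule = port_based.forward(Frame(new_rtr, BROADCAST, 1))
    return before, after, after_port_rule


def demo_cam_flood():
    """A neighbour on the same partition evicts the server's entry and then sees its traffic."""
    sw = Switch({3: "access", 4: "access", 5: "access"}, cam_size=4)
    sw.forward(Frame(WEB_SERVER, ACCESS_HOST, 4))                   # server learned on port 4
    before = sw.forward(Frame(ACCESS_HOST, WEB_SERVER, 3))          # delivered to port 4 only
    for i in range(6):                                              # bogus source MACs from port 5
        sw.forward(Frame(f"00:00:0c:05:ee:{i:02x}", "00:00:0c:ff:ff:ff", 5))
    after = sw.forward(Frame(ACCESS_HOST, WEB_SERVER, 3))           # now flooded, port 5 included
    return before, after


if __name__ == "__main__":
    print("partition:", demo_partition())
    print("mac pin after swap:", demo_mac_pin_after_swap())
    print("cam flood:", demo_cam_flood())
```

The port-based rule in the first two scenarios is the one Jim describes, and it survives the equipment swap; the MAC pin is the filter Steve describes, and it drops the replacement router until someone edits the switch. The third scenario is why Michael's caution stands even with a switch in the path: within one partition the only thing keeping one customer from seeing another's traffic is the forwarding table, and a host on the same partition can churn it.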
In message <Pine.SV4.3.91.960910141342.17625U-100000@mercury.int.sprintlink.net>, Srinivasarao Mulugu writes:
I know we do, Michael. And I have "their" answer. But they may not have the same experiences you did. I know they did not have the same experiences as some folks running PAIX. So if u have the time and inclination to speak , I do have the interest, to listen to you. ;)
-Mulugu
It is possible though admittedly not easy to secure a Unix machine quite tightly (and still put some services on it allowing it to do some useful work) since the services needed for remote administrative access can be fully encrypted. It is not possible to secure a router from the major router vendors at the present time since administrative access involves telnet access where the open TCP session has full privileges and remains "in the clear" for long periods of time and ready for hijack.

A poorly administered Unix system has more holes in it than swiss cheese since that's how many workstation products are shipped. BSD systems today are fairly good as shipped but need kerberos or other encrypted access if they are to be administered remotely. There is no recognized source of Unix security merit badges so it's hard to specify that Unix systems can only be allowed directly on a specific media if they are securely administered. It is generally easier to turn a Unix box into a sniffer and launch sophisticated attacks from it should it get broken into.

Does that approximately match the great wisdom of Sprint? ;-)

Curtis

PS: how did we get (back) on this topic anyway?
Curtis Villamizar writes:
It is possible though admittedly not easy to secure a Unix machine quite tightly (and still put some services on it allowing it to do some useful work) since the services needed for remote administrative access can be fully encrypted. It is not possible to secure a router from the major router vendors at the present time since administrative access involves telnet access where the open TCP session has full privileges and remains "in the clear" for long periods of time and ready for hijack.
If (and only if) you're competent to secure a Unix box, this is pretty easy to deal with. Put one on a private wire with the router, connect to it in a secure encrypted fashion (kerb or ssh, these days?), and from there cleartext telnet to the router is fine. Of course, it costs money. But you can get away with one box and one private net for all the routers in one location, assuming all the routers are in the same security zone. /a
Second: allowing such a customer, or an NSP, to attach web services directly to the FDDI ring at the NAP.
PAIX is doing this. As far as I know the other major interchange providers are not. I am wondering why.
Umm, they were, shall we say, unclear. I heard from one PAIX source that they would give IPs to hosts (non-routers), but another source (at ISPCon) said that they wouldn't. I'd like to know the answer to this (re: PAIX. No other exchange that I know of gives IPs for use by non-routers that aren't RA machines). It's well-known that ploth has a host on the Sprintlink && Pennsauken gigaswitches @ Pennsauken, but I'm quite sure he doesn't run web services on it :) Avi
Second: allowing such a customer, or an NSP, to attach web services directly to the FDDI ring at the NAP.
PAIX is doing this. As far as I know the other major interchange providers are not. I am wondering why.
Umm, they were, shall we say, unclear. I heard from one PAIX source that they would give IPs to hosts (non-routers), but another source (at ISPCon) said that they wouldn't.
I'd like to know the answer to this (re: PAIX. No other exchange that I know of gives IPs for use by non-routers that aren't RA machines). It's well-known that ploth has a host on the Sprintlink && Pennsauken gigaswitches @ Pennsauken, but I'm quite sure he doesn't run web services on it :)
The only devices for which I have or ever will assign IP addresses on the PAIX network are ISP routers, route servers (2), and layer 2 devices that have IP addresses for SNMP management. If you heard anything different from anyone else, they're wrong. Stephen
On Thu, 5 Sep 1996, Gordon Cook wrote:
What are the positions of Ameritech, sprint, pac bell and MFS on two issues?
Who cares? It's a business decision.
First having someone at a NAP who is there as a customer of one of the
Second: allowing such a customer, or an NSP, to attach web services directly to the FDDI ring at the NAP.
First, there is a difference between a NAP and an exchange point. NAP's are quasi-government-sponsored exchange points or in other words, a NAP is a special sort of XP.
PAIX is doing this. As far as I know the other major interchange providers are not. I am wondering why.
Digital's new XP is doing this. http://www.ix.digital.com/ for more info. Other XP's do it too if it makes business sense. The market will figure out whether it makes sense or not.

Michael Dillon
Second: allowing such a customer, or an NSP, to attach web services directly to the FDDI ring at the NAP. [...] PAIX is doing this. As far as I know the other major interchange providers are not. I am wondering why.
Digital's new XP is doing this. http://www.ix.digital.com/ for more info. Other XP's do it too if it makes business sense. The market will figure out whether it makes sense or not.
Digital's new XP is not doing this. Quoting the above WWW page: |Digital is not in the business of selling Internet Service. |... |Locating a corporate server at the Digital Internet Exchange insures the |fastest access to global Internet routes. We're a switching center and a |data center designed for collocation of business computers, a facility that |is secure, powered, cooled, fire protected and earthquake resistant with |7x24 access, and remote hands service. Then, later on in http://www.ix.digital.com/guide.html, we see: |Collocation Services |... |All servers must be direct customers of a Service Provider located at the |Digital Internet Exchange.
Participants: Alexis Rosen, Avi Freedman, bmanning@isi.edu, Curtis Villamizar, Gordon Cook, Jim J. Steinhard, Michael Dillon, Paul A Vixie, Srinivasarao Mulugu, Stephen Stuart, Steve Schnell (Sprint Corporation)