Author Topic: Cat 6a Ethernet  (Read 3967 times)

Offline Reschke

  • Platinum Member
  • Posts: 7724
      • VF-17 "The Jolly Rogers"
Re: Cat 6a Ethernet
« Reply #45 on: April 06, 2010, 07:42:56 AM »
That's fine, but I'm not sure what the relevance is to this thread with regard to a site where fibre is deployed and to the definitions of fibre performance (and PPP for that matter). All I'm doing is correcting some technical mistakes and misunderstandings stated in this thread.

Seemed to me that it had degenerated from a technical explanation to a thread where everyone was trying to jump in on you there. I was pointing out that in fact the USA is far behind in terms of broadband internet availability in the vast majority of the nation. Our infrastructure, not just telephony items, is falling apart and needs to be replaced, but the telco companies don't want to spend the dollars it would take to redo everything; neither do the other service companies, since it would most likely bankrupt many of them, and that just can't happen because they are too big to fail.

However that is getting this thread way off base.
Buckshot
Reschke from March 2001 till tour 146
Founder and CO VF-17 Jolly Rogers September 2002 - December 2006
"I'm baaaaccccckkk!"

Offline ketinkrad

  • Zinc Member
  • Posts: 98
Re: Cat 6a Ethernet
« Reply #46 on: April 06, 2010, 07:44:03 AM »
Vulcan, what brands of better equipment? Please tell me the brands, models and where to get them. Thank you. Ketinkrad. P.S. I am always looking for better equipment; there is so much trash out there.

Offline Ghastly

  • Silver Member
  • Posts: 1756
Re: Cat 6a Ethernet
« Reply #47 on: April 06, 2010, 05:05:13 PM »
Actually no I'm arguing based on the fact that I consult, sell, and help deploy VPN solutions into large organisations (govt/education/corporate). One of the solutions I designed and rolled out services 25,000 remote users. I'm trained and certified on solutions from the likes of Aventail and Juniper.

If most VPN implementations you've used do not work particularly well then I would suggest either the equipment deployed was sub-standard or the people deploying it failed to do so correctly.

PPPoE and PPPoA are not encrypted, so the overheads in processing are minimal. They also fulfill a need in provisioning subscriber networks across multiple physical providers.


Which is all well and good, and I don't doubt you in any way regarding your stated design and implementation abilities. But honestly, even if I accept them without reservation, I don't see how your experience and ability in building great VPN solutions changes the fact that, as a general rule, most of the ones I've used have performed noticeably more poorly than a comparable routed connection. Nor am I alone, I think, in this observation: it's generally considered a given that you sacrifice performance and "reliability" (using the term loosely, given that so much more can go wrong in establishing and maintaining the connection, interoperability issues with products from different vendors, etc.) in exchange for security.

But even if I were to concede that my experience isn't the norm (even though I know better), much more germane to this discussion is that I don't really understand why your experience and expertise would help convince me that Verizon's PPPoE-based FIOS solution is not something of a risk in terms of anticipated performance, especially when the main reason for rolling out FIOS using PPPoE is to re-use older, already existing hardware and software solutions that are now idle.

Maybe it's simply a case of differing viewpoints.  Perhaps you feel that because it could work equally well it probably will, where I feel that where they are already taking what I believe to be a cost cutting shortcut, it's more likely to have adverse effects.

<S>
"Curse your sudden (but inevitable!) betrayal!"
Grue

Offline Vulcan

  • Plutonium Member
  • Posts: 9915
Re: Cat 6a Ethernet
« Reply #48 on: April 07, 2010, 03:30:59 AM »
We have been down the fibre path quite a ways now in NZ, primarily in the business end. A point to note is our fibre providers are not necessarily the ISPs (there has been a push to separate these two in NZ).

So far the implementations are either route, VLAN, or MPLS based. In my experience so far this has led to many problems; an authentication-based PPP solution would have negated these issues.

For example, on our fibre network for a long time you just plugged in with your IP and gateway and away you went. However, all it took was some idiot to type his IP wrong and you'd get a conflict on the network and no idea why your connection was flaky. So then they introduced MAC address rules to tie you to an IP; basically, if you changed MAC addresses within a certain time period it'd lock you out. Problem for me is I often throw a new firewall on to play with. A few weeks back I was trying a Palo Alto box: took our Sonicwall off, PA in (1 MAC change), PA didn't do something right, took it out, put the Sonicwall back in (2 MAC changes and BLAM, I was locked out).

What you really want is an auth system that will back-end into different authorization servers, and nothing else does that as easily as PPPoE.

The alternative is the ISP is locked to the media and vice versa. This gives you no choice in selecting providers.

As for your security/vpn issues, tell me what vendors you deal with, because I'd say 9/10 times that's your problem. I'm cisco certified, done the cisco clone thing for a couple of years, then got out of that. Cisco are a jack of all trades, master of none. They are particularly inept at security and vpn devices. And if it's not cisco then it's a MS PPTP setup which is even worse :)
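
The lockout behaviour described in the post above, as an added example (not the ISP's rule or the poster's code): a stateful check that counts MAC changes per IP inside a sliding window and locks the address once the count passes a threshold, replayed over constructed sightings. The window length, the threshold, and every address and MAC here are assumptions chosen for illustration.

```python
"""MAC-change lockout on an IPoE access network, as a replayable stateful rule.

Added illustration, not an ISP's actual rule: window, threshold, MACs and
addresses are assumptions. The constructed event lists below model
(a) swapping a firewall out and back within the hour, (b) the same swaps a day
apart, and (c) a device that simply reuses the subscriber's MAC.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # assumption: only changes within the last hour count
MAX_CHANGES = 1         # assumption: the 2nd change inside the window locks the IP


class MacChangeGuard:
    def __init__(self, window=WINDOW_SECONDS, max_changes=MAX_CHANGES):
        self.window = window
        self.max_changes = max_changes
        self.current = {}                  # ip -> MAC last seen using it
        self.changes = defaultdict(deque)  # ip -> timestamps of MAC changes
        self.locked = set()

    def observe(self, ts, ip, mac):
        """Feed one (timestamp, ip, mac) sighting; returns 'ok', 'changed' or 'locked'."""
        if ip in self.locked:
            return "locked"
        last = self.current.get(ip)
        self.current[ip] = mac
        if last is None or last == mac:
            return "ok"
        q = self.changes[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget changes older than the window
            q.popleft()
        if len(q) > self.max_changes:
            self.locked.add(ip)
            return "locked"
        return "changed"


def replay(events, **kwargs):
    """Run a fresh guard over a list of sightings and return the verdict per event."""
    guard = MacChangeGuard(**kwargs)
    return [guard.observe(*e) for e in events]


IP = "203.0.113.10"                                          # constructed subscriber address
OLD_FW, NEW_FW = "02:00:00:00:00:01", "02:00:00:00:00:02"    # constructed (locally administered) MACs

# Constructed: firewall A -> B, B misbehaves, back to A, all within the hour.
SWAP_AND_REVERT = [(0, IP, OLD_FW), (600, IP, NEW_FW), (1500, IP, OLD_FW), (1560, IP, OLD_FW)]

# Constructed: the same two swaps spread a day apart.
SLOW_SWAPS = [(0, IP, OLD_FW), (86400, IP, NEW_FW), (172800, IP, OLD_FW)]

# Constructed: a second device reuses the subscriber's MAC; the rule has nothing to see.
CLONE = [(0, IP, OLD_FW), (10, IP, OLD_FW), (20, IP, OLD_FW)]

if __name__ == "__main__":
    for name, ev in (("swap and revert", SWAP_AND_REVERT), ("slow swaps", SLOW_SWAPS), ("clone", CLONE)):
        print(f"{name:16}: {replay(ev)}")
```

Run stand-alone it prints the verdict list for each scenario; the swap-and-revert case locks on the third sighting, the day-apart swaps never lock, and the clone scenario produces only "ok" because the rule keys on MAC changes, not on who owns the MAC.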


Offline 2bighorn

  • Gold Member
  • Posts: 2829
Re: Cat 6a Ethernet
« Reply #49 on: April 07, 2010, 03:46:33 PM »
Quote
For example, on our fibre network for a long time you just plugged in with your IP and gateway and away you went. However, all it took was some idiot to type his IP wrong and you'd get a conflict on the network and no idea why your connection was flaky.

Isn't that what DHCP is for?

Quote
So then they introduced MAC address rules to tie you to an IP; basically, if you changed MAC addresses within a certain time period it'd lock you out. Problem for me is I often throw a new firewall on to play with. A few weeks back I was trying a Palo Alto box: took our Sonicwall off, PA in (1 MAC change), PA didn't do something right, took it out, put the Sonicwall back in (2 MAC changes and BLAM, I was locked out).

MAC cloning... If the firewall/router doesn't support it, you shouldn't be using it...

Quote
What you really want is an auth system that will back-end into different authorization servers, and nothing else does that as easily as PPPoE.

DHCP + IP/MAC binding works just fine. Absolutely no need for any other overhead.


Offline Ghastly

  • Silver Member
  • Posts: 1756
Re: Cat 6a Ethernet
« Reply #50 on: April 07, 2010, 04:37:42 PM »
Quote
As for your security/vpn issues, tell me what vendors you deal with, because I'd say 9/10 times that's your problem

I've used Cisco and Checkpoint clients. Excluding the ones I've set up myself, the VPNs I've used have been set up by the particular vendor we need to communicate with, and have either replaced a non-encrypted routed connection or, in one instance, a dialup connection. In short, I'm not involved in any way other than the mandate that if we want to keep getting/doing (whatever), we need to use the (whatever) that they provide.

For my own company, I've used Netgear FVS318 routers to implement VPNs between the office and two remote sites - and I will not argue with you if you want to dis' the quality of connection they provide - on the one hand they definitely can be slower than the same connection "just routed", but on the other they met the budgetary requirements (read "they cost next to nothing"), are fast enough, and most importantly, have been rock solid.

Now, about that PPPoE based FIOS...

<S>
"Curse your sudden (but inevitable!) betrayal!"
Grue

Offline Vulcan

  • Plutonium Member
  • Posts: 9915
Re: Cat 6a Ethernet
« Reply #51 on: April 08, 2010, 12:04:09 AM »
Quote
Isn't that what DHCP is for?

MAC cloning... If the firewall/router doesn't support it, you shouldn't be using it...

DHCP + IP/MAC binding works just fine. Absolutely no need for any other overhead.

How do you do authentication to multiple authorization servers within DHCP? Let me know when you figure that out :)

MAC cloning is fine, but likewise it's easy to clone someone else's MAC address and create even more problems.

DHCP + IP/MAC binding offers zero security whatsoever; only an idiot would deploy that solution to clients provisioned on a 3rd party infrastructure.
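
The two access-control models the last few posts argue over, as an added example that is not code from any poster: an IPoE-style IP/MAC binding check beside a PPP CHAP exchange (RFC 1994) in which the username realm selects which subscriber database answers, the way a wholesale access network hands authentication to different ISPs' authorization servers. The MACs, addresses, realm names and secrets are constructed sample data, and the two dictionaries stand in for a binding table and for two RADIUS-style back ends.

```python
"""Subscriber access control two ways: IPoE IP/MAC binding versus PPP CHAP
(RFC 1994) with realm-based routing to per-ISP authorization servers.

Added illustration, not code from any poster. All MACs, addresses, realms
and secrets are constructed sample data.
"""
import hashlib
import secrets

# ---- IPoE model: the access network only knows a (MAC, IP) pair -------------
BINDINGS = {"02:00:00:00:00:01": "203.0.113.10"}   # constructed binding table


def ipoe_admit(src_mac, src_ip):
    """Admit traffic if the pair matches the binding table. Both values travel
    in the clear on the segment, so a frame carrying a copied pair is the same
    input as one from the subscriber's own gear."""
    return BINDINGS.get(src_mac) == src_ip


# ---- PPP model: CHAP proves possession of a per-subscriber secret -----------
# Constructed stand-ins for two ISPs' authorization servers (e.g. RADIUS).
AUTH_SERVERS = {
    "isp-a.example": {"alice": b"alice-shared-secret"},
    "isp-b.example": {"bob": b"bob-shared-secret"},
}


def pick_auth_server(username):
    """Wholesale access: 'user@realm' selects which ISP's server answers."""
    user, sep, realm = username.rpartition("@")
    if not sep or realm not in AUTH_SERVERS:
        return None, None
    return user, AUTH_SERVERS[realm]


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge).
    The secret itself never crosses the link; only this digest does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(username, identifier, challenge, response):
    """Authenticator side: recompute with the stored secret and compare."""
    user, db = pick_auth_server(username)
    if db is None or user not in db:
        return False
    expected = chap_response(identifier, db[user], challenge)
    return secrets.compare_digest(expected, response)


def run_exchange(username, peer_secret, identifier=1):
    """One Challenge/Response round trip: the authenticator issues a fresh
    random challenge, the peer answers with whatever secret it holds."""
    challenge = secrets.token_bytes(16)
    response = chap_response(identifier, peer_secret, challenge)
    return chap_verify(username, identifier, challenge, response)


if __name__ == "__main__":
    print("IPoE, bound pair         :", ipoe_admit("02:00:00:00:00:01", "203.0.113.10"))
    print("CHAP, right secret       :", run_exchange("alice@isp-a.example", b"alice-shared-secret"))
    print("CHAP, wrong secret       :", run_exchange("alice@isp-a.example", b"guess"))
    print("CHAP, user at other realm:", run_exchange("alice@isp-b.example", b"alice-shared-secret"))
    print("CHAP, no realm at all    :", run_exchange("alice", b"alice-shared-secret"))
```

The point the code makes without arguing either side: `ipoe_admit` has no input that distinguishes the subscriber from someone who copied the subscriber's MAC and IP, whereas `chap_verify` fails for a wrong secret, a wrong realm, or a response replayed against a different challenge, and the realm lookup is where a second or third ISP's server would be plugged in. CHAP-MD5 is the legacy PPP method; it keeps the secret off the wire but requires the server to store it in recoverable form.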

Offline Vulcan

  • Plutonium Member
  • Posts: 9915
Re: Cat 6a Ethernet
« Reply #52 on: April 08, 2010, 12:12:16 AM »
Quote
I've used Cisco and Checkpoint clients. Excluding the ones I've set up myself, the VPNs I've used have been set up by the particular vendor we need to communicate with, and have either replaced a non-encrypted routed connection or, in one instance, a dialup connection. In short, I'm not involved in any way other than the mandate that if we want to keep getting/doing (whatever), we need to use the (whatever) that they provide.

For my own company, I've used Netgear FVS318 routers to implement VPNs between the office and two remote sites - and I will not argue with you if you want to dis' the quality of connection they provide - on the one hand they definitely can be slower than the same connection "just routed", but on the other they met the budgetary requirements (read "they cost next to nothing"), are fast enough, and most importantly, have been rock solid.

Now, about that PPPoE based FIOS...

<S>

Righto, Cisco as I said earlier is fairly meagre. For example the old entry level PIX501s, which were the backbone of their security offering for some time, only did around 3Mbps *at best* of 3DES throughput. Whereas the comparable Sonicwall and Juniper (Netscreen) products did a minimum of 25Mbps 3DES throughput on their smallest boxes (which incidentally were cheaper). And it was/is like that throughout the entire Cisco range.

Never done much with Checkpoint so I won't go there :)

The entry level Netgear type products AFAIK do not have cryptographic co-processors, so they too are not too hot on VPN performance. We've encountered problems with devices like these crashing when VPNing to a proper box (ie Sonicwall/Juniper/Fortinet) because they simply can't handle the amount of encrypted traffic being thrown at them.

Now the ironic thing is you've most probably been using IPSEC clients, and they DON'T use PPP :D . Typically IPSEC clients hack the network stack on the client OS and filter packets as they travel up and down the stack. This meant that you could never really load more than one IPSEC client on a machine, otherwise you tended to get BSODs.

So in summary, your experience is with the lower end of the performance scale in hardware and not using PPP style connections.

Any more questions :)



Offline 2bighorn

  • Gold Member
  • Posts: 2829
Re: Cat 6a Ethernet
« Reply #53 on: April 08, 2010, 01:23:09 AM »
Quote
How do you do authentication to multiple authorization servers within DHCP? Let me know when you figure that out :)

MAC cloning is fine, but likewise it's easy to clone someone else's MAC address and create even more problems.

DHCP + IP/MAC binding offers zero security whatsoever; only an idiot would deploy that solution to clients provisioned on a 3rd party infrastructure.

Weren't we talking from the ISP's point of view? You don't need PPPoE nor its overhead to authenticate on the network. IPoE is sufficient. Even Verizon figured that out. And that's what we were talking about...


Offline Vulcan

  • Plutonium Member
  • Posts: 9915
Re: Cat 6a Ethernet
« Reply #54 on: April 08, 2010, 05:32:42 PM »
Quote
Weren't we talking from the ISP's point of view? You don't need PPPoE nor its overhead to authenticate on the network. IPoE is sufficient. Even Verizon figured that out. And that's what we were talking about...

Yes I am, and IPoE still has no subscriber based authentication methods. I suggest you read here: http://www.juniper.net/solutions/literature/white_papers/200187.pdf (Pg 8 specifically)


Offline 2bighorn

  • Gold Member
  • Posts: 2829
Re: Cat 6a Ethernet
« Reply #55 on: April 08, 2010, 06:32:13 PM »
Oh no, not Juniper white papers. They're all religious about PPP. Everybody knows they are desperate to push their B-RAS hardware. It is their belief that they have an edge over Cisco in all PPP matters.

Question for you. Why would an ISP need PPPoE for their downstream subscriber base? Even DSLAMs are now IP-based.

Offline Vulcan

  • Plutonium Member
  • Posts: 9915
Re: Cat 6a Ethernet
« Reply #56 on: April 08, 2010, 06:42:34 PM »
Maybe the ISP doesn't control the DSLAM? If you read the white paper you'd see the disadvantage of IPoE is the lack of subscriber authentication functionality. And as far as Juniper having the edge over Cisco, I'd believe Juniper ;)

Offline 2bighorn

  • Gold Member
  • Posts: 2829
Re: Cat 6a Ethernet
« Reply #57 on: April 08, 2010, 07:20:08 PM »
Quote
Maybe the ISP doesn't control the DSLAM?

Well, at least in the US almost all carriers (telcos) are also ISPs.

Quote
If you read the white paper you'd see the disadvantage of IPoE is the lack of subscriber authentication functionality.

And again, why would an ISP need this functionality (when delivering internet access)?

Quote
And as far as Juniper having the edge over Cisco, I'd believe Juniper ;)

Personally I prefer Juniper over Cisco, but that doesn't mean I should take their marketing crap masked as white papers at face value. Besides that, PPPoE is going the way of the Dodo. It's just the way it is...

Offline Vulcan

  • Plutonium Member
  • Posts: 9915
Re: Cat 6a Ethernet
« Reply #58 on: April 08, 2010, 09:19:53 PM »
Quote
And again, why would an ISP need this functionality (when delivering internet access)?

So randoms don't clone a MAC address and IP and route through them? In reality ISPs don't actually use MAC/IP, they use ports. But if the ISP does not control the device the clients are connected to then an authentication method is required, and IPoE doesn't have any authentication method (well, perhaps except 802.1q, but that's not supported on edge routers/firewalls).

At the moment the telcos in the USA are managing their own DSLAMs, but as has been noted a large portion of the USA is way behind. If you look at moves overseas (like NZ) the governments have pushed for a separated model where there is a wholesaler provisioning the physical layer and subscribers pick their service providers. This allows more competition with a better infrastructure, as well as giving subscribers the ability to mix services (ie internet could come via one provider, VoIP via another, IPTV via a third).