North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Security control in DSL access network

  • From: Christian Kuhtz
  • Date: Mon Mar 27 21:21:50 2006

On Mar 27, 2006, at 7:35 PM, William Caban wrote:

Christian Kuhtz wrote:
At the very least, you're making a big assumption here, and that is that there are no EMS in charge of managing configurations and no provisioning system to trigger and not triggering EMS configuration management. In effect, service provisioning doesn't exist in what you describe.
Being able to provision over point-and-clicks does not get away with the rest of the configuration. I know you can do (depending on the EMS) a certain types of security configurations. Personally, I haven't seen an EMS capable of do a very good hardening of the configurations of DSLAMs and CMTS's.
In a carrier environment with flow through(!) provisioning, humans generally don't touch EMS. They can't, you can't hire that many monkeys and still be in business. Instead, a service provisioning system (or OSS) gets all warm and friendly with the EMS on its northbound interface. Sometimes, OSS skip the EMS altogether because it sucks so bad and can't handle the volume. And it's only as smart (or stupid) as the professional (or moron) who designed it. So, if there's a flaw in provisioning, it can be traced back to a human.

And DSL is not provisioned by hand at scale, that's just an absurd concept. That was only true for carriers when DSL was first introduced almost a decade ago now.

Btw, if you don't mind, please point out to me a large scale deployment that actually has 10's of thousands of live customers on a single DSLAM or which DSLAM you propose this is even physically possible, as well as anticipated engineered bit rates for such a deployment.
1) Point out? I know but I can't. This is a public list and I would get fired if I discuss in public anything from a client with name. But believe me when I say _it does_ exist.
Carriers can do some pretty dumb things, but in my experience they don't do what you describe.

2) Well with a over subscription you can do it on the Junipers E Series (and I've seen it).
It is on the technical docs of the ESeries but you can also see it in this URL: ( page=239)
An E-Series is not a DSLAM, it's a BRAS. Totally different function. A BRAS terminates subscriber sessions, a DSLAM terminates xDSL lines. Some DSLAMs act as mini BRAS these days. But an E- Series is not a DSLAM.

Is this where your confusion is? You really mean to be talking about BRAS?

3) It is not a configuration I will ever recommend; but sometimes due to budget restrictions of what a provider set to spend for the servicing of a location, the provisioning division just "make it work" doing this.
Not in a carrier setting.