
RE: Definitions of "Console" and "CLI" expanded



RS232 is still supported by all major router and network equipment vendors. Many of us have functional requirements for OOBR access that cannot be handled (without serious $$$) without a CLI. Most terminal servers do not come with a simple ANSI/ASCII/curses-based web browser. If a portion of the network is "broke" (media physically cut, power brownouts, etc.), today I can dial in to a modem bank to connect via the OOBR network and diagnose or reconfigure as required.

An HTML interface just is not feasible today for most of the larger ISPs.

As for wiring up, most of us have staff devoted to just that task. They know how to use a breakout box and have the ability to make connectors and cables for RS232 connectivity.

The breakout box shouldn't be required if we can define the RS232 interface with minimal signals.


-----Original Message-----
From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On Behalf Of
Perry E.Metzger
Sent: Wednesday, November 26, 2003 8:06 AM
To: Owen DeLong
Cc: gmj@pobox.com; opsec@ops.ietf.org
Subject: Re: Definitions of "Console" and "CLI" expanded



Owen DeLong <owen@delong.com> writes:
> I think the fact that certain manufacturers are starting to let this 
> slip away is a *BAD* thing.  Personally, I would rather NOT reconcile 
> with this, as I don't believe it provides a reliable solution.
>
> Ethernet plus an IP stack is a much more complicated interface with 
> many more points of failure possible.

Let me subtly disagree.

RS232 is a dying protocol. RS232 concentrators now exist entirely for
people like us, and wiring the things up wastes large amounts of time.
(Indeed, I have likely wasted hundreds of hours of my life with breakout
boxes making one port or another speak at last.)

Then, on top of this, the RS232 concentrators/terminal servers don't
always run a good secure protocol like SSH, so suddenly my terminal
servers become a way to attack my boxes, and if I'm setting up just one
or two boxes in a particular colo I either have to bring my own terminal
server just for one box or (if the locals have one at all!) I have to
trust someone else's security to make sure my box is kept safe.

Having an over-ethernet management console, handled by a separate
processor inside the box, which is now cheap enough to be almost
ignorable on the cost of "real" equipment, is a serious benefit.

At the very least, we should not be telling people that they "must" use
RS232. Even if the systems of the future run with USB target ports for
their consoles and run the serial-over-USB protocol, it would be a big
win -- you could use a few USB hubs on a linux box as your "terminal
server" and handle a hundred ports from one machine if needed, or just a
couple if you wanted, with the wiring all impossible to screw up. USB is
so much nicer than RS232 from a "can't mess up the wiring" perspective
it isn't funny. (On top of this, many laptops don't even have a native
RS232 port any more...)

> The total cost of putting a serial port in a box these days is usually
> under $20.  Even ZyXEL in their "toaster" products has a serial port
> on most of them (all of the more recent models).  If you have a CLI,
> there's really little or no additional software required for serial.

On the other hand, these days, a single chip can provide a supervisory
microprocessor running separately from the rest of the machine plus an
ethernet port for under your magic $20. That processor can perform
additional tasks like doing watchdog timer based resets of the box and
giving you a console even when the machine itself has hung hard, and
providing a hard reset to the main processor! And yes, integrated
systems-on-a-chip have indeed gotten that cheap.

I've gotten rather used to using console boards on PCs. See, for
example, http://www.realweasel.com/ for an example. That board gives you
a separate processor running its own software that handles console but
also does a true hardware watchdog timer and can hard reset the device.
I'm told by the guys building that thing that their next generation
board will have ethernet, and will have ssh for access. I'm thrilled.

> The console port is for those times that communication absolutely 
> positively has to work or you completely lose control of the device. 
> These are circumstances in which you usually face at least one other 
> form of network failure already.

Yah, but how are you going to get to the terminal server? You probably
need a management net anyway if the device going down means that the
network goes down.

> As to full-featured HTML as an option to replace CLI, it's not.

Here we agree fully.

-- 
Perry E. Metzger		perry@piermont.com