Technical Explanation of DSL Service

What is it?

DSL is an acronym for Digital Subscriber Line. It is, in essence, a high-speed circuit provided by the telephone company that connects a DSL access device at the end-user (customer) site with a service provider such as an ISP.

Can DSL only connect to ISPs?

No. If your organization operates a Wide Area Network (WAN), it may be possible to convert your WAN to DSL and achieve some cost savings. The restriction is that, for the most part, all sites in your network MUST reside in the SAME local exchange. You will also need to designate ONE site as the "master" site; this site is connected to the LEC via Frame Relay (Verizon) or T1 to T3 ATM (QWest). Internet Partners has had much experience creating and building corporate WANs; ask about DSL when you discuss your corporate WAN with us.

My wife and I both have our own computers. Can I run them both off one DSL account?

YES, with one condition: you will need to purchase additional network equipment. DSL is typically sold with the telephone company supplying the DSL access device. This can be an external device connected to your PC with an Ethernet cable, or an internal card that goes in your PC. Regardless of how it is connected, Internet Partners supplies only ONE "legal" (publicly routable) IP number for you to use on your equipment. So it is not possible for TWO machines to use the DSL account at the same time, each with its own legal IP number. Even if you switch off one PC while the other is running, the second PC will not be able to obtain an IP number from our DHCP server, since only one address is issued per account.

What IS possible is to install a network device (or application) that applies this single legal IP number to an "external interface" connected directly to the DSL access device, and shares it among the machines on an internal network. There are three common ways of doing this. The first is a hardware Network Address Translation (NAT) device such as a Cisco 1605 router with two Ethernet interfaces: the external interface is connected to the DSL device, and the internal interface is connected to a hub that your PCs are plugged into. The second is a software NAT running on a PC: two network cards are installed and a package such as Windows 98 Internet Connection Sharing is run (or a free Unix such as Linux is used), with one card plugged into the internal hub and the other into the DSL access device. The third is a software package called a proxy server, running on a PC with multiple network cards.

What is NAT or proxying?

A NAT device rewrites the source address (and, when several hosts share one address, the source port) of every outbound packet to your single legal IP number, remembers that translation, and rewrites the reply back to the internal host that sent the request. A proxy server works differently: it terminates the client's connection itself and opens a separate connection to the Internet on the client's behalf, so only the proxy needs a legal IP number and only protocols the proxy understands can be used through it.

OK, I read that, but I don't have the Cisco router you are talking about

A popular alternative is the LinkSys router. Keep in mind that while this is a popular product due to its low price, we have heard that LinkSys's tech support only provides basic help to get the router operational, not extensive network consulting or help with setting up a firewall using the router.

I have QWest DSL and someone told me that the external Cisco 675 supports NAT, so why do I need to buy an expensive router?

There is a lot of confusion about this because the Cisco 675 does indeed support Network Address Translation. The catch is that it only supports these features in RFC 1483 routed mode or in PPP mode, not in bridged mode.

QWest delivers MegaBit DSL residential service in two major flavors, Select256 and Deluxe256. Select256 is a PPP-mode service, so the customer's Cisco 675 or Intel 2100 is required to "log in" to the ISP. The connection can stay up a maximum of 2 hours; after that QWest disconnects the Select256 user, who must then wait 5 minutes to log in again. Since this is a PPP-mode connection over DSL, it is possible to enable NAT on the Cisco 675. There is a catch, however: QWest only supports Select256 on the Intel internal 2100 card. It is possible to use Select256 with the Cisco 675, but to do so you must install and activate your service using the Intel 2100 card in a Windows system, then separately purchase a Cisco 675 and configure it yourself.

Deluxe256 is a bridged-only, always-on DSL service. Per the Cisco 675 installation manual, pages 5-7 and 5-8, NAT, routing and filters DO NOT WORK while the 675 is in RFC 1483 bridged mode.

If someone tells you they have a Cisco 675 running NAT under QWest, it is because they have custom-configured their Cisco 675. Perhaps they can assist you in configuring yours so as to avoid paying the extra $150 for a cheap router; if so, great. However, neither QWest nor we support such a configuration at this time.

I want to run a business and I don't want to mess around with a cheap, throwaway router. What should I use?

Internet Partners sells and services Cisco routers. A suitable Cisco device would be a Cisco 2514, 1605, or 2611. These routers are more expensive, but Cisco's support is spectacular, and service contracts are available that cover the router with up to 4-hour turnaround in case of failure.

What is a DSL "modem"?

A DSL "modem" is a crude and, strictly speaking, incorrect term for a DSL access device, also known as a DSL bridge or DSL router. Unlike a dialup modem, it does not modulate data onto a voice call; it terminates a DSL line.

What is a DSL Router?

A DSL router, such as a Cisco 675 in routed mode, combines a DSL interface and an Ethernet interface and performs Layer 3 IP routing functions.

What is a DSL Bridge?

A DSL bridge, such as a Cisco 675 in bridged mode, combines a DSL interface and an Ethernet interface and performs Layer 2 Ethernet bridging functions. In most cases (including ours) this is how DSL service is delivered from the ISP to the end user. When one of these Cisco devices is in bridging mode, it can NOT perform routing functions such as NAT.

Since it is a bridge, can I run protocols other than IP on it?

Any protocol running on the system connected to your DSL device will be bridged to us. However, we only respond to TCP/IP.

A friend of mine has DSL and his DSL access device is a Copper Mountain device. I just got DSL service from you and my device is a Cisco 675. Why are they different?

Copper Mountain produces DSL bridges marketed as Copper Rocket devices. Cisco produces DSL bridges marketed as the Cisco 675 and 875. Netopia and Fujitsu also produce DSL access devices. Depending on who provides the line (QWest or Verizon), you may have a different one of these devices. QWest generally uses Cisco 675 devices and Verizon generally uses Fujitsu devices.

These devices are all different because at the current time there are three major DSL line-coding schemes: CAP, DMT and G.Lite. CAP is proprietary; G.Lite is the standardized one, but it isn't as popular. There is also no standardization of the control interfaces of the DSL devices: while a Cisco 675 and a Netopia both support CAP, their control interfaces are different.

The different control interfaces are an issue because, by and large, DSL devices are configured and controlled by the telco, not the end user (unlike a modem). The telco does this by sending commands to the remote device from the DSLAM. DSLAMs differ between manufacturers; for example, the Fujitsu DSLAM only works with Fujitsu DSL access devices. Whatever DSLAM the telco has fielded (i.e., usually whoever had the best bid price for the contract) determines what device the end user gets.

Somebody told me that DSL is a security hole.

Any connection to the Internet not only presents a path for YOU to access resources on the Internet, it presents a path for OTHERS on the Internet to access YOUR resources. In this respect DSL is no different from any other Internet connection, INCLUDING a dialup connection.

What is different with DSL is that in a great many cases it is replacing V.90 dialup. Dialup accounts are not persistent: without warning you may decide you have had enough web surfing for the day and hang up, and the next call will usually get a different IP number. From a cracker's standpoint, it's a bit like attempting to break into a car that stops at a stoplight: without warning the light may change and the car be replaced by a different one. With DSL, by contrast, your IP number stays the same and the connection is "always on" (connected to the Internet even when you're not using it), so it is much easier for a cracker to patiently try many different intrusion attempts on your computer over days or weeks.

In addition, DSL connections are somewhat unique in that they are BRIDGED connections, not routed. In a bridged network, all devices on the bridge are in effect on the same network segment. For example, suppose that you and your neighbor both purchase DSL service from Internet Partners and are connected to the same bridge group in our router. From a protocol standpoint, this is almost identical to running an Ethernet cable from your neighbor's computer to yours. Broadcast traffic that your machine emits will be sent to all other nodes in the bridge group. Thus, the master browser announcements that are part of Windows file sharing will be received by other customers' computers; these announcements contain the IP number and name of your system, which is useful to someone attempting a break-in.

Internet Partners does set P-node NetBIOS name resolution via DHCP (DHCP option 46, node type 2), which suppresses most Microsoft Networking broadcasts, but this ONLY WORKS IF YOU USE DHCP! Note that this setting is NOT provided as a security feature; it is provided to make better use of your bandwidth by suppressing some client broadcasts.
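The following is an added example, not code from Internet Partners' page or router, showing why a bridged DSL group leaks Windows broadcasts to the neighbors and why P-node resolution helps. It models the learning-bridge behavior described above: a frame for an unknown or broadcast MAC address is flooded out every port except the one it arrived on, while a frame for a learned unicast address goes only to that port. A B-node NetBIOS name registration (UDP 137 to the broadcast address) is therefore seen by your neighbor; a P-node registration is a unicast to the WINS server behind the ISP router port, so the neighbor never sees it. The port names, MAC addresses and frame contents are constructed for the illustration.

```python
"""Learning bridge model: who on a bridge group sees your NetBIOS traffic.

Added example; not Internet Partners' code. Ports, MACs and frames are
constructed. The WINS server is assumed to sit behind the ISP router port.
"""
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ISP_ROUTER_MAC = "00:00:0c:aa:bb:01"     # constructed
YOU_MAC = "00:50:04:11:11:11"            # constructed
NEIGHBOUR_MAC = "00:50:04:22:22:22"      # constructed


class Frame:
    def __init__(self, src, dst, description):
        self.src, self.dst, self.description = src, dst, description


class LearningBridge:
    """Transparent bridge: learns source MACs, floods what it does not know."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}      # MAC -> port it was last seen on

    def receive(self, in_port, frame):
        """Return the list of ports the frame is forwarded out of."""
        self.table[frame.src] = in_port                          # learn
        if frame.dst != BROADCAST_MAC and frame.dst in self.table:
            out_port = self.table[frame.dst]
            return [] if out_port == in_port else [out_port]     # known unicast
        return [p for p in self.ports if p != in_port]           # flood


def build_bridge_group():
    """Bridge group with you, your neighbour and the ISP's router port.
    The router has already spoken (your DHCP lease), so its MAC is learned."""
    bridge = LearningBridge(["you", "neighbour", "isp_router"])
    bridge.receive("isp_router", Frame(ISP_ROUTER_MAC, YOU_MAC, "DHCP ACK"))
    return bridge


def who_sees_name_registration(node_type):
    """Ports that receive your NetBIOS name registration for the given node type."""
    bridge = build_bridge_group()
    if node_type == "B":    # broadcast node: register by shouting on the wire
        frame = Frame(YOU_MAC, BROADCAST_MAC, "NetBIOS name registration, UDP 137 broadcast")
    elif node_type == "P":  # point-to-point node: unicast to the WINS server
        frame = Frame(YOU_MAC, ISP_ROUTER_MAC, "NetBIOS name registration, UDP 137 to WINS")
    else:
        raise ValueError("node_type must be 'B' or 'P'")
    return set(bridge.receive("you", frame))


if __name__ == "__main__":
    for node in ("B", "P"):
        print(f"{node}-node registration reaches: {sorted(who_sees_name_registration(node))}")
```

Two caveats the model makes visible: a unicast frame is only confined once the bridge has learned the destination MAC (the first one still floods), and P-node only removes the broadcasts. Your neighbor can still send unicast packets straight to your IP number across the bridge group, so it does not replace host hardening or filtering.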

OK, I'm concerned now. What do I do to protect my computer on a DSL account?

There are two approaches to protecting a computer on a dedicated connection to the Internet. The first is more commonly used when a SINGLE computer is connected to the Internet and is referred to as "hardening the host". Hardening is a combination of disabling (or at least making difficult to use) all non-essential services on the computer and installing a network filter on it. For Windows 95 or 98, if File and Print Sharing for Microsoft Networks is not required, remove it from your Network settings in Control Panel. If that isn't feasible, at least use hard-to-guess passwords on your shares and do not share entire drives. Then install a network filter such as ZoneAlarm, produced by Zone Labs. If you're running Unix, disable all non-essential services (check what is listening with netstat -a) and turn on packet filtering with a tool such as ipfw. For Windows NT 4.0, the Routing and Remote Access Service (RRAS) update downloadable from Microsoft includes packet filtering that can be enabled.

The second approach is more commonly used when multiple machines are involved and is called firewalling. With a firewall, a single hardened system (or router) is placed between the inside hosts and the rest of the world. All traffic to and from the Internet passes through this host, where it is inspected and blocked if necessary. If you're using a NAT as described above, you get a certain measure of protection: an unsolicited packet from the Internet has no translation entry, so the NAT has no internal host to deliver it to and drops it, and the internal IP numbers themselves are not reachable from outside. However, this is not 100% secure: anything you port-forward is exposed, connections your own machines initiate (including ones started by malicious software) are translated happily, and NAT does nothing about what those connections carry. Filtering is still required, such as an access list on your NAT device; under Windows NT with the RRAS update, or Windows 2000, you can install access lists (packet filters). A Cisco 1605, 2514 or 2611 used as a NAT has better access-list filtering, and for even better security you can run the IOS Firewall feature set on them, which is a stateful firewall comparable to other commercial firewalls.
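The following is an added example, not code from Internet Partners or from any Cisco or LinkSys product, covering both the NAT sharing described under "My wife and I both have our own computers" and the firewall caveat above. It models what a NAT box between the DSL access device and the internal hub does with packets: outbound packets get the single legal IP number, replies are mapped back to the right PC, and an unsolicited probe has no mapping and is dropped. It then shows why that is not a firewall: a port forward reopens the hole, so an access list is still needed. All addresses, ports and packets are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; 192.168.1.0/24 is RFC 1918 space).

```python
"""Stateful NAT (port address translation) with an inbound access list.

Added example; not Internet Partners' code or any vendor's. Addresses,
ports and packets are constructed. PUBLIC_IP stands in for the one legal
IP number the ISP hands out; the rest is assumed for the illustration.
"""
from dataclasses import dataclass
import itertools

PUBLIC_IP = "203.0.113.10"          # the one legal IP (assumed)
INSIDE_HOST = "192.168.1.20"         # a PC on the internal hub (assumed)
NETBIOS_PORTS = {135, 137, 138, 139, 445}


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatBox:
    """Port address translation: many inside hosts behind one public IP."""

    def __init__(self, public_ip, port_forwards=None, inbound_acl=None):
        self.public_ip = public_ip
        self._ports = itertools.count(40000)        # public ports to hand out
        self.out_map = {}     # (proto, inside_ip, inside_port) -> public_port
        self.in_map = {}      # (proto, public_port) -> (inside_ip, inside_port)
        # static mappings the owner configured, e.g. {("tcp", 80): ("192.168.1.20", 80)}
        self.port_forwards = dict(port_forwards or {})
        # predicate applied to inbound packets before translation; None = permit all
        self.inbound_acl = inbound_acl

    def to_internet(self, pkt):
        """Rewrite an inside->outside packet and record the translation."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            pub = next(self._ports)
            self.out_map[key] = pub
            self.in_map[(pkt.proto, pub)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, self.out_map[key],
                      pkt.dst_ip, pkt.dst_port)

    def from_internet(self, pkt):
        """Deliver an outside->inside packet, or return None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None                                   # not addressed to us
        if self.inbound_acl is not None and not self.inbound_acl(pkt):
            return None                                   # denied by access list
        target = (self.in_map.get((pkt.proto, pkt.dst_port))
                  or self.port_forwards.get((pkt.proto, pkt.dst_port)))
        if target is None:
            return None            # no state, no forward: NAT's "natural" protection
        inside_ip, inside_port = target
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def deny_netbios(pkt):
    """Access list: drop anything aimed at the Windows file-sharing ports."""
    return pkt.dst_port not in NETBIOS_PORTS


def demo():
    """Run the three scenarios from the text and report what got through."""
    results = {}
    # 1. Plain NAT: an outbound web request, its reply, and a cold probe at port 139.
    nat = NatBox(PUBLIC_IP)
    out = nat.to_internet(Packet("tcp", INSIDE_HOST, 1025, "198.51.100.5", 80))
    results["outbound_uses_public_ip"] = (out.src_ip, out.src_port) == (PUBLIC_IP, 40000)
    reply = nat.from_internet(Packet("tcp", "198.51.100.5", 80, PUBLIC_IP, out.src_port))
    results["reply_reaches_host"] = (reply.dst_ip, reply.dst_port) == (INSIDE_HOST, 1025)
    probe = Packet("tcp", "198.51.100.77", 3001, PUBLIC_IP, 139)
    results["cold_probe_dropped"] = nat.from_internet(probe) is None
    # 2. Owner forwards ports 80 and 139 to the PC: the share is now reachable.
    forwards = {("tcp", 139): (INSIDE_HOST, 139), ("tcp", 80): (INSIDE_HOST, 80)}
    leaky = NatBox(PUBLIC_IP, port_forwards=forwards)
    results["forward_exposes_share"] = leaky.from_internet(probe) is not None
    # 3. Same forwards plus an access list: web still reachable, NetBIOS blocked.
    filtered = NatBox(PUBLIC_IP, port_forwards=forwards, inbound_acl=deny_netbios)
    web = Packet("tcp", "198.51.100.77", 3002, PUBLIC_IP, 80)
    results["acl_blocks_share"] = filtered.from_internet(probe) is None
    results["acl_allows_web"] = filtered.from_internet(web).dst_port == 80
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'ok' if ok else 'FAIL'}")
```

The access list here is deliberately applied before translation, as an inbound access list on the external interface of a router would be; that is also the place to deny the NetBIOS ports even when you have no port forwards, since a mistaken forward or a future one should not silently expose a share.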

Do I really get all the bandwidth the DSL service is supposed to give me?

The short answer: yes. The long answer: Of course not.

For starters, in the Portland area, if you're purchasing DSL from a LEC (Local Exchange Carrier) such as QWest or Verizon, the tariff the service is provided under explicitly states that there is no bandwidth guarantee. See section 8.11 of the QWest tariff, which can be found at http://tariffs.uswest.com, and section 16.6 of the Verizon tariff, whose base tariff is located at http://www.gte.com/Tariffs/FCC/gtocgstc.htm

In simple terms, if you're purchasing a DSL account that gives you 700Kbps, you will NEVER be able to continuously transfer 700Kbps worth of data from the Internet till the cows come home, no matter WHAT ISP or DSL service provider you use. Anyone who tells you otherwise is lying like a dog. Beyond your own local loop, DSL is a SHARED medium: the telco's backhaul and the ISP's upstream links are oversubscribed among many customers. There is a reason why DSL accounts cost $20 a month and T1 accounts that deliver the same bandwidth cost $1000 a month.

HOWEVER, it is perfectly possible to see BURSTS of data up to the 700Kbps. How long those bursts last, and how many of them you will see, is the mystery and the gamble.

In essence, DSL is like a community hot tub in an apartment complex. Nobody in the complex can afford a hot tub in their own apartment, but all of them can afford to kick in $20 a month towards the cost of a single tub. On any given night there will probably be 5 or 10 people in the tub, but they won't be the same people most of the time.

Internet Partners assumes that end-user DSL customers are going to behave like the hot tub users, and we do take steps to make sure that the occasional user who wants the whole tub for himself is moved to a commercial account, where the aggregation factor (and expense) is completely different. However, you always run the risk that on the night you decide to go tubbing, half the people in the complex decide to go tubbing too. If your networking needs are too critical to subject to this, then DSL is not for you.
 

Copyright 2000-2003 Internet Partners, Inc.
1800 NW 167th Place Suite 160 - Beaverton, Oregon 97006-8132
+1 503 690 2700  FAX +1 503 690 9700