[146084] in North American Network Operators' Group

Re: Colocation providers and ACL requests

daemon@ATHENA.MIT.EDU (Adam Rothschild)
Wed Nov 2 11:55:42 2011

In-Reply-To: <CAAAwwbVAd3EJgkPHSTGM=7Y6m0VNYH6+7+dTm9ZzFBc1D0YZfQ@mail.gmail.com>
From: Adam Rothschild <asr@latency.net>
Date: Wed, 2 Nov 2011 11:53:37 -0400
To: Jimmy Hess <mysidia@gmail.com>
Cc: NANOG mailing list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Nov 1, 2011 at 8:00 PM, Jimmy Hess <mysidia@gmail.com> wrote:
> On Tue, Nov 1, 2011 at 1:22 PM, Kevin Loch <kloch@kl.net> wrote:
>> We have always accommodated temporary ACL's for active DDOS attacks.  I
>> think that is fairly standard across the ISP/hosting industry.

Indeed.  We'll do it; ditto every reputable hosting, collocation, or
IP transit shop I've come into contact with.

> And it's reasonable to accommodate the customer that asks, and
> reasonable for a customer to ask for
> a temporary ACL in such situations.
>
> However, it's also reasonable for the provider to refuse, and there's
> nothing wrong with that, unless the provider agreed that they would be
> willing to do that [...]

Disagree.  Furthermore, I think providers refusing to implement
temporary ACLs should be called out on fora such as NANOG, to aid
others in the vendor selection process.

This is not to say it's sustainable as a repeat or permanent
configuration -- possible up-sell and business drivers aside, TCAM
exhaustion, performance implications, and man-hours required for ACL
maintenance are all very real concerns -- but denying your customers
this type of emergency response is bad for the Internet, and goes
against basic tenets of customer service.

-a

