[97826] in North American Network Operators' Group


Re: Level(3) filtering (was Yahoo outage summary)

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Mon Jul 9 23:27:57 2007

In-Reply-To: <Pine.GSO.4.58.0707100301170.1179@marvin.argfrp.us.uu.net>
From: Roland Dobbins <rdobbins@cisco.com>
Date: Mon, 9 Jul 2007 20:26:54 -0700
To: Nanog list <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu



On Jul 9, 2007, at 8:10 PM, Chris L. Morrow wrote:

> In the number of customer conversations I've had about this it's
> always sort of surprising that people think it's 'ok' to not have a
> prefix-list :( cause, guess what: "if you don't have one and they
> don't have one... THEY will get you eventually"

Many folks seem to think that they'll be OK because 'someone else'  
will be doing this for them, and so they're protected.  They also  
don't think about the fact that they themselves could accidentally  
cause a problem for others (and, in some cases, for themselves, by  
acting as an inadvertent sinkhole).  But when it's explained to them  
that a) if everyone thinks that 'someone else' will do the  
appropriate filtering, then nobody will do it, and b) that they can  
end up hosing themselves and also taking a big reputational hit, most  
people I talk to about this seem to understand.

The problem is that this is largely an ad-hoc, 1:1 type of  
educational effort, which doesn't scale well.  And in many cases,  
folks seem to find it difficult to go to their management and explain  
that they must invest the opex to implement and maintain these  
policies (along with BCP38, iACLs, et al.); sort of an inversion of
"The Emperor's New Clothes", heh.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

        Culture eats strategy for breakfast.

                -- Ford Motor Company



