Re: IXP

[bmanning () vacation karoshi com]

On Sat, Apr 18, 2009 at 09:12:24PM +0000, Paul Vixie wrote:
> > Date: Sat, 18 Apr 2009 13:17:11 -0400
> > From: "Steven M. Bellovin" <smb () cs columbia edu>
> >
> > On Sat, 18 Apr 2009 16:58:24 +0000
> > bmanning () vacation karoshi com wrote:
> >
> > >   i make the claim that simple, clean design and execution is
> > > best. even the security goofs will agree.   
> >
> > "Even"?  *Especially* -- or they're not competent at doing security.
>
> wouldn't a security person also know about
>
>       http://en.wikipedia.org/wiki/ARP_spoofing
>
> and know that many colo facilities now use one customer per vlan due
> to this concern?  (i remember florian weimer being surprised that we
> didn't have such a policy on the ISC guest network.)
>
> if we maximize for simplicity we get a DELNI.  oops that's not fast
> enough we need a switch not a hub and it has to go 10Gbit/sec/port.
> looks like we traded away some simplicity in order to reach our goals.

        er... 10G is old hat... try 100G.

        i'm not arguing for a return to smoke signals.  i'm arguing that
        simplicity is often time gratuitously abandoned in favor of the
        near-term, quick buck.

        if i may paraphrase Albert, "Things should be as simple as possible,
        but no simpler"

        and ARP... well there's a dirt simple hack that the ethernet-based
        folks have never been able to shake. :)

--bill