nanog mailing list archives

Re: Colocation providers and ACL requests


From: Adam Rothschild <asr () latency net>
Date: Wed, 2 Nov 2011 11:53:37 -0400

On Tue, Nov 1, 2011 at 8:00 PM, Jimmy Hess <mysidia () gmail com> wrote:
On Tue, Nov 1, 2011 at 1:22 PM, Kevin Loch <kloch () kl net> wrote:
We have always accommodated temporary ACLs for active DDOS attacks.  I
think that is fairly standard across the ISP/hosting industry.

Indeed.  We'll do it; ditto every reputable hosting, collocation, or
IP transit shop I've come into contact with.

And it's reasonable to accommodate the customer that asks, and
reasonable for a customer to ask for a temporary ACL in such situations.

However, it's also reasonable for the provider to refuse,  and there's
nothing wrong with that, unless the provider agreed that they would be
willing to do that [...]

Disagree.  Furthermore, I think providers refusing to implement
temporary ACLs should be called out on fora such as NANOG, to aid
others in the vendor selection process.

This is not to say it's sustainable as a repeat or permanent
configuration -- possible up-sell and business drivers aside, TCAM
exhaustion, performance implications, and man-hours required for ACL
maintenance are all very real concerns -- but denying your customers
this type of emergency response is bad for the Internet, and goes
against basic tenets of customer service.

-a

