Re: For want of a single ethernet card, an airport was lost ...

[Steve Gibbard <scg () gibbard org>]

On Tue, 21 Aug 2007, Zach White wrote:

> At some point our networks have to remain useful. If they can be shut
> down for hours or days at a time are they really secure?

The first question to ask in designing something is what you're trying to 
accomplish.

This is a mailing list of network operators, meaning that most of us are 
in the business of forwarding packets, or otherwise seeing that packets 
get forwarded.  It matters very little what those packets are, as long as 
they get where they're supposed to go.  If our networks stop forwarding 
packets, we've got a problem.

Compare that to somebody designing a bank vault.  They've still got to be 
able to get things in and out, but their most important priority is that 
stuff that's supposed to stay in the vault stays in the vault.  If 
somebody legitimate can't get the vault open that's annoying, but it's 
nowhere near the level of problem they'd have if the vault turned out to 
be openable by somebody who wasn't supposed to open it.

The question for the designers of immigration systems, then, is whether 
they're designing something like the Internet, intended to forward people 
through efficiently, or something like a bank vault, intended to keep 
people out.  If the former, they'd presumably want to default to being 
open in the event of a failure.  If the latter, they'd want to default to 
being closed in the event of a failure.  If their goals are somewhere in 
the middle, it becomes a matter of weighing the costs of the two failure 
modes and deciding which one will do less damage.  But at that point, it 
becomes a political question, not an engineering question and certainly 
not a network operations question, so it's beyond the scope of the NANOG 
list.

-Steve