Randy Bush wrote:
in the field != untouched/unloved
i contend that all one's routers should be rigorously configured as
programmatically as possible.
It seems to me that those are the routers where the filtering of both
packets and routes is easiest and most effective. If every such router
(which almost be definition knows what source addresses and routes are
legitimate) filtered out all the crap, there would not be much crap
getting to the DFZ.
Too hard. I don't think so. When I administered a /16 with "only" a
hundred or so such routers, a simple skeleton config-file-base allowed
quick construction of a config file at installation--which was then
rarely touched ever again. (We did log at a central location and used
SNMP monitors for supervison.)
--
Requiescas in pace o email Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio Infallibility, and the ability to
learn from their mistakes.
Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs
