On Sat, Apr 18, 2009 at 09:12:24PM +0000, Paul Vixie wrote:
> > Date: Sat, 18 Apr 2009 13:17:11 -0400
> > From: "Steven M. Bellovin" <s...@cs.columbia.edu>
> >
> > On Sat, 18 Apr 2009 16:58:24 +0000
> > bmann...@vacation.karoshi.com wrote:
> >
> > > i make the claim that simple, clean design and execution is
> > > best. even the security goofs will agree.
> >
> > "Even"? *Especially* -- or they're not competent at doing security.
>
> wouldn't a security person also know about
>
> http://en.wikipedia.org/wiki/ARP_spoofing
>
> and know that many colo facilities now use one customer per vlan due
> to this concern? (i remember florian weimer being surprised that we
> didn't have such a policy on the ISC guest network.)
>
> if we maximize for simplicity we get a DELNI. oops that's not fast
> enough we need a switch not a hub and it has to go 10Gbit/sec/port.
> looks like we traded away some simplicity in order to reach our goals.
er... 10G is old hat... try 100G.
i'm not arguing for a return to smoke signals. i'm arguing that
simplicity is often time gratuitously abandoned in favor of the
near-term, quick buck.
if i may paraphrase Albert, "Things should be as simple as possible,
but no simpler"
and ARP... well there's a dirt simple hack that the ethernet-based
folks have never been able to shake. :)
--bill
