On Sat, 18 Apr 2009, Paul Vixie wrote:
"Even"? *Especially* -- or they're not competent at doing security.
wouldn't a security person also know about
http://en.wikipedia.org/wiki/ARP_spoofing
and know that many colo facilities now use one customer per vlan due
to this concern? (i remember florian weimer being surprised that we
didn't have such a policy on the ISC guest network.)

I tend to believe there is almost always more than one way to solve any
problem, and if you can't think of more than one way you probably don't
understand the problem fully.

IXPs are a subset of the Colo problem, so there may be some issues for
the colo case that IXPs can handle differently than general purpose colos.

Why use "complex" DELNIs when you could just have passive coax and a real
RF broadcast medium for your IXP?

If all the IXP participants always did the right thing, you wouldn't need
the IXP operator to do anything. The problem is sometimes an IXP
participant does the wrong thing, and the other IXP participants want the
IXP operator to do something about it, which is probably why most IXP
operators use stuff more complex than a passive coax.

Other than Nick's list, are there any other things someone interested in
checking IXP critical infrastructure might add to the checklist?