
RE: ACLs



No, it should not be dropped!!

Maybe we can quantify it a little.
How many ACLs do we expect to deploy?
How much of an impact can we live with?
At the very far end of this problem would be
every single IP address /32 in the world either being denied or allowed
on 65535 ports. That is of course NOT what anyone would do but it is the
worst case:-)

How about 1000-line ACL / less than 10 millisecond impact?? Or something like
that.

Or should we leave it vague and let actual implementers/clients decide what
they can live with?


Donald.Smith@qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
(coffee != sleep) & (!coffee == sleep)

> -----Original Message-----
> From: George M. Jones [mailto:gmjones@mitre.org]
> Sent: Wednesday, July 23, 2003 11:48 AM
> To: Smith, Donald
> Cc: Randy Bush; Florian Weimer; opsec@ops.ietf.org
> Subject: Re: ACLs
> 
> 
> Smith, Donald wrote:
> 
> >The goal is to improve security:)
> >Writing requirements that the major router vendor can't support might mean
> >the requirements get ignored as TOO HARD.
> >
> 
> Agreed.   There is a continuum from vendor marketing literature to
> things that are impossible due to the laws of physics.
> 
> I'm hoping that we can come out with a list of real, attainable operator
> requirements that are somewhere to the right of marketing literature
> and hopefully more than a set of least common denominators that
> no one will object to.
> 
> >I still believe ACLs that have little to no impact are an important
> >requirement
> >but getting a major router vendor to completely change their architecture
> >could take a few years.
> >
> 
> Granted.   But I think the case can be made that high performance
> hardware based filters are certainly best, mostly common, and definitely a
> practice.  Do you think this should be dropped to accommodate vendors who
> may currently have problems with it ?  Others ?
> 
> ---George
> 
>