Sean Donelan sean at donelan.com
Sun Apr 19 13:00:32 CDT 2009

On Sat, 18 Apr 2009, Paul Vixie wrote:
>> "Even"?  *Especially* -- or they're not competent at doing security.
> wouldn't a security person also know about
> 	http://en.wikipedia.org/wiki/ARP_spoofing
> and know that many colo facilities now use one customer per vlan due
> to this concern?  (i remember florian weimer being surprised that we
> didn't have such a policy on the ISC guest network.)

I tend to believe there is almost always more than one way to solve any 
problem, and if you can't think of more than one way you probably don't 
understand the problem fully.

IXPs are a subset of the Colo problem, so there may be some issues for 
the colo case that IXPs can handle differently than general purpose colos.
Why use "complex" DELNIs when you could just have passive coax and a real 
RF broadcast medium for your IXP.

If all the IXP participants always did the right thing, you wouldn't need 
the IXP operator to do anything. The problem is sometimes an IXP 
participant does the wrong thing, and the other IXP participants want the 
IXP operator to do something about it which is probably why most IXP
operators use stuff more complex than a passive coax.

Other than Nick's list, are there any other things someone interested in 
checking IXP critical infrastructure might add to the checklist?

More information about the NANOG mailing list