On May 11, 2010, at 7:32 AM, Nick Hilliard wrote:
Risk analysis is ass covering without the theatre. You collect data, make a judgement based on that data, and if it turns out that the judgement says that signed bgp updates constitute more of a stability risk to network operations than the occasional shock problem
So apply the risk management analogy here. We all know that pretty much anyone can assert reachability for anyone else's address space inter-domain on the Internet, in particular the closer you get to 'the core' the easier this gets. We also know that route "leaks" commonly occur that result in outages and the potential for intercept or other nefarious activity. Additionally, we know that deaggregation and similar events result in wide-scale systemic effects. We also know that topologically localized events occur that can impact our reachability, whether we're party to the actual fault or not. We have a slew of empirical data to support all of these things, some more high profile than others, with route leaks likely occurring at the highest frequency (every single day).

I would suspect that the probability of fire affecting your network availability is very low, as you can fail over to a new facility. OTOH, if you have a route hijack (intentional or not), failover to a new facility with that address space isn't going to help, and hijacks can be topologically localized - the same applies for DDoS. Yet I suspect your organization has invested reasonably in fire suppression systems, but the asset that matters most that enables the substrate of some applications and services that you care about - the availability of your address space within the global routing system - has no safeguards whatsoever, and can be impacted from anywhere in the world. I'd also venture a guess that we've had more routing issues that have resulted in network downtime of critical sites than we have had fires (if someone disproves that, nice dinner on me!).

We've got empirical data, we understand the vulnerability and the risk (probability of a threat being used). Put that in your risk management equation and consider what assets are most vulnerable to your organization - I'd venture it's something to do with network, and if routing ain't working, network ain't working...

-danny