On Tue, 21 Aug 2007, Zach White wrote:
> At some point our networks have to remain useful. If they can be shut down for hours or days at a time are they really secure?

The first question to ask in designing something is what you're trying to accomplish. This is a mailing list of network operators, meaning that most of us are in the business of forwarding packets, or otherwise seeing that packets get forwarded. It matters very little what those packets are, as long as they get where they're supposed to go. If our networks stop forwarding packets, we've got a problem.

Compare that to somebody designing a bank vault. They've still got to be able to get things in and out, but their most important priority is that stuff that's supposed to stay in the vault stays in the vault. If somebody legitimate can't get the vault open that's annoying, but it's nowhere near the level of problem they'd have if the vault turned out to be openable by somebody who wasn't supposed to open it.

The question for the designers of immigration systems, then, is whether they're designing something like the Internet, intended to forward people through efficiently, or something like a bank vault, intended to keep people out. If the former, they'd presumably want to default to being open in the event of a failure. If the latter, they'd want to default to being closed in the event of a failure. If their goals are somewhere in the middle, it becomes a matter of weighing the costs of the two failure modes and deciding which one will do less damage.

But at that point, it becomes a political question, not an engineering question and certainly not a network operations question, so it's beyond the scope of the NANOG list.

-Steve