Date: Sat, 18 Apr 2009 13:17:11 -0400 From: "Steven M. Bellovin" <smb@cs.columbia.edu>
On Sat, 18 Apr 2009 16:58:24 +0000 bmanning@vacation.karoshi.com wrote:
i make the claim that simple, clean design and execution is best. even the security goofs will agree.
"Even"? *Especially* -- or they're not competent at doing security.
wouldn't a security person also know about http://en.wikipedia.org/wiki/ARP_spoofing and know that many colo facilities now use one customer per vlan due to this concern? (i remember florian weimer being surprised that we didn't have such a policy on the ISC guest network.) if we maximize for simplicity we get a DELNI. oops that's not fast enough we need a switch not a hub and it has to go 10Gbit/sec/port. looks like we traded away some simplicity in order to reach our goals.
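The ARP-spoofing exposure on a shared segment that the reply above points at is what arpwatch-style monitoring catches. The following is an added example, not code from the thread or from any of its authors: it replays a constructed list of ARP replies and flags the two symptoms a defender watches for on a customer-shared VLAN, an IP whose MAC binding changes and a MAC that claims more than one IP. The addresses and MACs are made up for the example.

```python
"""Minimal arpwatch-style detector over constructed ARP reply records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # IP the reply claims to answer for
    sender_mac: str    # hardware address offered for that IP


# Constructed sample traffic (not a real capture): .1 is the gateway; .20 is a
# host on the same VLAN that starts answering for the gateway's IP at t=12.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.0.2.1", "00:00:5e:00:01:01"),
    ArpReply(1.0, "192.0.2.10", "02:00:00:00:00:10"),
    ArpReply(2.0, "192.0.2.20", "02:00:00:00:00:20"),
    ArpReply(12.0, "192.0.2.1", "02:00:00:00:00:20"),  # gateway IP now bound to .20's MAC
    ArpReply(13.0, "192.0.2.1", "02:00:00:00:00:20"),  # repeat of current binding: silent
    ArpReply(14.0, "192.0.2.1", "00:00:5e:00:01:01"),  # real gateway answers again: flip-flop
]


def detect_arp_changes(replies):
    """Return (ts, ip, old_mac, new_mac) for every change in an IP's MAC binding.

    As in arpwatch, the first binding seen for an IP is trusted; later replies
    that disagree are reported, repeats of the current binding are not.
    """
    table = {}
    alerts = []
    for r in replies:
        prev = table.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            alerts.append((r.ts, r.sender_ip, prev, r.sender_mac))
        table[r.sender_ip] = r.sender_mac
    return alerts


def macs_claiming_multiple_ips(replies):
    """Return {mac: sorted list of IPs} for each MAC seen answering for >1 IP."""
    ips_by_mac = defaultdict(set)
    for r in replies:
        ips_by_mac[r.sender_mac].add(r.sender_ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for ts, ip, old, new in detect_arp_changes(SAMPLE_REPLIES):
        print(f"t={ts:5.1f}  {ip} changed {old} -> {new}")
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_REPLIES).items():
        print(f"{mac} answers for {', '.join(ips)}")
```

On a per-customer VLAN the second customer's replies never reach this segment, which is the point of the policy the reply describes.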