On Wed, 09 Mar 2011 03:34:18 PST, Vadim Antonov said:
> Steven Bellovin wrote:
> > And then some other dim bulb will connect one of those 5 layers to the outside world...

Broken attribution alert - I wrote that, not Steve..

> A dim bulb has infinite (and often much subtler) ways of screwing routing in his employer's network. Protecting against idiots is the weakest argument I ever heard for architectural design.

Yes, a dim bulb can do other things. That doesn't mean it's OK to simply ignore totally predictable failure modes. Consider BGP - what happens when some dim bulb manages to create a routing loop? What would have happened if the BGP designers had said "We're not going to worry about this because there's other things the dim bulb can do to hose himself"?