On Wed, 2004-06-02 at 19:32, Jeff Aitken wrote:
> On Wed, Jun 02, 2004 at 06:00:38PM +0200, Erik Haagsman wrote:
> > Only very small ISPs relying on 36xx's or multilayer switching instead of larger, more powerful might be still valid cases where ACL's are a problem.
>
> Interesting assertion. Care to support it?
It's not unusual for smaller ISPs and small hosting companies to rely on low-spec equipment that can just deal with normal traffic flows, but starts falling apart when a traffic spike hits and access lists are present. As an example, take a lower-end IronCore Foundry switch with a Management II or III and make a comparison between the impact a DoS has with and without access lists present. Although it still depends on the exact network topology and the type of traffic, it's usually a difference of night and day performance-wise, and the absence or presence of access lists can mean the difference between keeping the network running while under attack and having it fall over, especially since all access list handling is taken care of by the CPU.

This isn't the case for everyone everywhere that uses this type of equipment, but I can understand smaller networks with smaller budgets and equipment running close to their max being hesitant to put access lists and filtering policies in place. On the other hand, the smaller the network, the smaller the amount of actual filters needed, so you might wonder if that's even a reason not to filter.

Cheers,

--
---
Erik Haagsman
Network Architect
We Dare BV
tel: +31(0)10 7507008
fax: +31(0)10 7507005
http://www.we-dare.nl