Randy Bush wrote:
in the field != untouched/unloved
i contend that all one's routers should be rigorously configured as programmatically as possible.
It seems to me that those are the routers where the filtering of both packets and routes is easiest and most effective. If every such router (which almost be definition knows what source addresses and routes are legitimate) filtered out all the crap, there would not be much crap getting to the DFZ. Too hard. I don't think so. When I administered a /16 with "only" a hundred or so such routers, a simple skeleton config-file-base allowed quick construction of a config file at installation--which was then rarely touched ever again. (We did log at a central location and used SNMP monitors for supervison.) -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs