On Tue, Nov 1, 2011 at 8:00 PM, Jimmy Hess <mysidia@gmail.com> wrote:
On Tue, Nov 1, 2011 at 1:22 PM, Kevin Loch <kloch@kl.net> wrote:
We have always accommodated temporary ACLs for active DDOS attacks. I think that is fairly standard across the ISP/hosting industry.
Indeed. We'll do it; ditto every reputable hosting, collocation, or IP transit shop I've come into contact with.
And it's reasonable to accommodate the customer that asks, and reasonable for a customer to ask for a temporary ACL in such situations.
However, it's also reasonable for the provider to refuse, and there's nothing wrong with that, unless the provider agreed that they would be willing to do that [...]
Disagree. Furthermore, I think providers refusing to implement temporary ACLs should be called out on fora such as NANOG, to aid others in the vendor selection process. This is not to say it's sustainable as a repeat or permanent configuration -- possible up-sell and business drivers aside, TCAM exhaustion, performance implications, and man-hours required for ACL maintenance are all very real concerns -- but denying your customers this type of emergency response is bad for the Internet, and goes against basic tenets of customer service.

-a