On Feb 5, 2014, at 3:35 AM, Saku Ytti <s...@ytti.fi> wrote: > If what you say was actual reason, it could be solved by logging ACL. > > We the community, could produce tooling to automate this in few popular > platforms. Automatically builds the ACL, web interface for humans to classify > the logged/unknown. When classified by human as legit source, automatically > create route object for it. > Recreate ACL from route-objects, submit to router.
The problem is many of these can compile to larger than the physical amount of space in the router/LC have to handle it. I’ve done presentations to vendors about what percentage (in bytes and per-line) of the configuration is of what component. 90%+ tends to be customer-specific prefix-list/set/filter lines. These can easily reach many megabytes of configuration and tens or hundreds of thousands of lines. Asking someone to duplicate that to also have an ingress ACL of equivalent size, and *assuming* the router can handle that ACL and compile it properly is a challenge to say the least. > Repeat until human operator is confident no further classification is needed, > and ask tool to swap log+permit + deny. Similar to the above, doing the log permit, etc.. is all dependent on the platform and what scale is feasible. Some devices you can’t do things like log-input and capture the ingress MAC that originated the packet as it’s been stripped off before it gets to that part of the engine. Similar to Randys previous comments, I would like to see another operator talk about their efforts here that has actually implemented something and is willing to share. Right now, I’ve seen a lot of people say what others should do with “their” network, and limited data about what they have done to help solve this problem. It’s harder than it seems, and even those that invite regulation and other things, the technology isn’t capable because it’s not something folks “ask for”. > Probably takes like maybe 50h development work. Let me know how that goes. I’ve found estimates for this stuff can be off by as much as 10x + once all the details are chased down. my wife has regularly been very patient with me when i say “10 minutes” and it’s closer to 2+ hours. I know we can do better than what the state is today, but there’s only so much that one network can do. - Jared
