On Wed, Jan 9, 2019 at 9:07 PM Saku Ytti <s...@ytti.fi> wrote:
> Not disputing bug or bog house as ideal location for said policy, just
> want to explain my perspective why it is so.

So, network device vendors releasing security advisories twice a year isn't a big part of the explanation?

> Hitless upgrades are not really a thing yet, even though they've been
> marketed for 20 years now.

This is correct; on the flip side, hitless vulnerabilities haven't even been marketed, much less invented.

> Only reason things work as well as they do, is because bad
> guys are not trying to DoS the infrastructure with BGP or
> packet-of-deaths

Err... don't they? My experience is quite the opposite.

> If this is something we think should be fixed, then we should have
> good guys intentionally fuzzing _public internet_ BGP and
> transit-packet-of-deaths with good reporting.

If we could be sure that after such fuzzing there would still be a working transport infrastructure to report on top of, then yes.

> if they are abused, Internet will fix those in no more than
> days

— just like we did with IoT in 2016 —

> and trying to guarantee it cannot happen probably is fools
> errant

> If anything, I suspect if it's cheaper to enter the market with
> inferior security and quality then that is likely good business case

This is also correct so far. I wonder if it's here to stay.

--
Töma