> > From: Tony Li <tli@xxxxxxxxx>
> >
> > As a practical matter, these things are quite doable.
>
> Tony, my sense is that the hard part is not places *within one's own
> organization* where one's addresses are stored, but rather in
> *other organizations*; e.g. entries in *their* firewalls. Can
> those with experience confirm/deny this?

In fact, in one of the global IPv4 networks that we operate, ACLs are managed just as Tony describes. However, when we need to add/change ACLs, it takes roughly 90 days to roll it out, for two reasons. One is that we cannot risk changing all routers at one time, so we spread the work over two or more weekends. But the major piece of work is getting the change into customer firewalls. This requires notification, planning on their side, scheduling of their own change windows, etc. All of the human effort involved in doing this has real costs.

At the same time, we and our customers will instantly make changes to routing in our networks without any notification or planning or scheduling of change windows. The difference is that routing is handled by BGP (and OSPF), which everybody trusts to do the right thing. A lot of smart people have put a lot of work into building routing protocols that are reliable. The same amount of brainpower and work has not been applied to ACL management in routers or firewalls.

--Michael Dillon

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf