> From: Tony Li <tli(_at_)cisco(_dot_)com>
> As a practical matter, these things are quite doable.
Tony, my sense is that the hard part is not places *within one's own
organization* where one's addresses are stored, but rather in
*other organizations*; e.g. entries in *their* firewalls. Can
those with experience confirm/deny this?

In fact, in one of the global IPv4 networks that we operate, ACLs are
managed just as Tony describes. However, when we need to add/change
ACLs, it takes roughly 90 days to roll it out for two reasons. One is
that we cannot risk changing all routers at one time, so we spread the
work over two or more weekends. But the major piece of work is getting
the change in customer firewalls. This requires notification, planning
on their side, scheduling of their own change windows, etc. All of the
human effort involved in doing this has real costs.

At the same time, we and our customers will instantly make changes to
routing in our networks without any notification or planning or
scheduling of change windows. The difference is that routing is handled
by BGP (and OSPF) which everybody trusts to do the right thing. A lot of
smart people have put a lot of work into building routing protocols that
are reliable. The same amount of brainpower and work has not been
applied to ACL management in routers or firewalls.
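The post's point is that the addresses a renumbering moves are embedded in ACLs and firewall rules held by other organisations, and that finding and changing every such entry is the slow, human-coordinated part. The script below is an added example, not part of this post or the IETF thread, of the two mechanical steps a renumbering plan still needs from each party: an inventory of the ACL lines that reference the prefix being returned, and a proposed rewrite of the address literals to the replacement prefix. It assumes a Cisco-IOS-style extended ACL syntax (`host A`, `A WILDCARD`, `any`); the sample ACL, the two prefixes (RFC 5737 documentation ranges) and all function names are constructed for the illustration.

```python
"""Inventory and rewrite the ACL entries that a prefix renumbering touches.

Added example, not part of the IETF post.  It assumes a Cisco-IOS-style
extended ACL syntax ('host A', 'A WILDCARD', 'any'); the sample ACL and
both prefixes below are constructed from RFC 5737 documentation ranges.
"""
import ipaddress

# Constructed sample ACL, in the style of a customer's inbound filter.
SAMPLE_ACL = """\
ip access-list extended CUSTOMER-IN
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 443
 permit udp any host 198.51.100.53 eq 53
 permit ip 198.51.100.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 permit ip any any
"""

OLD_PREFIX = ipaddress.ip_network("198.51.100.0/24")  # prefix being returned
NEW_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # replacement, same size


def _as_ipv4(token):
    """Return the token as an IPv4Address, or None for keywords and ports."""
    try:
        return ipaddress.IPv4Address(token)
    except ipaddress.AddressValueError:
        return None


def address_terms(tokens):
    """Yield (token_index, address, wildcard_or_None) for one ACL line.

    'host A' and a bare 'A' give (i, A, None); 'A W' gives (i, A, W).
    """
    i = 0
    while i < len(tokens):
        addr = _as_ipv4(tokens[i])
        if addr is not None:
            after_host = i > 0 and tokens[i - 1] == "host"
            mask = None if after_host or i + 1 >= len(tokens) else _as_ipv4(tokens[i + 1])
            yield i, addr, mask
            i += 2 if mask is not None else 1
            continue
        i += 1


def term_network(addr, wildcard):
    """Network matched by an address/wildcard term; None if the wildcard is
    non-contiguous (this example leaves such lines to a human)."""
    if wildcard is None or int(wildcard) == 0:
        return ipaddress.ip_network(f"{addr}/32")
    if int(wildcard) == 0xFFFFFFFF:
        return ipaddress.ip_network("0.0.0.0/0")
    try:  # ipaddress accepts a hostmask (wildcard) in the mask position
        return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)
    except ValueError:
        return None


def affected_entries(acl_text, old_prefix):
    """Inventory step: (line_number, line) for every entry that references
    old_prefix, i.e. every line some organisation must change."""
    hits = []
    for n, line in enumerate(acl_text.splitlines(), 1):
        for _, addr, mask in address_terms(line.split()):
            net = term_network(addr, mask)
            if net is None or net.overlaps(old_prefix):
                hits.append((n, line.strip()))
                break
    return hits


def renumber(acl_text, old_prefix, new_prefix):
    """Move every address literal inside old_prefix to the same offset in
    new_prefix.  Returns (rewritten_text, lines_to_review): a line is left
    alone and listed for review when a term is wider than old_prefix (an
    aggregate whose fate must be decided by hand) or is not interpretable."""
    if old_prefix.prefixlen != new_prefix.prefixlen:
        raise ValueError("old and new prefixes must be the same size")
    out, review = [], set()
    for n, line in enumerate(acl_text.splitlines(), 1):
        tokens, changed = line.split(), False
        for idx, addr, mask in address_terms(tokens):
            net = term_network(addr, mask)
            if net is None or (net.overlaps(old_prefix) and net.prefixlen < old_prefix.prefixlen):
                review.add(n)
            elif addr in old_prefix:
                offset = int(addr) - int(old_prefix.network_address)
                tokens[idx] = str(new_prefix.network_address + offset)
                changed = True
        # Rejoin only rewritten lines so untouched lines keep their spacing.
        indent = line[: len(line) - len(line.lstrip())]
        out.append(indent + " ".join(tokens) if changed else line)
    return "\n".join(out) + "\n", sorted(review)


if __name__ == "__main__":
    for n, entry in affected_entries(SAMPLE_ACL, OLD_PREFIX):
        print(f"line {n}: {entry}")
    new_acl, to_review = renumber(SAMPLE_ACL, OLD_PREFIX, NEW_PREFIX)
    print(new_acl)
    print("review by hand:", to_review)
```

What this produces, per device, is the list of affected lines and a candidate replacement; wider aggregates and non-contiguous wildcards are deliberately handed back for a human decision rather than guessed. Delivering that output to each customer still requires the notification, planning and change-window scheduling the post describes, which is the part no script removes.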
Ietf mailing list