[OPSEC] culled from nanog 47 circumstances where stateful inspection is considered harmful...
Roland Dobbins' presentation from NANOG 47 caught my attention...
http://www.nanog.org/meetings/nanog47/presentations/Monday/Dobbins_ISPSecTrac_N47_Mond.pdf
Notably:
"Organizations with firewalls and IDS/’IPS’ inline in front of their
servers went down quickly and stayed down. Same for load-balancers."
Obviously we have a long-standing suspicion of elements of user-generated state
with the potential to blow up the forwarding plane (MSDP explosions, for
example). Stateful packet inspection, however, is cooked into a lot of
both network security devices and standards (e.g. PCI compliance).
I wonder whether some of the efforts associated with stateful inspection
requirements in this space:
  - are working at cross-purposes
  - preclude cost-effective network scaling beyond a certain level
joel
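The failure mode behind the quoted observation is state-table exhaustion: an inline stateful device allocates an entry per new flow, so a flood of never-completing flows fills the table and new legitimate flows are refused, while a stateless filter keeps forwarding. The following toy model is an added illustration, not code from the post or from the NANOG presentation; the capacities, timeouts, addresses and rates are constructed values, and the "age out idle entries faster" variant is shown as one assumed mitigation, not a recommendation from the source.

```python
"""Toy model: stateful inline device vs. stateless filter under a half-open flow flood.

Constructed example; all numbers and addresses are illustrative.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulDevice:
    """Inline device (firewall, IPS, load balancer) holding one table entry per flow."""
    capacity: int          # maximum concurrent flows the device can track
    idle_timeout: int      # seconds an idle entry is kept before being aged out
    table: Dict[Flow, int] = field(default_factory=dict)

    def _age_out(self, now: int) -> None:
        # Drop entries that have been idle longer than the timeout.
        stale = [f for f, last in self.table.items() if now - last > self.idle_timeout]
        for f in stale:
            del self.table[f]

    def handle(self, flow: Flow, now: int) -> bool:
        """Return True if the packet is forwarded, False if refused."""
        self._age_out(now)
        if flow in self.table:
            self.table[flow] = now
            return True
        if len(self.table) >= self.capacity:
            return False  # table full: every new flow, legitimate or not, is refused
        self.table[flow] = now
        return True


class StatelessFilter:
    """Stateless ACL: decides per packet, holds no per-flow state."""
    def __init__(self, allowed_ports: Iterable[int]) -> None:
        self.allowed_ports = set(allowed_ports)

    def handle(self, flow: Flow, now: int) -> bool:
        return flow.dport in self.allowed_ports


def simulate(device, seconds: int = 10, legit_per_sec: int = 10,
             junk_per_sec: int = 200) -> Tuple[int, int]:
    """Feed the device a mix of legitimate flows and junk half-open flows.

    Returns (legitimate flows forwarded, legitimate flows attempted).
    Addresses are constructed from documentation ranges (RFC 5737).
    """
    accepted = total = 0
    for now in range(seconds):
        # Legitimate clients: a new HTTPS flow each second from each client.
        for i in range(legit_per_sec):
            total += 1
            flow = Flow(f"192.0.2.{i}", 40000 + now, "203.0.113.10", 443)
            if device.handle(flow, now):
                accepted += 1
        # Junk: distinct flows that never complete, each consuming a table slot.
        for i in range(junk_per_sec):
            device.handle(Flow(f"198.51.100.{now}", 1024 + i, "203.0.113.10", 443), now)
    return accepted, total


if __name__ == "__main__":
    # Long idle timeout: the table fills within a few seconds and legit flows are refused.
    print("stateful, 30s timeout:", simulate(StatefulDevice(capacity=1000, idle_timeout=30)))
    # Aggressive aging of idle (half-open) entries keeps the table below capacity.
    print("stateful,  3s timeout:", simulate(StatefulDevice(capacity=1000, idle_timeout=3)))
    # Stateless filtering has no table to exhaust.
    print("stateless filter:     ", simulate(StatelessFilter([443])))
```

With the constructed rates, the 30-second-timeout device forwards only the first half of the legitimate flows and then refuses all of them once its 1000-entry table is full of junk, the 3-second variant stays below capacity, and the stateless filter forwards everything. The model ignores CPU and memory costs of table lookups, which in a real device make the collapse sharper than the simple counter suggests.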