rdobbins at arbor.net
Sun Dec 14 23:05:26 UTC 2014
On 15 Dec 2014, at 5:47, David Conrad wrote:
> A monoculture invites catastrophic failure. We've seen this over and
> over again.
We've seen heterogeneous environments fail catastrophically, too.
I've never run into a situation in which a monoculture would've made
things any worse.
> Sure, there are a wide variety of other possible failure points, but
> it would be simply insane to (say) have everyone run the exact same
> code base would mean that everyone is subject to the same
I hate to break it to you, but a) packet-of-death vulnerabilities are
rare, b) operators ought to have mechanisms in place to filter them when
they do show up (*not* silly 'IPS'), and c) gross incompetence with a
heterogeneous software base is no different than gross incompetence with
a monoculture - except that it's more certain.
Having worked for a major vendor of telecommunications gear which is
quite dominant in its space, and having dealt with packet-of-death
issues from said vendor's perspective, I'm here to tell you that all
this preaching about avoiding monoculture is a sideshow compared to the
real issues faced every day in the trenches.
If we could ever get to the point where a monoculture was the biggest
challenge we face, we'd be a lot better off than we are today.
> Are you seriously arguing that it is better to have your entire
> infrastructure subject to a PoD because it's a bit more challenging to
> run different software bases?
See above. And 'a bit more challenging' is a significant
understatement, especially at scale.
Worrying about software monoculture at this juncture is like worrying
about urban planning when you don't even have indoor plumbing.
Roland Dobbins <rdobbins at arbor.net>