What I really meant by single pt. of failure was... problems of losing
filtering list if the central system is down... Granted, this would not
cause any network issues..

We know how to set up central authorities without central systems or
obvious single points of failure. For instance, the DNS has a single root
authority but there are 13 distributed servers publishing authoritative
data. And not all of those servers are single systems. For some time now
Vixie's root server has been at least two systems using his own FreeBSD
kernel hack to handle load balancing and failover.

Also, people are beginning to realize that having a local cache of
authoritative data is a wise thing and is not very difficult to do. That's
why ISC is now offering a replica service for network operators to set up
local copies of Vixie's F root server.

I would expect that the LDAP service for IP address range attributes would
leverage all of this knowledge about architecture. LDAP may be a more
versatile protocol than DNS but it is clearly from the same family tree of
directory service protocols and there are no major roadblocks preventing
it from being deployed in a sane fashion.