RE: Stupid Question: Network Abuse RFC?

So, someone else (Thanks, by the way -- this is the one I was looking
for) pointed me to RFC3013/BCP46:

http://rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=3013&type=http&file_format=txt

In addition to RFC2142, it would appear that these are largely
ignored just as much as any other operational IETF documents.

That's a shame.

$.02,

- ferg

p.s. Thanks to everyone for their replies.

The IETF (and other groups) developing "Best Common Practices" seem to sometimes forget

   1. Is it a practice?
   2. Is it a common practice?
   3. Is it a best common practice?

If no one is doing it, and they are largely ignored, did the IETF
really do its job of consulting with the operational community to
identify practices that are common and considered best? It is the
organizational version of "running code."

It seemed like many of the Internet "operational" people stopped going
to the IETF in the 1990s and I don't know that those people have really
settled down anywhere else. NANOG/MERIT deliberately decided not to get
into the standards development or publishing business. RIPE does publish
some things. NRIC has the same problem as the IETF and published a
ton of "Best Practices" that no one practiced, and I think tended to cause
operations people to start ignoring NRIC.

Instead often what you get is a group of people from one industry writing what they wish a group of people in another industry would practice.

For example, the financial industry writing what they wish merchants would do for security. Or the e-mail industry writing what they wish networks
would do for security. Or the music industry writing what they wish
universities would do for security.

Although you need some overlap, I think you get much better "buy-in"
when people from the same industry are developing their operational standards.

Well, MAAWG does that, and has produced a lot of good work in the
past. Has the same ISPs that come to NANOG, NSPSEC etc too, and in
some cases the same people.

So is that a call for *NOGs to come out with operational BCPs (no, not
"standards")?

--srs

If you can get the appropriate subject matter people to agree, then
any forum may be useful. However, as other folks have pointed out,
often there are many different constituencies even within the same company. Just because the same ISPs or people show up to the same
groups, it doesn't necessarily mean those are the right people for
a particular subject.

That's why the natives are important. In one company you might
want to talk with the abuse folks, another company you might want to
talk with the infrastructure folks, another company you might want
to talk with the application managers, and so on. Even in the same
company you might need to talk to different people for DDOS incidents,
customer abuse incidents, law enforcement response, and so on. If
you are lucky you might find a person that spends 90% of their time
trying to get all the different parts of the same company to talk to
each other.

MAAWG is useful for particular subjects, not as useful for other subjects.
I expect the same will be true for any forum.

Sean Donelan wrote:

The IETF (and other groups) developing "Best Common Practices" seem to
sometimes forget

  1. Is it a practice?
  2. Is it a common practice?
  3. Is it a best common practice?

If no one is doing it, and they are largely ignored, did the IETF
really do its job of consulting with the operational community to
identify practices that are common and considered best? It is the
organizational version of "running code."

From my perspective if the people who need the BCP aren't the ones
doing the writing then clearly something is going to be lost in
translation.

Writing things down, presenting and accepting criticism on them doesn't
require the blessing of a standards body. If we're so rigid a culture that
we're incapable of handling the documentation of operational wisdom
informally yet we find ourselves bound to a standards body which we
claim isn't serving our interests, whose fault is that?