Here is a disturbing thought experiment.
- the purpose of network monitoring is to discover performance problems in network devices.
- we rely on APIs on applications that run on the operating system of network devices (virtual, physical, containers – doesn’t matter)
- API = SNMP, YANG, I2RS, etc etc etc
- If device performance is poor then vendors are responsible for a fix. Which has a cost.
- There is an incentive (cost, reputation etc) to present the product in the best possible light.
- The API reports that the device is performing well.
- The API is maliciously or deliberately configured to hide a problem, look better than it is and/or report that performance/service is being delivered perfectly.
One of the lessons we learned from the VW ‘Dieselgate’ scandal is that vendors who operate for profit have enormous incentives to make their products look good. The closed systems that VW used made it difficult to test/validate/prove that there was some form of malfeasance. Once the code was available it was quickly proven.
Open source is not better or worse here. Errors in the OpenSSL library which led to Heartbleed etc. show that code can lie by error, and by lack of resources and talent, too. Open source is not inherently better than closed source, but transparency has business value for the customer.
- I should be open to the idea that ANY API may report false data. Not just bad data or data produced by a software bug, but recognise that IT Security involves evaluating the profit motivation of companies and their motivation when monitoring their own systems. (see also, outsourcing SLAs)
- Legal liability is not a practical disincentive. Proving deliberate and intentional actions to produce false data would be unworkable due to the cost of mounting a case and burden of proof. Also, very few (effectively none) legal actions relating to IT are successful.
- Vendor focus on quarterly results means that long-term goals such as “company reputation” have less value than most people think. (see Cultural gap)
- Customers place trust in closed systems. Making a choice to buy an integrated system with closed code inherently places trust and responsibility on the supplier to act correctly and properly. This risk is inherently accepted by most companies without conscious awareness.
- Testing and Visibility – we come back to the value of community-led testing and validation.
- Unlikely. This is an improbable scenario given the level of focus on APIs, software and the level of standards-based interoperability that we have today. The widespread use of merchant silicon, commodity components and general openness in networking make it unlikely to happen in my view.
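The practical consequence of the “any API may report false data” and “testing and visibility” points is that a monitoring system should corroborate a device’s self-report with evidence the device does not control. The following is an added illustration, not code from the post: it compares what a device’s own API claims about a link against counters read from the neighbour at the far end and against synthetic probes sent across the link. Class names, field names, sample values and the 1% tolerance are all constructed for the example.

```python
# Added example: corroborate self-reported device counters against
# independent evidence (neighbour counters, synthetic probes).
from dataclasses import dataclass


@dataclass
class Reported:           # what the device's own API (SNMP/YANG/...) claims
    tx_packets: int
    rx_packets: int
    drops: int


@dataclass
class External:           # evidence gathered independently of the device
    peer_rx_packets: int  # counter read from the neighbour at the far end
    probes_sent: int      # synthetic probes pushed through this link
    probes_received: int


def corroborate(reported: Reported, ext: External, tol: float = 0.01) -> list[str]:
    """Return the inconsistencies between the self-report and the independent
    evidence; an empty list means the two agree within tolerance `tol`."""
    findings = []
    # 1. Packets the device says it sent should show up at the neighbour.
    if reported.tx_packets:
        gap = (reported.tx_packets - ext.peer_rx_packets) / reported.tx_packets
        if abs(gap) > tol:
            findings.append(f"tx/peer-rx mismatch: {gap:.1%}")
    # 2. Probe loss we observe should be explained by the drops the device admits.
    if ext.probes_sent:
        loss = (ext.probes_sent - ext.probes_received) / ext.probes_sent
        claimed = reported.drops / reported.tx_packets if reported.tx_packets else 0.0
        if loss > claimed + tol:
            findings.append(f"probe loss {loss:.1%} exceeds claimed drop rate {claimed:.1%}")
    return findings


# Constructed sample: the device reports a clean link (zero drops) while the
# neighbour and the probes both disagree with it.
DEVICE_SAYS = Reported(tx_packets=1_000_000, rx_packets=980_000, drops=0)
WE_MEASURED = External(peer_rx_packets=940_000, probes_sent=1000, probes_received=955)

if __name__ == "__main__":
    for finding in corroborate(DEVICE_SAYS, WE_MEASURED):
        print("INCONSISTENT:", finding)
```

The check does not prove intent; it only tells you that the self-report and the independent measurement cannot both be right, which is the signal that deserves investigation.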