Worth Reading: Gone in six characters

Today, we are releasing our study, 18 months in the making, of what URL shortening means for the security and privacy of cloud services. We did not perform a comprehensive scan of all short URLs (as our analysis shows, such a scan would have been within the capabilities of a more powerful adversary), but we sampled enough to discover interesting information and draw important conclusions. -Freedom to Tinker

The post Worth Reading: Gone in six characters appeared first on 'net work.

Worth Watching: Must privacy give way?

Projected benefits of data science and the paradigm of big data are not compatible with the regulation of information collection prompted by concerns over privacy. So goes a compelling and popular argument. Dr. Nissenbaum will challenge this perspective not only because it plays suspiciously well with the dominant business model of the commercial information industry but also because it rests on misconceptions and ambiguities of key terms. -Brown University

The post Worth Watching: Must privacy give way? appeared first on 'net work.

Worth Watching: Must privacy give way?

Projected benefits of data science and the paradigm of big data are not compatible with the regulation of information collection prompted by concerns over privacy. So goes a compelling and popular argument. Dr. Nissenbaum will challenge this perspective not only because it plays suspiciously well with the dominant business model of the commercial information industry but also because it rests on misconceptions and ambiguities of key terms. -Brown University

The post Worth Watching: Must privacy give way? appeared first on 'net work.

Flooding Domains versus Areas

At a fundamental level, SPF and IS-IS are similar in operation. They both build neighbor adjacencies. They both use Dijkstra’s shortest path first (SPF) to find the shortest path to every destination in the network. They both advertise the state of each link connected to a network device. There are some differences, of course, such as the naming (OSI addresses versus IP addresses, intermediate systems versus routers). Many of the similarities and differences don’t play too much in the design of a network, though.

One difference that does play into network design, however, is the way in which the two protocols break up a single failure domain into multiple failure domains. In OSPF we have areas, while in IS-IS we have flooding domains. What’s the difference between these two, and how does it effect network design? Let’s use the illustration below as a helpful reference point for the two different solutions.

In the upper network, we have an illustration of how OSPF areas work. Each router at the border of a flooding domain (an Area Border Router, or ABR), has a certain number of interfaces in each area. Another way of saying this is that an OSPF ABR is Continue reading

Flooding Domains versus Areas

At a fundamental level, OSPF and IS-IS are similar in operation. They both build neighbor adjacencies. They both use Dijkstra’s shortest path first (SPF) to find the shortest path to every destination in the network. They both advertise the state of each link connected to a network device. There are some differences, of course, such as the naming (OSI addresses versus IP addresses, intermediate systems versus routers). Many of the similarities and differences don’t play too much in the design of a network, though.

One difference that does play into network design, however, is the way in which the two protocols break up a single failure domain into multiple failure domains. In OSPF we have areas, while in IS-IS we have flooding domains. What’s the difference between these two, and how does it effect network design? Let’s use the illustration below as a helpful reference point for the two different solutions.

In the upper network, we have an illustration of how OSPF areas work. Each router at the border of a flooding domain (an Area Border Router, or ABR), has a certain number of interfaces in each area. Another way of saying this is that an OSPF ABR is Continue reading

Worth Reading: Declaring IPv6 an Internet Standard

I don’t think that there is any doubt about the “significant benefits” part of this criteria when considering IPv6.But the issue of “technical maturity” is one I’d like to explore a little further. In so many ways IPv6 is just IPv4 with larger address fields. There are just a few technical differences, but it’s these differences that continue to be a source of technical exploration and potential uncertainty. -CircleID

The post Worth Reading: Declaring IPv6 an Internet Standard appeared first on 'net work.

Worth Reading: IoT Hub Throttling

IoT Hub is a service built to support millions of connections in a single region. We’re already dealing with serious-scale connectivity when we talk about the Internet of Things, and we impose the throttling limits on IoT Hub to protect against what otherwise looks like Denial of Service (DoS) attacks on the service. -Azure

The post Worth Reading: IoT Hub Throttling appeared first on 'net work.

Securing BGP: A Case Study (8)

Throughout the last several months, I’ve been building a set of posts examining securing BGP as a sort of case study around protocol and/or system design. The point of this series of posts isn’t to find a way to secure BGP specifically, but rather to look at the kinds of problems we need to think about when building such a system. The interplay between technical and business requirements are wide and deep. In this post, I’m going to summarize the requirements drawn from the last seven posts in the series.

Don’t try to prove things you can’t. This might feel like a bit of an “anti-requirement,” but the point is still important. In this case, we can’t prove which path along which traffic will flow. We also can’t enforce policies, specifically “don’t transit this AS;” the best we can do is to provide information and letting other operators make a local decision about what to follow and what not to follow. In the larger sense, it’s important to understand what can, and what can’t, be solved, or rather what the practical limits of any solution might be, as close to the beginning of the design phase as possible.

In the Continue reading

Worth Reading: Delusional Encryption Bill

One reading of the proposed Senate Encryption Bill reveals an abysmal, multidimensional ignorance of math realities and Internet reach. Or perhaps the bill is just a bit of agitprop in an election year. -MondayNote

The post Worth Reading: Delusional Encryption Bill appeared first on 'net work.

IPSpace

I will be presenting as part of a new online class at IPSpace.net. Check here for details.

The post IPSpace appeared first on 'net work.

Worth Reading: The IETF as a model

Imagine a world where you would be judged by the power of your ideas and not by your title, your origin, your age, your sex or even your academic credentials. Imagine a world where ideas can be debated with great openness and where it is still possible to make decisions by consensus. Imagine a world where competitors work together for the future of humanity.

The post Worth Reading: The IETF as a model appeared first on 'net work.

Worth Reading: Certification road map

Are you struggling to complete a vendor certification? Do you have the will, but perhaps not the way? Getting through a cert program is tough — I’ve completed several of them. And I’ve developed a methodology for successfully completing a cert. With luck, this process might help you move ahead.

The post Worth Reading: Certification road map appeared first on 'net work.

Worth Reading: Is your tax data secure?

Monday is Tax Day. Many of us are thinking about our taxes. Are they too high or too low? What’s our money being spent on? Do we have a government worth paying for? I’m not here to answer any of those questions — I’m here to give you something else to think about. In addition to sending the IRS your money, you’re also sending them your data. It’s a lot of highly personal financial data, so it’s sensitive and important information. Is that data secure?

The post Worth Reading: Is your tax data secure? appeared first on 'net work.

Sunrise over Oak Island

The post Sunrise over Oak Island appeared first on 'net work.

Worth Reading: Topology of malicious activity

We have recently focused our research on how these tools can work together to provide unique insights on the state of the Internet. In this post, we’ll present the beginning of our explorations to identify stable, macro-level attacks trends invisible on the scale of IP addresses.

The post Worth Reading: Topology of malicious activity appeared first on 'net work.

Worth Reading: Rolling the root

…no cryptographic secret can be regarded as “absolute”. It’s all relative and the use of a key has some element of associated risk that the key is not a strict secret. If that’s the case, and if we cannot really understand the exact levels of risk associated with the use of a key, then why should we place our trust in any form of public key cryptography?

The post Worth Reading: Rolling the root appeared first on 'net work.

RFC Reading List

While we normally think of RFCs as standards, there is actually a lot of useful information published through the IETF process that relates to basic network engineering concepts. Since this information is specifically and intentionally vendor independent, it often goes back to the theoretical basis of a line of thinking, or explains things in a way that’s free of vendor implementation jargon. From time to time, I like to highlight these sorts of drafts, to bring them to the notice of the wider networking community.

A lot of basic research has gone into quality of service from the perspective of queuing, marking, and dropping mechanisms. The result of this research is a wide array of quality of service mechanisms, which tend to be explained either using deep math, or in terms of “look what feature we’ve implemented, and here’s how to configure it.” RFC7806, published this month, is a useful intermediary between the high math and vendor implementation styles of presentation. This RFC describes a model often used for understanding quality of service, the Generalized Processor Sharing model, and how it applies to a few packet queuing, marking, and drop strategies.

Benchmarking routing protocols might not be something you Continue reading

Worth Reading: Court rules cell phone location isn’t private information

This week, the Sixth Circuit Court of Appeals held, in United States v. Carpenter, that we lack any privacy interest in the location information generated by our cell phones. The opinion shows a complete disregard for the sensitive and revealing nature of cell site location information (CSLI) and a misguided response to the differences between the analog technologies addressed in old cases and the data-rich technologies of today.

The post Worth Reading: Court rules cell phone location isn’t private information appeared first on 'net work.

Worth Reading: Datera emerges from stealth

Today Datera emerged from stealth launching its first product, Datera Elastic Data Fabric. Datera Elastic Data Fabric is scale-out storage software that turns standard, commodity hardware into a RESTful API-driven, policy-based storage fabric for large-scale clouds.

The post Worth Reading: Datera emerges from stealth appeared first on 'net work.

Something Old, Something New…

Some time back a reader sent this question in—

Is there some list of design fundamentals which were “true” or at least “good rules of thumb” in the past (2 months to 20 years and beyond) which are still proclaimed as true and good, which we need to throw out, or at least question closely today?

It’s an interesting question—the problem is, of course, that there are two sorts of answers to this type of question. The first is rather specific, and the second is rather general. Let’s try the more specific answer first, and see if we can get to the more general one.

There are several rules of thumb that are no longer useful today.

OSPF and IS-IS flooding domains should be limited to 50/100/200 routers/intermediate systems. The old “50 in an area rule” is something several of us asked to be removed from Cisco Online something like 10 years ago, as it didn’t even apply then. I’ve heard 200 more recently, but the reality is—there is no right number here. I just did a two post series on dividing up flooding domains that might be useful here (part 1 and part 2).

There are provider Continue reading