Archive

Category Archives for "MovingPackets.net"

Orange Matter: Why Your Infrastructure Sucks For Automation


I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. Let’s face it, unless we get to build an infrastructure from the ground up, our existing mass of one-off solutions and workarounds makes automating our infrastructure an absolute nightmare.

This post appeared on Orange Matter as “Why Your Infrastructure Sucks For Automation“, but I’m also linking to the version posted on Thwack, because that version of the post includes pretty pictures. And who doesn’t like a pretty picture?

I’d love it if you were to take a moment to visit and read, and maybe even comment!

If you liked this post, please do click through to the source at Orange Matter: Why Your Infrastructure Sucks For Automation and give me a share/like. Thank you!

Orange Matter: All I Want For Christmas is RESTCONF


I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. I need clear commands, structured response data and simple access to it all; so how about giving me REST-based APIs on all my infrastructure equipment?

This post appeared on Orange Matter as “All I Want For Christmas is RESTCONF“, but I’m also linking to the version posted on Thwack, in case you prefer to read and comment there.

I’d love it if you were to take a moment to visit and read, and maybe even comment!

(Featured image created by Kira auf der Heide on Unsplash)


Orange Matter: Automating the Automators


I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. APIs are critical to operating infrastructure programmatically, but ultimately we need to add one or more layers of API-based middleware to make the solution usable and flexible.

This post appeared on Orange Matter as “Automating The Automators“, but I’m also linking to the version posted on Thwack, mainly because that format allows me to use more images and be slightly more irreverent; you don’t want to miss the great artwork on this one.

I’d love it if you were to take a moment to visit and read, and maybe even comment!


Orange Matter: Automation Paralysis


I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. This post examines how it’s easy to get so focused on automating the small stuff we have difficulty turning that into the more cohesive automation solution that we’d like to have.

This post appeared on Orange Matter as “Automation Paralysis: Why We Get Stuck Automating The Small Stuff“, but I’m also linking to the version posted on Thwack, mainly because that format allowed me to use more images and be slightly more irreverent. Irreverent? Moi? Of course.


I’d love it if you were to take a moment to visit and read, and maybe even comment!


Orange Matter: Where is Your Configuration Source of Truth?


I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. The post linked here looks at where we define our source of truth for device configurations; is it the device itself? Should it be? This is a key question when looking at automation, and one we should all be asking ourselves.

This post appeared on Orange Matter as “Where Is Your Config Source of Truth?“, but I’m also linking to the version posted on Thwack, mainly because that format allowed me to use more images and be slightly more irreverent, which is perhaps a bit more in character.


I’d love it if you were to take a moment to visit and read, and maybe even comment!


New Year, New Post, NFDx!

You may be thinking “Wait, he hasn’t posted in ages.. how lazy is he?” but thankfully I haven’t been entirely slothful for the last seven months. Most recently I authored a series of six posts related to SDN and automation on the Solarwinds Orange Matter blog. I can’t republish that content here, but I will be sharing links to the posts in the coming days and I hope you’ll find them interesting and thought-provoking.

Cisco SP – Networking Field Day Exclusive!

More immediately, I’m preparing to start the new year with a quick trip to see Cisco’s Service Provider group at a Networking Field Day Exclusive event. I’ve seen the proposed agenda, and it looks like it’s going to be an intense day filled with the kind of topics that I know my readers will appreciate. As always, I’ll be posting about some of the topics covered (maybe even all of them…who knows?), but it’s even better if you can take part too.

The event takes place on Tuesday, January 15th, 2019. If you can, I recommend hopping on the live stream on Tech Field Day and then using the #TFDx hashtag on Twitter to join in the Continue reading

Mellanox, Ixia and Cumulus: Part 3

Last–but not least–in the technology triumvirate presenting a joint session at Networking Field Day 17 was Cumulus Networks. This post looks at the benefits of Cumulus Linux as a NOS on the Mellanox Spectrum Ethernet switch platform.


Cumulus Networks

I’ve not yet managed to deploy Cumulus Linux in anger, but it’s on a fairly short list of Network Operating Systems (NOS) which I would like to evaluate in earnest, because every time I hear about it, I conclude that it’s a great solution. In fact, I’m having difficulty typing this post because I have to stop frequently to wipe the drool from my face.

Cumulus Linux supports around 70 switches from 8 manufacturers at this time, and perhaps obviously, that includes the Mellanox Spectrum switches that were presented during this session. This is the beauty of disaggregation of course; it’s possible to make a hardware selection, then select the software to run on it. Mellanox made a fairly strong case for why the Spectrum-based hardware is better than others, so now Cumulus has to argue for why they would be the best NOS to run on the Mellanox hardware.

Cumulus Linux, as the name suggests, is based on Debian linux. Continue reading

Security: Mitigating Spectre on Older Intel CPUs

I suspect all of my readers are well aware of the Spectre exploit affecting, among others, Intel CPUs going back many years. Intel for their part, after a few missteps, have issued microcode updates for more recent CPUs. But for those of us with computers running older CPUs, the solutions are less likely to be forthcoming. Thankfully there is a solution.


Branch Prediction and Speculative Execution

The Spectre exploit affects processors which perform branch prediction, a kind of optimistic lookahead where the processor prepares and executes a potential instruction before it is actually requested. For example, if the processor encounters conditional code (like an if..then..else construct), based on previous behavior it predicts the most likely outcome and thus which branch of code would be executed as a result, then loads and executes that code in advance (hence “speculative execution”). If the branch prediction is correct, the code benefits from improved performance because that work has already been done. Spectre abuses some predictable timing behavior of the speculative execution to extract other processes’ data from the CPU caches. In other words, it’s bad news for security.

The only way to restore security Continue reading

This History Of Networking, from The Network Collective

I mentioned The Network Collective previously when I responded to the very first episode of the videocast/podcast (what TWiT would call a netcast). Since then the three founders and co-hosts (Jordan, Eyvonne and Phil) have published an impressive 20 community roundtable episodes and have somehow also found time to launch a History of Networking series co-hosted by Russ White (yes, that Russ White).


History Of Networking

I’m a bit of a nerd when it comes to computer history, and I love reading books that give the inside story about the birth of the personal computer, the story of Silicon Valley, the rise and fall of technology companies and so on. However, the history of networking is nowhere near as well covered, which is a real shame. Thankfully, The Network Collective are filling that gap handsomely with a list of guests so far that blows my mind. For example:

Paul Vixie


If you’ve ever heard of Vixie cron, BIND DNS, DNSSEC, the Internet Software Consortium (ISC), you’ve found things Mr Vixie has had his hands all over. It’s fascinating to hear him talking about the history of DNS adoption, and his role in maintaining BIND in a nascent Continue reading

Cisco, Mellanox, Ixia and Cumulus: Last Day of NFD17!

In case you have missed the noise on my Twitter feed (@mrtugs) in the last couple of days, I’m currently at Networking Field Day 17 in Silicon Valley, and today (Friday, January 26) is the last day of presentations. So far this week, along with eleven other lucky delegates, we’ve been treated to presentations from Juniper, Thousand Eyes, Extreme Networks and VMware, including Velocloud from VMware. As usual, it has been a firehose of information and thankfully all the videos will be posted soon so I can go back and figure out what I might have missed.

The last two days of presentations have seen a very strong focus on automation, network fabric (including cloud connectivity) and hybrid cloud services. It’s uncanny how everything aligns, sometimes!

Today is the last day of NFD17 and we’re going to be starting at Cisco at 8AM PST, then after lunch we’re hearing from Mellanox, Ixia and Cumulus, all beginning at 1:30PM PST. We live stream all the presentations, so if you want to tune in and join us, pop over to the NFD17 site and the stream will be live on that page. If you are watching in real time and have a Continue reading

Automatic Product Pitch Generator

Because we all like a little bit of fun, I created an automatic Product Pitch Generator for network vendors. More accurately, a conversation about buzzwords occurred in the context of Networking Field Day 17 where it was jokingly suggested that we needed to take some of the amazing words we were hearing and make a generator. Here’s the best part (if you look at it this way); we ended up with two generators!

Big props to Jordan Martin who hacked together some Python, and created his Network Product Buzzword Generator which I think is hilarious (go try it out!). Meanwhile, I was hacking together some Go and came up with this mess of a Product Pitch Generator:

Hit Refresh to get a new Pitch!

And finally, if you’re watching the NFD17 livestream, why not ML-wash yourself and play NFD17 Buzzword Bingo?


Have fun!


Microburst: PSIRT Notifications – Are They Good Or Bad?

If your hardware or software vendor issues a lot of PSIRT (Product Security Incident Response Team) notifications, is that a good thing or a bad thing? After all, a PSIRT bulletin means that there’s a security issue with the product, so lots of PSIRTs means that the product is insecure, right?


What about the alternative, then? If a vendor issues very few PSIRT notifications does it mean that their product is somehow more secure? This is an issue I’ve been thinking about a lot over the last year, and the conclusion I came to is that if a vendor is not issuing regular bulletins, it’s a bad thing. Either the vendor doesn’t think its customers should be aware of vulnerabilities in the product, or perhaps the bugs aren’t being fixed. A PSIRT bulletin involves the vendor admitting that it got something wrong and potentially exposed its customers to a security vulnerability, and I’m ok with that. Sure, I don’t like sloppy coding, but I do appreciate the transparency.

I believe that when a vendor is shy about publishing security notifications it’s probably a decision made by management based on the naive belief that limiting the number of times they admit Continue reading

How To Access Devices with Unsupported SSL Ciphers

With the HeartBleed bug effectively killing off SSLv3 and vulnerabilities in cipher block chaining ruling out another whole swathe of SSL ciphers, network engineers may have found themselves trying to connect to a device and either getting no response (Safari), or getting a response like this (Chrome):

Chrome SSL Error

Or this (Firefox):

Firefox SSL Error

Once upon a time, it was possible to go into settings and enable the old, insecure ciphers again, but in more recent updates, those ciphers no longer exist within the code and are thus inaccessible. So what to do? My answer was to try a proxy.

Charles Proxy

The first proxy I looked at seemed promising. Although not free, Charles Proxy offers a 30 day free trial, and that seemed like a good thing to try. It’s limited additionally by only running for 30 minutes at a time before it has to be reloaded, but for my testing purposes that was not a problem.

During installation I declined to give Charles Proxy permission to configure the system proxy settings. Instead, I manually updated just my Firefox browser to use the proxy, which was now listening on 127.0.0.1:8888. Since I was making an SSL connection, I also Continue reading

Hive Mind, Help Me Out with A10 AXAPI?

Dear Internet,

I am writing some automation code in Go to create client-ssl templates on an A10 load balancer running AXAPI version 2. It’s going as swimmingly as it can with the v2 API, but one area of non-complete API coverage has led to another issue and I’m wondering if anybody has seen the same thing.


Background – Disabling SSLv3

SSL access to VIPs on the A10 load balancer is controlled by means of client-ssl templates which define which certificates should be presented and the ciphers and protocols supported for the incoming connection. In this case therefore, disabling SSLv3 is accomplished in the client-ssl template (unfortunately there is no global switch to turn SSLv3 off by default). A typical template might look like this in the configuration:

slb template client-ssl mytemplate
   cert my_certificate
   key my_private_key
   chain-cert some_chain_cert
   disable-sslv3
!

As it turns out, all aspects of the client-ssl template are exposed via the API except for “disable-sslv3”, which shows neither as a returned property of the template (highly annoying), nor as a property which can be set when creating a template (also annoying). Thus to replicate a template like the one above, I chose to set everything I could using the Continue reading

What Next Now the KRACK Smoke is Clearing?

It’s only four days since we were blessed with news of the KRACK vulnerability in WPA2, so what have we learned now that we’ve had some time to dig into the problem?


Patching Infrastructure (Access Points)

In terms of patching wireless access points the good news is that most of the enterprise vendors at least are on the ball and have either released patches, have them in testing, or have at least promised them in the near future. While one of the primary victims of KRACK in these devices is 802.11r (Fast Roaming) which is not likely to be used in most home environments, it’s more common to see repeater or mesh functionality in the home, and because the AP acts as a wireless client in these cases, it is susceptible to the vulnerability. So if you just have a single AP in the home, chances are that updating the firmware because of KRACK is not that urgent. That’s probably a good thing given the number of wireless access points embedded in routers managed by internet providers, running on old and unsupported hardware, or created by vendors who are no longer in business.

Patching Clients

The clients are where Continue reading

KRACK WPA2 Vulnerability Announced – Upgrade Now

If you haven’t already heard about the KRACK (Key Reinstallation Attack) vulnerability announced today, head over to the information page at https://www.krackattacks.com/ as quick as your fingers will take you because Mathy Vanhoef of imec-DistriNet has found a vulnerability in the WPA2 protocol which has a very wide impact.


The challenge here is that this isn’t a bug in any particular implementation or commonly-used library; rather, it’s a vulnerability in the protocol itself, which means that any correct implementation of the protocol is vulnerable. This also does not just apply to wireless access points; remember that most cell phones can also act as wireless APs for purposes of wireless tethering, so they may be vulnerable too.

Impressively, a number of vendors have released code which has been patched for the vulnerability today, and a number of vendors included fixes before today’s public announcement. However, those are useless if people don’t install the upgrades. I strongly advise going now and finding what your wireless vendor has done, and installing any available patched code.

Ubiquiti Update

Since I know you’re all following my Ubiquiti experiences, I’ll note that UBNT released code Continue reading

iTerm2 Tip: Repeating Commands Using a Coprocess

iTerm2 is a great terminal for MacOS; far better than Apple’s built-in Terminal app, and it’s my #1 recommendation for Mac-based network engineers. One of the many reasons I like it is that it has a feature that solves a really annoying problem.


It’s tedious having to issue a command repeatedly so that you can see when and if the output changes. I’ve had to do this in the past, repeating commands like show ip arp so that I can spot when an entry times out and when it refreshes. The repeated sequence of up arrow, Enter, up arrow, Enter, up arrow, Enter drives me mad.

Some vendors offer assistance; A10 Networks for example has a repeat command in the CLI specifically to help with show commands:

a10-vMaster[2/2]#repeat 5 show arp
Total arp entries: 25       Age time: 300 secs
IP Address         MAC Address          Type         Age   Interface    Vlan
---------------------------------------------------------------------------
10.1.1.65      0000.5e00.01a1       Dynamic      17    Management   1
10.1.1.67      ac4b.c821.57d1       Dynamic      255   Management   1
10.1.1.97      001f.a0f8.d901       Dynamic      22    Management   1
Refreshing command every 5 seconds. (press ^C to quit) Elapsed Time: 00:00:00
Total arp entries: 25       Age time:  Continue reading

Microburst: Update on the HTML Home Network Diagram


Last week I published an article called Making a Clickable HTML Network Diagram using OmniGraffle. One of the questions I was asked was whether I’d tried doing the same in draw.io or Gliffy. I have not, although I do use Gliffy a fair amount, and I have dabbled with draw.io.

Thankfully, Keith Miller (@packetologist) is on hand to provide the answer! Keith has put together an article mirroring a similar process using the free (and platform-agnostic) draw.io. Definitely worth a read, and a great example of a free tool making our lives way easier.

Link: CLICKABLE HTML NETWORK DIAGRAMS WITH DRAW.IO

Thanks, Keith for the excellent demonstration!


Traceroute Lies! A Typical Misinterpretation Of Output

Sometimes a user with performance issues will proudly present me with a traceroute and point to a particular hop in the network and accuse it of being the problem because of high latency on the link. About 1 time in 1000 they are correct and the link is totally saturated. The other 999 times, well, let me explain.


Traceroute Output

Here’s a typical traceroute I might be sent by a user (IPs and hostnames are altered to protect the innocent):

$ traceroute www-europe
traceroute to www-europe (18.9.4.17), 64 hops max, 52 byte packets
 1  gateway (57.239.196.133)          11.447 ms   18.371ms    25.057 ms
 2  us-atl-edge (137.16.151.202)      13.338 ms   20.070 ms   19.119 ms
 3  us-ga-core (57.239.129.37)       103.789 ms  105.998 ms  103.696 ms
 4  us-nyc-core (57.239.128.189)     107.601 ms  103.116 ms  103.934 ms
 5  us-east-core (57.239.13.42)     103.099 ms  104.215 ms  109.042 ms
 6  us-east-bb1 (57.239.111.58)      107.824 ms  104.463 ms  103.482 ms
 7  uk-south-bb1 (57.240.117.81)     106.439 ms  111.156 ms  104.761 ms
  Continue reading

Microburst: A New Post Type on MovingPackets.Net

A problem I frequently face is that I want to share thoughts and comments on something, but I don’t have the time free to write up a full post. The solution, I hope, is a new post type which I’m calling a Microburst.


A Microburst could be anything from one line to a few paragraphs; basically enough for me to convey a thought without having to go into as much depth as I would usually like to do. For that reason in particular, I think it’s important that I can distinguish my regular, shallow posts from these special, short, shallow posts. Handy, right?

The first Microburst appeared a few days ago, and more will be coming soon. Gird your loins, etc.
