Archive

Category Archives for "MovingPackets.net"

Why Haven’t I Tried ZeroTier Before?

I have a confession to make: I am not currently using ZeroTier. It turns out that in this respect I am in a minority among my peers at Networking Field Day 27 and after listening to a great introduction to ZeroTier by company founder and original software author Adam Ierymenko, I now know that I need to change this.

ZeroTier Logo

ZeroTier

ZeroTier facilitates the creation of an arbitrarily distributed virtual ethernet switch through which devices can communicate. Since it’s not immediately obvious what that means, here are a few scenarios where ZeroTier can provide a solution:

Home User

Imagine that you want to access your home network when you’re out on the road. ZeroTier can hook you up.

Multi-cloud Connectivity

What if you would like compute instances in multiple cloud providers to be able to communicate directly with one another as if they were on the same VLAN? What if you could also allow your developers to connect to that VLAN and seamlessly access the compute instances without any knowledge or care about which cloud provider is hosting the instance? Or maybe you’d like the cloud instances to appear as if they were on the data center VLAN? ZeroTier can do Continue reading

Zodiac FX Gets a 3D Printed Case

Not content with having dug the Northbound Networks Zodiac FX out of a pile of overlooked technology in my office, I thought that the poor thing desperately needed to have a case to sit in. When I originally received the switch, I did not have a 3D printer and had no idea what it would take to make a case; now though, I do have a 3D printer … and no idea what it would take to make a case. Sounds like a plan to me!

Measuring the Zodiac FX

The most important tool I bought to go with my 3D printer (a Creality CR6-SE) was some digital calipers. I discovered early on how important it was to ensure that if I was going to screw up, I should be able to screw up accurately.

Rexbeti Calipers

These calipers are made by RexBeti, and if you’ve never heard of that company that’s ok, because before I purchased this I hadn’t either. The calipers claim to be accurate to 0.01mm, but I don’t have any way to validate that claim, so let’s just assume that they are. I do know that it beats using a ruler. A few minutes of careful Continue reading

Upgrading Firmware on Northbound Networks Zodiac FX

Recent versions of firmware (after v0.80) running on the Northbound Networks Zodiac FX can be updated directly from the web interface, or using XMODEM via the serial console. But what if, say, you had sat on your Zodiac FX for a while and are running firmware earlier than v0.81 and have a sudden, unexpected desire to upgrade the firmware? Say you are, for example, me?

The process turned out to be less straightforward than I had hoped, so I am documenting the successful steps I followed in case it’s of use to somebody else.

My (Brief) Zodiac FX Background

Back in 2015 I backed a Kickstarter project for this awesome-sounding four-port FastEthernet SDN switch with OpenFlow support. It sounded so cool that I even ordered a two-pack (as I thought it would be more fun to have two OpenFlow switches to mess around with). The project was funded successfully, but embarrassingly when the beautifully-made boards arrived in early 2016, for some reason I never quite got around to playing with them. I think it was in part because it was just a printed circuit board without a case and without easy access to 3D printing I was turned Continue reading

Cranky Old Network Engineer Complains About The Youth Of Today

If you’re very old (like me) you’ll likely remember the halcyon days when IP routing was not enabled by default on Cisco routers. Younger gamers may find this hard to believe, which makes it even stranger when I keep bumping into an apparently common misconception about how routers work. Let’s take a look at what I’m beefing about.

No IP Routing?

To put this in context for the younger gamers, it’s worth noting that at the time, a typical “enterprise” might be running IP, but was equally likely to run IPX, AppleTalk, DECnet or some other protocol which may – or may not – support routing. Yes, there was life before the Internet Protocol became ubiquitous. If you’re curious, the command to enable IP routing is, well:

ip routing

Guess how IPX routing was enabled:

ipx routing

Appletalk?

appletalk routing

DECnet Phase IV?

decnet [network-number] routing <decnet-address>

Ok, so the pattern isn’t entirely consistent, but it’s close enough. In one way things are much simpler now because routers tend to handle IP (and IPv6) and nothing else. On the other hand there are so many more IP-related features available, I think we should just be grateful that there’s only one Continue reading

Orange Matter: Why Your Infrastructure Sucks For Automation

Orange Matter Logo

I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. Let’s face it, unless we get to build an infrastructure from the ground up, our existing mass of one-off solutions and workarounds makes automating our infrastructure an absolute nightmare.

This post appeared on Orange Matter as “Why Your Infrastructure Sucks For Automation”, but I’m also linking to the version posted on Thwack, because that version of the post includes pretty pictures. And who doesn’t like a pretty picture?

I’d love it if you were to take a moment to visit and read, and maybe even comment!

If you liked this post, please do click through to the source at Orange Matter: Why Your Infrastructure Sucks For Automation and give me a share/like. Thank you!

Orange Matter: All I Want For Christmas is RESTCONF

Orange Matter Logo

I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. I need clear commands, structured response data and simple access to it all; so how about giving me REST-based APIs on all my infrastructure equipment?

This post appeared on Orange Matter as “All I Want For Christmas is RESTCONF”, but I’m also linking to the version posted on Thwack, in case you prefer to read and comment there.

I’d love it if you were to take a moment to visit and read, and maybe even comment!

(Featured image created by Kira auf der Heide on Unsplash)

If you liked this post, please do click through to the source at Orange Matter: All I Want For Christmas is RESTCONF and give me a share/like. Thank you!

Orange Matter: Automating the Automators

Orange Matter Logo

I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. APIs are critical to operating infrastructure programmatically, but ultimately we need to add one or more layers of API-based middleware to make the solution usable and flexible.

This post appeared on Orange Matter as “Automating The Automators”, but I’m also linking to the version posted on Thwack, mainly because that format allows me to use more images and be slightly more irreverent; you don’t want to miss the great artwork on this one.

I’d love it if you were to take a moment to visit and read, and maybe even comment!

If you liked this post, please do click through to the source at Orange Matter: Automating the Automators and give me a share/like. Thank you!

Orange Matter: Automation Paralysis

Orange Matter Logo

I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. This post examines how it’s easy to get so focused on automating the small stuff we have difficulty turning that into the more cohesive automation solution that we’d like to have.

This post appeared on Orange Matter as “Automation Paralysis: Why We Get Stuck Automating The Small Stuff”, but I’m also linking to the version posted on Thwack, mainly because that format allowed me to use more images and be slightly more irreverent. Irreverent? Moi? Of course.

Automation Paralysis

I’d love it if you were to take a moment to visit and read, and maybe even comment!

If you liked this post, please do click through to the source at Orange Matter: Automation Paralysis and give me a share/like. Thank you!

Orange Matter: Where is Your Configuration Source of Truth?

Orange Matter Logo

I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. The post linked here looks at where we define our source of truth for device configurations; is it the device itself? Should it be? This is a key question when looking at automation, and one we should all be asking ourselves.

This post appeared on Orange Matter as “Where Is Your Config Source of Truth?”, but I’m also linking to the version posted on Thwack, mainly because that format allowed me to use more images and be slightly more irreverent, which is perhaps a bit more in character.

Where Is Your Config Source of Truth?

I’d love it if you were to take a moment to visit and read, and maybe even comment!

If you liked this post, please do click through to the source at Orange Matter: Where is Your Configuration Source of Truth? and give me a share/like. Thank you!

New Year, New Post, NFDx!

You may be thinking “Wait, he hasn’t posted in ages... how lazy is he?” but thankfully I haven’t been entirely slothful for the last seven months. Most recently I authored a series of six posts related to SDN and automation on the Solarwinds Orange Matter blog. I can’t republish that content here, but I will be sharing links to the posts in the coming days and I hope you’ll find them interesting and thought-provoking.

Cisco SP – Networking Field Day Exclusive!

More immediately, I’m preparing to start the new year with a quick trip to see Cisco’s Service Provider group at a Networking Field Day Exclusive event. I’ve seen the proposed agenda, and it looks like it’s going to be an intense day filled with the kind of topics that I know my readers will appreciate. As always, I’ll be posting about some of the topics covered (maybe even all of them…who knows?), but it’s even better if you can take part too.

The event takes place on Tuesday, January 15th, 2019. If you can, I recommend hopping on the live stream on Tech Field Day and then using the #TFDx hashtag on Twitter to join in the Continue reading

Mellanox, Ixia and Cumulus: Part 3

Last–but not least–in the technology triumvirate presenting a joint session at Networking Field Day 17 was Cumulus Networks. This post looks at the benefits of Cumulus Linux as a NOS on the Mellanox Spectrum Ethernet switch platform.

Cumulus/Mellanox/Ixia Logos

Cumulus Networks

I’ve not yet managed to deploy Cumulus Linux in anger, but it’s on a fairly short list of Network Operating Systems (NOS) which I would like to evaluate in earnest, because every time I hear about it, I conclude that it’s a great solution. In fact, I’m having difficulty typing this post because I have to stop frequently to wipe the drool from my face.

Cumulus Linux supports around 70 switches from 8 manufacturers at this time, and perhaps obviously, that includes the Mellanox Spectrum switches that were presented during this session. This is the beauty of disaggregation of course; it’s possible to make a hardware selection, then select the software to run on it. Mellanox made a fairly strong case for why the Spectrum-based hardware is better than others, so now Cumulus has to argue for why they would be the best NOS to run on the Mellanox hardware.

Cumulus Linux, as the name suggests, is based on Debian Linux. Continue reading

Security: Mitigating Spectre on Older Intel CPUs

I suspect all of my readers are well aware of the Spectre exploit affecting, among others, Intel CPUs going back many years. Intel for their part, after a few missteps, have issued microcode updates for more recent CPUs. But for those of us with computers running older CPUs, the solutions are less likely to be forthcoming. Thankfully there is a solution.

Spectre Logo


Branch Prediction and Speculative Execution

The Spectre exploit affects processors which perform branch prediction, a kind of optimistic lookahead where the processor prepares and executes a potential instruction before it is actually requested. For example, if the processor encounters conditional code (like an if..then..else construct), based on previous behavior it predicts what the most likely outcome is and thus which branch of code would be executed as a result, then loads and executes that code in advance (hence “speculative execution”). If the branch prediction is correct, then since the code was already executed the code will benefit from improved performance. Spectre abuses some predictable timing behavior of the speculative execution to be able to extract other processes’ data from the CPU caches. In other words, it’s bad news for security.

The only way to restore security Continue reading

This History Of Networking, from The Network Collective

I mentioned The Network Collective previously when I responded to the very first episode of the videocast/podcast (what TWiT would call a netcast). Since then the three founders and co-hosts (Jordan, Eyvonne and Phil) have published an impressive 20 community roundtable episodes and have somehow also found time to launch a History of Networking series co-hosted by Russ White (yes, that Russ White).

The Network Collective

History Of Networking

I’m a bit of a nerd when it comes to computer history, and I love reading books that give the inside story about the birth of the personal computer, the story of Silicon Valley, the rise and fall of technology companies and so on. However, the history of networking is nowhere near as well covered, which is a real shame. Thankfully, The Network Collective are filling that gap handsomely with a list of guests so far that blows my mind. For example:

Paul Vixie

Paul Vixie on the History of Networking

If you’ve ever heard of Vixie cron, BIND DNS, DNSSEC, the Internet Software Consortium (ISC), you’ve found things Mr Vixie has had his hands all over. It’s fascinating to hear him talking about the history of DNS adoption, and his role in maintaining BIND in a nascent Continue reading

Cisco, Mellanox, Ixia and Cumulus: Last Day of NFD17!

In case you have missed the noise on my Twitter feed (@mrtugs) in the last couple of days, I’m currently at Networking Field Day 17 in Silicon Valley, and today (Friday, January 26) is the last day of presentations. So far this week, along with eleven other lucky delegates, we’ve been treated to presentations from Juniper, Thousand Eyes, Extreme Networks and VMware, including Velocloud from VMware. As usual, it has been a firehose of information and thankfully all the videos will be posted soon so I can go back and figure out what I might have missed.

The last two days of presentations have seen a very strong focus on automation, network fabric (including cloud connectivity) and hybrid cloud services. It’s uncanny how everything aligns, sometimes!

Today is the last day of NFD17 and we’re going to be starting at Cisco at 8AM PST, then after lunch we’re hearing from Mellanox, Ixia and Cumulus, all beginning at 1:30PM PST. We live stream all the presentations, so if you want to tune in and join us, pop over to the NFD17 site and the stream will be live on that page. If you are watching in real time and have a Continue reading

Automatic Product Pitch Generator

Because we all like a little bit of fun, I created an automatic Product Pitch Generator for network vendors. More accurately, a conversation about buzzwords occurred in the context of Networking Field Day 17 where it was jokingly suggested that we needed to take some of the amazing words we were hearing and make a generator. Here’s the best part (if you look at it this way); we ended up with two generators!

Big props to Jordan Martin who hacked together some Python, and created his Network Product Buzzword Generator which I think is hilarious (go try it out!). Meanwhile, I was hacking together some Go and came up with this mess of a Product Pitch Generator:

Hit Refresh to get a new Pitch!

And finally, if you’re watching the NFD17 livestream, why not ML-wash yourself and play NFD17 Buzzword Bingo?

NFD17 Bingo!

Have fun!

If you liked this post, please do click through to the source at Automatic Product Pitch Generator and give me a share/like. Thank you!

Microburst: PSIRT Notifications – Are They Good Or Bad?

If your hardware or software vendor issues a lot of PSIRT (Product Security Incident Response Team) notifications, is that a good thing or a bad thing? After all, a PSIRT bulletin means that there’s a security issue with the product, so lots of PSIRTs means that the product is insecure, right?

Mp psirt

What about the alternative, then? If a vendor issues very few PSIRT notifications does it mean that their product is somehow more secure? This is an issue I’ve been thinking about a lot over the last year, and the conclusion I came to is that if a vendor is not issuing regular bulletins, it’s a bad thing. Either the vendor doesn’t think its customers should be aware of vulnerabilities in the product, or perhaps the bugs aren’t being fixed. A PSIRT bulletin involves the vendor admitting that it got something wrong and potentially exposed its customers to a security vulnerability, and I’m ok with that. Sure, I don’t like sloppy coding, but I do appreciate the transparency.

I believe that when a vendor is shy about publishing security notifications it’s probably a decision made by management based on the naive belief that limiting the number of times they admit Continue reading

How To Access Devices with Unsupported SSL Ciphers

With the HeartBleed bug effectively killing off SSLv3 and vulnerabilities in cipher block chaining ruling out another whole swathe of SSL ciphers, network engineers may have found themselves trying to connect to a device and either getting no response (Safari), or getting a response like this (Chrome):

Chrome SSL Error

Or this (Firefox):

Firefox SSL Error

Once upon a time, it was possible to go into settings and enable the old, insecure ciphers again, but in more recent updates, those ciphers no longer exist within the code and are thus inaccessible. So what to do? My answer was to try a proxy.

Charles Proxy

The first proxy I looked at seemed promising. Although not free, Charles Proxy offers a 30 day free trial, and that seemed like a good thing to try. It’s limited additionally by only running for 30 minutes at a time before it has to be reloaded, but for my testing purposes that was not a problem.

During installation I declined to give Charles Proxy permission to configure the system proxy settings. Instead, I manually updated just my Firefox browser to use the proxy which was now listening on 127.0.0.1:8888. Since I was making an SSL connection, I also Continue reading

Hive Mind, Help Me Out with A10 AXAPI?

Dear Internet,

I am writing some automation code in Go to create client-ssl templates on an A10 load balancer running AXAPI version 2. It’s going as swimmingly as it can with the v2 API, but one area of non-complete API coverage has led to another issue and I’m wondering if anybody has seen the same thing.

A10 Networks Logo

Background – Disabling SSLv3

SSL access to VIPs on the A10 load balancer is controlled by means of client-ssl templates which define which certificates should be presented and the ciphers and protocols supported for the incoming connection. In this case therefore, disabling SSLv3 is accomplished in the client-ssl template (unfortunately there is no global switch to turn SSLv3 off by default). A typical template might look like this in the configuration:

slb template client-ssl mytemplate
   cert my_certificate
   key my_private_key
   chain-cert some_chain_cert
   disable-sslv3
!

As it turns out, all aspects of the client-ssl template are exposed via the API except for “disable-sslv3”, which shows neither as a returned property of the template (highly annoying), nor as a property which can be set when creating a template (also annoying). Thus to replicate a template like the one above, I chose to set everything I can using the Continue reading

What Next Now the KRACK Smoke is Clearing?

It’s only four days since we were blessed with news of the KRACK vulnerability in WPA2, so what have we learned now that we’ve had some time to dig into the problem?

KRACK

Patching Infrastructure (Access Points)

In terms of patching wireless access points the good news is that most of the enterprise vendors at least are on the ball and have either released patches, have them in testing, or have at least promised them in the near future. While one of the primary victims of KRACK in these devices is 802.11r (Fast Roaming) which is not likely to be used in most home environments, it’s more common to see repeater or mesh functionality in the home, and because the AP acts as a wireless client in these cases, it is susceptible to the vulnerability. So if you just have a single AP in the home, chances are that updating the firmware because of KRACK is not that urgent. That’s probably a good thing given the number of wireless access points embedded in routers managed by internet providers, running on old and unsupported hardware, or created by vendors who are no longer in business.

Patching Clients

The clients are where Continue reading

KRACK WPA2 Vulnerability Announced – Upgrade Now

If you haven’t already heard about the KRACK (Key Reinstallation Attack) vulnerability announced today, head over to the information page at https://www.krackattacks.com/ as quick as your fingers will take you because Mathy Vanhoef of imec-DistriNet has found a vulnerability in the WPA2 protocol which has a very wide impact.

KRACK Attack

The challenge here is that this isn’t a bug in any particular implementation or commonly-used library; rather, it’s a vulnerability in the protocol itself, which means that any correct implementation of the protocol is vulnerable. This also does not just apply to wireless access points; remember that most cell phones can also act as wireless APs for purposes of wireless tethering, so they may be vulnerable too.

Impressively, a number of vendors have released code which has been patched for the vulnerability today, and a number of vendors included fixes before today’s public announcement. However, those are useless if people don’t install the upgrades. I strongly advise going now and finding what your wireless vendor has done, and installing any available patched code.

Ubiquiti Update

Since I know you’re all following my Ubiquiti experiences, I’ll note that UBNT released code Continue reading
