Worth Reading: How to fight latency

Given that minimizing latency, and by association, determining a path across the global Internet with minimal packet loss is still critical, how can we accomplish this? Using the $20 billion real-time ad serving market as an example, we’ll first look at the different components, and then introduce an approach to mitigate latency. New Stack

The post Worth Reading: How to fight latency appeared first on 'net work.

Worth Reading: Windows WPAD attack

Windows’ WPAD feature has for many years provided attackers and penetration testers a simple way to perform MITM attacks on web traffic. There is, for example, a great blog post by Tod Beardsley called “MS09-008: Web Proxy Auto-Discovery (WPAD), Illustrated” that highlights the problems with WPAD. Now finally, roughly 10 years after WPAD was introduced, the penetration testing framework Metasploit includes support for WPAD via a new auxiliary module located at “auxiliary/server/wpad”. This module, which is written by Efrain Torres, can be used to perform for man-in-the-middle (MITM) attacks by exploiting the features of WPAD. Netresec

The post Worth Reading: Windows WPAD attack appeared first on 'net work.

Worth Reading: IPv6 Link Local Addresses

In November 2014, after quite some controversy in the IETF OPSEC working group (for those interested look at the archives), the Informational RFC 7404 “Using Only Link-Local Addressing inside an IPv6 Network” was published. It is authored by Michael Behringer and Eric Vyncke and discusses the advantages and disadvantages of an approach using “only link-local addresses on infrastructure links between routers”. APNIC

The post Worth Reading: IPv6 Link Local Addresses appeared first on 'net work.

Building a “Network” Network

Over my years as a network engineer, I’ve notice that the engineering job tends to be somewhat isolated (or isolating). Part of the reason is probably that there tend to be one or two network engineers at a single company, munged in with a lot of other IT folks who share some common ground (but not entirely), so there’s little chance to interact with others who are working on the same sorts of problem sets on a day to day basis. This tends to produce network engineers who are more attached to their vendor than they are to their “day job.” In fact, this tends to make the entire network engineering world, to the average network engineer, appear to be “not much more” than the vendors who show up on our doorsteps, the vendor specific trade shows we can attend, and what we read online. This is—how can I say this gently—??

This is an unhealthy situation for your career as a network engineer—and as a person.

What you need to do is build a network of other network engineers—a network network—so you can broaden your scope, keep your ear to the ground for changes, prepare for changes, have Continue reading

Worth Reading: Encryption is a red herring

Spooky rhetorical flourishes have become commonplace in the debate about encrypted communications. We are told that the FBI is “going dark;” that “warrant-proof” communications are proliferating; and that terrorists and criminals are operating en masse and with impunity. But are evildoers really foiling law enforcement’s ability to investigate their crimes? Real Clear Policy

The post Worth Reading: Encryption is a red herring appeared first on 'net work.

Worth Reading: Privacy is disappearing

So the main question raised by all this surveillance tech is how much we’re willing to risk loss of liberty for the sake of greater security. A saying often attributed to Benjamin Franklin has it: “Those who prefer security to liberty deserve neither.” Assuming that’s true, we need to come together as a polity to decide when to say “Enough!” to all the spying. Intellectual Takeout

The post Worth Reading: Privacy is disappearing appeared first on 'net work.

When prepend fails, what next? (2)

This week’s post was written by Johnny Britt over at FreedomPay. I’ve edited in some small places to add more information, etc., but I think Johnny needs to start blogging…

Once you have determined that AS-Path prepending can no longer help us what are our next steps? Routing is based on the longest matched prefix, this is true when BGP routes are being compared as well regardless of the AS-PATH. So one option you have is to split your address space into longer advertised prefixes and advertise a slice to each of our upstream providers. In Fig. 1, AS65000 splits its /44 IPv6 into 2 prefixes and advertises them out to AS65001 and AS65004 respectively. This forces half of AS65000 subnet traffic to flow inbound from one specific provider and we can combine both this technique and AS-Path prepending to give us more load sharing capabilities.

Using longer prefixes to direct traffic to a more preferred inbound link can take us a long way in creating the desired inbound traffic pattern. Sometimes there are scenarios where you may need to direct traffic at a more granular level.

But what if you don’t have the ability to create longer prefixes Continue reading

Worth Reading: Troubleshooting Cisco Remote Access

The Cisco Mobile and Remote Access (MRA) feature is a “client edge” solution that allows external software and hardware clients to register to enterprise Cisco Unified Communication (UC) solutions without requiring a VPN. Like most things, there are a lot of moving parts working together to create a relatively seamless user experience. And, like most things, the first time you deploy MRA there are a few “gotchas” that can eat up a significant amount of troubleshooting time. Netcraftsmen

The post Worth Reading: Troubleshooting Cisco Remote Access appeared first on 'net work.

Worth Reading: Random number breakthrough

The generation of random numbers has been an interesting problem for mathematicians for thousands of years. Old methods of random number generation include rolling dice, flipping coins and shuffling playing cards, but using these techniques for producing large numbers of sufficiently random numbers is extremely time-consuming. The New Stack

The post Worth Reading: Random number breakthrough appeared first on 'net work.

Hilton Head

The post Hilton Head appeared first on 'net work.

Worth Reading: Open Flow Tables and Vendor Hype

An OpenFlow-based switch can do only whatever the underlying hardware can do and whatever the NOS vendor implemented in the OpenFlow agent. If Pica8 claims that their software works better with TTPs they’re just saying that their previous software sucked. IP Space

The post Worth Reading: Open Flow Tables and Vendor Hype appeared first on 'net work.

Worth Reading: Useful Utilities

Troubleshooting and managing a network is much easier when you have the proper tools. Anybody who has been in the IT world for a time likely has a stash of small, portable, and often free programs they use to help in this area. Here is a list of my most-used utilities. Packet Pushers

The post Worth Reading: Useful Utilities appeared first on 'net work.

Worth Reading: IP addresses are not telephone numbers

A blanket association between telephone numbers and IP numbers and domain names is simply not useful. Here’s the problem — IP numbers and domain names are not telephone numbers. By using this analogy as the starting point for their rationale to consider IP numbers as CPNI, the FCC is beginning from a fundamentally flawed starting point. Circle ID

The post Worth Reading: IP addresses are not telephone numbers appeared first on 'net work.

Worth Reading: Venezuela and ‘net Neutrality

A recent study conducted by the Institute for Press and Society (IPYS) in Venezuela has confirmed that at least 43 different websites are being blocked in the country, shedding new light on the filtering practices of the Venezuelan government. The research focused on documenting incidents surrounding web access and net neutrality, zeroing in on the treatment of national networks during the 2015 elections. Somewhat Reasonable

The post Worth Reading: Venezuela and ‘net Neutrality appeared first on 'net work.

Worth Reading: Automation, Robotics, and the Future

And humility because of the poorness of our ability to peer into the future. When reviewing the mountains of books and magazine articles that have sought to predict what the future holds in automation and related fields, when reading the hyped tech headlines or when looking at the many charts and tables extrapolating from the past to help us forecast the future, it is striking to see how often our predictions go wrong. The New Atlantis

The post Worth Reading: Automation, Robotics, and the Future appeared first on 'net work.

DHCP Topology Customization Options

The Dynamic Host Configuration Protocol (DHCP) is widely used, and yet poorly understood. There are, in fact, a large number of options in DHCP—but before we get to these, let’s do a quick review of basic off-segment operation.

When the client, which has no IP address, sends out a request for configuration information, what happens? The Router, A, if it is configured to be a DHCP helper, will receive the packet and forward it to the DHCP server, which is presumably located someplace else in the network. The router generally knows what address to send the request to because of manual configuration—but how does the server know how to get the packet back to the original requester?

The helper—Router A in this case—inserts the IP address of the interface on which the request was received into the giaddr field of the DHCP packet. As boring as this might seem, this is where things actually get pretty interesting. It’s possible, of course, for a router to have an logical layer three interface that sits on a bridge group (or perhaps an IRB interface). The router obviously needs to be able to put more information in the DHCP request to handle this Continue reading

Worth Reading: DNS Privacy

The DNS is normally a relatively open protocol that smears its data (which is your data and mine too!) far and wide. Little wonder that the DNS is used in many ways, not just as a mundane name resolution protocol, but as a data channel for surveillance and as a common means of implementing various forms of content access control. Circle ID

The post Worth Reading: DNS Privacy appeared first on 'net work.

Worth Reading: It’s hard to leave Google

What I do respectfully challenge is that first, Google essentially doesn’t “collect all of that information” because they do (see here), and second, that Google somehow is easy to escape,when it comes to collecting one’s private information, because it is not, as I will prove below. Somewhat Reasonable

The post Worth Reading: It’s hard to leave Google appeared first on 'net work.

When prepend fails, what next? (1)

So you want to load share better on your inbound ‘net links. If you look around the ‘web, it won’t take long to find a site that explains how to configure AS Path Prepending. So the next time you have downtime, you configure it up, turn everything back on, and… Well, it moved some traffic, but not as much as you’d like. So you wait ’til the next scheduled maintenance window and configure a couple of extra prepends into the mix. Now you fire it all back up and… not much happens. Why not? There are a couple of reasons prepending isn’t always that effective—but it primarily has to do with the way the Internet itself tends to be built. Let’s use the figure below as an example network.

You’re sitting at AS65000, and you’re trying to get the traffic to be relatively balanced across the 65001->65000 and the 65004->65000 links. Say you’ve prepended towards AS65001, as that’s the provider sending you more traffic. Assume, for a moment, that AS65003 accepts routes from both AS65001 and AS65004 on an equal basis. When you prepend, you’re causing the route towards your destinations to appear to be longer from AS65003’s perspective. This Continue reading

Worth Reading: Today’s DNS

DevOps is revolutionizing how developers create and deploy applications. Cloud services have both enabled and necessitated a distributed model for applications. In the midst of this profusion of new technology, an old-school player has emerged to enable the reliability and performance that apps and their users demand: DNS. Data Center Journal

The post Worth Reading: Today’s DNS appeared first on 'net work.