Reaction: DNS is Part of the Stack

Over at ipspace.net, Ivan is discussing using DNS to program firewall rules—

Could you use DNS names to translate human-readable rules into packet filters? The traditional answer was “no, because I don’t trust DNS”.

This has been a pet peeve of mine for some years—particularly after my time at Verisign Labs, looking at the DNS system, and its interaction with the control plane, in some detail. I’m just going to say this simply and plainly; maybe someone, somewhere, will pay attention—

The Domain Name System is a part of the IP networking stack.

Network engineers and application developers seem to treat DNS as some sort of red-headed-stepchild; it’s best if we just hide it in some little corner someplace, and hope someone figures out how to make it work, but we’re not going to act like it should or will work. We’re just going to ignore it, and somehow hope it goes away so we don’t have to deal with it.

Let’s look at some of the wonderful ideas this we’ll just ignore DNS has brought us over the years, like, “let’s embed the IP address in the packet someplace so we know who we’re talking to,” and “we Continue reading

Worth Reading: Predictive Policing

Can predictive policing prevent crime before it happens? It sounds like an idea out of science fiction — specifically, out of Philip K. Dick’s “Minority Report,” a 1956 short story about a “Precrime Division” that arrests suspects before any crime had been committed. Can technology make this dream come true? It turns out that predictive policing is already being used by 60 different police departments around America, according to an article late last month in Science magazine, reporting that everything from Facebook profiles, statistics on minor crimes, and information from 911 calls are now being fed into algorithms. —New Stack

The post Worth Reading: Predictive Policing appeared first on 'net work.

Worth Reading Digital Monoculture

While Waze leads us to our destinations via the quickest route, our dependence on this kind of decision support system may also be the quickest route to a monocultural society. You’ve said the word “algorithm” a thousand times this year, and you may have even written out your algorithmic goals in English, but have you ever coded an algorithm? Do you really know how any AI model is performing? What tiny mistakes (or purposeful small changes) are being made to subtly guide our decision-making? —Shelly Palmer

The post Worth Reading Digital Monoculture appeared first on 'net work.

Worth Reading: Elliptic Curve Cryptography and DNS

Erasthosthenes of Cyrene was an ancient Greek of some astounding learning, becoming the Chief Librarian at that fabled wonder of the ancient world, the library of Alexandria, in the third century BCE. Not only has he been credited as the first person to calculate the circumference of the earth, but for the purposes of this article his claim for posterity is based on his work in number theory, and in particular his invention of the Sieve of Erastosthenes as a means of identifying prime numbers. His method is complete and accurate, but for very large numbers the process is inordinately slow. And we haven’t really made it much faster in the intervening 2,200 years. The related problem, that of computing the prime number factors of a very large integer also takes a long time as at its heart is a basic enumeration problem that grows as the size of the number grows. —Potaroo

The post Worth Reading: Elliptic Curve Cryptography and DNS appeared first on 'net work.

On the ‘net: BGP as an SDN

There are probably a dozen other ways to influence the path in this situation using a route reflector in BGP. Each of these methods have advantages and disadvantages; for instance, flowspec and segment routing can classify traffic based on the source address, or other fields in the packet header, while modifying just the destination will modify the flow for every packet destined to F. But what’s interesting here is not the specific mechanisms used and their limitations, but rather that the RR can be treated as a controller which modifies the base BGP routing information using only mechanisms available within BGP itself. —ECI

The post On the ‘net: BGP as an SDN appeared first on 'net work.

Worth Reading: Stop Trying to Change Users

The problem isn’t the users: it’s that we’ve designed our computer systems’ security so badly that we demand the user do all of these counterintuitive things. Why can’t users choose easy-to-remember passwords? Why can’t they click on links in emails with wild abandon? Why can’t they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem? Traditionally, we’ve thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This “either/or” thinking results in systems that are neither usable nor secure. —Schneier on Security

The post Worth Reading: Stop Trying to Change Users appeared first on 'net work.

Worth Reading: Why Google Gadgets are so Cheap

With its newest gadgets, Google will be able to serve up ads that are more personal and even more relevant to everything its users are doing, as it learns more about them with the voice queries made via Google’s answer to Apple’s Siri, Google Assistant. The more it knows you and your habits, the better to pitch its advertising services to the brands that want your dollars and are willing to pay Alphabet to get them. That’s why Google is able to price all its new hardware below or at parity with its rivals. —Market Watch

The post Worth Reading: Why Google Gadgets are so Cheap appeared first on 'net work.

snaproute Go BGP Code Dive (12): Moving to Established

In last week’s post, the new BGP peer we’re tracing through the snaproute BGP code moved from open to openconfirmed by receiving, and processing, the open message. In processing the open message, the list of AFIs this peer will support was built, the hold timer set, and the hold timer started. The next step is to move to established. RFC 4271, around page 70, describes the process as—

If the local system receives a KEEPALIVE message (KeepAliveMsg (Event 26)), the local system:
 - restarts the HoldTimer and
 - changes its state to Established.

In response to any other event (Events 9, 12-13, 20, 27-28), the local system:
 - sends a NOTIFICATION with a code of Finite State Machine Error,
 - sets the ConnectRetryTimer to zero,
 - releases all BGP resources,
 - drops the TCP connection,
 - increments the ConnectRetryCounter by 1,
 - (optionally) performs peer oscillation damping if the DampPeerOscillations attribute is set to TRUE, and
 - changes its state to Idle.

For a bit of review (because this is running so long, you might forget how the state machine works), the way the snaproute code is written is as a state machine. The way the state machine works is Continue reading

Worth Reading: Creating a PCE Prototype

So almost, a little bit over an year ago, when I wasn’t working for a Vendor and was looking for a PCE to fool around with RSVP-TE/SR-TE but I wasn’t able to find anything. At that time, Only thing I was able to found was Open daylight but its PCEP implementation didn’t have Segment Routing support, so I was out of luck. At the same time I was also working on improving my programmatic skills. So I thought why not combine both problems together and write my own PCEP prototype… —Packet Pushers

The post Worth Reading: Creating a PCE Prototype appeared first on 'net work.

Worth Reading: Three great lies of cloud computing

It’s elastic! It’s on-demand! It scales dynamically to meet your needs! It streamlines your operations, gives you persistent access to data, and it’s always, always cheaper. It’s cloud computing, and it’s here to save your enterprise. And yet, for all the promise of cloud, there are still segments of IT, such as HPC and many categories of big data analytics, that have been resistant to wholesale outsourcing to public cloud resources. At present cloud computing makes up only 2.4 percent of the HPC market by revenue, and although Intersect360 Research is forecast its growth at a robust 10.9 per year, that still keeps it well under 5 percent throughout the five-year forecast period. —The Next Platform

The post Worth Reading: Three great lies of cloud computing appeared first on 'net work.

Sand Castle

The post Sand Castle appeared first on 'net work.

Worth Reading: Modernizing business services through the CPE

In a previous blog, I discussed how equipment providers are facing a lucrative but pitfall-laden path in deciding how to invest in NFV to displace dedicated appliances. CSPs have similar NFV investment decisions to make on the user side of the equation. They need to answer the question: “Where should I start implementing an NFV strategy to deliver network functions and customer services as a means of improving my bottom line and business success?” One strong candidate for this starting point is Universal Customer Premises Equipment. —ECI

The post Worth Reading: Modernizing business services through the CPE appeared first on 'net work.

Worth Reading: The best and worst ways to look for a job

Some of the 10 traditional job hunting methods that follow have a pretty good record and will repay you for time spent pursuing them. But others have a really terrible record and are a waste of your time and energy. The success rate figures cited are a mash of studies I’ve seen, plus, where no studies have been done, my own impressions over the past 45 years of working with job hunters or career changers and writing “What Color Is Your Parachute?” —Market Watch

The post Worth Reading: The best and worst ways to look for a job appeared first on 'net work.

Worth Reading: The fall of Theranos

This year has witnessed the spectacular fall from grace for the former Silicon Valley darling Theranos, the Palo Alto-based blood-testing startup, and its high-powered millennial co-founder, Elizabeth Holmes. Once valued at over $9 billion, Theranos has now become a target for massive mockery online. Perhaps the Theranos story also holds a much larger lesson about our whole technology culture. Though the company initially promised hundreds of cheap medical tests could be performed from a single pinprick of blood, what the company was less than candid about was its tests — which were available at Walgreens! — reportedly relied on using other companies’ technologies to stay afloat. —The New Stack

The post Worth Reading: The fall of Theranos appeared first on 'net work.

Worth Reading: Government lawyers don’t understand the internet

Last year, the FBI nearly destroyed the life of an innocent physicist. In May 2015, agents arrested Xi Xiaoxing, the chairman of Temple University’s physics department, and charged that he was sneaking Chinese scientists details about a piece of restricted research equipment known as a “pocket heater.” An illustrious career seemed suddenly to implode. A few months later, though, the Justice Department dropped all the charges and made an embarrassing admission: It hadn’t actually understood Xi’s work. After defense experts examined his supposed “leaks,” they pointed out that what he’d shared with Chinese colleagues wasn’t a restricted engineering design but in fact a schematic for an altogether different type of device. —Washington Post

The post Worth Reading: Government lawyers don’t understand the internet appeared first on 'net work.

The ever expanding menu…

A short note reminding the gentle readers who wander in to this site of the riches of information available in the main menu to the left of this post…

rule 11 reader takes you to a subscription form for the mailing list. The format and frequency of the mailing list is a little messed up right now, and I always mean to do more with it, but never seem to get around to it.

sixty books takes you to a list of books I’ve found particularly helpful or useful over the years. The title isn’t the number of books, strictly speaking, but rather a challenge to read sixty books this year. Not all of these are related to network engineering.

worth visiting is something of a blog role and interesting sites, not all related to network engineering.

author page takes you to a page listing all of my works. Right now this is on Amazon, but as not all my works are available on Amazon, I need to fix this. Yes, it’s already on my list of things to do.

network icons is a set of icons I use in public presentations not tied to a company, etc. These are Continue reading

Worth Reading: a troubling new chapter for the ‘net

For the better part of a day, KrebsOnSecurity, arguably the world’s most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn’t like a recent series of exposés reporter Brian Krebs wrote. The incident, and the record-breaking data assault that brought it on, open a troubling new chapter in the short history of the Internet. The crippling distributed denial-of-service attacks started shortly after Krebs published stories stemming from the hack of a DDoS-for-hire service known as vDOS. The first article analyzed leaked data that identified some of the previously anonymous people closely tied to vDOS. It documented how they took in more than $600,000 in two years by knocking other sites offline. A few days later, Krebs ran a follow-up piece detailing the arrests of two men who allegedly ran the service. —Ars Technica

The post Worth Reading: a troubling new chapter for the ‘net appeared first on 'net work.

Worth Reading: The telco quality transformation

The telecoms industry has two fundamental issues whose resolution is a multi-decade business and technology transformation effort. This re-engineering programme turns the current “quantities with quality” model into a “quantities of quality” one. Those who prosper will have to overcome a powerfully entrenched incumbent “bandwidth” paradigm, whereby incentives are initially strongly against investing in the inevitable and irresistible future.Recently I had the pleasure of meeting the CEO of a fast-growing vendor of software-defined networking (SDN) technology. The usual ambition for SDN is merely internal automation and cost optimisation of network operation. In contrast, their offering enables telcos to develop new “bandwidth on demand” services. The potential for differentiated products that are more responsive to demand makes the investment case for SDN considerably more compelling. —CircleID

The post Worth Reading: The telco quality transformation appeared first on 'net work.

Reaction: The Power of Unintended Consequences #49687

Warning, some philosophy may have unintentionally slipped into this post…

There are few things in life that ever really change; rather, we are held captive to what appears to be a surprisingly small set of rules that have lasted at least as long as writing seems to have been around, and—if the history of humanity described in writing is any guide—as long as humans have existed (regardless of your thoughts on that particular topic). One of them, for instance, is that there’s nothing truly new; take these few lines, for instance—

A generation goes, and a generation comes,
but the earth remains forever.
The sun rises, and the sun goes down,
and hastens to the place where it rises.
The wind blows to the south
and goes around to the north;
around and around goes the wind,
and on its circuits the wind returns.
All streams run to the sea,
but the sea is not full;
to the place where the streams flow,
there they flow again.
All things are full of weariness;
a man cannot utter it;
the eye is not satisfied with seeing,
nor the ear filled with hearing.
What has been is what will be,
and what Continue reading

Worth Reading: Decryption mandates and global internet freedom

The debate over law enforcement and widespread strong encryption implicates powerful competing values. On one side, the liberty, privacy, and cybersecurity of American consumers and companies; on the other, the need to investigate serious crimes and protect the country against terrorism. Should companies be compelled to weaken their products (as most technologists see it)? Does the Fourth Amendment’s “balance” require that law enforcement retain the ability to access data covered by a search warrant? Does law enforcement really need such a mandate to investigate effectively? Does the First Amendment permit Congress to enact a ban on encoding one’s communications? Would such a ban be effective given the proliferation of new, powerful, easily accessible encryption technologies, including many created by foreign companies? —Hoover Institute

The post Worth Reading: Decryption mandates and global internet freedom appeared first on 'net work.