On the ‘net: I2RS on Packet Pushers

While Greg was at the IETF in Berlin, Sue Hares and I—the two current co-chairs of the I2RS working group—had a general discussion around what the big idea is and where the working group is headed. You can listen to the recording at Packet Pushers.

The post On the ‘net: I2RS on Packet Pushers appeared first on 'net work.

VIRL on Packet Cloud—Some thoughts

For the last couple of days I’ve been messing with Cisco’s VIRL on Packet’s bare metal service. I don’t do enough labbing now to spend multiple thousands of dollars building a lab in my house, and I want something that I can use from anywhere without opening a lot of holes in my home network when I’m on the road, so the Packet service seems like something useful to get running.

Forthwith, some observations and hints for those who might be thinking about doing this. Some of this might be obvious to other folks, I know, but—maybe me writing them down here will be somehow helpful, and save other folks some time.

An observation—this all feels a little (okay, maybe a lot) clunky’ish. There’s a lot of steps, it takes a long time to set up, etc. There are a lot of moving parts, and they interconnect in interesting ways. Maybe this will all get better over time, but for now, if you’re going to do this, plan on spending at least a half a day, probably more, just getting all the pieces to work.

Some places I ran into trouble, and things I needed to configure that I had Continue reading

Worth Reading: Photographing the Internet

Shuli Hallak photographs the Internet. And when we say she photographs it, we’re not just talking about cool pictures of wires (although those are in her portfolio) but entire worlds that are up and running right under our noses but remain invisible. Her work is helping to demystify the sometimes complicated language surrounding the open Internet and is building a new understanding of how important the open Internet is for people everywhere. —Internet Society

The post Worth Reading: Photographing the Internet appeared first on 'net work.

Do what you love?

How many times have you heard this? Or this?

Two of the most oft repeated, and driven home, ideas in modern times are be true to yourself and do what you love. But just because they’re oft repeated and driven home doesn’t mean they are actually true. The problem with both statements is they have just enough truth to sound really plausible—and yet they are both simplistic enough to be dangerous when taken raw.

Or maybe it’s just that I’m a grumpy old man who’s been in a bad mood for the last couple of weeks, and misery likes company.

Let’s try to put some reality into the do what you love statement.

Sometimes you’re just not very good at what you love to do. When I was a kid, I wanted to be an artist. And then a musician. Apparently there are no real jobs for artists or musicians with my somewhat mediocre skills in these two areas. I just have to face it—I’m never going to be a professional basketball player, either. Sometimes it doesn’t matter how much you love something, you just don’t have the skills to master it.

Sometimes there’s just no market for what you Continue reading

Worth Reading: A new bit flipping attack

We introduce Flip Feng Shui (FFS), a new exploitation vector which allows an attacker to induce bit flips overarbitrary physical memory in a fully controlled way. FFS relies on hardware bugs to induce bit flips over memoryand on the ability to surgically control the physical memory layout to corrupt attacker-targeted data anywhere inthe software stack. We show FFS is possible today with very few constraints on the target data, by implementingan instance using the Rowhammer bug and memory deduplication (an OS feature widely deployed in production).Memory deduplication allows an attacker to reverse-map any physical page into a virtual page she owns as long as the page’s contents are known. Rowhammer, in turn, allows an attacker to flip bits in controlled (initially unknown) locations in the target page. -(PDF) Usenix via Schneier on Security

The post Worth Reading: A new bit flipping attack appeared first on 'net work.

Worth Reading: Big data is making us more more boring

The world today is awash in data. In 2015, mankind produced as much information as was created in all previous years of human civilization. Every time we send a message, make a call, or complete a transaction, we leave digital traces. We are quickly approaching what Italian writer Italo Calvino presciently called the “memory of the world”: a full digital copy of our physical universe. —MarketWatch

The post Worth Reading: Big data is making us more more boring appeared first on 'net work.

DC Fabric Segment Routing Use Case (4)

In the last post in this series, I discussed using SR labels to direct traffic from one flow onto, and from other flows off of, a particular path through a DC fabric. Throughout this series, though, I’ve been using node (or prefix) SIDs to direct the traffic. There is another kind of SID in SR that needs to be considered—the adj-sid. Let’s consider the same fabric used throughout this series—

So far, I’ve been describing the green marked path using the node or (loopback) prefix-sids: [A,F,G,D,E]. What’s interesting is I could describe the same path using adj-sids: [a->f,f->g,g->d,d->e], where the vector in each hop is described by a single entry on the SR stack. There is, in fact, no difference between the two ways of describing this path, as there is only one link between each pair of routers in the path. This means everything discussed in this series so far could be accomplished with either a set of adj SIDs ore a set of node (prefix) SIDs.

Given this, why are both types of SIDs defined? Assume we zoom in a little on the border leaf node in this topology, and find—

Assume—

• Router E, a ToR on the Continue reading

Worth Reading: What Sauron Tells Us

Last week, both Symantec and Kaspersky released a series of reports on a nation-state malware attacker dubbed alternately “Strider” or “Sauron.” Although neither formally attributes the attack to any particular country, reading between the lines it is pretty clear: The U.S. was Here. Attributing malcode is always questionable, and there is some possibility this is not the (rather excellent) work of the NSA but instead some the efforts of a FVEY ally. But—given the quality, the modular nature, target selection, and lots of other details—the smart money is on this being from our friends at Fort Meade. If we assume that it is, what does this mean? —Lawfare

The post Worth Reading: What Sauron Tells Us appeared first on 'net work.

Worth Reading: Lawless government hacking

In our society, the rule of law sets limits on what government can and cannot do, no matter how important its goals. To give a simple example, even when chasing a fleeing murder suspect, the police have a duty not to endanger bystanders. The government should pay the same care to our safety in pursuing threats online, but right now we don’t have clear, enforceable rules for government activities like hacking and “digital sabotage.” And this is no abstract question—these actions increasingly endanger everyone’s security. —Deep Links

The post Worth Reading: Lawless government hacking appeared first on 'net work.

Pelican

The post Pelican appeared first on 'net work.

Worth Reading: Hosts versus the network

There are a number of ways to view the relationship between hosts and the network in the Internet. One view is that this is an example of two sets of cooperating entities that share a common goal: hosts and the network both want content to be delivered. Both have an interest in seeing this delivery happen quickly, efficiently and without fuss. This leads to one view of the relationship between hosts and the network: the more the elements of the network provide the host with a description of their capabilities and connectivity, and the more the host provides the network with a description of the desired treatment of their traffic flow, the more harmonious the relationship, and the better the carriage service can attune its service response to match the host’s requirements, and vice versa. —Potaroo

The post Worth Reading: Hosts versus the network appeared first on 'net work.

Worth Reading: Reopening the going dark debate

Just over a week ago, at the BlackHat hacker convention in Las Vegas, Ivan Krstić, Head of Security Engineering and Architecture at Apple gave a talk entitled “Behind the scenes of iOS Security,” the slides of which are available here. It’s a historic talk for a couple of reasons. First, Apple is traditionally very secretive about how it technically does security on its devices. Apple also announced its first bug bounty program. So far, so newsworthy. But something else happened at that talk. Unbeknownst to the presenter or anybody in the audience, Apple just reopened the “Going Dark” dispute between the FBI and the privacy community, and it turned the entire dispute on its head. —Lawfare

The post Worth Reading: Reopening the going dark debate appeared first on 'net work.

Beware the network without an operator

A lot of people seem to be looking forward to the day we build a network without an operator; to wit—

Containerized solutions and machine learning may soon be more than tangentially related. Containerized solutions will usher in an era of operations that don’t require human intervention. Once humans are taken out of operations, we will be free to apply machine learning techniques to what is left. —The New Stack

I hope not, because machines are more brittle than humans. Totally automated security fails much more often than security that uses a blend of people and algorithms. Machines do well at repetitive tasks, humans at catching the things that don’t fit into the algorithm’s state machine. Taking the person out of the network just means there’s no-one there to see when the state machine fails.

And it will fail—at some point. I know we like to believe that machines break less often, but I’m pretty certain there’s a counterpoint to this: when machines break, it’s more likely to be catastrophic. I’m not convinced replacing people with algorithms always reduces damage so much as move the potential damage around.

I hope not, because machines separate the decision from the decision maker. Continue reading

Worth Reading: Container defense in depth

The new age of image-based containers exploded onto the scene in early to mid-2013. Since the early days of the Docker container engine, we heard questions of whether they were secure enough. Our very own Dan Walsh was heard many times saying, “Docker containers don’t contain” — so the question is, can we safely use them? Especially in production? —The New Stack

The post Worth Reading: Container defense in depth appeared first on 'net work.

Worth Reading: Your chance to say no

“Passport and flight number, please. What brings you to the States? Duration of stay?” “LinkedIn username? OKCupid handle?” No, the U.S. Customs officer is not trolling you. If the Department of Homeland Security has its way, these will be standard questions for people visiting the United States. The DHS recently issued a proposal to ask tourists on visa waivers to share their “online presence” on the I-94W and the online application for the Electronic System for Travel Authorization (ESTA), including the social networks they use and their corresponding “identifiers”—their handles or account names. —CDT

The post Worth Reading: Your chance to say no appeared first on 'net work.

Self-Improvement Through Time Travel

There are some days I wish I could travel back in time and “fix” the time I wasted through an hour, a day, or a week working on something that really wasn’t worth my time, or just wandering through links on the Internet, looking at things I don’t really (ultimately) care about. My time management skills are, honestly, often lacking. There doesn’t seem to be a way, does there, though?

Or maybe there is. Let’s twist our brains a little and think about it this way. Tomorrow is going to be the day we wish we could travel into from the day after tomorrow to fix, right? So what if we did reverse time travel and fix tomorrow today? Sure, sounds nice, but how? The answer might seem a little trivial, but it’s only apparently trivial, rather than trivial in real life.

Once answer is the humble todo list. I know, you’ve made one of these before—in fact, you probably already have one, don’t you? And it’s never really helped, right? Well, let’s see if we can figure out how to supercharge to make it a bit more effective. To begin, we have to try to understand how a todo Continue reading

Worth Reading: Tracking the hackers

The e-mail from Google arrived at 4:09 AM on March 22 and contained an ominous alert for its recipient, William Rinehart, a staffer with Hillary Clinton’s presidential campaign. “Someone has your password,” the e-mail’s subject line declared. “Someone just used your password to try to sign in to your Google Account,” warned the message, which reported that the incursion attempt came from an IP address in Ukraine. —the smoking gun

The post Worth Reading: Tracking the hackers appeared first on 'net work.

Worth Reading: Network monitoring

I encounter a lot of sites that ignore syslog. Yes, there’s a large noise-to-signal ratio there. There are free tools that summarize the syslog data, and there are golden needles in the haystack as well. A tool like Splunk or syslog-NG (free in most Linux distributions) can help you send alerts based on the items of interest. Splunk can also give you frequency count based reports to separate out repeated happenings that might be of concern from one-time blips that aren’t worth investigating. —Netcraftsmen

The post Worth Reading: Network monitoring appeared first on 'net work.

On the ‘net: Crashes and Complexity

It’s a familiar story by now: on the 8th of August, 2016, Delta lost power to its Atlanta data center, causing the entire data center to fail. Thousands of flights were cancelled, many more delayed, and tens of thousands of travellers stranded. What’s so unusual about this event is in the larger scheme of network engineering, it’s not that unusual. If I think back to my time on the Escalation Team at a large vendor, I can think of hundreds of situations like this. And among all those events, there is one point in common: it takes longer to boot the system than it does to fix the initial problem. —CircleID

The post On the ‘net: Crashes and Complexity appeared first on 'net work.

Worth Reading: Networking needs information, not data

Data is useless. We need to perform analysis on it to get information. That’s where a new wave of companies is coming into the networking market. They are building on the frameworks and systems that are aggregating data and presenting it in a way that makes it useful information. Instead of random data points about NetFlow, these solutions tell you that you’ve got a huge problem with outbound traffic of a specific type that is sent at a specific time with a specific payload. The difference is that instead of sorting through data to make sense of it, you’ve got a tool delivering the analysis instead of the raw data. —Networking Nerd

The post Worth Reading: Networking needs information, not data appeared first on 'net work.