Getting to the point of dual homing

I wonder how many times I’ve seen this sort of diagram across the many years I’ve been doing network design?

It’s usually held up as an example of how clever the engineer running the network is about resilience. “You see,” the diagram asserts, “I’m smart enough to purchase connectivity from two providers, rather than one.”

Can I point something out? Admittedly it might not be all that obvious from the diagram, but… Reality is just about as likely to squish your network connectivity like a bug no a windshield as it is any other network. Particularly if both of these connections are in the same regional area. The tricky part is knowing, of course, what a “regional area” might happen to mean for any particular provider.

The problem with this design is very basic, and tied to the concept of shared link risk groups. But let me start someplace a little simpler than that—with the basic, and important, point that putting fiber in the ground, and maintaining fiber that’s in the ground, is expensive. Unless you live in Greenland, fiber can be physically buried pretty easily (fiber in Greenland is generally buried with dynamite by a blasting crew, or Continue reading

Worth Reading: Who is responsible for your application security?

The dividing line between developers and IT operations used to be distinct. Developers were responsible for adding new features securely, but it was IT operations who had responsibility for infrastructure and network security. For the most part, developers didn’t have to think too much about the wider security context. With the advent of the cloud, and of devops, things changed radically. Now developers are quite capable of deploying cloud infrastructure at will, and the tools exist to make infrastructure deployment programmatic. These changes mean that developers do have to think about security, both within the scope of the code they are responsible for and within the wider organizational scope. – CircleID

The post Worth Reading: Who is responsible for your application security? appeared first on 'net work.

Worth Reading: Docker meets zombies

Last week a Dutch site reliability engineer at Wehkamp Labs shared a way to combine Docker container management with the video game Half-Life 2. The labs created an exotic hybrid where applications are represented in the game-world as virtual people who all need defending from an attack of zombies. -The New Stack

The post Worth Reading: Docker meets zombies appeared first on 'net work.

Bird in flight

The post Bird in flight appeared first on 'net work.

Worth Reading: The history of the Intel CPU

The first microprocessor sold by Intel was the four-bit 4004 in 1971. It was designed to work in conjunction with three other microchips, the 4001 ROM, 4002 RAM and the 4003 Shift Register. Whereas the 4004 itself performed calculations, those other components were critical to making the processor function. -Tom’s Hardware
(Note: this is a slide show, rather than an article)

The post Worth Reading: The history of the Intel CPU appeared first on 'net work.

Worth Reading: Public cloud versus private data center

Few companies can afford to spend $20 billion a year on global data centers, have the cachet to employ some of the best and brightest engineers and thought leaders of the computing world, the ability to build and deploy their own custom microchips, access to training datasets comprising the web itself or the hardware and personnel capacity to iterate their infrastructure in realtime. Whether you’re talking about Google, Amazon, Microsoft or any of the other cloud vendors, this is the power of the commercial cloud today – trading hardware management for solving problems in realtime at nearly limitless scale. -Forbes

The post Worth Reading: Public cloud versus private data center appeared first on 'net work.

DNS Cookies and DDoS Attacks

DDoS attacks, particularly for ransom—essentially, “give me some bitcoin, or we’ll attack your server(s) and bring you down,” seem to be on the rise. While ransom attacks rarely actually materialize, the threat of DDoS overall is very large, and very large scale. Financial institutions, content providers, and others regularly consume tens of gigabits of attack traffic in the normal course of operation. What can be done about stopping, or at least slowing down, these attacks?

To answer, this question, we need to start with some better idea of some of the common mechanisms used to build a DDoS attack. It’s often not effective to simply take over a bunch of computers and send traffic from them at full speed; the users, and the user’s providers, will often notice machine sending large amounts of traffic in this way. Instead, what the attacker needs is some sort of public server that can (and will) act as an amplifier. Sending this intermediate server should cause the server to send an order of a magnitude more traffic towards the attack target. Ideally, the server, or set of servers, will have almost unlimited bandwidth, and bandwidth utilization characteristics that will make the attack appear Continue reading

Worth Reading: The danger of macros

Back in 2012, faced with the need to write the identical thing—language regarding FISA minimization procedures—many, many times, NSA tried to develop some efficiency by automating a portion of their Word templates. This worked fine, until for whatever reason, NSA Hawaii redesigned its network to block external access from other parts of the NSA. -Lawfare

The post Worth Reading: The danger of macros appeared first on 'net work.

Worth Reading: Leaky end users

Insider threat once again tops the list of enterprise cyber security threats in the 2016 Verizon Data Breach Investigations Report (DBIR). For the second straight year, Verizon research showed that the average enterprise is less likely to have its data stolen than to have an end user give away sensitive credentials and data—whether unintentionally or maliciously. -Cloud Security Alliance

The post Worth Reading: Leaky end users appeared first on 'net work.

People Skills

The post People Skills appeared first on 'net work.

Worth Reading: Leaving fixed function switches behind

There are two competing trends in platform designs that architects always have to contend with. They can build a platform that performs a specific function and does it well, or create a more generic platform that sacrifices some efficiency but does a lot of jobs well. Sometimes you try to shoot the gap between these two poles. -The Next Platform

The post Worth Reading: Leaving fixed function switches behind appeared first on 'net work.

Worth Reading: The end of the hypervisor

The death knell of the hypervisor was sounded when Intel provided much of the unique capabilities of the hypervisor directly in the chip via the Intel-VTx instruction set. Prior to this, VMware and Xen had two unique approaches to providing hypervisor capabilities: binary translation and paravirtualization respectively. Arguments raged about which was faster, but once Intel-VTx came along, by virtue of being on the chip die, it was the de facto speed winner. -Cloud Scaling

The post Worth Reading: The end of the hypervisor appeared first on 'net work.

No Capes, No Wands

As a keen observer of the network engineering world for the last twenty… okay, maybe longer, but I don’t want to sound like an old man telling stories quite yet… years, there’s one thing I’ve always found kind-of strange. We have a strong tendency towards hero worship.

I don’t really know why this might be, but I’ve seen it in Cisco TAC—the almost hushed tones around a senior engineer who “is brilliant.” I’ve seen it while sitting in a meeting in the middle of an argument over some technical point in a particular RFC. Someone says, “we should just ask the author…” Which is almost always followed by something like: “Really? You know them?”

To some degree, this is understandable—network engineering is difficult, and we should truly honor those in our world who have made a huge impact. In many other ways, it’s unhelpful, and even unhealthy. Why?

First, it tends to create an “us versus them,” atmosphere in our world. There are engineers who work on “normal” networks, and then there are those who work on, well, you know, special ones. Not everyone needs those “special skills,” so we end up creating a vast pool of people Continue reading

Worth Reading: Policymakers are from Mars

This week, Herb Lin and I are giving a joint talk about the suit-hoodie divide, and whether relations between Washington and Silicon Valley are getting worse (I think the answer is yes). Part of the problem stems from conflicting interests and serious differences of opinion about policy. But a large part of the problem—and perhaps the hardest and most hidden part—stems from cultural differences. -Lawfare

The post Worth Reading: Policymakers are from Mars appeared first on 'net work.

Worth Reading: Big thinkers leave Cisco

The industry is reeling from Monday’s report that four of Cisco’s best-known executives are leaving the company. An internal memo from Cisco CEO Chuck Robbins, first reported by the Wall Street Journal, announced the resignations of Mario Mazzola, Prem Jain, Luca Cafiero and Soni Jiandani, effective June 17. The four formed a team that many referred to as MPLS — letters that represent the initials of their first names. -Channel Partners

The post Worth Reading: Big thinkers leave Cisco appeared first on 'net work.

When prepend fails, what next? (3)

We began this short series with a simple problem—what do you do if your inbound traffic across two Internet facing links is imbalanced? In other words, how do you do BGP load balancing? The first post looked at problems with AS Path prepend, while the second looked at de-aggregating and using communities to modify the local preference within the upstream provider’s network.

There is one specific solution I want to discuss a bit more before I end this little series: de-aggregation. Advertising longer prefixes is the “big hammer” of routing; you should always be careful when advertising more specifics. The Default Free Zone (DFZ) is much like the “commons” of an old village. No-one actually “owns” the routing table in the global Internet, but everyone benefits from it. De-aggregating don’t really cost you anything, but it does cost everyone else something. It’s easy enough to inject another route into the routing table, but remember the longer prefix you inject shows up everywhere in the world. You’re fixing your problem by taking up some small amount of memory in every router that’s connected to the DFZ in the world. If everyone de-aggregates, everyone has to buy larger routers and more Continue reading

Worth Reading: GeekPwn Hacking Contest

Geeks showed their power at the GeekPwn Macau and succeeded in finding vulnerabilities in dozens of mainstream routers, remote controls, smart cameras, hacker-proof safes and other smart devices including TCP protocol stack vulnerabilities leading to remote hijacking. -Mitnick Security

The post Worth Reading: GeekPwn Hacking Contest appeared first on 'net work.

Worth Reading: Radicalizing data collection

Like many Silicon Valley start-ups, Larry Gadea’s company collects heaps of sensitive data from his customers. Recently, he decided to do something with that data trove that was long considered unthinkable: He is getting rid of it. The reason? Gadea fears that one day the FBI might do to him what it did to Apple in their recent legal battle: demand that he give the agency access to his encrypted data. Rather than make what he considers a Faustian bargain, he’s building a system that he hopes will avoid the situation entirely. Washington Post

The post Worth Reading: Radicalizing data collection appeared first on 'net work.

The License Agreement

The post The License Agreement appeared first on 'net work.

Worth Reading: Journey to the CCDE

On May the 17th I passed the CCDE practical in Madrid and became Swedens 2nd CCDE, CCDE #20160011. This post describes my journey to passing the CCDE practical in my 1st attempt and the materials that I used to do so. Lost in Transit

The post Worth Reading: Journey to the CCDE appeared first on 'net work.