When prepend fails, what next? (3)

We began this short series with a simple problem—what do you do if your inbound traffic across two Internet facing links is imbalanced? In other words, how do you do BGP load balancing? The first post looked at problems with AS Path prepend, while the second looked at de-aggregating and using communities to modify the local preference within the upstream provider’s network.

There is one specific solution I want to discuss a bit more before I end this little series: de-aggregation. Advertising longer prefixes is the “big hammer” of routing; you should always be careful when advertising more specifics. The Default Free Zone (DFZ) is much like the “commons” of an old village. No-one actually “owns” the routing table in the global Internet, but everyone benefits from it. De-aggregating don’t really cost you anything, but it does cost everyone else something. It’s easy enough to inject another route into the routing table, but remember the longer prefix you inject shows up everywhere in the world. You’re fixing your problem by taking up some small amount of memory in every router that’s connected to the DFZ in the world. If everyone de-aggregates, everyone has to buy larger routers and more Continue reading

Worth Reading: GeekPwn Hacking Contest

Geeks showed their power at the GeekPwn Macau and succeeded in finding vulnerabilities in dozens of mainstream routers, remote controls, smart cameras, hacker-proof safes and other smart devices including TCP protocol stack vulnerabilities leading to remote hijacking. -Mitnick Security

The post Worth Reading: GeekPwn Hacking Contest appeared first on 'net work.

Worth Reading: Radicalizing data collection

Like many Silicon Valley start-ups, Larry Gadea’s company collects heaps of sensitive data from his customers. Recently, he decided to do something with that data trove that was long considered unthinkable: He is getting rid of it. The reason? Gadea fears that one day the FBI might do to him what it did to Apple in their recent legal battle: demand that he give the agency access to his encrypted data. Rather than make what he considers a Faustian bargain, he’s building a system that he hopes will avoid the situation entirely. Washington Post

The post Worth Reading: Radicalizing data collection appeared first on 'net work.

The License Agreement

The post The License Agreement appeared first on 'net work.

Worth Reading: Journey to the CCDE

On May the 17th I passed the CCDE practical in Madrid and became Swedens 2nd CCDE, CCDE #20160011. This post describes my journey to passing the CCDE practical in my 1st attempt and the materials that I used to do so. Lost in Transit

The post Worth Reading: Journey to the CCDE appeared first on 'net work.

Worth Reading: The age of the GPU

Having made the improbable jump from the game console to the supercomputer, GPUs are now invading the datacenter. This movement is led by Google, Facebook, Amazon, Microsoft, Tesla, Baidu and others who have quietly but rapidly shifted their hardware philosophy over the past twelve months. Each of these companies have significantly upgraded their investment in GPU hardware and in doing so have put legacy CPU infrastructure on notice. The Next Platform

The post Worth Reading: The age of the GPU appeared first on 'net work.

Reading List: 060916

A few of the papers, RFCs, and drafts I’m reading this week, along with a short description of each.

A Survey of Worldwide Censorship Techniques
draft-hall-censorship-tech-03

Censorship is a large problem on the Internet—but it’s often difficult to find any good description of the various ways censors can both find and block “offending” content. This draft is a short, readable overview of the various techniques actually seen in the wild, along with pointers to research about the techniques themselves, and instances where they’ve been used in the real world.

IPv6 Extension Headers and Packet Drops
draft-gont-v6ops-ipv6-ehs-in-real-world

One of the interesting features of IPv6 is its support for extension headers, which are variable length bits of information—metadata about the packet, for instance—that can be attached to a packet and processed by either the receiving host or forwarding devices along the way. Extension headers are useful, in that they allow IPv6 to be easily extended on the fly, rather than forcing the protocol designer to create a set of metadata “in stone.” Extension headers, however, are also controversial; how should an ASIC designer decide which ones to support in hardware, and how should extension headers that cannot be handled in hardware Continue reading

Worth Reading: Big data and big trouble

Deluged with an unprecedented amount of information available for analysis, companies in just about every industry are discovering increasingly sophisticated ways to make market observations, predictions and evaluations. Big Data can help companies make decisions ranging from which candidates to hire to which consumers should receive a special promotional offer. As a powerful tool for social good, Big Data can bring new opportunities for advancement to underserved populations, increase productivity and make markets more efficient. MarketWatch

The post Worth Reading: Big data and big trouble appeared first on 'net work.

Worth Reading: How to fight latency

Given that minimizing latency, and by association, determining a path across the global Internet with minimal packet loss is still critical, how can we accomplish this? Using the $20 billion real-time ad serving market as an example, we’ll first look at the different components, and then introduce an approach to mitigate latency. New Stack

The post Worth Reading: How to fight latency appeared first on 'net work.

Worth Reading: Windows WPAD attack

Windows’ WPAD feature has for many years provided attackers and penetration testers a simple way to perform MITM attacks on web traffic. There is, for example, a great blog post by Tod Beardsley called “MS09-008: Web Proxy Auto-Discovery (WPAD), Illustrated” that highlights the problems with WPAD. Now finally, roughly 10 years after WPAD was introduced, the penetration testing framework Metasploit includes support for WPAD via a new auxiliary module located at “auxiliary/server/wpad”. This module, which is written by Efrain Torres, can be used to perform for man-in-the-middle (MITM) attacks by exploiting the features of WPAD. Netresec

The post Worth Reading: Windows WPAD attack appeared first on 'net work.

Worth Reading: IPv6 Link Local Addresses

In November 2014, after quite some controversy in the IETF OPSEC working group (for those interested look at the archives), the Informational RFC 7404 “Using Only Link-Local Addressing inside an IPv6 Network” was published. It is authored by Michael Behringer and Eric Vyncke and discusses the advantages and disadvantages of an approach using “only link-local addresses on infrastructure links between routers”. APNIC

The post Worth Reading: IPv6 Link Local Addresses appeared first on 'net work.

Building a “Network” Network

Over my years as a network engineer, I’ve notice that the engineering job tends to be somewhat isolated (or isolating). Part of the reason is probably that there tend to be one or two network engineers at a single company, munged in with a lot of other IT folks who share some common ground (but not entirely), so there’s little chance to interact with others who are working on the same sorts of problem sets on a day to day basis. This tends to produce network engineers who are more attached to their vendor than they are to their “day job.” In fact, this tends to make the entire network engineering world, to the average network engineer, appear to be “not much more” than the vendors who show up on our doorsteps, the vendor specific trade shows we can attend, and what we read online. This is—how can I say this gently—??

This is an unhealthy situation for your career as a network engineer—and as a person.

What you need to do is build a network of other network engineers—a network network—so you can broaden your scope, keep your ear to the ground for changes, prepare for changes, have Continue reading

Worth Reading: Encryption is a red herring

Spooky rhetorical flourishes have become commonplace in the debate about encrypted communications. We are told that the FBI is “going dark;” that “warrant-proof” communications are proliferating; and that terrorists and criminals are operating en masse and with impunity. But are evildoers really foiling law enforcement’s ability to investigate their crimes? Real Clear Policy

The post Worth Reading: Encryption is a red herring appeared first on 'net work.

Worth Reading: Privacy is disappearing

So the main question raised by all this surveillance tech is how much we’re willing to risk loss of liberty for the sake of greater security. A saying often attributed to Benjamin Franklin has it: “Those who prefer security to liberty deserve neither.” Assuming that’s true, we need to come together as a polity to decide when to say “Enough!” to all the spying. Intellectual Takeout

The post Worth Reading: Privacy is disappearing appeared first on 'net work.

When prepend fails, what next? (2)

This week’s post was written by Johnny Britt over at FreedomPay. I’ve edited in some small places to add more information, etc., but I think Johnny needs to start blogging…

Once you have determined that AS-Path prepending can no longer help us what are our next steps? Routing is based on the longest matched prefix, this is true when BGP routes are being compared as well regardless of the AS-PATH. So one option you have is to split your address space into longer advertised prefixes and advertise a slice to each of our upstream providers. In Fig. 1, AS65000 splits its /44 IPv6 into 2 prefixes and advertises them out to AS65001 and AS65004 respectively. This forces half of AS65000 subnet traffic to flow inbound from one specific provider and we can combine both this technique and AS-Path prepending to give us more load sharing capabilities.

Using longer prefixes to direct traffic to a more preferred inbound link can take us a long way in creating the desired inbound traffic pattern. Sometimes there are scenarios where you may need to direct traffic at a more granular level.

But what if you don’t have the ability to create longer prefixes Continue reading

Worth Reading: Troubleshooting Cisco Remote Access

The Cisco Mobile and Remote Access (MRA) feature is a “client edge” solution that allows external software and hardware clients to register to enterprise Cisco Unified Communication (UC) solutions without requiring a VPN. Like most things, there are a lot of moving parts working together to create a relatively seamless user experience. And, like most things, the first time you deploy MRA there are a few “gotchas” that can eat up a significant amount of troubleshooting time. Netcraftsmen

The post Worth Reading: Troubleshooting Cisco Remote Access appeared first on 'net work.

Worth Reading: Random number breakthrough

The generation of random numbers has been an interesting problem for mathematicians for thousands of years. Old methods of random number generation include rolling dice, flipping coins and shuffling playing cards, but using these techniques for producing large numbers of sufficiently random numbers is extremely time-consuming. The New Stack

The post Worth Reading: Random number breakthrough appeared first on 'net work.

Hilton Head

The post Hilton Head appeared first on 'net work.

Worth Reading: Open Flow Tables and Vendor Hype

An OpenFlow-based switch can do only whatever the underlying hardware can do and whatever the NOS vendor implemented in the OpenFlow agent. If Pica8 claims that their software works better with TTPs they’re just saying that their previous software sucked. IP Space

The post Worth Reading: Open Flow Tables and Vendor Hype appeared first on 'net work.

Worth Reading: Useful Utilities

Troubleshooting and managing a network is much easier when you have the proper tools. Anybody who has been in the IT world for a time likely has a stash of small, portable, and often free programs they use to help in this area. Here is a list of my most-used utilities. Packet Pushers

The post Worth Reading: Useful Utilities appeared first on 'net work.