Securing BGP: A Case Study

What would it take to secure BGP? Let’s begin where any engineering problem should begin: what problem are we trying to solve? This series of posts walks through a wide range of technical and business problems to create a solid set of requirements against which to measure proposed solutions for securing BGP in the global Internet, and then works through several proposed solutions to see how they stack up.

Post 1: An introduction to the problem space
Post 2: What can I prove in a routing system?
Post 3: What I can prove in a routing system?
Post 4: Centralized or decentralized?
Post 5: Centralized or decentralized?
Post 6: Business issues with centralization
Post 7: Technical issues with centralization
Post 8: A full requirements list
Post 9: BGPSEC (S-BGP) compared to the requirements
Post 10: RPKI compared to the requirements

I will continue updating this post as I work through the remaining segments of this series.

The post Securing BGP: A Case Study appeared first on 'net work.

Worth Reading: Breaches at eMail Providers

Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia’s criminal underworld, a security expert told Reuters. The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru (MAILRq.L), Russia’s most popular email service, and smaller fractions of Google (GOOGL.O), Yahoo (YHOO.O) and Microsoft (MSFT.O) email users, said Alex Holden, founder and chief information security officer of Hold Security. -via Reuters

The post Worth Reading: Breaches at eMail Providers appeared first on 'net work.

Worth Reading: Feinstein-Burr, Encryption, and “The Rule of Law”

There’s a lot to say about the substance of the misguided anti-encryption legislation sponsored by Sens. Dianne Feinstein and Richard Burr, which was recently released as a “discussion draft” after a nearly-identical version leaked earlier this month. I hope to do just that in subsequent posts. But it’s also worth spending a little time on the proposal’s lengthy preamble, which echoes the rhetorical tropes frequently deployed by advocates for mandating government access to secure communications and stored data. -via Just Security

The post Worth Reading: Feinstein-Burr, Encryption, and “The Rule of Law” appeared first on 'net work.

Buenos Aires Garden

The post Buenos Aires Garden appeared first on 'net work.

Worth Reading: SD-WAN Consolidation?

In normal conditions, having as many as 20 companies chasing the same dollars would be unsustainable, so I’ve been waiting for consolidation—that is, for the market to coalesce around a handful (three? four? five?) companies that will emerge as winners after Hunger Games-like forces of capitalism eliminate the other tributes. -via Packet Pushers

The post Worth Reading: SD-WAN Consolidation? appeared first on 'net work.

Worth Reading: Yes, you should always update your software

We have all received those annoying interruptions to our work — yes, the dreaded “update your software” message. Updates can be cumbersome — they can force you to stop what you’re doing, restart your computer, or change the interface you were working in upon the restart. But as unfun as they might be, they are an essential part of strong digital hygiene and one of the most important steps you can take to protect and secure your personal devices. -via CDT

The post Worth Reading: Yes, you should always update your software appeared first on 'net work.

Slideshare: Engineer versus Complexity

These are the slides from my Interop presentation this last week.

The post Slideshare: Engineer versus Complexity appeared first on 'net work.

Worth Reading: It’s worth learning to troubleshoot

Since I have been working in IT for many years there are a few traits that generally separate a good engineer from a great engineer. One of those traits is troubleshooting. For those of you out there who have been doing this a long time would hopefully agree. -via Packet Pushers

The post Worth Reading: It’s worth learning to troubleshoot appeared first on 'net work.

Worth Reading: Increasing the Strength of the Zone Signing Key for the Root Zone

A major milestone was achieved in mid-2010 when Verisign and the Internet Corporation for Assigned Names and Numbers (ICANN), in cooperation with the U.S. Department of Commerce, successfully deployed DNSSEC for the root zone. Following that point in time, it became possible for DNS resolvers and applications to validate signed DNS records using a single root zone trust anchor. -via CircleID

The post Worth Reading: Increasing the Strength of the Zone Signing Key for the Root Zone appeared first on 'net work.

DR versus DIS: What’s the Diff?

OSPF and IS-IS, both link state protocols, use mechanisms that manage flooding on a broadcast link, as well as simplify the shortest path tree passing through the broadcast link. OSPF elects a Designated Router (or DR) to simplify broadcast links, and IS-IS elects a Designated Intermediate System (or DIS—a topic covered in depth in the IS-IS Livelesson I recently recorded). Beyond their being used in two different protocols, there are actually subtle differences in the operation of the two mechanisms. So what is the difference?

Before we dive into differences, let’s discuss the similarities. We’ll use the illustration below as a basis for discussion.

Q1 and Q2 illustrate the operation of a link state protocol without any optimization on a broadcast network, with Q1 showing the network, and Q2 showing the resulting shortest path tree. Q3 and Q4 illustrate link state operation with optimization over a broadcast link. It’s important to differentiate between building a shortest path tree (SPT) across the broadcast link and flooding across the broadcast link—flooding is where the primary differences lie in the handling of broadcast links in the two protocols.

Let’s consider building the SPT first. Both protocols operate roughly the same in this Continue reading

Worth Reading: Are Blockchains the Most Expensive Database?

One of the oft-made claims about Bitcoin and its blockchain transaction ledger is that they make transactions really cheap, so you can pay someone anywhere in the world for free, or close to it. But when you look closer, is that really true? Not by a long shot. -via CircleID

The post Worth Reading: Are Blockchains the Most Expensive Database? appeared first on 'net work.

Worth Reading: On the Quants and the Creatives

One of the things I find most interesting about the history of advertising is the long-running conflict between the “creatives” and their more quantitative, data-driven opponents within ad agencies. It’s a long-running, widespread opposition between a more humanistic, intuitive, interpretative style of decision-making and professional practice and a more rules-driven, empirical, formalistic approach. -via Easily Distracted

The post Worth Reading: On the Quants and the Creatives appeared first on 'net work.

Securing BGP: A Case Study (10)

The next proposed (and actually already partially operational) system on our list is the Router Public Key Infrastructure (RPKI) system, which is described in RFC7115 (and a host of additional drafts and RFCs). The RPKI systems is focused on solving a single solution: validating that the originating AS is authorized to originate a particular prefix. An example will be helpful; we’ll use the network below.

(this is a graphic pulled from a presentation, rather than one of my usual line drawings)

Assume, for a moment, that AS65002 and AS65003 both advertise the same route, 2001:db8:0:1::/64, towards AS65000. How can the receiver determine if both of these two advertisers can actually reach the destination, or only one can? And, if only one can, how can AS65000 determine which one is the “real thing?” This is where the RPKI system comes into play. A very simplified version of the process looks something like this (assuming AS650002 is the true owner of 2001:db8:0:1::/64):

• AS65002 obtains, from the Regional Internet Registry (labeled the RIR in the diagram), a certificate showing AS65002 has been issued 2001:db8:0:1::/64.
• AS65002 places this certificate into a local database that is synchronized with all the other operators participating in Continue reading

Worth Reading: How Big Data Creates False Confidence

It’s tempting to think that with such an incredible volume of data behind them, studies relying on big data couldn’t be wrong. But the bigness of the data can imbue the results with a false sense of certainty. Many of them are probably bogus—and the reasons why should give us pause about any research that blindly trusts big data. -via Nautilus

The post Worth Reading: How Big Data Creates False Confidence appeared first on 'net work.

Worth Reading: Linux Underlays

Linux is the vodka of operating systems. It can run in a stripped down manner on a variety of systems and leave very little trace behind. BSD is similar in this regard but doesn’t have the driver support from manufacturers or the ability to strip out pieces down to the core kernel and few modifications. Linux gives vendors and operators the flexibility to create a software environment that boots and gets basic hardware working. The rest is up to the creativity of the people writing the applications on top. -via the Networking Nerd

The post Worth Reading: Linux Underlays appeared first on 'net work.

Frogs and Other Frogs…

The post Frogs and Other Frogs… appeared first on 'net work.

Worth Reading: Broadband Speed Tests

Everyone is familiar with broadband ‘speed test’ applications. When you have an ISP service quality problem, it is common to grab one of these tools to see if you are getting the service you feel you are entitled to get. Whenever you upgrade your broadband, the first thing you might do is to run a speed test. Then you can show off to your mates how superior your blazing fast service is compared to their pitiful product. -via Circle ID

The post Worth Reading: Broadband Speed Tests appeared first on 'net work.

Worth Reading: Data Tiering and NVM

In short, much higher capacity, at one fifth of the cost of DRAM – but this is paid for with increased read latency (4x) and reduced write bandwidth (8x). The higher capacity and lower cost characteristics are very attractive for in-memory workloads when using NVM as a DRAM replacement/complement. -via the morning paper

The post Worth Reading: Data Tiering and NVM appeared first on 'net work.

Book Signing at Interop

I’ll be signing books at the Interop book store at around 1’ish this afternoon, until I need to run off to present this afternoon. Come by and grab a copy to be signed, or just bring a copy you already own.

The post Book Signing at Interop appeared first on 'net work.

Worth Reading: Moving towards a better Internet

Those of us who have been working on IPv6 for over 15 years know what it means to be an advocate for an infrastructure technology that cannot be easily tied to new revenue or short-term risks. It is a battle on an icy uphill slope with head winds and a gallery of skeptics who call themselves realists and cheer your every bruise. -via APNIC

The post Worth Reading: Moving towards a better Internet appeared first on 'net work.