Russ

Author Archives: Russ

Worth Reading: Why Disaggregation?

White box networking and servers, Virtualization and cloud based computing. All of these are related to a single trend in the computer networking world: disaggregation, or rather the splitting of hardware from software. The buzz around this new trend is obvious once you connect all the pieces together, but the drivers behind the disaggregation movement might not be. Why disaggregate, and why now?

This is my first post over at LighTALK, the official blog of ECI.

LinkedInTwitterGoogle+FacebookPinterest

The post Worth Reading: Why Disaggregation? appeared first on 'net work.

Worth Reading: Rethinking Path Validation

As it’s difficult to secure what you cannot describe, it’s best to begin looking at the problem of BGP security with an accurate description of BGP. While most engineers would describe BGP as a routing protocol, this seems to fall short of the mark, as BGP uses policy as its primary metric, only falling back to the “shortest path” when multiple available paths have the same policy weight. So perhaps a more complete definition would be: BGP is a distributed system that describes peering relationships, policy, and reachability grounded in transitive trust. -via the LinkedIn Engineering Blog

This is my first post on the LinkedIn Engineering Blog—but definitely not my last.

This post is a written version of the presentation I recently gave at NANOG, and complements the series I’ve been doing on BGP security as a case study. Part 2 should publish next week; I’ll post a link to it here when it does.

LinkedInTwitterGoogle+FacebookPinterest

The post Worth Reading: Rethinking Path Validation appeared first on 'net work.

New Address

To make this blog a little easier to find, I’ve pointed rule11.us here as well. ntwrk.guru will continue to work, as well, but people seem to have a hard time remembering the url, so I added a second one.

LinkedInTwitterGoogle+FacebookPinterest

The post New Address appeared first on 'net work.

Slicing and Dicing Flooding Domains (1)

This week two different folks have asked me about when and where I would split up a flooding domain (IS-IS) or area (OSPF); I figured a question asked twice in one week is worth a blog post, so here we are…

Before I start on the technical reasons, I’m going to say something that might surprise long time readers: there is rarely any technical reason to split a single flooding domain into multiple flooding domains. That said, I’ll go through the technical reasons anyway.

There are really three things to think about when considering how a flooding domain is performing:

  • SPF run time
  • flooding frequency
  • LSDB size

design-files
Let’s look at the third issue first, the database size. This is theoretically an issue, but it’s really only an issue if you have a lot of nodes and routes. I can’t ever recall bumping up against this problem, but what if I did? I’d start by taking the transit links out of the database entirely—for instance, by configuring all the interfaces that face actual host devices as passive interfaces (which you should be doing anyway!), and configuring IS-IS to advertise just the passive interfaces. You can pull similar tricks in OSPF. Continue reading

Security ‘net: Internet of Things and iPhones edition

One of my college professors has suggested that the question of whether or not Apple should help the FBI break the encryption on the iPhone used by a terrorist is an ideal diagnostic question for your view of all things privacy. There are, of course, gray area answers, like “Apple should help the FBI break the encryption in this case, but not others.” The problem is, of course, that this isn’t the simple answer it might seem. First, there are motives behind the apparent motives. Many people see Apple as just “doing what’s right to save the world.” I don’t see it that way at all. Given I’m a bit cynical (who would have guessed), I see two motives from Apple’s point of view.

First, Apple is trying to protect a marketing stance. They’ve as much as admitted this in court documents and the implied threat of suing the U.S. Government for loss of revenue if they’re forced to build a version of their O/S that will allow the FBI to break the encryption. Just Security notes—

There are other interests at stake here too. Apple has a liberty interest in not being dragooned into writing forensic Continue reading

Why you should care about complexity

If you look across a wide array of networking problems, you will see what is an apparently wide array of dissimilar and unrelated problems engineers deal with on a daily basis. For instance—

  • Should I split this flooding domain into multiple parts? If so, where should I divide it?
  • Which routing protocol should I use on this network topology, and to solve this set of problems?
  • How should I configure the Quality of Service parameters on this network?
  • Should I use MPLS on my data center fabric, or straight IP?

Over my years as a network engineer, I’ve always treated these as separate sorts of problems, each with their own tradeoffs, concepts, and models. In fact, I’ve been a kindof “collector of models” over the years, trying to find different models to address each situation. In the Art of Network Architecture, there’s an entire chapter on the models Denise and I have run in to over the years, where they seem to be useful, and where they seem to be limited. complexity-model

But keeping all of these models in my head didn’t help me generalize the problems I faced in building and troubleshooting networks. For instance, in the flooding domain instance Continue reading

Worth Reading: The myth of in-memory computing

These days when you talk to people in the tech industry, you will get the idea that in-memory computing solves everything. The story is that RAM has become so cheap that you can just stuff all your data in-memory and you won’t have to worry about speed any more. But it is just a myth. Companies that buy into this myth will almost certainly regret that choice in the near future. -via the next platform

LinkedInTwitterGoogle+FacebookPinterest

The post Worth Reading: The myth of in-memory computing appeared first on 'net work.

Security ‘net: Security by obscurity

This week I have two major themes to discuss on the topic of security, and one interesting bit of research. Let’s start with some further thoughts on security by obscurity.

First: Obscurity isn’t security

I’ve heard this at least a thousand times in my life as a network engineer, generally stated just about the time someone says, “well, we could hide this server…” Reality, of course, is far different; I still put curtains on my house even though they don’t increase the amount of time it takes a thief to break in. Whether or not we want to believe it, obscurity does play a positive role in security.

But there are two places where obscurity is a bad thing in the world of security. The first is the original reference of this common saying: algorithms and implementations. Hiding how you encrypt things doesn’t improve security; in fact, it decreases the overall security of the system. The second place? Communication between companies and security professionals about the types, frequency, and methods of attack. Imagine, for a moment, that you were commanding a unit on a battlefield. You hear the sounds of combat in the distance. Realizing a unit in your army is Continue reading

Worth Reading: IPv6 Paradigm Change

Link-Local Addresses (LLAs) have the rather obvious property of being linked locally. This means that a layer-3 route cannot route IP packets destined to a LLAs. Instead they can only be forwarded within a layer-2 domain. As such, LLAs have an interesting security property – they cannot be reached from outside of the layer-2 link as they are hidden and isolated. -via apnic

LinkedInTwitterGoogle+FacebookPinterest

The post Worth Reading: IPv6 Paradigm Change appeared first on 'net work.

Securing BGP: A Case Study (4)

In part 1 of this series, I looked at the general problem of securing BGP, and ended by asking three questions. In part 2 and part 3, I considered the third question: what can we actually prove in a packet switched network. For this section, I want to return to the first question:

Should we focus on a centralized solution to this problem, or a distributed one?

There are, as you might expect, actually two different problems within this problem:

  • Assuming we’re using some sort of encryption to secure the information used in path validation, where do the keys come from? Should each AS build its own private/public key pairs, have anyone they want to validate the keys, and then advertise them? Or should there be some central authority that countersigns keys, such as the Regional Internet Registries (RIRs) so everyone has a single trust root?
  • Should the information used to validate paths be distributed or stored in a somewhat centralized database? At the extreme ends of this answer are two possibilities: every eBGP speaker individually maintains a database of path validation information, just like they maintain reachability information; or there are a few servers (like the root DNS servers) Continue reading

Worth Reading: In the Trenches with OpenStack

In a sense, and oversimplifying a bit, OpenStack is an automation framework for Linux that just happens to allow Windows instances to run on KVM, just like the Azure cloud and Azure Stack are similar extensions to Windows Server that just so happen to also support Linux instances on Hyper-V. There have been a dozen releases of OpenStack since that time, on a six-month cadence of April and October launches that, interestingly enough, have also regularized the pattern for Linux operating system launches, too. -via the next platform

The post Worth Reading: In the Trenches with OpenStack appeared first on 'net work.

1 136 137 138 139 140 162