Russ

Author Archives: Russ

Security ‘net 0x1339ECB: Who let the malware out?

According to ScadaFence, as quoted by Computer Weekly, industrial control systems are up next on hacker’s lists as a prime malware target. Apparently, they’ve grown tired of just defacing web sites and the like, and are moving to hard targets in meat space. What kind of damage could they do? Well, consider this attack, by way of Bruce Schneier:

We’re heading toward a world where driverless cars will automatically communicate with each other and the roads, automatically taking us where we need to go safely and efficiently. The confidentiality threats are real: Someone who can eavesdrop on those communications can learn where the cars are going and maybe who is inside them. But the integrity threats are much worse. Someone who can feed the cars false information can potentially cause them to crash into each other or nearby walls. Someone could also disable your car so it can’t start. Or worse, disable the entire system so that no one’s car can start.

Bruce Schneier moves the needle a little farther, discussing the current security model of confidentiality, integrity, and availability, and how it won’t work in the world that we’re building. Instead, he argues that it’s time to rethink our Continue reading

Worth Reading: Disaggregation at LinkedIn

Disaggregation has been on the top of my mind a good bit recently, partially because of our work at LinkedIn around this topic. Zaid has just posted a piece on the LinkedIn Engineering Blog about Project Falco, which is our internal disaggregation project for our data centers. Just a little taste to convince you to jump over there and read this one, because I think this sort of thing will have a major impact in the networking industry over the next three to five years.

Pigeon is a 3.2Tbps switching platform that can be used as a leaf or spine switch. Pigeon is our first foray into active switch software development. We are not venturing into developing our own switch because we aspire to become experts in the switching and routing space, but because we want control of our destiny. We continue to be supportive of our commercial vendors and work with them in a decoupling model.

LinkedInTwitterGoogle+FacebookPinterest

The post Worth Reading: Disaggregation at LinkedIn appeared first on 'net work.

Worth Reading: What They’re Not Telling You About Global Deduplication

When it comes to endpoint backup, is global deduplication a valuable differentiator? Not if data security and recovery are your primary objectives. Backup vendors that promote global deduplication say it minimizes the amount of data that must be stored and provides faster upload speeds. What they don’t say is how data security and recovery are sacrificed to achieve these “benefits.” -via csa

The post Worth Reading: What They’re Not Telling You About Global Deduplication appeared first on 'net work.

Technology ‘net 0x1339ECA: 2015 Measured and Plumbed

technology-netOne of the great things about APNIC is the amount of information about the state of the Internet Geoff Huston puts out each year. He’s recently posted two studies on the state of BGP and the state of IPv4 addresses as of 2015; they’re both well worth reading in full, but here are several key takeaways of particular interest.

BGP in 2015
Addressing in 2015

First, the size of the global (DFZ) table has crossed 512,000 routes. While the actual table size varies by your view of the network (BGP is a path vector protocol, which has many of the same attributes as a distance-vector protocol, including multiple views of the network), this is the first time the route view servers have actually crossed that number. Why is 512,000 a magic number? If there are 512,000 routes, there are likely 512,000 FIB entries (unless there’s some sort of FIB compression involved), and there are a number of older boxes that cannot support 512,000 routes in their FIB.

Second, the DFZ has been growing at a rate of about 7%-8% per year for a number of years. Given the number of new devices being added to the Internet, how can this Continue reading

Worth Reading: Standardized Models For Networking

From an operator’s perspective, one challenge with network automation is the lack of standard interfaces. In other words, it’s hard to configure a network programmatically if the details vary from device to device. Today, most operators know these differences in the form of CLI syntax. For example, the commands required to configure BGP on a Cisco device running IOS differ from the commands required to accomplish the same task on a Juniper device running Junos. -via packet pushers

The post Worth Reading: Standardized Models For Networking appeared first on 'net work.

Securing BGP: A Case Study (2)

In part 1 of this series, I pointed out that there are three interesting questions we can ask about BGP security. The third question I outlined there was this: What is it we can actually prove in a packet switched network? This is the first question I want dive in too—this is a deep dive, so be prepared for a long series. :-) This question feels like it is actually asking three different things, what we might call “subquestions,” or perhaps “supporting points.” These three questions are:

  • If I send a packet to the peer I received this update from, will it actually reach the advertised destination?
  • If I send this information to this destination, will it actually reach the intended recipient?
  • If I send a packet to the peer I received this update from, will it pass through an adversary who is redirecting the traffic so they can observe it?

These are the things I can try to prove, or would like to know, in a packet switched network. Note that I want to intentionally focus on the data plane and then transfer these questions to the control plane (BGP). This is the crucial point to remember: If I Continue reading

Worth Reading: Inside the Internet Archive

To most of the web surfing public, the Internet Archive’s Wayback Machine is the face of the Archive’s web archiving activities. Via a simple interface, anyone can type in a URL and see how it has changed over the last 20 years. Yet, behind that simple search box lies an exquisitely complex assemblage of datasets and partners that make possible the Archive’s vast repository of the web. How does the Archive really work, what does its crawl workflow look like, how does it handle issues like robots.txt, and what can all of this teach us about the future of web archiving? -via forbes

The post Worth Reading: Inside the Internet Archive appeared first on 'net work.

Technology ‘net: End-to-end Disaggregation?

Quite a lot seems to be going on on the technology side of things—as the morning paper points out, everything seems to be changing at once right now. Ever feel like you’re sipping from a firehose? Maybe there’s a reason… Let’s discuss just a few of these in a little more detail.

First, there has been a lot of discussion around IPv6 in the last year or so. The folks within the IETF who designed IPv6 decided to do “more than just” adding more address space, instead deciding to change some fundamental things about the way IP works in the process of developing a new protocol. For instance, fragmentation by network devices is gone in IPv6, and the option headers are much richer. These kind of fundamental changes in protocol design invariably lead to the question—what impact do these things have on performance? A recent series of tests set out to answer this question. The results are pretty clear; over time, as IPv6 has been deployed natively, the protocol’s performance has moved closer to the performance of IPv4. There are still some gaps, but they are narrowing. Those gaps may never be gone, but IPv6 may come close enough, over Continue reading

Worth Reading: Intel becomes irrelevant

We’re approaching the end of the closed, proprietary, single source technology era. ARM processors are freely licensed, more open, and much more cost competitive than similar products from Intel or AMD. If you need 10 million chips for your next product do you buy them from Intel? Or do you get a license from ARM and hire a foundry to make them for you? -va cringely

The post Worth Reading: Intel becomes irrelevant appeared first on 'net work.

Security ‘net: Digital Copyright Edition

security-netThe world of digital copyright is somewhat tangential to “real” security, but it’s a culture issue that impacts every network engineer in myriad ways. For instance, suppose you buy a small home router, and then decide you really want to run your own software on it. For instance, let’s say you really want to build your own router because you know what you can build will outperform what’s commercially available (which, by the way, it will). But rather than using an off box wireless adapter, like the folks at ARS, you really want to have the wireless on board.

Believe it or not, this would be considered, by some folks, as a pretty large act of copyright infringement. For instance, the hardware manufacturer may object to you replacing their software. Or the FCC or some other regulatory agency might even object because they think you’re trying to hog wireless spectrum, or because you don’t like what the wireless providers are doing. The EFF has a good piece up arguing that just such tinkering as replacing the operating system on a commercially purchased device is at the heart of digital freedom.

One of the most crucial issues in the fight for Continue reading

Worth Reading: Light at the end of the silicon

Silicon photonics has emerged as one of those areas of such far-reaching potential that its challenges and benefits tend to be clouded in generalities. Light as the main medium does indeed promise to alter fields including biological and chemical sensing, navigation, radio frequency sensing, communications, but for our purposes here, the potential within large-scale computing is of greater interest. -via the next platform

The post Worth Reading: Light at the end of the silicon appeared first on 'net work.

Securing BGP: A Case Study (1)

What would it take to secure BGP? Let’s begin where any engineering problem should begin: what problem are we trying to solve?

A small collection of autonomous systems

In this network—in any collection of BGP autonomous systems—there are three sorts of problems that can occur at the AS level. For the purposes of this explanation, assume AS65000 is advertising 2001:db8:0:1::/64. While I’ve covered this ground before, it’s still useful to outline them:

  1. AS65001 could advertise 2001:db8:0:1::/64 as if it is locally attached. This is considered a false origination, or a hijacked route.
  2. AS65001 could advertise a route to 2001:db8:0:1::/64 with the AS path [65000,65001] to AS65003. This is another form of route hijacking, but instead of a direct hijack it’s a “one behind” attack. AS65001 doesn’t pretend to own the route in question, but rather to be connected to the AS that is originating the route.
  3. AS65000 could consider AS65003 a customer, or rather AS65003 might be purchasing Internet connectivity from AS65000. This would mean that any routes AS65000 advertises to AS65003 are not intended to be retransmitted back to AS65004. If, for instance, 2001:db8:0:1::/64, is advertised by AS65000 to AS65003, and AS65003 readvertises it to AS65004, AS65003 would be an unintentional transit AS in the Continue reading

Worth Reading: Net Neutrality

The world is watching and taking note of the FCC’s blatant competition double standard that totally favors America’s dominant edge platforms above most everyone and everything else. Consider an apt and illuminating comparison between the competition U.S. wireless broadband providers face versus the competition Silicon Valley’s edge platforms face. -via somewhat reasonable

The post Worth Reading: Net Neutrality appeared first on 'net work.

1 138 139 140 141 142 162