Author Archives: Russ

Hedge 133: Brooks Westfield and Multifactor Testing

Multi-factor testing is one of the most important jobs a vendor takes on—and one of the most underrated. Testing across all possible configurations and use cases is nearly impossible. Brooks Westbrook joins Tom Ammon and Russ White on this episode of the Hedge to talk about the complexity of multi-factor testing and some of the consequences of that complexity.


Revisiting BGP Convergence

My video on BGP convergence elicited a lot of . . . feedback, mainly concerning the difference between convergence in a data center fabric and convergence in the DFZ. Let’s begin here—BGP hunt and the impact of the MRAI are very real in the DFZ. Withdrawing a route can take several minutes.

What about the much more controlled environment of a data center fabric?

Several folks pointed out that the MRAI is often set to 0 in DC fabrics (and many implementations by default). Further, almost all implementations will use an MRAI of 0 for the first received update, holding the second and subsequent advertisements by the MRAI. Several folks also pointed out that all the paths through a DC fabric are the same length, so the second part of the equation is also very small.

These are good points—how do they impact BGP convergence? Let’s use the network below, a small slice of a five-stage butterfly fabric, to think it through. Assume every router is in a different AS, so all the peering sessions are eBGP.

Start with A losing its connection to 101::/64—

  • T1: A withdraws its route from B and C
  • T2: B withdraws its route from D and E,

Weekend Reads 060322

This edition of weekend reads begins with a few straight security stories of interest. I knew key loggers existed in the wild, but the logging of keystrokes before a web form is submitted is apparently a lot more common than I realized—


They found that 1,844 websites gathered an EU user’s email address without their consent, and a staggering 2,950 logged a US user’s email in some form. Many of the sites seemingly do not intend to conduct the data-logging but incorporate third-party marketing and analytics services that cause the behavior.

Illustrating that security is often a game of “whack-a-mole,” web skimmers are obfuscating their operation—


Microsoft security researchers recently observed that web skimming campaigns now employ various obfuscation techniques to deliver and hide skimming scripts.

Identity is fraught with problems even in the real world; just as people used to carry “letters of introduction” with them when they moved to a new area or started a new job, identity is often a matter of transitive trust. How to replicate transitive trust in the digital world is still a problem, but it’s also the foundation of decentralized systems—


The central thesis of the decentralized future is that I should be

Hedge 132: DNS Complexity and the DNAME

We all intuitively know the DNS is complex, and it is becoming more complex over time. Describing just how complex, however, is difficult. Siva Kesava and Ryan Beckett just published a research paper taking on the task of describing DNS complexity, particularly in light of the new DNAME record type. It turns out it's complex enough that you can no longer really validate zone files.


Weekend Reads 052722

networks and policy

Leading off this weekend, an article by Simon Sharwood on the impact of the centralization of the Internet. I wrote a somewhat longer article on the Public Discourse a while back on the same topic.


The internet has become smaller, the result of a rethinking of when and where to use the ‘net’s intended architecture. In the process it may also have further concentrated power in the hands of giant technology companies.

Is softwarization really going to change the way we build networks from the ground up? I suspect things will change, but they’ve always changed. I also suspect we’ll be hearing about how software is going to eat the world ten years from now, and IPv6 still won’t be fully deployed.


DOCSIS 4.0 is set to deliver faster speeds for cable network operators, but the next generation technology will also spur an operational sea change, telecom consultant Sean McDevitt told Fierce.


By default, the Docker server configures container networks for IPv4-only, so I had a hard time running it in this environment.

security and other technologies

This one on Costa Rica is a serious warning—


A ransomware gang that infiltrated some Costa Rican government computer

Hedge 131: Easier for the Computer or the Person?

Scripting, and now network management, is increasingly focused on making things "easier" for the human operator. Does this focus on making things "easier" for the operator produce a better experience, though? Or does it create frustration as humans try to "outguess" the computer's programming and process? Join Tom Ammon and Russ White as they discuss the problems with scripting, automation, and ease-of-use.


Hedge 129: Open Source Mentoring

Mentoring is a topic we return to time and again, because it's one of the most important things we can talk about in terms of building your people skills, your knowledge, and your career. On this episode of the Hedge, Guedis Cardenas joins Tom Ammon and Russ White to talk about open source mentoring. We discuss how this is different from "regular" mentoring, and how it's the same. Join us as we talk about one of the most important career and personal growth things you can do.


BGP Policy (Part 7)

At the most basic level, there are only three BGP policies: pushing traffic through a specific exit point; pulling traffic through a specific entry point; preventing a remote AS (more than one AS hop away) from transiting your AS to reach a specific destination. In this series I’m going to discuss different reasons for these kinds of policies, and different ways to implement them in interdomain BGP.

In this post—the last post in this series—I’m going to cover do not transit options from the perspective of AS65001 in the following network—

There are cases where an operator does not want traffic to be forwarded to them through some specific AS, whether directly connected or multiple hops away. For instance, AS65001 and AS65005 might be operated by companies in politically unfriendly nations. In this case, AS65001 may be legally required to reject traffic that has passed through the nation in which AS65005 is located. There are at least three mechanisms in BGP that are used, in different situations, to enforce this kind of policy.

Do Not Advertise Communities (Provider Specific)

Many providers supply communities a customer can use to block the advertisement of their routes to a particular AS. For instance, if

Live Training: How Routers Really Work

On the 27th of May, I’ll be teaching a three-hour course called How Routers Really Work? From the course description:

This training will peer into the internal components of a router, starting with an explanation of how a router switches packets. This walk through of a switching path, in turn, will be used as a foundation for explaining the components of a router, including the various tables used to build forwarding tables and the software components used to build these tables.

Sign up here.

Hedge 128: Network Engineering at College

Have you ever thought about getting a college degree in computer networking? What are the tradeoffs between this and getting a certification? What is the state of network engineering at colleges—what do current students in network engineering programs think about their programs, and what they wish was there that isn’t? Rick Graziani joins Tom Ammon and Russ White in a broad ranging discussion on network engineering and college. Rick teaches network engineering full time in the Valley.


BGP Policy (Part 6)

At the most basic level, there are only three BGP policies: pushing traffic through a specific exit point; pulling traffic through a specific entry point; preventing a remote AS (more than one AS hop away) from transiting your AS to reach a specific destination. In this series I’m going to discuss different reasons for these kinds of policies, and different ways to implement them in interdomain BGP.

In this post I’m going to cover local preference via communities, longer prefix match, and conditional advertisement from the perspective of AS65001 in the following network—

Communities and Local Preference

As noted above, MED is the tool "designed into" BGP for selecting an entrance point into the local AS for specific reachable destinations. MED is not very effective, however, because a route's local preference always wins over MED in the best-path decision, and because MED is only passed to the directly adjacent AS and is never propagated beyond it.

Some operators provide an alternative to MED in the form of communities that set a route's local preference within their AS. For instance, assume 100::/64 is geographically closer to the [65001,65003] link than either of the [65001,65002] links, so AS65001 would prefer traffic destined to 100::/64 to enter through AS65003.

In this case, AS65001 can advertise 100::/64 with
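To make the two policy mechanisms in these posts concrete, here is an added example (not code from the posts or from any router vendor): a toy import policy for AS65001 that (a) drops any route whose AS_PATH crosses AS65005, the "do not transit" case from Part 7, and (b) maps customer-facing communities to LOCAL_PREF, the "communities and local preference" case from Part 6. The community values (65001:90, 65001:110, 65001:120), the extra ASNs (65007 through 65009) and prefixes, and the use of AS_PATH filtering as the illustration of do-not-transit are all assumptions made for this example; the posts themselves describe provider-specific do-not-advertise communities, and the mechanism shown here is one generic alternative, not a claim about what Part 7 goes on to cover.

```python
"""Toy BGP import policy for AS65001: AS_PATH do-not-transit filtering plus
community-driven LOCAL_PREF.  Added illustration, not the blog's own code."""
import re
from dataclasses import dataclass
from typing import List, Optional

LOCAL_AS = 65001
# Assumption for this example: AS65001 must not use any path through AS65005.
BANNED_TRANSIT_AS = {65005}

# Assumption: hypothetical customer communities of the form 65001:NNN, where
# NNN is the LOCAL_PREF AS65001 applies to routes carrying that community.
COMMUNITY_TO_LOCAL_PREF = {
    "65001:90": 90,
    "65001:110": 110,
    "65001:120": 120,
}
DEFAULT_LOCAL_PREF = 100

# AS_SETs appear in braces inside an AS_PATH, e.g. "65003 {65005 65009}".
AS_SET_RE = re.compile(r"\{([^}]*)\}")


@dataclass
class Route:
    prefix: str
    as_path: str                        # space-separated ASNs, AS_SETs in braces
    communities: frozenset = frozenset()
    local_pref: int = DEFAULT_LOCAL_PREF
    accepted: bool = True
    reason: str = ""


def path_ases(as_path: str) -> set:
    """Every ASN appearing anywhere in the AS_PATH, AS_SET members included."""
    ases = set()
    for m in AS_SET_RE.finditer(as_path):
        ases.update(int(x) for x in m.group(1).split())
    ases.update(int(x) for x in AS_SET_RE.sub(" ", as_path).split())
    return ases


def path_length(as_path: str) -> int:
    """AS_PATH length as used in best-path selection: each AS_SET counts as one hop."""
    sets = len(AS_SET_RE.findall(as_path))
    sequence = len(AS_SET_RE.sub(" ", as_path).split())
    return sequence + sets


def apply_import_policy(route: Route) -> Route:
    """Evaluate one received route against AS65001's inbound policy, in order:
    loop check, do-not-transit filter, then community-driven LOCAL_PREF."""
    ases = path_ases(route.as_path)
    if LOCAL_AS in ases:
        # Standard BGP loop detection: our own AS is already in the path.
        route.accepted = False
        route.reason = "loop: own AS in path"
        return route
    banned = ases & BANNED_TRANSIT_AS
    if banned:
        # Do-not-transit: never install a path that crosses the banned AS,
        # whether it is the direct neighbour, several hops away, or in an AS_SET.
        route.accepted = False
        route.reason = f"do-not-transit: path crosses AS{sorted(banned)[0]}"
        return route
    matching = [pref for c, pref in COMMUNITY_TO_LOCAL_PREF.items()
                if c in route.communities]
    if matching:
        # If a neighbour tags with several of our communities, honour the highest.
        route.local_pref = max(matching)
    return route


def best_path(routes: List[Route]) -> Optional[Route]:
    """Pick the best accepted route: highest LOCAL_PREF, then shortest AS_PATH.
    LOCAL_PREF is compared first, which is why a community that sets it
    overrides anything MED could have expressed."""
    accepted = [r for r in routes if r.accepted]
    if not accepted:
        return None
    return max(accepted, key=lambda r: (r.local_pref, -path_length(r.as_path)))


if __name__ == "__main__":
    # Constructed sample updates, as AS65001 might receive them from 65002/65003.
    received = [
        Route("100::/64", "65003 65007", frozenset({"65001:120"})),
        Route("100::/64", "65002 65007"),
        Route("200::/64", "65002 65005 65008"),
        Route("200::/64", "65003 {65005 65009}"),
    ]
    for r in received:
        apply_import_policy(r)
        print(r.prefix, r.as_path, "accepted" if r.accepted else r.reason, r.local_pref)
    best = best_path([r for r in received if r.prefix == "100::/64"])
    print("best path for 100::/64 via", best.as_path)
```

Run as a script it prints the per-route decision and shows 100::/64 preferred through AS65003 purely because the 65001:120 community raised LOCAL_PREF, while both 200::/64 paths are dropped because AS65005 appears in the AS_PATH, once in the sequence and once inside an AS_SET. Real implementations express the same two steps as an as-path filter list and a community-matching route policy applied inbound on the peering session.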
