BGP Policies (Part 3)

At the most basic level, there are only three BGP policies: pushing traffic through a specific exit point; pulling traffic through a specific entry point; preventing a remote AS (more than one AS hop away) from transiting your AS to reach a specific destination. In this series I’m going to discuss different reasons for these kinds of policies, and different ways to implement them in interdomain BGP.

There are many reasons an operator might want to select which neighboring AS through which to send traffic towards a given reachable destination (for instance, 100::/64). Each of these examples assumes the AS in question has learned multiple paths towards 100::/64, one from each peer, and must choose one of the two available paths to forward along.

In the following network—

From AS65001’s perspective

Assume AS65001 is some form of content provider, which means it offers some service such as bare metal compute, cloud services, search engines, social media, etc. Customers from AS65006 are connecting to its servers, located on the 100::/64 network, which generates a large amount of traffic returning to the customers.
From the perspective of AS hops, it appears the path from AS65001 to AS65006 is the same length—if this Continue reading

Weekend Reads 032522

A Chinese national was recently caught entering China with 160 Intel processors strapped to his body, an act that customs officials amount to smuggling.

In 2022, Facebook has 2.91 billion active users, making it the most-used social media platform. But to me, it will always pale in comparison to early MySpace.

As a CSIRT consultant, I cannot overemphasize the importance of effectively managing the first hour in a critical incident.

A few weeks ago, $3.6 billion in bitcoin was seized from a Manhattan couple who were arrested and charged with money laundering in connection with a 2016 hack on the Hong Kong cryptocurrency exchange Bitfinex. It was the largest financial seizure in the Justice Department’s history.

In a low-light Culver City control room, Lily Shaw is getting her pilot mood on.

This is not the first war in the digital age. But the role played by digital technologies and tech companies in the conflict is in many ways unprecedented.

Economic Denial of Sustainability (EDoS) is a cybersecurity threat targeting cloud environments. EDoS attacks exploit the elasticity of clouds, particularly auto-scaling capabilities, to inflate the billing of a cloud user until the account reaches bankruptcy or large-scale service withdrawal.

Continue reading

Hedge 123: Geoff Huston and the State of BGP

Another year of massive growth in the number and speed of connections to the global Internet—what is the impact on the global routing table? Goeff Huston joins Tom Ammon and Russ White to discuss the current state of the BGP table, the changes in the last several years, where things might go, and what all of this means. This is part 1 of a two part episode.

download

DC Fabric Webinar

Sorry for the short notice … I’m teaching a three-hour webinar on DC fabrics and control planes this coming Friday, the 25th, through Safari Books Online. This course covers the basics of spine-and-leaf fabrics, as well as some high level information on various DC fabric control plane options (BGP, RIFT, and IS-IS). Please register here.

Controversial Reads 031922

If you work in advertising or marketing, you’re probably aware of Apple’s privacy efforts over the last year. Apple now requires apps ask customers if they want to ‘opt-in’ to allow behavioral data tracking.

Among gamers and parents and even within the medical community, there’s disagreement about whether gaming addiction is real.

When discussing our relationship with technology, for whatever reason—whether it’s due to aimless maximum engagement algorithms, the ruthless economic incentive structure of the global market, or just our own sheer inability to think critically in the face of incessant propaganda—we’re led to believe that there are only two possible paths from here: 1. Integration with Technology or 2. Luddism.

I was struck by how easily he assumes that large doses of data, math, and computing power make computers smarter than humans. He is hardly alone, but he is badly mistaken.

When Shiri Melumad was working on her doctorate in 2012, she found herself reaching for her smartphone during moments of stress, before a tough exam, for example. She didn’t always use it, she just held it. It was comforting.

There is an estimated $12 billion market of companies that buy and sell location data collected from your cellphone. Continue reading

Weekend Reads 031722

We should instead be choosing authentication processes that appropriately match site risks; using a password should be the last thing you want to rely on.

Public companies would have to report material cybersecurity incidents no later than four business days after they occur if a rule proposed by the Securities and Exchange Commission (SEC) on Wednesday takes effect.

Researchers have disclosed a new technique that could be used to circumvent existing hardware mitigations in modern processors from Intel, AMD, and Arm, and stage speculative execution attacks such as Spectre to leak sensitive information from host memory.

The directive was accompanied by a catalog of known exploited vulnerabilities maintained by CISA that includes mandatory remediation deadlines. Essentially, it means “fix these fast or else” for applicable agencies and organizations.

Just being aware of surveillance has chilling effects in how we exercise speech, which is often under attack by all sorts of actors from criminals to our own governments.

Threat actors have been observed abusing a high-impact reflection/amplification method to stage sustained distributed denial-of-service (DDoS) attacks for up to 14 hours with a record-breaking amplification ratio of 4,294,967,296 to 1.

Since its birth, Yara has become a common ground to exchange threat Continue reading

Hedge 122: The Internet Architecture Board

What is the Internet Architecture Board (IAB) of the IETF? What role does the IAB play in the larger ecosystem of building and deploying standard protocols? In this episode of the Hedge, Tom and Ethan “flip roles” with Russ to ask these questions.

download

BGP Policies (Part 2)

At the most basic level, there are only three BGP policies: pushing traffic through a specific exit point; pulling traffic through a specific entry point; preventing a remote AS (more than one AS hop away) from transiting your AS to reach a specific destination. In this series I’m going to discuss different reasons for these kinds of policies, and different ways to implement them in interdomain BGP.

There are many reasons an operator might want to select which neighboring AS through which to send traffic towards a given reachable destination (for instance, 100::/64). Each of these examples assumes the AS in question has learned multiple paths towards 100::/64, one from each peer, and must choose one of the two available paths to forward along.

In the following network—

From AS65004’s perspective…

Transit providers primarily choose the most optimal exit from their AS to reduce the amount of peering settlement they are paying by using and maintaining settlement-free peering where possible and reducing the amount of time and distance traffic is carried through their network (through hot potato routing, discussed in more detail below).
If, for instance, AS65004 has a paid peering relationship with AS65002, and a contract with AS65003 which Continue reading

Weekend Reads 031122

The big ISPs all lobbied hard against the net neutrality rules, but the CEO of every big ISP was on the record at least once saying that the net neutrality rules were not a big deal and that they could live with net neutrality. So why did the big carriers lobby so hard about what the FCC was doing?

VESA, which makes the DisplayPort spec, today announced a certification program aimed at helping consumers understand if a DisplayPort 2.0 cable, monitor, or video source can support the max refresh rates and resolutions the spec claims.

Over the past week, the Akamai researchers said, they have detected multiple DDoSes that used middleboxes precisely the way the academic researchers predicted. The attacks peaked at 11Gbps and 1.5 million packets per second.

The metaverse, as Microsoft Corp. and Facebook parent Meta Platforms Inc. would have us call it, raises a remarkable prospect: For the first time, all of the technology giants are going to compete over the same turf.

A group of academics from the North Carolina State University and Dokuz Eylul University have demonstrated what they say is the “first side-channel attack” on homomorphic encryption that could be exploited to Continue reading

Hedge 121: Computing in the Network with Marie-Jose Montpetit

Can computation be drawn into the network, rather than always being pushed to the edge of the network? Taking content distribution networks as a starting point, the COIN research group is looking at ways to make networks more content and computationally aware, bringing compute into the network itself. Join Alvaro Retana, Marie-Jose Montpetit, and Russ White, as we discuss the ongoing research around computing in the network.

download

BGP Policies (part 1)

At the most basic level, there are only three BGP policies: pushing traffic through a specific exit point; pulling traffic through a specific entry point; preventing a remote AS (more than one AS hop away) from transiting your AS to reach a specific destination. In this series I’m going to discuss different reasons for these kinds of policies, and different ways to implement them in interdomain BGP.

In the following network—

There are many reasons an operator might want to select which neighboring AS through which to send traffic towards a given reachable destination (for instance, 100::/64). Each of these examples assumes the AS in question has learned multiple paths towards 100::/64, one from each peer, and must choose one of the two available paths to forward along.

Examining this from AS65006’s Perspective …

Assuming AS65006 is an edge operator (commonly called enterprise, but generally just originating and terminating traffic, and never transiting traffic), there are several reasons the operator may prefer one exit point (through an upstream provider), including:

• An automated system may determine AS65004 has some sort of brownout; in this case, the operator at 65006 has configured the system to prefer the exit through AS65005
• The traffic Continue reading

Weekend Reads 030422

The notion that email security should be prioritized is emphasized during this time where more and more businesses are still working in a remote or hybrid dynamic environment.

After quizzing 8,000 job applicants and 2,250 hiring managers in the U.S., Germany, and Great Britain, researchers at Harvard Business School, working with the consultancy Accenture, discovered that many tens of millions of people are being barred from consideration for employment by résumé screening algorithms that throw out applicants who do not meet an unfeasibly large number of requirements, many of which are utterly irrelevant to the advertised job.

We developed attacks that exploit the transparency of the DNS lookups to tunnel injection payloads over DNS records. These attacks exploit two key factors. Firstly, DNS resolvers do not alter the DNS records received in lookups, so the malicious payload is preserved intact

In response to what industry observers call the second quantum revolution, Israel announced on Feb. 15 an ambitious goal to build its first quantum computer within a year.

PCIe 6.0 was announced on January 11, 2022, so at the earliest, we’re looking at PCIe 6.0 products rolling out at the end of 2022 or early 2023.

Continue reading

Hedge 120: Information Centric Networking with Dirk Kutscher

In today’s Internet, packets are at the core of information flows. Routers only know (very minimally) about what is in the packets they’re carrying around. Caching and content distribution networks (CDNs) are used to place information at various locations throughout the ‘net for users to access, making the distribution of this information more efficient. Information Centric Networking “flips the script,” making named information, rather than packets, the core construct of networks.

Join Dirk Kutscher, Alvaro Retana, and Russ White, as they discuss this interesting research area at the future edge of networking. You can find out more about ICN here.

download

Weekend Reads 022522

To some degree, cyber AI suffers from the pressures exerted by the quest for never-ending sales growth.

The websites for several banks in Ukraine, the Ministry of Defense, and Armed Forces were hit with a distributed denial-of-service (DDoS) attack on Feb. 15.

Threat actors are using software and developer infrastructure, platforms, and providers as valuable entry points into governments, corporations, and critical infrastructure.

Cybercriminals and nation-state actors adapted to defenders’ tactics and became more efficient in 2021, with attackers relying more on data leaks combined with ransomware to extort increasing sums of money from companies — and in some cases using data leaks without encrypting data to force a company to pay, according to two analyses published this week.

Cloud and multi-cloud adoption has greatly increased the workload of already burdened IT teams. Of the 200 IT leaders surveyed, only about half of the respondents said that they are adequately staffed to manage the frequency of alerts they receive.

Imagine that you run an organization out of a building. Imagine that the landlord comes one day and says, “Oh I didn’t know you are a resident of country X or dealing with anybody from country X. I have to close Continue reading

Hedge 119: Product Marketing with Cathy Gadecki

Marketing is an underappreciated (and even demonized) part of the process in creating and managing networking products. Cathy Gadecki of Juniper joins Russ White and Tom Ammon on this episode of the Hedge to fill in the background and discuss the importance of marketing, and some of the odd corners where marketing impacts product development.

download

Controversial Reads 021921

The main purpose of algorithms, like digital programs and datacenters more broadly, is not to make money or influence thoughts, but to control people—in a direct and alien way hostile to our core beliefs and principles.

But as I testified to the Senate last week, you can basically reidentify anything. “Anonymity” is an abstraction.

Many people think that NoSQL databases are the “next big thing” in technology, and that we should write all of our core applications using them. However, NoSQL databases actually predate relational databases, and common relational databases were established to solve the problems that NoSQL brings.

One reason is that the most widely used methods of recycling more traditional batteries, like lead-acid batteries, don’t work well with Li batteries. The latter are typically larger, heavier, much more complex and even dangerous if taken apart wrong.

Apple has a rather complicated relationship with privacy, which it always points to as a differentiator with Google. But delivering on it is a different tale.

The problem is Web3 is not all that distributed, nor is it particularly equitable or transparent. It is highly centralized, despite being touted as a decentralized alternative to the web.

But rampant misinformation and days-long internet Continue reading

Weekend Reads 021821

A new DeadBolt ransomware group is encrypting QNAP NAS devices worldwide using what they claim is a zero-day vulnerability in the device’s software.

A simulated phishing attack against more than 82,000 workers found that emails with a personal impact resulted in more clicks and that technical teams — such as IT workers and DevOps teams — clicked just as often and reported suspected phishing attacks less often compared with nontechnical teams

Google on Tuesday announced that it is abandoning its controversial plans for replacing third-party cookies in favor of a new Privacy Sandbox proposal called Topics, which categorizes users’ browsing habits into approximately 350 topics.

NFTs continue to explode in popularity, reaching $25 billion in sales in 2021 as reported by Reuters. NFTs, or non-fungible tokens, are cryptoassets in which each token is unique.

The use in almost every aspect of human activity adds value to the need of UAS evolution, but it also increases security risks. Imagine what can happen when smart and cheap drones that anyone can easily purchase from a local hobby store become weapons at the hands of adversaries and cyber criminals.

Researchers have demonstrated a new type of fingerprinting technique that exploits a machine’s graphics Continue reading

Hedge 118: Integrating New Ideas with William Collins

When vendors build something new—or when you decide to go a different direction in your network—you have to figure out how to integrate these new things. Integration of this type often includes cultural, as well as technical, changes. William Collins joins Tom Ammon and Russ White to discuss his experience in integrating new technologies on Hedge 118.

Infrastructure Privacy Webinar

I’m teaching a three-hour webinar on privacy over at Safari Books on Friday. From the description there—

Privacy is important to every IT professional, including network engineers—but there is very little training oriented towards anyone other than privacy professionals. This training aims to provide a high-level overview of privacy and how privacy impacts network engineers. Information technology professionals are often perceived as “experts” on “all things IT,” and hence are bound to face questions about the importance of privacy, and how individual users can protect their privacy in more public settings.

Please join me for this—it’s a very important topic largely ignored in the infrastructure space.

Providers and Privacy at NANOG 84

I’m speaking (in person) at NANOG84 on providers and privacy—

Privacy is a hot topic, but there’s little information for the networking professional in this area. This presentation will provide a quick overview and thoughts on the area of privacy aimed at transit provider operations personnel, including packet processing and logging. Note this presentation does not constitute legal advice, but rather just presents general concepts and thoughts from the perspective of a network engineer in an area of interest.