Hedge 103: BGP Security with Geoff Huston

Our community has been talking about BGP security for over 20 years. While MANRS and the RPKI have made some headway in securing BGP, the process of deciding on a method to provide at least the information providers need to make more rational decisions about the validity of individual routes is still ongoing. Geoff Huston joins Alvaro, Russ, and Tom to discuss how we got here and whether we will learn from our mistakes.

download

Weekend Reads 100121

Bowles is showing off her whatever-it-takes strategy for narrowing the digital divide between people with reasonably speedy internet access and those without.

Articles 33 and 34 outline the requirements for breach notification; however, most businesses are still unaware of their responsibilities. Details such as what an organization should report, when, to whom it should be reported, and what should be included in the breach notification are some of the major aspects that businesses overlook.

The idea behind Security.txt is straightforward: The organization places a file called security.txt in a predictable place — such as example.com/security.txt, or example.com/.well-known/security.txt.

Air is an absolutely terrible medium with which to move or remove heat from a system, but it sure is a lot easier and cheaper (well, at least in terms of the cost of goods sold sense) than adding some sort of liquid cooling to a system.

The EU aims to have a common charging port for mobile phones, tablets, and headphones under a European Commission proposal presented on Thursday in a world first, with the move impacting iPhone maker Apple more than its rivals.

As we head toward the annual Supercomputing Conference season we wanted Continue reading

Hedge 102: BGP Security with Geoff Huston

Our community has been talking about BGP security for over 20 years. While MANRS and the RPKI have made some headway in securing BGP, the process of deciding on a method to provide at least the information providers need to make more rational decisions about the validity of individual routes is still ongoing. Geoff Huston joins Alvaro, Russ, and Tom to discuss how we got here and whether we will learn from our mistakes.

download

Keith’s Law (1)

I sometimes reference Keith’s Law in my teaching, but I don’t think I’ve ever explained it. Keith’s Law runs something like this:

Any large external step in a system’s capability is the result of many incremental changes within the system.

The reason incremental changes within a system appear as a single large step to outside observers is the smaller changes are normally hidden by abstraction. This is, in fact, the purpose of abstraction—to hide small changes inside a system from external view. Keith’s law is closely related to Clarke’s third law that “Any sufficiently advanced technology is indistinguishable from magic.” What looks like magic from the outside is really just a bunch of smaller things—each easier to understand on its own—combined into one single “thing” through abstraction.
If you’ve read this far, you’re probably thinking—what does this have to do with network engineering?
Well, several things, really.

First—the network is just an abstraction that moves packets to its users. Moving packets seems so … simple … to network users. You put data in here, and data comes out over there. All the little stuff that goes into making a network work are lost in the abstraction of the virtual Continue reading

Controversial Reads 092521

Apple then made public what was private. The company, under CEO Tim Cook’s leadership, had actually been consulting the FBI on various methods for hacking the phone. In fact, the FBI had botched one of the suggested techniques after a mistake. The agency wasn’t willing to risk another gaffe.

Software locks, API restrictions, legal threats, forced downgrades and more – these are why Big Tech stays big.

Megan Borovicka joined Facebook in 2013 and then forgot she even had an account. But Facebook never forgot about her.

On May 27, 2020, in the French National Assembly, Cédric O, the French Secretary of State for Digital Economy, forcibly expressed his government’s frustration with Apple and Google in terms more appropriate to a cold war confrontation between superpowers.

Almost everything we do online today is designed to be addictive. The average American spent more than two hours a day on social media in 2020.

Gary Gensler, Joe Biden’s deeply establishmentarian SEC head, has dropped a bomb on the crypto community with his sudden attack on Coinbase, the leading crypto platform.

As the data these devices collect is sold and shared—and hacked—deciding what risks you’re comfortable with is a necessary part of making Continue reading

Weekend Reads 092421

Microsoft on Tuesday addressed a quartet of security flaws as part of its Patch Tuesday updates that could be abused by adversaries to target Azure cloud customers and elevate privileges as well as allow for remote takeover of vulnerable systems.

To meet current demands, as well as those of the next normal and an unpredictable future, retailers are now adopting software-driven strategies to deliver connected retail experiences and operations, ultimately resulting in the software-defined store.

Network measurement techniques have been mostly developed independently from protocols and, therefore, typically build upon externally visible semantics. One example of this is TCP sequence numbers and acknowledgements, which can be used to derive a flow’s round-trip time (RTT).

Ordinarily, when developing something, you start with a set of requirements or goals. But DNSSEC was a research project, so in place of requirements, developers set expectations of what needed to be done and what could be done to solve the DNS security problem.

Open-source M1-style chips may be in our future, according to a reverse-engineering document released online, Tom’s Hardware reports.

But how can they know that the plan they have is efficient enough to alleviate future cyber incidents? By using a cyber crisis tabletop Continue reading

Hedge 101: In Situ OAM

Understanding the flow of a packet is difficult in modern networks, particularly data center fabrics with their wide fanout and high ECMP counts. At the same time, solving this problem is becoming increasingly important as quality of experience becomes the dominant measure of the network. A number of vendor-specific solutions are being developed to solve this problem. In this episode of the Hedge, Frank Brockners and Shwetha Bhandari join Alvaro Retana and Russ White to discuss the in-situ OAM work currently in progress in the IPPM WG of the IETF.

download

Thoughts on the Collapsed Spine

One of the designs I’ve been encountering a lot of recently is a “collapsed spine” data center network, as shown in the illustration below.

In this design, and B are spine routers, while C-F are top of rack switches. The terminology is important here, because C-F are just switches—they don’t route packets. When G sends a packet to H, the packet is switched by C to A, which then routes the packet towards F, which then switches the packet towards H. C and F do not perform an IP lookup, just a MAC address lookup. A and B are responsible for setting the correct next hop MAC address to forward packets through F to H.
What are the positive aspects of this design? Primarily that all processing is handled on the two spine routers—the top of rack switches don’t need to keep any sort of routing table, nor do any IP lookups. This means you can use very inexpensive devices for your ToR. In brownfield deployments, so long as the existing ToR devices can switch based on MAC addresses, existing hardware can be used.

This design also centralizes almost all aspects of network configuration and management on the spine routers. Continue reading

Weekend Reads 091721

Relationships also evolved during this uprooting of typical routines. Pandemic “pods” helped some Americans maintain connection, but they complicated relationships and family dynamics at the same time.

Attackers are actively exploiting a Microsoft remote code execution vulnerability using malicious Office files, the tech giant has warned.

“When you have a high percentage of all AI activity in Bay Area metros, you may be overconcentrating, losing diversity, and getting groupthink in the algorithmic economy. It locks in a winner-take-most dimension to this sector, and that’s where we hope that federal policy will begin to invest in new and different AI clusters in new and different places to provide a balance or counter.”

Email isn’t just a communication tool; it’s also an identifier and a security measure. Companies use it to create profiles of you when you start accounts with them and it often doubles as your username.

However, it looks like most phishing emails could be used to obtain user credentials according to the 2021 Annual State of Phishing Report by Cofense. After analyzing millions of emails, Cofense found that 57% are credential phishing emails.

Computer programmers are a pretty predictable bunch. Every time they approach legacy code, the gut Continue reading

Hedge 100: Supply Chain Diversity with Brooks Westbrook and Mike Bushong

Most network engineers don’t spend a lot of time thinking about their supply chain—you must call your favorite vendor, order, and a few weeks later the hardware shows up on your loading dock. It’s not so simple any more. If you disaggregate, you need to manage your software and hardware supply chains separately. You need to think about security in your supply chain—is that software package backdoored? Moving to the cloud might seem to solve these problems, but they don’t. Even virtual networks have physical limits.

Listen in as Mike Bushong, Brooks Westbrook, Eyvonne Sharp, Tom Ammon, and Russ White discuss supply chain diversity and security.

download

Russ’ Rules of Network Design

We have the twelve truths of networking, and possibly Akin’s Laws, but is there a set of rules for network design? I couldn’t find one, so I decided to create one, containing 18 laws I’ve listed below.

Russ’ Rules of Network Design

1. If you haven’t found the tradeoffs, you haven’t looked hard enough.
2. Design is an iterative process. You probably need one more iteration than you’ve done to get it right.
3. A design isn’t finished when everything needed is added, it’s finished when everything possible is taken away.
4. Good design isn’t making it work, it’s making it fail gracefully.
5. Effective, elegant, efficient. All other orders are incorrect.
6. Don’t fix blame; fix problems.
7. Local and global optimization are mutually exclusive.
8. Reducing state always reduces optimization someplace.
9. Reducing state always creates interaction surfaces; shallow and narrow interaction surfaces are better than deep and broad ones.
10. The easiest place to improve or screw up a design is at the interaction surfaces.
11. The optimum is almost always in the middle someplace; eschew extremes.
12. Sometimes its just better to start over.
13. There are a handful of right solutions; there is an infinite array of wrong ones.
14. You are not immensely smarter than anyone else in Continue reading

Troubleshooting Webinar this Friday

I’m teaching my troubleshooting webinar this Friday. I’ve revamped the slides entirely, so this will likely be a big change for anyone who’s attended previous versions of this. Three hours, 109 slides, and interaction through the chat window … all to develop some really good skills in how to troubleshoot. For those who are curious, I was taught formal troubleshooting skills in my early life in electronics, learning my lessons on ILS, RADAR, and radio systems of various kinds. This webinar is my adaptation of those skills for network engineers.

You can register here.

Weekend Reads 091021

At some point, don’t be surprised if IBM ends up acquiring Nutanix. But not now, with Nutanix having a nearly $8 billion market capitalization and possibly commanding a $10 billion acquisition cost.

Some of the most successful and lucrative online scams employ a “low-and-slow” approach — avoiding detection or interference from researchers and law enforcement agencies by stealing small bits of cash from many people over an extended period.

If you were hit by ransomware, you are part of the rapidly growing number of organizations that have had to decide how to respond — legally, quickly and often quietly.

As the pandemic unfolded in spring 2020, many Americans saw their lives swiftly reshaped by stay-at-home orders, school closures and the onset of remote work.

With increased demands placed on home internet connections and the nation’s internet infrastructure during the pandemic, the quality and affordability of home internet connections became a focus for users on several fronts.

The graphics card inside your computer is a powerful tool for gaming and creative work, but it can also potentially serve as a Trojan horse for malware.

Decentralized solutions, in our case, which come with the ambitious promise of providing everything their centralized counterpart Continue reading

Hedge 99

Two things have been top of mind for those who watch the ‘net and global Internet policy—the increasing number of widespread outages, and the logical and physical centralization of the ‘net. How do these things relate to one another? Alban Kwan joins us to discuss the relationship between centralization and widespread outages. You can read Alban’s article on the topic here.

download

Weekend Reads 090321

In our professional practice, we are often called to perform rapid, approximate calculations without a calculator. Any available scrap of paper such as an envelope will do to scribble on.

The wireless carrier initially confirmed 47.8 million former, prospective and existing customers were impacted, but found the data of an additional 5.3 million customers was compromised.

A recent measurement study suggests that BBR is already being deployed by 22% of the Alexa Top 20k websites on the Internet.

Zero trust improves the security of IT environments as demonstrated over time by reduced attacker dwell time. The challenge many people face is understanding where to begin.

In recent months, we’ve been sharing information collected by APNIC honeypots with our community at several conferences, seminars, and workshops. ‘Information’ here basically means observations from the logs/traffic, as well as artefacts collected (such as scripts and binaries).

The Internet plays a crucial role in our increasingly digital daily lives. But who shapes and governs the patchwork that enables this essential utility? And how do their actions bear on the rights and interests of users all over the world?

We are facing the same paradox with respect to privacy and influence on the Continue reading

Hedge 098: DRIP with Stuart Card

Drones are becoming—and in many cases have already become—an everyday part of our lives. Drones are used in warfare, delivery services, photography, and recreation. One of the problems facing the world of drones, however, is the strong tie-in between the controller and the drone; this proprietary link limits innovation and reduces the information available to public officials to manage traffic, and even to protect the privacy of drone operators. The DRIP working group is building protocols designed to standardize the drone-to-controller interface, advancing the state of the art in drones and opening up the field for innovation. Stuart Card joins Alvaro Retana and Russ White to discuss DRIP.

download

Marketing Wins

Off-topic post for today …

In the battle between marketing and security, marketing always wins. This topic came to mind after reading an article on using email aliases to control your email—

For example, if you sign up for a lot of email newsletters, consider doing so with an alias. That way, you can quickly filter the incoming messages sent to that alias—these are probably low-priority, so you can have your provider automatically apply specific labels, mark them as read, or delete them immediately.

One of the most basic things you can do to increase your security against phishing attacks is to have two email addresses, one you give to financial institutions and another one you give to “everyone else.” It would be nice to have a third for newsletters and marketing, but this won’t work in the real world. Why?

Because it’s very rare to find a company that will keep two email addresses on file for you, one for “business” and another for “marketing.” To give specific examples—my mortgage company sends me both marketing messages in the form of a “newsletter” as well as information about mortgage activity. They only keep one email address on file, Continue reading

Worth Listening: Heidi Roizen

Project AI+Compassion just interviewed Heidi Roizen about compassion in IT; it’s worth listening to. From the show notes—

Storytelling is a powerful way for humans to connect and for humans to move other humans to action. To understand your story and understand the stories of others, we can develop a lot more compassion for people when we understand that everybody has a story. Everybody story is important. So, don’t dismiss other people’s stories. Take the time to get to know everyone has a story.

Weekend Reads 082721

Since the start of the pandemic, Huang has delivered keynotes from his kitchen. GTC 2021 still featured a kitchen keynote, but a section featured a virtual kitchen made entirely in Omniverse. Even more impressive, the Nvidia team managed to create a CG model of Huang that delivered part of the keynote.

The U.S. is presently combating two pandemics–coronavirus and ransomware attacks. Both have partially shut down parts of the economy. However, in the case of cybersecurity, lax security measures allow hackers to have an easy way to rake in millions.

Microsoft has disclosed details of an evasive year-long social engineering campaign wherein the operators kept changing their obfuscation and encryption mechanisms every 37 days on average, including relying on Morse code, in an attempt to cover their tracks and surreptitiously harvest user credentials.

We at PowerDNS have been getting questions about ‘DNS server cache snooping remote information disclosure’ attacks lately, mostly coming from reports generated by one very popular security scanner:

Researchers have long debated whether it would be worth the effort for scammers to train machine learning algorithms that could then generate compelling phishing messages.

IBM’s Cost of a Data Breach Report 2021 analyzed 537 real breaches and Continue reading

Hedge 97: Low Context DevOps

Language is deeply contextual—one of my favorite sayings from the theological world is if you take the text out of its context, you are just left with the con. What does context have to do with development and operations, though? Can there be low and high context situations in the daily life of building and running systems? Thomas Limoncelli joins Tom Ammon and Russ White to discuss the idea of low context devops, and the larger issue of context in managing projects and teams, on this episode of the Hedge.

download