Current Work in BGP Security

I’ve been chasing BGP security since before the publication of the soBGP drafts, way back in the early 2000’s (that’s almost 20 years for those who are math challenged). The most recent news largely centers on the RPKI, which is used to ensure the AS originating an advertisements is authorized to do so (or rather “owns” the resource or prefix). If you are not “up” on what the RPKI does, or how it works, you might find this old blog post useful—its actually the tenth post in a ten post series on the topic of BGP security.

Recent news in this space largely centers around the ongoing deployment of the RPKI. According to Wired, Google and Facebook have both recently adopted MANRS, and are adopting RPKI. While it might not seem like autonomous systems along the edge adopting BGP security best practices and the RPKI system can make much of a difference, but the “heavy hitters” among the content providers can play a pivotal role here by refusing to accept routes that appear to be hijacked. This not only helps these providers and their customers directly—a point the Wired article makes—this also helps the ‘net in a larger way Continue reading

Weekend Reads 120420

CrowdSec is an open source security engine that analyzes visitor behavior and provides an adapted response to all kinds of attacks. It parses logs from any source and applies heuristic scenarios to identify aggressive behavior and protect against most attack classes.

The “network perimeter” is an increasingly meaningless term; the perimeter is everywhere and the network is constantly interacting with employees, workloads and even the networks of both suppliers and customers. Integration enables success, but it also means that prevention of information security compromise events.

As cryptographic analysis and related technologies advance, the signing algorithms at the heart of DNSSEC have to keep up. Moritz Müller and colleagues take a look at barriers on the road to more secure algorithms and discuss ways to make the journey faster.

When a website you visit asks permission to send notifications and you approve the request, the resulting messages that pop up appear outside of the browser. For example, on Microsoft Windows systems they typically show up in the bottom right corner of the screen — just above the system clock. These so-called “push notifications” rely on an Internet standard designed to work similarly across different operating systems and web browsers.

Open source Continue reading

BGP Training on Ignition

The first hour of material in my new BGP course over at Ignition dropped this week. I’m not going to talk about configuration and other operational things—this is all about understanding how BGP works, why it works that way, and thinking about design. This course will apply to cloud, Internet edge, DC fabric, and other uses of BGP. From the official site:

BGP is one of the fundamental protocols for routing traffic across the Internet. This course, taught by networking expert and network architect Russ White, is designed to take you from BGP basics to understanding BGP at scale. The 6-hour course will be divided into several modules. Each module will contain multiple video courses of approximately 15 minutes each that drill into key concepts. The first module contains four videos that describe how BGP works. They cover basics including reachability, building loop-free paths, BGP convergence, intra-AS models, and route reflectors.

Available here.

The Hedge Podcast #62: Jacob Hess and the Importance of History

At first glance, it would seem like the history of a technology would have little to do with teaching that technology. Jacob Hess of NexGenT joins us in this episode of the Hedge to help us understand why he always includes the history of a technology when teaching it—a conversation that broadened out into why learning history is important for all network engineers.

download

You can find the history of networking here.

Data Center Master Classes

I’m doing a series of three master classes through Juniper on various DC fabric topics—

Join Juniper’s Russ White, a widely published 30-year network engineering veteran, in a three-part masterclass exploring the data center. Choose from classes on data center fabric, physical topologies, or data center security.

You can register here.

From the schedule—

• Class 1: Data Center Fabric, December 2, 12 PM EST
• Class 2: Physical Topologies, January 13, 12 PM EST
• Class 3: Security in the Data Center, February 10, 12 PM EST

The EXPERIENCE HAS SHOWN THAT Keyword (RFC2915, Rule 4)

The world of information technology is filled, often to overflowing, with those who “know better.” For instance, I was recently reading an introduction to networking in a very popular orchestration system that began with the declaration that routing was hard, and therefore this system avoided routing. The document then went on to describe a system of moving packets around using multiple levels of Network Address Translation (NAT) and centrally configured policy-based routing (or filter-based forwarding) that was clearly simpler than the distributed protocols used to run large-scale networks. I thought, for a moment, of writing the author and pointing out the system in question had merely reinvented routing in a rather inefficient and probably broken way, but I relented. Why? Because I know RFC2915, rule 4, by heart:

Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network.

Ultimately, the people who built this system will likely not listen to me; rather, they are going to have to experience the pain caused by large-scale failures for themselves before they will listen. Many network Continue reading

Commodity or Not?

The commodification of networks is in full swing and everyone seems to think it is a good thing. You might hear this phrased as treating network devices like cattle, rather than pets. Or maybe you’ve heard that the network should move packets and do nothing more. Even, perhaps, that network bandwidth should be treated just like memory—you just add more when you need it.

Innovation Myths

Innovation has gained a sort-of mystical aura in our world. Move fast and break stuff. We recognize and lionize innovators in just about every way possible. The result is a general attitude of innovate or die—if you cannot innovate, then you will not progress in your career or life. Maybe it’s time to take a step back and bust some of the innovation myths created by this near idolization of innovation.

You can’t innovate where you are. Reality: innovation is not tied to a particular place and time. “But I work for an enterprise that only uses vendor gear… Maybe if I worked for a vendor, or was deeply involved in open source…” Innovation isn’t just about building new products! You can innovate by designing a simpler network that meets business needs, or by working with your vendor on testing a potential new product. Ninety percent of innovation is just paying attention to problems, along with a sense of what is “too complex,” or where things might be easier.

You don’t work in open source or open standards? That’s not your company’s problem, that’s your problem. Get involved. It’s not just about protocols, anyway. What about certifications, training, and Continue reading

Weekend Reads 112720

There are a lot of factors to consider when investing in a home automation ecosystem. In my first article in this series, I explained why I picked Home Assistant, and in this article, I’ll explain some of the foundational issues and technologies in home automation, which may influence how you approach and configure your Internet of Things (IoT) devices.

Speculation in one form of another has an ancient and honorable history. It not only creates entrepreneurial activity but fuels markets for selling wares and offering services, but also generates competition for consumers and wars over loyalty. The commercialization of the Internet in the 1990s, which extended market activity into virtual (cyber) space, has many of the virtues of the actual but also its vices: cheating and fraud, and other skullduggery.

Verizon recently conducted a trial of quantum key distribution technology, which is the first generation of quantum encryption. Quantum cryptography is being developed as the next-generation encryption technique that should protect against hacking from quantum computers.

Researchers at Carnegie Mellon University’s CyLab security and privacy institute have devised what they say is the world’s fastest open source intrusion detection and prevention system (IDS/IPS).

Case in point: a broken soap dispenser. Continue reading

The Hedge Podcast #61: Pascal Thubert and the RAW Working Group

RAW is a new working group recently chartered by the IETF to work on:

…high reliability and availability for IP connectivity over a wireless medium. RAW extends the DetNet Working Group concepts to provide for high reliability and availability for an IP network utilizing scheduled wireless segments and other media, e.g., frequency/time-sharing physical media resources with stochastic traffic: IEEE Std. 802.15.4 timeslotted channel hopping (TSCH), 3GPP 5G ultra-reliable low latency communications (URLLC), IEEE 802.11ax/be, and L-band Digital Aeronautical Communications System (LDACS), etc. Similar to DetNet, RAW will stay abstract to the radio layers underneath, addressing the Layer 3 aspects in support of applications requiring high reliability and availability.

download

The History of EARN, RARE, and European Networks (part 1)

European networks from the mid-1980’s to the late 2000’s underwent a lot of change, bolstered by the rise and fall of America Online, the laying of a lot of subsea cables, and the creation of several organizations, including EARN and RARE, to bolster the spread and use of the Internet. Daniele Bovio joins Donald Sharp and Russ White on this episode of the History of Networking to give us a good overall perspective of this history.

You can find more information about the history of EARN at https://earn-history.net.

download

The Senior Trap

How do you become a “senior engineer?” It’s a question I’m asked quite often, actually, and one that deserves a better answer than the one I usually give. Charity recently answered the question in a round-a-bout way in a post discussing the “trap of the premature senior.” She’s responding to an email from someone who is considering leaving a job where they have worked themselves into a senior role. Her advice?

Quit!

This might seem to be counter-intuitive, but it’s true. I really wanted to emphasize this one line—

There is a world of distance between being expert in this system and being an actual expert in your chosen craft. The second is seniority; the first is merely .. familiarity

Exactly! Knowing the CLI for one vendor’s gear, or even two vendor’s gear, is not nearly the same as understanding how BGP actually works. Quoting the layers in the OSI model is just not the same thing as being able to directly apply the RINA model to a real problem happening right now. You’re not going to gain the understanding of “the whole ball of wax” by staying in one place, or doing one thing, for the rest of Continue reading

Weekend Reads 112020

The Internet is the quintessential example of collaboration across stakeholders and geographic boundaries resulting in both economic gain and seismic innovations. Yet as the Internet evolves it is increasingly regulated by nation states as they claim sovereignty over one issue or another, and dominated by a few large players.

The pandemic ushered in a golden age of remote test proctoring – but students say the technology can be invasive and biased

For those that have been in the industry for more than a couple of years, you will remember when Microsoft retired the very powerful and well-documented security bulletins back in 2017. At the time, we felt that it was a severe reduction in the availability of information; Microsoft was suddenly communicating much less information.

If you’re an IT security professional, mastering mystifying terminology and arcane acronyms is a rite of passage — maybe even a badge of honor. But there’s one unusually blunt cybersecurity term anyone can understand — the “kill chain.” A successful attack (the “kill”) doesn’t just happen.

Upgrading a security protocol in an ecosystem as complex as the Internet is difficult. You need to update clients and servers and make sure everything in between continues Continue reading

The Hedge Podcast #60: Ben Andresen and Growing Teams

How can managers grow teams that add value to the company? Teams are made up of people, and people need to grow, so the key is in learning how to grow people. Join us at the Hedge as we discuss learning paths, doing what’s right for the company and the person, and growing teams by growing people.

download

Technologies that Didn’t: Asynchronous Transfer Mode

One of the common myths of the networking world is there were no “real” networks before the early days of packet-based networks. As myths go, this is not even a very good myth; the world had very large-scale voice and data networks long before distributed routing, before packet-based switching, and before any of the packet protocols such as IP. I participated in replacing a large scale voice and data network, including hundreds of inverse multiplexers that tied a personnel system together in the middle of the 1980’s. I also installed hundreds of terminal emulation cards in Zenith Z100 and Z150 systems in the same time frame to allow these computers to connect to mainframes and newer minicomputers on the campus.

All of these systems were run through circuit-switched networks, which simply means the two end points would set up a circuit over which data would travel before the data actually traveled. Packet switched networks were seen as more efficient at the time because the complexity of setting these circuits up, along with the massive waste of bandwidth because the circuits were always over provisioned and underused.

The problem, at that time, with packet-based networks was the sheer overhead of switching Continue reading

Upcoming Webinar: Network Troubleshooting

I’m teaching a webinar on troubleshooting theory on the 20th; register here. From the course description:

This training focuses on the half-split system of troubleshooting, which is widely used in the electronic and civil engineering domains. The importance of tracing the path of the signal, using models to put the system in context, and the use of a simple troubleshooting “loop” to focus on asking how, what, and why are added to the half-split method to create a complete theory of troubleshooting. Other concepts covered in this course are the difference between permanent and temporary fixes and a review of measuring reliability. The final third of the course contains several practical examples of working through problems to help in applying the theory covered in the first two sections to the real world.

Casual Dress Considered Harmful?

I remember a time long ago—but then again, everything seems like it was “long ago” to me—when I was flying out to see an operator in a financial district. Someone working with the account asked me what I normally wear… which is some sort of button down and black or grey pants in pretty much any situation. Well, I will put on a sport jacket if I’m teaching in some contexts, but still, the black/grey pants and some sort of button down are pretty much a “uniform” for me. The person working on the account asked me if I could please switch to ragged shorts, a t-shirt, and grow a pony tail because … the folks at the operator would never believe I was an engineer if I dressed to “formal.”

Now I’ve never thought of what I wear as “formal…” it’s just … what I wear. Context, however, is king.

In other situation, I saw a sales engineer go to a store and buy an entirely new outfit because he came to the company’s building wearing a suit and tie … The company in question deals in outdoor gear, and the location was in a small midwestern town, Continue reading

Weekend Reads 111320

With so many organizations’ employees working remotely due to the pandemic, what security teams can do to help secure their home routers/firewalls is getting renewed attention.

PUE, thanks to its simplicity and universal applicability, has become the critical benchmark for scoring data centers for efficiency and “greenness” (environmental responsibility). But it is often used uncritically.

Google’s Project Zero says that hackers have been actively exploiting a Windows zero-day that isn’t likely to be patched until almost two weeks from now.

Every few years; some self-proclaimed academic imparts an article on the future of work, with conflicting information from various experts leaving many uncertain about its impact on jobs, skills, and wages.

The video downloading utility youtube-dl, like other large open source projects, accepts contributions from all around the globe. It is used practically wherever there’s an Internet connection.

Called NAT Slipstreaming, the method involves sending the target a link to a malicious site (or a legitimate site loaded with malicious ads) that, when visited, ultimately triggers the gateway to open any TCP/UDP port on the victim, thereby circumventing browser-based port restrictions.

Using this technique means that the manager is not a “boss” but a partner, someone who provides guidelines, but Continue reading