Russ

Author Archives: Russ

Network Disaggregation Live Lesson

For those of you interested in the world of network disaggregation, the LiveLesson Dinesh Dutt and I recorded back in January is up on Safari Books Online as a “rough cut.” I’m not entirely certain when the official release will be available, but the rough cut versions are usually pretty good anyway. The one humorous mistake I see on the current page is the topic is listed as “travel.” Well, I do travel a lot, but I’ve never made a video on travel.

The rough cut is here.

Throwing the baby out with the bathwater (No, you’re not Google, but why does this matter?)

It was quite difficult to prepare a tub full of bath water at many points in recent history (and it probably still is in some many parts of the world). First, there was the water itself—if you do not have plumbing, then the water must be manually transported, one bucket at a time, from a stream, well, or pump, to the tub. The result, of course, would be someone who was sweaty enough to need the forthcoming bath. Then there is the warming of the water. Shy of building a fire under the tub itself, how can you heat enough water quickly enough to make the eventual bathing experience? According to legend, this resulted in the entire household using the same tub of water to bathe. The last to bathe was always the smallest, the baby. By then, the water would be murky with dirt, which means the child could not be seen in the tub. When the tub was thrown out, then, no-one could tell if the baby was still in there.

But it doesn’t take a dirty tub of water to throw the baby out with the bath. All it really takes is an unwillingness to learn from Continue reading

Weekend Reads 050219

To say that Kubernetes provides no security features would be wrong. Kubernetes provides some functionality designed to help secure a containerized application. But it would be equally wrong to call Kubernetes a container security tool. Kubernetes’s ability to secure containers is strictly limited. —Sonya Koptyev

There is no denying the impact of the European Union General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. We were all witness — or victim — to the flurry of updated privacy policy emails and cookie consent banners that descended upon us. It was such a zeitgeist moment that “we’ve updated our privacy policy” became a punchline. —Daniel Barber

One of the fascinating parts of my job is seeing how different groups in email have radically disparate points of view. A current example is how much value senders put on spamtraps compared to ISPs and filtering companies —Laura Atkins

I loosely define capability decay as things that happen when security teams go backwards, and the specific ways — the decay modes — in which this may happen (this is my inner physicist speaking). —Hinne Hettema

On April 12 the FCC issued a new Notice for Proposed Rulemaking in Docket 19-71 Continue reading

History of MIME with Nathaniel Borenstein

On this episode of the History of Networking, Donald and I are joined by Nathaniel Borenstein, who is the primary author of the original MIME specifications.

Outro Music:
Danger Storm Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/

About that Easy Button …

We love layers and abstraction. After all, building in layers and it’s corollary, abstraction, are the foundation of large-scale system design. The only way to build large-scale systems is to divide and conquer, which means building many different component parts with clear and defined interaction surfaces (most often expressed as APIs) and combining these many different parts into a complete system. But abstraction, layering, and modularization have negative aspects as well as positive ones. For instance, according to the State/Optimization/Surface triad, any time we remove state in order to control complexity, we either add an interaction surface (which adds complexity) or we reduce optimization.

Another impact of abstraction, though, is the side effect of Conway’s Law: “organizations which design systems … are constrained to produce designs which are copies of the communication structures of these organizations.” The structure of the organization that designs a system is ultimately baked into the modularization, abstraction, and API schemes of the system itself.

To take a networking instance, many networks use one kind of module for data centers and another for campuses. The style of network built in each place, where the lines are between these different topological locations in the network, the Continue reading

Weekend Reads 042619

EVPN-VXLAN is an open industry standard developed by leading vendors to solve these problems and more. With EVPN fabrics, all major types of networking connectivity services can be virtualized using a single protocol suite. —SDX Central

The cybercriminal group behind the infamous DNSpionage malware campaign has been found running a new sophisticated operation that infects selected victims with a new variant of the DNSpionage malware. —Swati Khandelwal

The internet – created in the 80s, but the world wide web officially went live in 1991 and has since then grown into a beast with around 3.2 billion of the worlds population currently online. Internet guru and entrepreneur Jay Adelson has witnessed the explosion of interconnection labelling it as the hub and central point of the internet. —Jay Adelson

When the future is certain to be multivendor, how do we collectively go about making technology work? It’s a pretty basic question, but gets to the point on how technology is developed and propagated throughout the industry. It’s not enough to be innovative, developers must do so in a way that facilitates mass adoption by not only customers, but competitors, too. —Mike Bushong

I believe that there are two simple reasons why Continue reading

Mentorship and Early Career Development

In this episode of the Network Collective, John Fraizer, Denise Fishburn, and Trey Aspelund join the NC crew to talk about the importance of mentorship and practical advice on how to mentor and be mentored.

Outro Music:
Danger Storm Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/

Practical Simplification

Simplification is a constant theme not only here, and in my talks, but across the network engineering world right now. But what does this mean practically? Looking at a complex network, how do you begin simplifying?

The first option is to abstract, abstract again, and abstract some more. But before diving into deep abstraction, remember that abstraction is both a good and bad thing. Abstraction can reduce the amount of state in a network, and reduce the speed at which that state changes. Abstraction can cover a multitude of sins in the legacy part of the network, but abstractions also leak!!! In fact, all nontrivial abstractions leak. Following this logic through: all non-trivial abstractions leak; the more non-trivial the abstraction, the more it will leak; the more complexity an abstraction is covering, the less trivial the abstraction will be. Hence: the more complexity you are covering with an abstraction, the more it will leak.

Abstraction, then, is only one part of the solution. You must not only abstract, but you must also simplify the underlying bits of the system you are covering with the abstraction. This is a point we often miss.

Which returns us to our original question. The Continue reading

Weekend Reads 041919

A cybersecurity professional today demonstrated a long-known unpatched weakness in Microsoft’s Azure cloud service by exploiting it to take control over Windows Live Tiles, one of the key features Microsoft built into Windows 8 operating system. —Mohit Kumar

A team of security researchers on Wednesday issued a stern warning about a DNS Hijacking campaign being carried out by an advanced, state-sponsored actor believed to be targetting sensitive networks and systems. —CircleID

Security researchers say they have found a new victim of the hacking group behind the potentially destructive malware, which targets critical infrastructure, known as Triton or Trisis. —Lorenzo Franceschi-Bicchierai

By pushing client-side DNS queries into HTTPS the Internet itself has effectively lost control of the client end of DNS, and each and every application, including the vast array of malware, can use DOH and the DNS as a command and control channel in a way that is undetectable by the client or client’s network operator. —Geoff Huston

The expectations are often high, not only for the MDM solutions ability to massively reduce the administrative workload of keeping track, updating and managing the often hundreds or thousands of devices within a company but also regarding the improvements towards the level Continue reading

Why You Should Block Notifications and Close Your Browser

Every so often, while browsing the web, you run into a web page that asks if you would like to allow the site to push notifications to your browser. Apparently, according to the paper under review, about 12% of the people who receive this notification allow notifications. What, precisely, is this doing, and what are the side effects?

Papadopoulos, Panagiotis, Panagiotis Ilia, Michalis Polychronakis, Evangelos P. Markatos, Sotiris Ioannidis, and Giorgos Vasiliadis. “Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation.” In Proceedings 2019 Network and Distributed System Security Symposium. San Diego, CA: Internet Society, 2019. https://doi.org/10.14722/ndss.2019.23070.

Allowing notifications allows the server to kick off one of two different kinds of processes on the local computer, a service worker. There are, in fact, two kinds of worker apps that can run “behind” a web site in HTML5; the web worker and the service worker. The web worker is designed to calculate or locally render some object that will appear on the site, such as unencrypting a downloaded audio file for local rendition. This moves the processing load (including the power and cooling use!) from the server to the client, saving money Continue reading

Weekend Reads 041119

Since at least the middle of the last century, the question of how to get employees to improve has generated a good deal of opinion and research. —Marcus Buckingham and Ashley Goodall

Should the IETF publish standard specifications of technologies that facilitate third-party eavesdropping on communications or should it refrain from working on such technologies? —Geoff Huston

n February, the company announced its intention to move forward with the development of the Curie cable, a new undersea line stretching from California to Chile. It will be the first private intercontinental cable ever built by a major non-telecom company. Tyler Cooper—

You have your morning coffee in hand, you’ve just finished your daily scrum, and you sit down at your computer to start your day. Up pops a Slack message. You scan your emails, then bounce back to Slack. —Sarah Wall

“Open core” evolved as one of the primary ways for companies that maintain an open source project to make money. They offer a product that at the “core” is the open source project, but with features that only paying customers have access too. MongoDB and Elastic, —Eric Anderson

EU antitrust regulators should consider forcing tech giants such as Google and Continue reading

BIER Basics

Multicast is, at best, difficult to deploy in large scale networks—PIM sparse and BIDIR are both complex, adding large amounts of state to intermediate devices. In the worst case, there is no apparent way to deploy any existing version of PIM, such as large-scale spine and leaf networks (variations on the venerable Clos fabric). BEIR, described in RFC8279, aims to solve the per-device state of traditional multicast.

In this network, assume A has some packet that needs to be delivered to T, V, and X. A could generate three packets, each one addressed to one of the destinations—but replicating the packet at A is wastes network resources on the A->B link, at least. Using PIM, these three destinations could be placed in a multicast group (a multicast address can be created that describes T, V, and X as a single destination). After this, a reverse shortest path tree can be calculated from each of the destinations in the group towards the source, A, and the correct forwarding state (the outgoing interface list) be installed at each of the routers in the network (or at least along the correct paths). This, however, adds a lot of state to the network.
Continue reading

1 34 35 36 37 38 162