Worth Reading: Microsegmentation

Network segmentation is a best-practice strategy for reducing the attack surface of data center networks. Just as the watertight compartments in a ship should contain flooding if the hull is breached, segmentation isolates servers and systems into separate zones to contain intruders or malware, limiting the potential security risks and damage. —Avishai Wool @Dark Reading

OSPF Topology Transparent Zones

Anyone who has worked with OSPF for any length of time has at least heard of areas—but perhaps before diving into Topology Transparent Zones (TTZs), a short review is in order.

In this diagram, routers A and B are in area 0, routers C and D are Area Border Routers (ABRs), and routers E, F, G, H, and K are all in area 1. The ABRs, C and D, do not advertise the existence of E, F, G, H, or K to the routers in area 0, nor the links to or between any of those routers. Any reachable destinations in area 1 are advertised using a em>summary LSA, or a type 3 LSA, towards A and B. From the perspective of A and B, 100::/64 and 101::/64 would be advertised by C and D as directly connected destinations, using the cost from C and D to each of these two destinations, based on a summary LSA.

What if you wanted to place H and K in their own area, with G as an ABR, behind the existing area 1? You cannot do this in OSPF using any form of a standard flooding domain, or area. There is no way Continue reading

Worth Reading: Blockers for IPv6 adoption

On a recent flight from the UK to the USA I sat next to the IT director for a global corporation. He asked me why I was travelling, to which I answered that I was giving the keynote presentation at an IPv6 conference held by the US Federal government. Without hesitation, his response was “IPv6 is not even on my radar”. —David Holder @APNIC

Worth Reading: Why people need to collide more

That’s why we’re observing that some of the most successful organizations today are those capable of shifting the way they think about the value of the interactions in the workplace. And to do that, they’ve radically altered their approach to management and leadership. —Jim Whitehurst

Reaction: DNS Complexity Lessons

Recently, Bert Hubert wrote of a growing problem in the networking world: the complexity of DNS. We have two systems we all use in the Internet, DNS and BGP. Both of these systems appear to be able to handle anything we can throw at them and “keep on ticking.”

But how far can we drive the complexity of these systems before they ultimately fail? Bert posted this chart to the APNIC blog to illustrate the problem—

I am old enough to remember when the entire Cisco IOS Software (classic) code base was under 150,000 lines; today, I suspect most BGP and DNS implementations are well over this size. Consider this for a moment—a single protocol implementation that is larger than an entire Network Operating System ten to fifteen years back.

What really grabbed my attention, though, was one of the reasons Bert believes we have these complexity problems—

DNS developers frequently see immense complexity not as a problem but as a welcome challenge to be overcome. We say ‘yes’ to things we should say ‘no’ to. Less gifted developer communities would have to say no automatically since they simply would not be able to implement all that new stuff. Continue reading

Worth Reading: The Easy Button

Automation has become this “all-encompassing thingy” much like SDN. It’s a software industry problem and it’s critical more now than ever that we do not slip backwards by trying to drag a broken idea forwards. —David Gee

Weekend Reading 041318: GDPR, and the ever deepening pile of security vulnerabilities

I think we are all hoping that when ICANN meets with the DPAs (Digital Protection Authorities) a clear path forward will be illuminated. We are all hoping that the DPAs will provide definitive guidance regarding ICANN’s interim model and that some special allowance will be made so that registrars and registries are provided with additional time to implement a GDPR-compliant WHOIS solution. —Matt Serlin @CircleID

Security researchers at Embedi have disclosed a critical vulnerability in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to execute arbitrary code, take full control over the vulnerable network equipment and intercept traffic. —Swati Khandelwal @The Hacker News

With the growing presence and sophistication of online threats like viruses, ransomware, and phishing scams, it’s increasingly important to have the right protection and tools to help protect your devices, personal information, and files from being compromised. Microsoft already provides robust security for Office services, including link checking and attachment scanning for known viruses and phishing threats, encryption in transit and at rest, as well as powerful antivirus protection with Windows Defender. Today, we’re announcing new advanced protection capabilities coming to Office 365 Home and Office 365 Personal subscribers to Continue reading

Sunlit Doorway

Worth Reading: Cisco switch exploits

Cisco is urging organizations to immediately address a critical flaw in its network switches running IOS and IOS XE software amid reports of widespread attacks against the devices in several countries. —Jai Vijayan @Dark Reading

On the ‘web: The Best Decicions

A long time ago, when I worked for a major vendor’s escalation team, I was called into a customer to help them move from one routing protocol to another. We spent some time looking over their network, discussing how best to approach the problems they would probably encounter, how long it would take to make the change, and many other issues involved. Finally, over lunch, I asked why they were planning on changing routing protocols. @ECI

Worth Reading: Little’s Law for estimation only

Most are quite familiar with the concepts of queuing theory, at least intuitively, so this is one of the more tangible topics in mathematics. —Rachel Traylor @The Math Citadel

Worth Reading: Measuring ATR

One of the more pressing and persistent problems today is the treatment of fragmented packets. We are seeing a very large number of end-to-end paths that no longer support the transmission of fragmented IP datagrams. —Geoff Huston and Joao Damas @potaroo

History of Networking: Dino Farinacci joins us to discuss LISP

Worth Reading: Most Important Skills

It’s easy to get blinded these days by all the talk about cloud, SDN and automation leading both new and existing people in networking to make decisions in their career which may not be the best ones long term. —Daniel Dibb

Worth Reading: Stuffing the Camel into the Bikeshed

Standards bodies exist to create new standards. Leaving things well alone is not part of the proposition here, and the temptation to tweak, poke, prod and massage existing standards is sometimes irresistible. —Geoff Huston @Potaroo

On the ‘web: How to Bridge the Network Skills Gap

The landscape is littered with training for all these new skills, but there is little time, or guidance, through the process of retraining into these new skills. The process of retraining, far too often, feels like leaving all your old skills behind and learning completely new ones. The seeming wide array of paths the average engineer faces, combined with the uncertainty of which of these paths forward represent the real future, can seem overwhelming. @TechTarget

Worth Reading: Has monolithic gotten a bad rap?

We tend to depict the microservice and the monolith as two polar opposite styles of software architecture — the natively decomposed versus the self-contained, the fluid versus the solid, the mercurial versus the integral. —Scott M. Fulton III @The New Stack

Worth Reading: Five things to know about microservices

New architectures typically require new architectural knowledge and new ideas about how to deploy systems. The microservices pattern affects the architectures of both software and the organizations that use it. —Jonathan Owens @The New Stack

The EIGRP SIA Incident: Positive Feedback Failure in the Wild

Reading a paper to build a research post from (yes, I’ll write about the paper in question in a later post!) jogged my memory about an old case that perfectly illustrated the concept of a positive feedback loop leading to a failure. We describe positive feedback loops in Computer Networking Problems and Solutions, and in Navigating Network Complexity, but clear cut examples are hard to find in the wild. Feedback loops almost always contribute to, rather than independently cause, failures.

Many years ago, in a network far away, I was called into a case because EIGRP was failing to converge. The immediate cause was neighbor flaps, in turn caused by Stuck-In-Active (SIA) events. To resolve the situation, someone in the past had set the SIA timers really high, as in around 30 minutes or so. This is a really bad idea. The SIA timer, in EIGRP, is essentially the amount of time you are willing to allow your network to go unconverged in some specific corner cases before the protocol “does something about it.” An SIA event always represents a situation where “someone didn’t answer my query, which means I cannot stay within the state machine, so I Continue reading

Worth Reading: The role of cellular in the ‘net

The tremendous growth of the mobile Internet, with over 11 billion devices connected by 2020, and its economic implications, have motivated several reports. And yet, we still lack an understanding of the impact of cellular networks around the world. —Fabián Bustamante @APNIC