On the ‘net: Spectre, Meltdown, and Flexible Scaleout

The recent Meltdown and Spectre attacks illustrate the problematic nature of modern computing systems. While the earlier Rowhammer attack could read or attack one process running in a virtual environment from another process running on the same processor, the Meltdown and Spectre attacks are of a completely different class, enabling a process to read large amounts of information from another process’ memory space. @GestaltIT

Worth Reading: Three strategies for navigating moral disagreement

We in America and Western Europe, and by now many other places in the world, have this idea of people as fundamentally rational. On this account, our profound cognitive abilities are designed to help us discover objective truths about the world through logical argument and empirical observation. Contemporary research in cognitive science, psychology and related fields paints a much different picture. —Musa Al-Gharbi @Heterodox Academy

Worth Reading: How bad is IPv4 address exhaustion?

I often get asked questions along the lines of “How bad is IPv4 address exhaustion, honestly?”. I take the responsibility of answering questions like these seriously; I think it’s important that a broad cross section of people understand the issue. —Paul Wilson @APNIC

Enterprise versus Provider?

Two ideas that are widespread, and need to be addressed—

FANG (read this hyper/web/large scale network operators) have very specific needs; they run custom-built single-purpose software in a very big scale. So all the really want/need are dumb boxes and smart people. … Enterprise have another view, they want smart boxes run by dumb people.

First, there is no enterprise, there are no service providers. There are problems, and there are solutions.

When I was young (and even more foolish than I am now) I worked for a big vendor. When this big vendor split the enterprise and service provider teams, I thought this kindof made sense. After all, providers have completely different requirements, and should therefore run with completely different technologies, equipment, and software. When I thought of providers in those days, I thought of big transit network operators, like AT&T, and Verizon, and Orange, and Level3, and Worldcom, and… The world has changed since then, but our desire to split the world into two neat halves has not.

If you want to split the world into two halves, split it this way: There are companies who consider the network an asset, and companies that consider the network a Continue reading

Worth Reading: How self sufficient do you want to be?

The first car I got decades ago was a simple mechanical beast – you’d push something, and a cable would make sure something else moved somewhere. I could also fix 80% of the problems, and people who were willing to change spark plugs and similar stuff could get to 90+%. —Ivan Pepelnjak

Weekend Reads 180216: Skimmers and MITM and x509 Covert Channels, oh my…

When you realize how easy it is for thieves to compromise an ATM or credit card terminal with skimming devices, it’s difficult not to inspect or even pull on these machines when you’re forced to use them personally — half expecting something will come detached. For those unfamiliar with the stealth of these skimming devices and the thieves who install them, read on. @Krebs on Security

Here is a short blog post that explains how you can make your own Man-in-the-Middle (MitM) setup for sniffing the traffic between a SIM card and the backend server. This is NOT a new research but I hope this will help anyone who doesn’t have a telco background to get started to play with mobile data sniffing and fake base stations. This is applicable to many scenarios today as we have so many IoT devices with SIM cards in it that connects to the backend. —Priya Chalakkal @The Insinuator

He got the idea while analyzing the Vawtrak malware after discovering that it read multiple fields in the X.509 certificate provided by the server before proceeding. Jason initially thought these fields were used as a C2 channel, but then realized that Vawtrak performed a Continue reading

Windowed Dome

Worth Reading: The Future of IPv6

In reviewing the IPv6 threat concerns identified in the 13th Annual Worldwide Infrastructure Security Report (WISR), I am stricken by how today’s perceived threats are similar to what was observed and expected by early adopters 10 (or even 15) years ago. —Bill Cerveny @Arbor

Worth Reading: SDN and tech policy

Software-defined networking (SDN) describes a type of network design where a software program runs separately from the underlying hardware routers and switches can control how traffic is forwarded through the network. —Nick Feamster @Freedom to Tinker

On the ‘net: Rethinking Firewalls

In January of 1995, Network Translation’s PIX firewall received the “hot product of the year” award from Data Communications Magazine. While the PIX was originally designed to perform Network Address Translation (NAT), doing for the IP host market what the PBX market did for the telephone, the PIX itself quickly morphed into the original appliance-based firewall. In those heady days in the Cisco Technical Assistance Center (TAC), we spent hours thinking through how best to build a Demilitarized Zone (DMZ) using PIX’s and routers so the network simply could not be penetrated. We built walls around our networks to defend them against the hoards of horseback riding invaders. @ECI

Worth Reading: DNS resolution to protect networks

The vast majority of DNS Resolvers perform its one core function – taking a unique domain name and resolved queries for these names into IPv4/IPv6 addresses for the purpose of locating computer services and devices worldwide. This is why DNS is Internet critical. Every device is dependent on a DNS Resolver for normal Internet functioning – creating a critical dependency and choke point. —Barry Greene @ Senki

Worth Reading: Automation won’t cost you your job

Sure, what you’re doing now works, but there’s so much else you could be doing if the management of these tasks were optimized. That’s where network automation solutions can step in and give you more free time than you could have dreamed of. Why automation? Well, let’s get into what problems it eliminates and the benefits it brings — you can thank us later! —Kelsey Havens and Madison Emery @ Cumulus

Why You Should Have Two Careers

Worth Reading: Understanding Spoofing

IP source address spoofing is regularly leveraged in amplification and reflection attacks. Even though we have the technical means to prevent IP spoofing through strict ingress filtering, as detailed in BCP38, we still get reports of spoofing-based attacks on a daily basis. —Franziska Lichtblau @APNIC

Worth Reading: NSX-T

VMware’s network virtualization platform, called NSX, creates network services like routing, load balancing, firewalling and more. All of it is done in software that can be implemented on any underlying infrastructure as long as it does IP transfer. @The New Stack

The DNS Negative Cache

Considering the DNS query chain—

• A host queries a local recursive server to find out about banana.example
• The server queries the root server, then recursively the authoritative server, looking for this domain name
• banana.example does not exist

There are two possible responses in this chain of queries, actually. .example might not exist at all. In this case, the root server will return a server not found error. On the other hand, .example might exist, but banana.example might not exist; in this case, the authoritative server is going to return an NXDOMAIN record indicating the subdomain does not exist.

Assume another hosts, a few moments later, also queries for banana.example. Should the recursive server request the same information all over again for this second query? It will unless it caches the failure of the first query—this is the negative cache. This negative cache reduces load on the overall system, but it can also be considered a bug.

Take, for instance, the case where you set up a new server, assign it banana.example, jump to a host and try to connect to the new server before the new DNS information has been propagated through the system. On Continue reading

Worth Reading: Containers will not fix your culture problem

According to noted thought leader Jane Austen, it is a truth universally acknowledged that a techie in possession of any production code whatsoever must be in want of a container platform. Or is it? —Bridget Kromhout @ACM Queue

Worth Reading: It’s bright, shiny, and new

Vendors and operators urgently go away in huddles to define and develop the new technology. This is closely followed by extensive promotional campaigns explaining how good the new technology will be for the industry. —David Stokes @ECI

Reaction: The Pace of Innovation

Dave Ward has an excellent article over at the Cisco blog on the three year journey since he started down the path of trying to work the standards landscape (called SDOs) to improve the many ways in which these organizations are broken. Specifically, he has been trying to connect the open source and open standards communities better—a path I heartily endorse, as I have been intentionally trying to work in both communities in parallel over the last several years, and find places where I can bring them together.

While the entire blog is worth reading, there are two lines I think need some further thought. The first of this is a bit of a scold, so be prepared to have your knuckles rapped.

My real bottom line here is that innovators can’t go faster than their customers and customers can’t go faster than their own understanding of the technology and integration, deployment and operational considerations.

Precisely. Maybe this is just an old man talking, but I sometimes want to scold the networking industry on this very point. We fuss about innovation, but innovation requires customers who understand the technology—and the networking world has largely become a broad set of meta-engineers, Continue reading

Worth Reading: Bringing DNS security to the user

All of these efforts are aimed at protecting the complete path between the user and the service. This means authentication and encryption should start at the edge of the network, with the end user. As just about any interaction on the Internet starts out with a query for a domain name, it puts the DNS at the core of achieving this ultimate goal. —Benno Overeinder @APNIC