On the ‘web: Failure Isn’t an Option

As I have been told many times, these sorts of Chaos Monkey things simply cannot be applied to the average “enterprise grade” network. For instance, “if you think the hospital administration is going to allow me to break things randomly to see how these systems work, you are crazy—people’s lives depend on this stuff!” Or, “this is all fine when you are dealing with maybe losing your photographs of that last hamburger you ate; you’d think twice if you were losing your checking account.” —ECI

The post On the ‘web: Failure Isn’t an Option appeared first on rule 11 reader.

Worth Reading: TLS and Data Center Monitoring

Over the course of four years, Transport Layer Security (TLS) 1.3 has been designed to be more secure in order to prevent the interception of sessions over the Internet. It has a more secure key exchange, based on the Elliptic Curve Diffie-Hellman algorithm, formally deprecating the use of RSA static keys to ensure forward secrecy (FS). The end user and privacy were top-of-mind with this and other TLS working group consensus decisions when the zero round trip time (0-RTT) option is not in use. —Kathleen Moriarty @APNIC

The post Worth Reading: TLS and Data Center Monitoring appeared first on rule 11 reader.

BGPsec and Reality

From time to time, someone publishes a new blog post lauding the wonderfulness of BGPsec, such as this one over at the Internet Society. In return, I sometimes feel like I am a broken record discussing the problems with the basic idea of BGPsec—while it can solve some problems, it creates a lot of new ones. Overall, BGPsec, as defined by the IETF Secure Interdomain (SIDR) working group is a “bad idea,” a classic study in the power of unintended consequences, and the fond hope that more processing power can solve everything. To begin, a quick review of the operation of BGPsec might be in order. Essentially, each AS in the AS Path signs the “BGP update” as it passes through the internetwork, as shown below.

In this diagram, assume AS65000 is originating some route at A, and advertising it to AS65001 and AS65002 at B and C. At B, the route is advertised with a cryptographic signature “covering” the first two hops in the AS Path, AS65000 and AS65001. At C, the route is advertised with a cryptogrphic signature “covering” the first two hops in the AS Path, AS65000 and AS65002. When F advertises this route to H, at Continue reading

Worth Reading: The Economics of DDoS

These days, there are typically three parties to a distributed denial of service attack. You probably know about two of them: the perpetrator and the target. Less well known is the vast and growing number of third-party providers of DDoS attacks as a service. Brazenly advertising their wares online, these providers will perform an attack on the customer’s behalf and provide detailed reports of their accomplishments. Their fees are shrinking due to rapidly expanding competition and the abundant supply of readily available attack resources, such as botnets. As a result, the DDoS attack business is very much a buyer’s market. —Kevin Whalen @Arbor

The post Worth Reading: The Economics of DDoS appeared first on rule 11 reader.

Wooden Bridge

The post Wooden Bridge appeared first on rule 11 reader.

Worth Reading: Stealing Passwords by Asking

Do you want the user’s Apple ID password, to get access to their Apple account, or to try the same email/password combination on different web services? Just ask your users politely, they’ll probably just hand over their credentials, as they’re trained to do so. —Felix Krause

The post Worth Reading: Stealing Passwords by Asking appeared first on rule 11 reader.

If you haven’t found the tradeoff…

This week, I ran into an interesting article over at Free Code Camp about design tradeoffs. I’ll wait for a moment if you want to go read the entire article to get the context of the piece… But this is the quote I’m most interested in:

Just like how every action has an equal and opposite reaction, each “positive” design decision necessarily creates a “negative” compromise. Insofar as designs necessarily create compromises, those compromises are very much intentional. (And in the same vein, unintentional compromises are a sign of bad design.)

In other words, design is about making tradeoffs. If you think you’ve found a design with no tradeoffs, well… Guess what? You’ve not looked hard enough. This is something I say often enough, of course, so what’s the point? The point is this: We still don’t really think about this in network design. This shows up in many different places; it’s worth taking a look at just a few.

Hardware is probably the place where network engineers are most conscious of design tradeoffs. Even so, we still tend to think sticking a chassis in a rack is a “future and requirements proof solution” to all our network design Continue reading

Worth Reading: Stop Blaming Open Source

Despite the known threats, many organisations continue to point fingers at open source platforms for poor security practices. But do you really think these platforms are the ones that need to be blamed? Coming back to the Equifax example, soon after this, the company began to examine how the breach occurred, many unsubstantiated reports and theories surfaced in an attempt to pinpoint the vulnerability. One such theory included was the software (an open source framework) to be responsible for the breach. This gave rise to some of the most unwarranted open source shaming. —Nishtha Singh @ opensourceforu

The post Worth Reading: Stop Blaming Open Source appeared first on rule 11 reader.

Worth Reading: Responsible Encryption Fallacies

Moreover, instead being a solution to cyber threats, law enforcement has become a threat itself. The DNC didn’t have the FBI investigate the attacks from Russia likely because they didn’t want the FBI reading all their files, finding wrongdoing by the DNC. It’s not that they did anything actually wrong, but it’s more like that famous quote from Richelieu “Give me six words written by the most honest of men and I’ll find something to hang him by”. Give all your internal emails over to the FBI and I’m certain they’ll find something to hang you by, if they want. —Robert Graham @ Errata Security

The post Worth Reading: Responsible Encryption Fallacies appeared first on rule 11 reader.

Worth Reading: 10 Layers of Container Security

Containers provide an easy way to package applications and deliver them seamlessly from development to test to production. This helps ensure consistency across a variety of environments, including physical servers, virtual machines (VMs), or private or public clouds. These benefits are leading organizations to rapidly adopt containers in order to easily develop and manage the applications that add business value. —Daniel Oh @ Opensource

The post Worth Reading: 10 Layers of Container Security appeared first on rule 11 reader.

IS-IS Multi Instance: RFC8202

Multi-Instance IS-IS
One of the nice things about IS-IS is the ability to run IPv6 and IPv4 in the same protocol, over a single instance. So long as the two topologies are congruent, deploying v6 as dual stack is very simply. But what if your topologies are not congruent? The figure below illustrates the difference.

In this network, there are two topologies, and each topology has two different set of level 1/level 2 flooding domain boundaries. If topology 1 is running IPv4, and topology 2 is running IPv4, it is difficult to describe such a pair of topologies with “standard” IS-IS. The actual flooding process assumes the flooding domain boundaries are on the same intermediate systems, or that the two topologies are congruent.

One way to solve this problem today is to use IS-IS multi-topology, which allows the IPv6 and IPv4 routing information to be carried in separate TLVs so two different Link State Databases (LSDBs), so each IS can compute a different Shortest Path Tree (SPT), one for IPv4, and another for IPv6. Some engineers might find the concept of multi-topology confusing, and it seems like it might be overkill for other use cases. For instance, perhaps you do Continue reading

Worth Reading: The Largest Hole in Cloud Security

Configuration errors made while using cloud-storage services are common, security experts say, and often occur when users set access permissions so someone outside of the company—say, a vendor—can see data. “More data has been lost due to poor configuration than anything else on the cloud,” says Vincent Liu a partner at Bishop Fox, a computer-security consulting firm. —Robert McMillan @ Market Watch

The post Worth Reading: The Largest Hole in Cloud Security appeared first on rule 11 reader.

Rush Reflection

The post Rush Reflection appeared first on rule 11 reader.

Worth Reading: The Ascendancy of Ethernet Storage Fabrics

It is hard to remember that for decades, whether a system was large or small, its storage was intricately and inescapably linked to its compute. Network attached storage, as pioneered by NetApp, helped break those links between compute and storage in the enterprise at the file level. But it was the advent of storage area networks that allowed for storage to still be reasonably tightly coupled to servers and work at the lower block level, below file systems, while at the same time allowing that storage to scale independently from the number of disks you might jam into a single box. —Timothy Prickett Morgan @ The Next Platform

The post Worth Reading: The Ascendancy of Ethernet Storage Fabrics appeared first on rule 11 reader.

History of Networking: Radia Perlman and Spanning Tree

On this episode of the History of Networking over at the Network Collective, we interviewed Radia Perlman about the origin of Spanning Tree. She is really delightful, and we plan on bringing her back on in the future to talk about other topics in the history of networking technology.

The post History of Networking: Radia Perlman and Spanning Tree appeared first on rule 11 reader.

Forthcoming: Computer Networking Problems and Solutions

The new book should be out around the 29th of December, give or take a few days. For readers interested in what Ethan and I (and Ryan, and Pete Welcher, and Jordan Martin, and Nick Russo, and… the entire list is in the front matter), the general idea is essentially grounded in RFC1925, rule 11. There is really only a moderately sized set of problems computer system needs to solve in order to carry data from one application to another. For instance, in order to transport data across a network, you need to somehow format the data so everyone can agree on how to write and read it, ensure the data is carried without errors, ensure neither the sender nor the receiver overrun or underrun one another, and find some way to allow multiple applications (hosts, etc.), to talk over the same media. These four problems have somewhat proper names, of course: marshaling, which involves dictionaries and grammars; error control; flow control; and multiplexing. So the first step in understanding network engineering is to figure out what the problems are, and how to break them apart.

Once you understand the problems, then you can start thinking about solutions. As Continue reading

Worth Reading: GDPR and Personal Data

With the General Data Protection Regulation (GDPR) becoming effective May 25, 2018, organizations (or rather, organisations) seem to be stressing a bit. Most we speak with are asking, “where do we even start?” or “what is included as personal data under the GDPR?” It is safe to say that these are exactly the questions organizations should be asking, but to know where to start, organizations first need to understand how the GDPR applies to their organization within this new definition for personal data. Without first understanding what to look for, an organization cannot begin to perform data discovery and data mapping exercises, review data management practices and prepare the organization for compliance with the GDPR. —Chris Lippert @ Cloud Security Alliance

The post Worth Reading: GDPR and Personal Data appeared first on rule 11 reader.

Worth Reading: The Importance of Setting Goals

As Tom Garriga, president of Tang Wei Martial Arts Institute, tells us, “A goal is an enemy to be conquered with a battle strategy and the commitment of a warrior. The leadership process is founded on resolve and commitment.” With this in mind, there are several components to the proper setting of goals that every leader should embody. —Chris Brady

The post Worth Reading: The Importance of Setting Goals appeared first on rule 11 reader.

Worth Reading: The Madness of Speed Tests

We know how to X-ray a network, and the results are rather revealing. If you use the right metrics, you can also model the performance limits of any application from the measurements you take. Even a speed test! So you don’t need to snap the wings off your broadband service every time you use it after all. —Martin Geddes @ CircleID

The post Worth Reading: The Madness of Speed Tests appeared first on rule 11 reader.

Adminstravia 20171009

Where’s Russ?

This is my second week of PhD seminars this fall—the only time in this program I intend to take two seminars back to back. One of the two was, in fact, very deep philosophy, so I was pretty taxed trying to pull the material together.

At the same time, the book has passed through technical review, and is now in author review. I hope it soon be in proofs. The combination of these two things, the book and the PhD work, along with multiple other things, is what caused me to call a pause in blogging for these two weeks. The date to watch is the 29th of December. It might be released earlier, but it is hard to tell right now. I will do a post a little later this week describing the book for those who are interested.

Tonight (Monday) I will be recording a new Network Collective show on the Intermediate System to Intermediate System (IS-IS) protocol, and we have a long list of History of Networking guests to bring on. The history material has turned out to be absolutely fascinating; I am thankful we have the connections available, and the recording venue, and someone Continue reading