What is SD WAN?

Software Defined Wide Area Networking (SD WAN) –sometimes known as SD-WAN and occasionally as Hybrid WAN– is evidently still the flavor of the month in Silicon Valley. Much as it seemed that anything with the word “Cloud” in it a few years back would have money thrown at it indiscriminately by investors, the current favored (funded) feature surely has to be SD WAN. As there doesn’t seem to be one unifying definition of what constitutes “SD WAN” any more than there’s a precise definition of Software Defined Networking, I’m going to define it in the way that I believe best encompasses the intent behind the current flock of solutions.

SDN is a Solution Looking for a Problem

I’ve said before that SDN is a clever idea and eventually will change the way we do networking. However, many are hesitant to adopt SDN because it’s not always immediately obvious what the benefits are to the typical non-hyperscale datacenter other than having to do a lot of retraining. In other words SDN can potentially solve many problems, but it will most likely be necessary to find a ‘killer app’ that will encourage wider adoption, even in it’s only applicable to a limited Continue reading

Operational Annoyances: SSL Certificates and Keys

You’re asked to update the SSL certificate for movingpackets.net on a load balancer. The requestor (me, in this case) gives you the certificate file. I don’t need to give you the intermediate certificate bundle because you’re going to use the checkcert tool to sort that out. I also tell you to use the same private key as for the last certificate. How do you know that the old private key works with the new public certificate?

Checking SSL Certificates and Keys

My good friend OpenSSL can help us match a certificate and key. The basic premise is that the modulus of both the key and the cert file should be the same. The openssl commands to do this are:

# openssl x509 -noout -modulus -in microsoft.com.crt
Modulus=B788D872FFB6C827EF5656A0535CC1E36343D6A29F1824564238793737BB2C17EAB7FF6A2032AB95174FDA4A24AFF438DFB23B85746E7B37D657F5EB3E3580291218CA66AC8CF872C2A62FD1A7F1DB85C554E4DE803E3F9397D251C8A283FA0EF4314210BFF88AE0AF656C5953A71A8D6A4C2A4476B6AD1EADE1920D1CEEEB8E0C16583698CC735861FA98D63DA3EB5632968751D099AAB7D22321920AE962B065100FFEA7BC5EF7E3DC1398935F3C6F8C43DC689BC290DAACEEDD487ECD81795BC7CA702B20369029CE6F7527D0E16CD9CC603671B05940433D49590EB15C6768DF0A326AEE7AE77084BCCC4707D1AE2694E6E0477C038598F5552B46D04C95

# openssl rsa -noout -modulus -in microsoft.com.key
Modulus=B788D872FFB6C827EF5656A0535CC1E36343D6A29F1824564238793737BB2C17EAB7FF6A2032AB95174FDA4A24AFF438DFB23B85746E7B37D657F5EB3E3580291218CA66AC8CF872C2A62FD1A7F1DB85C554E4DE803E3F9397D251C8A283FA0EF4314210BFF88AE0AF656C5953A71A8D6A4C2A4476B6AD1EADE1920D1CEEEB8E0C16583698CC735861FA98D63DA3EB5632968751D099AAB7D22321920AE962B065100FFEA7BC5EF7E3DC1398935F3C6F8C43DC689BC290DAACEEDD487ECD81795BC7CA702B20369029CE6F7527D0E16CD9CC603671B05940433D49590EB15C6768DF0A326AEE7AE77084BCCC4707D1AE2694E6E0477C038598F5552B46D04C95

Are they the same? Did you check every byte? The lazy way to do this, then, is to take an md5 hash of the output and compare those instead; it’s little easier and while there’s a remote chance that two non-equal moduli could have the same md5 hash, it’s pretty unlikely. And so:

# openssl x509 -noout -modulus -in microsoft. Continue reading

Operational Annoyances: SSL Intermediate Certificates

You’re asked to update the SSL certificate for movingpackets.net on a load balancer. The requestor (me, I suppose) gives you the certificate, the private key and passphrase, and the intermediate bundle file provided by the certificate authority.

movingpackets.net.crt
movingpackets.net.key
movingpackets.net-intermediate-chain.crt

You faithfully go to the load balancer, upload the files, enter the passphrase, and create a client SSL profile referencing the cert/key/chain combination I provided, and all is well. The only thing is, you have 200 VIPs on the load balancer, mostly issued by the same certification authority (CA), so don’t they nominally share the same intermediate chain? (Hint: Almost certainly, yes)

Operational Annoyance

Here is the operational annoyance. The fact that the same intermediate certificate/chain has been uploaded 200 times with different names doesn’t stop things working, but it does seem rather inefficient. As far as I can determine, the F5 LTM load balancers (for example) actually concatenate all the uploaded certificates into a single bundle file and search the bundle when a certificate is referenced. I have no idea if there’s a huge performance gain here (unlikely), but it seems logical to want to minimize that file size regardless. On other Continue reading

Multi-datacenter Firewall Automation – Part 2

In my last post, I described the logical model I decided to use in order that I might be able to compute the path between endpoints using the Dijkstra shortest path algorithm. I’ve already discovered the handy Perl module module Paths::Graph that implements Dijkstra for me, so now all I need to do is to turn the network model into a data format that Paths::Graph will accept.

The Model

As a reminder, this is the model I’m using for my two-datacenter network:

To model this network, I need to allocate a cost to every network link. It turns out that Paths::Graph wants me to create separate links in each direction; this is a huge pain, and makes an already risk-laden process doubly painful. After initially creating the data model directly in the code, I realized that it would be much simpler (hah!) to model the network using YAML, and to remove the requirement to include both directions of any link. In my new YAML mode, a link from A->B automatically implies a link from B->A with the same cost; this halves the number of link descriptions required, which I’ll take as a win. The format is dead simple:

 Continue reading

The IOS XR CLI

If you liked this post, please do click through to the source at The IOS XR CLI and give me a share/like. Thank you!

NetBeez – Private Distributed Monitoring

I have a T-shirt from the nice folks at NetBeez, and on the back it says “Ask me about my Beez!” Naturally people can’t resist asking and I’ll happily explain, but on the off chance that you’re not lucky enough to be standing behind me I’m going to share my thoughts on NetBeez and the product sample they were kind enough to let me play with.

NetBeez at NFD9

I met NetBeez at Networking Field Day 9 where they presented their distributed monitoring solution. I’m not going to repeat what they said for the most part, so if you have time, it’s worth watching their full presentations from the NetBeez page at Tech Field Day.

The high level overview of the NetBeez solution is that they offer small, cheap, plug-and-play network agents that you can put on your network, from where they will perform connectivity and performance tests and report back to a central dashboard which can generate reports, statistics and alerts. The agents are designed to be cheap enough that you could put one on every remote site and monitor, say, access to a critical corporate server and find out quickly which remote sites are seeing Continue reading

Nuage Announces Underlay/Overlay Event Management Platform

During the ONUG event I met with Dimitri Stiliadis, the Co-Founder & Chief Technology Officer of Nuage Networks, who was excited to tell us about the latest product release, the Virtualized Services Assurance Platform (VSAP).

Virtualized Services Assurance Platform

The history of Nuage products has been fairly straightforward; they began with a virtualized networking solution targeted at data centers. More recently, Nuage Networks announced an expansion of that product into the branch office space. What was missing though, was a good way to monitor and manage the complex environment that was built, from underlay to overlay, from the WAN all the way to from virtual switch. When failures occur, they can be difficult to track down or, worse, you are flooded with alerts and left to figure out which ones are actually important, and which ones are the true root cause. To that end, Nuage Networks’ VSAP aims to provide visibility of the network and event correlation so that you can see what might be affected by a given network event.

VSAP is composed of two main components:

Route Monitor

The Nuage Route Monitor uses route protocols to peer with the production network in the data center, backbone, and anywhere else Continue reading

Liveblog from ONUG Day 2

Yesterday’s Liveblog was a success, so let’s try again. Today I’ll be covering the ONUG Town Hall meeting on the topic “Will the DevOps Model Deliver in the Enterprise?”, featuring such luminaries as:

• Najam Ahmad (Facebook)
• Mike Dvorkin (Cisco)
• Tim Gerla (Ansible)
• Dimitri Stiliadis (Nuage Networks)
• Marc Woolward (vArmor)

This has the potential to be a great discussion; based on lunch with Dvorkin I can confirm that he is in great form. Please join me by following along below!

If you liked this post, please do click through to the source at Liveblog from ONUG Day 2 and give me a share/like. Thank you!

Liveblog from ONUG!

We’re going to try out a new thing today – liveblogging from the ONUG Spring 2015 presentations here in NYC. If it doesn’t work, I apologize – but it’ll be fun trying!

If you liked this post, please do click through to the source at Liveblog from ONUG! and give me a share/like. Thank you!

Curious About ONUG? Wonder What It Is?

In case you’re interested in ONUG or wondering what the heck ONUG stands for, I write a short post called What Is An “ONUG” over at GestaltIT. I’m not going to duplicate it here, so please do the clicky over to GestaltIT and have a read. Bonus: there’s a registration discount code over there as well! Hope you enjoy it; ONUG looks like it’ll be very interesting.

Disclosure

My post at GestaltIT is a sponsored post as part of the ONUG Spring 2015 Tech Talk Series, part of the larger Tech Talks series.

If you liked this post, please do click through to the source at Curious About ONUG? Wonder What It Is? and give me a share/like. Thank you!

Cisco Introduces Two New Cisco CCIE Logos

Thanks to my contacts in Cisco PR I’m really excited to be able to share the news that Cisco is introducing two new CCIE Logos for 2015, under the title of “CCIE ABL”. If you’re wondering what “ABL” is, it’s not another specialization track, but rather it signifies progress towards the ultimate goal of a CCIE number.

Phillip A. Prull is the Senior VP with the responsibility to oversee the valuable CCIE® brand for Cisco, and he explained to me why Cisco felt that they needed an additional logo:

“One of the things we recognized was that many engineers were working for many months – even years – towards passing our rigorous CCIE® lab exam, but until they finally achieved that success, many of them told us that they felt unable to demonstrate to potential employers that they had made progress towards that goal. In response, we have created a new logo – the Cisco CCIE® ABL™.

Beginning in April 2015, any candidate who has passed a CCIE qualification exam (aka the “written”) will be able to download the new CCIE® ABL™ logo from our Certification Tracking System, and use it on their resumés and business cards, subject to Continue reading

Telling OpenSSL About Your Root Certificates

OpenSSL doesn’t come with its own trusted root certificates; you have to tell it where to find them. This should be straightforward – and it is – but Apple have found a way to make it trickier.

Normal *nix Systems

On a normal unix system, openssl is pretty good at locating the root certificates, but it still doesn’t automatically reference them. For example running Ubuntu:

john@ubuntu:~$ openssl s_client -connect www.microsoft.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network,
  OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN =
  VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
[...removed for brevity...]
    PSK identity hint: None
    SRP username: None
    Start Time: 1425842365
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Openssl is unable to validate the Verisign certificate. So where are the trusted root certificates stored? Actually, Openssl will tell us:

john@ubuntu:~$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

Add that into the command as the -CApath parameter, and:

john@ubuntu:~$ openssl s_client -CApath /usr/lib/ssl -connect 
  www.microsoft.com:443
CONNECTED(00000003)
depth=3 C = US, O =  Continue reading

Office Word 2011 – An Annoying Little Bug

Today I take a gentle swoop away from networking into the world of documentation. Specifically, I’m looking at a bug in Microsoft Office Word for Mac that drives me bonkers.

Custom Properties

The management of custom properties in Microsoft Word has never been the most elegant part of Word’s interface. The mechanism by which the property values are managed has always been a bit clunky and unfriendly, but at least in the Windows version of Word, it at least functioned as stated.

In Office for Mac however, there’s a bug when you select a property to edit. Since it’s easier to show than tell, here’s a quick video demonstrating the issue.

Now isn’t that a silly bit of coding? Yes, I thought so too! Microsoft just announced availability of the Office 2016 Mac Preview, but sadly Document Properties is not yet available:

If you find out before I do, please let me know!

If you liked this post, please do click through to the source at Office Word 2011 – An Annoying Little Bug and give me a share/like. Thank you!

This man pressed Print. What happened next left me speechless.

Although I attended HP Discover in Barcelona as a guest of the folks at HP Networking (via their Independent Bloggers program), I didn’t restrict myself to looking at etherstuff; HP makes way too broad a portfolio of products to get away with that. I ended up looking at printers, and I found something that pretty much blew me away.

Before I forget, please accept my apologies for the clickbait headline. I’ve always wanted to do one of those; but unlike so many others I’ve seen, I hope that this article won’t disappoint. You’ll see “the man” in the headline in a video later.

A Sign of the Times

It was hard to miss at HP Discover that HP believes in eating their own dog food. The signage at the event – many large, inspiring, multicultural images reminding us that HP’s mission is to provide “solutions for the New Style of IT” – was all printed on HP printers. The signs looked pretty amazing, I have to say:

Not only were they printed using HP products, but the poster tells you which printer was used, you know, in case you wanted to buy one for your spare bedroom or something:

Given the price Continue reading

Why Do TFD Delegates Hate Gartner?

A thought, since I’ve just returned form Networking Field Day 9: I’ve heard it said that delegates to Tech Field Day events hate Gartner; that this is stupid, or that it’s some other form of snobbery. It’s certainly true that on the whole, TFD delegates do not like to see Gartner slides in presentations.

That Gartner Slide

So why do Tech Field Day delegates hate Gartner?

We don’t.

We do.

We don’t, but we do. It’s complicated.

Hey, it’s complicated, alright?

Bonus points for obvious movie reference identification. So look, here’s the thing. You folks reading this blog are likely pretty intelligent. The fact that you read tech blogs means you are looking to get information that will help you make a decision or solve a problem.

In my opinion, the problem with a company at Tech Field Day putting up a Gartner slide and maybe boasting that “we’re in the top right quadrant” is that it’s not what we think we’re there to hear. We’re sitting in front of the actual people who make the product, and instead of convincing us of their product’s merits by telling and showing us how amazing it is, they’re saying “Here’s what Continue reading

Netscreen Packet Capture – Snoop

I’ve worked with Netscreens for a few years now, starting with ScreenOS version 5.x, and when troubleshooting I had always been pointed towards debug flow as the way to see what was going on. I suspect many of you have also been taught:

• clear db
• debug flow basic
• (wait for packets you wanted to capture)
• undebug all
• get db stream (to view output)

This is definitely helpful for rule debugging but for simple packet capture is a bit over the top, which is where the snoop command comes in.

Snoop

To be clear, snoop won’t tell you anything about what decisions the firewall made about the packets, but it’s a simple way to see the actual traffic. Here’s an example of the output produced by snoop:

19944926.0: ethernet2/1(o) len=206:0010dbff2070->00005e000101/8100/0800, tag 1872
              1.4.63.82 -> 1.15.18.27/17
              vhl=45, tos=00, id=13096, frag=0000, ttl=64 tlen=188
              udp:ports 500->500, len=168
              00 00 5e 00 00 01 00 10 db a1 27 a1 81 00 07 50     ..^........p....
              08 00 45 00 00 bc 33 28 00 00 40 11 b6 18 01 04     ..E...3([email protected]
              3f 52 01 0e 12 1b 01 f4 01 f4 00  Continue reading

OpenGear at Interop – Introducing the CM7100

During my all too brief visit to Interop in New York last year, I did a quick tour of the expo hall to see if there were any interesting products around. I followed Greg Ferro’s suggestion which, to paraphrase, is to seek out the booths around the edge of the show in preference to the huge booths in the middle of the floor, because the small booths around the outside are more likely to be the startups with interesting products.

Towards the end of my “small booth” tour, I bumped into some familiar faces at the Opengear booth. I first heard of OpenGear at Networking Field Day 4 where they impressed me with the flexibility of their console server products, though to call the products “console servers” rather understates some of the product capabilities which can include RPS control, TTL I/O, GPS and 3G cellular capabilities. If you haven’t seen these products before I would encourage you to look at some of my other posts about OpenGear.

OpenGear CM7100

New for OpenGear at Interop was their CM7100 Console Server.

There’s not a lot going on on the front panel of the device, but as you’d probably expect, the back panel Continue reading

That HP SDN App Store

December 2014 found me in Barcelona as a guest of HP at the “HP Discover” event. Nominally I went to see what was up in the world of networking, but as you can imagine with the breadth of products that HP produces, I found myself looking at all sorts of things. I’ll cover a few fun things in other posts, but I’ll start with a bit of networking because, well, this is MovingPackets after all.

HP SDN App Store

I mentioned the HP SDN App Store in a previous post about HP Openflow. One of the fears I raised was how an App Store would work in terms of support. Talking to a contact at HP made things a little clearer, and there’s actually quite a nice – and perhaps obvious – support plan for the Apps you can download. Effectively, there are three tiers of supported applications as I understand it, and a glance at the App Store shows that these are now called “Apps Circles”:

1. App Circle 1: Apps that HP develops. These have full support direct from HP, as they are HP products, effectively.
2. App Circle 2: Apps that are developed by HP AllianceOne partners Continue reading

Welcome to MovingPackets.NET!

Welcome to my new home! If you’ve come over here because you used to read my drivel on LameJournal, then thank you! If you’re a new visitor, you are very welcome and I hope you choose to subscribe by RSS or Email so you can get notified of new posts.

MovingPackets.net is the new name for LameJournal. All the networking and computer-related content from LameJournal has been duplicated here at MovingPackets, but the photography content is gone and I’ll attempt to stay focused on things related to moving packets around as I post here going forward.

I have a new site theme, and with the new name as well, things are still likely to change a bit here visually (I have no logo yet for example). Still, there’s no time like the present so I decided to launch the site and I’ll tweak things as we go along with the aim of making the content more easily accessible. I hope you like my new home; it’s going to take a while before it feels comfortable!

Thanks for stopping in at MovingPackets.

John.

If you liked this post, please do click through to the source at Welcome to MovingPackets.NET! and give me a share/like. Thank you!

30 Blogs in 30 Days – Lessons Learned

So with some triumph and minor exhaustion, I completed Etherealmind’s 30 Blogs in 30 Days challenge; but so what? Does it change anything? Do I get a prize?

Here’s what I learned.

30 Blogs in 30 Days

As a reminder, I started this challenge on October 16 and posted every day from then until November 16 (actually just over 30 days, but who is counting). I found the process quite interesting, so I decided to share a few things that struck me along the way.

Write It Down

It sounds obvious, but if you’re a blogger, how many times have you thought to yourself “Oooh, such and such would make a good blog post,” then when you have a chance to write some content you go blank on what this great topic was? I have this happen a lot. Trying to create one blog post a day meant that forgetting posts topics was not a luxury I could afford to have if I wanted to avoid staring at my screen for hours. I had to start keeping a Notes file open on my phone, occasionally took an audio note, and kept an iCloud-synced “Ideas for Blog” file in MultiMarkdown Composer. I found Continue reading