Category Archives for "packetmischief.ca"

Auto Renew Let’s Encrypt Certificates

I’m a big fan of Let’s Encrypt (free, widely trusted TLS certificates) but not a big fan of most of the client software available for requesting and renewing certificates. Unlike a typical certificate authority, Let’s Encrypt doesn’t have a web UI for requesting/renewing certs; everything is driven via an automated process that runs between a Let’s Encrypt software client and the Let’s Encrypt web service.

Since the protocols that Let’s Encrypt uses are standards-based, there are many open source clients available. Being security conscious, I have a few concerns with most of the clients:

  • Complication. Many of the clients are hundreds of lines long and unnecessarily complicated. This makes the code really hard to audit and since this code is playing with my crypto key material, I do want to audit it.
  • Elevated privilege. At least one of the clients I saw required root permission. That’s a non-starter.

I can’t remember how, but I discovered a very clean, very simple client called acme-tiny at github.com/diafygi/acme-tiny. This script was obviously written by someone who shares the same concerns as I do and I highly recommend it to others.

I used acme-tiny to request my initial certificates — and it…
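The two concerns above (auditable code, no root) translate into a handful of checks that any renewal wrapper should make before it touches the account key. The script below is an added example, not the post’s own cron job or anything shipped with acme-tiny: it refuses to run as root, verifies that the account key is owned by the running user and not group/world readable, reads the current certificate’s expiry with openssl, only invokes acme-tiny when fewer than 30 days remain, and swaps the new chain into place atomically. The paths under /home/acme and the challenge directory are assumptions; the three acme-tiny flags are the ones its README documents.

```python
"""Least-privilege renewal wrapper around acme-tiny.

Added example, not the author's script. Paths under /home/acme and the
challenge directory are assumed; the acme-tiny flags (--account-key, --csr,
--acme-dir) are the ones its README documents.
"""
import os
import re
import stat
import subprocess
import sys
from datetime import datetime, timedelta, timezone

ACME_HOME = "/home/acme"                      # assumed: home of the unprivileged 'acme' user
ACCOUNT_KEY = f"{ACME_HOME}/account.key"      # assumed
CSR = f"{ACME_HOME}/domain.csr"               # assumed
SIGNED_CERT = f"{ACME_HOME}/signed_chain.crt"
CHALLENGE_DIR = "/var/www/challenges/"        # assumed: served at /.well-known/acme-challenge/
RENEW_MARGIN = timedelta(days=30)             # 90-day certs; renew with a month left

# Exact line printed by `openssl x509 -noout -enddate`, e.g. "notAfter=Jun  1 12:00:00 2016 GMT"
_ENDDATE = re.compile(r"^notAfter=([A-Za-z]{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\d{4}) GMT$")


def parse_enddate(line: str) -> datetime:
    """Turn openssl's notAfter line into an aware UTC datetime."""
    m = _ENDDATE.match(line.strip())
    if not m:
        raise ValueError(f"unexpected -enddate output: {line!r}")
    mon, day, hms, year = m.groups()
    naive = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def needs_renewal(enddate_line: str, now, margin: timedelta = RENEW_MARGIN) -> bool:
    """True when the cert expires within `margin` of `now` (datetime or ISO-8601 string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return parse_enddate(enddate_line) - now <= margin


def mode_is_private(st_mode: int, st_uid: int, euid: int) -> bool:
    """Key file must belong to the user running this and grant nothing to group/other."""
    return st_uid == euid and (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def key_is_private(path: str) -> bool:
    st = os.stat(path)
    return mode_is_private(st.st_mode, st.st_uid, os.geteuid())


def acme_tiny_command(account_key: str, csr: str, acme_dir: str) -> list:
    """Argument vector for acme-tiny using only its documented flags."""
    return [sys.executable, f"{ACME_HOME}/acme_tiny.py",
            "--account-key", account_key, "--csr", csr, "--acme-dir", acme_dir]


def cert_enddate(path: str) -> str:
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", path],
                         check=True, capture_output=True, text=True)
    return out.stdout


def main() -> int:
    if os.geteuid() == 0:                          # the post's second concern: never as root
        sys.exit("refusing to run as root; run as the unprivileged acme user")
    if not key_is_private(ACCOUNT_KEY):
        sys.exit(f"{ACCOUNT_KEY} is not owned by us or is group/world accessible")
    if os.path.exists(SIGNED_CERT) and not needs_renewal(cert_enddate(SIGNED_CERT),
                                                         datetime.now(timezone.utc)):
        print("certificate still valid; nothing to do")
        return 0
    tmp = SIGNED_CERT + ".tmp"
    with open(tmp, "w") as out:                    # acme-tiny writes the signed chain to stdout
        subprocess.run(acme_tiny_command(ACCOUNT_KEY, CSR, CHALLENGE_DIR), check=True, stdout=out)
    os.replace(tmp, SIGNED_CERT)                   # atomic swap: the web server never sees a partial file
    print("renewed; reload the web server via a separately scoped sudo rule")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the acme user’s crontab, say weekly; it is idempotent because of the expiry check. The web server reload is deliberately left out of the script: give the acme user a single sudoers rule for exactly that reload command rather than running any part of the renewal as root.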

Label Switched Multicast – Ethernet Header

I got an interesting email from Ying Lu who had read my posts on LSM:

I am curious about the Ethernet DA and codepoint used for multicast MPLS. Previously, I understand that:
– Ethernet DA is unicast MAC of nexthop of each replication leg.
– codepoint is 0x8847
However, looking at RFC5332, I am not so sure…
Quote:
“Ethernet is an example of a multipoint-to-multipoint data link. Ethertype 0x8847 is used whenever a unicast ethernet frame carries an MPLS packet.

Ethertype 0x8847 is also used whenever a multicast ethernet frame carries an MPLS packet, EXCEPT for the case where the top label of the MPLS packet has been upstream-assigned.

Ethertype 0x8848, formerly known as the “MPLS multicast codepoint”, is to be used only when an MPLS packet whose top label is upstream assigned is carried in a multicast ethernet frame.”

Interesting question. What is the ethernet destination address (DA) and the value of the ethernet type field (codepoint) when the MPLS packet is being sent on an LSM LSP?

Getting back into the lab, I started a ping from CE1 to a group that CE3 had joined. I then ran a sniff on the segment between P and PE3.

[Figure: Sample LSM Topology]

Examining the…
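To make the RFC 5332 rules in Ying’s quote concrete, here is an added example (not code from the original post, and it does not claim what the lab sniff showed, since that part is cut off above) that decodes an Ethernet header plus MPLS label stack and applies the codepoint rules from both directions: what a sender must put on the wire, and how a receiver must interpret the top label. The point the RFC makes is that the frame alone cannot tell you whether the top label is upstream-assigned; the codepoint carries that information, which is why a receiver must not quietly accept 0x8848 on a unicast frame. The two frames, MACs and labels are constructed.

```python
"""Decode an Ethernet + MPLS frame and apply the RFC 5332 codepoint rules.

Added example, not from the original post. The frames below are constructed;
the MACs and label values are arbitrary.
"""
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847    # unicast frames, and multicast frames with a downstream-assigned top label
ETHERTYPE_MPLS_MULTICAST = 0x8848  # multicast frames whose top label is upstream-assigned (RFC 5332)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mpls_frame(frame: bytes) -> dict:
    """Split DA/SA/Ethertype and walk the label stack down to the bottom-of-stack entry."""
    if len(frame) < 18:
        raise ValueError("frame too short for an Ethernet header plus one label")
    da, sa = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in (ETHERTYPE_MPLS_UNICAST, ETHERTYPE_MPLS_MULTICAST):
        raise ValueError(f"not an MPLS frame: ethertype 0x{ethertype:04x}")
    labels, off = [], 14
    while True:
        if off + 4 > len(frame):
            raise ValueError("label stack runs past the end of the frame (no bottom-of-stack bit)")
        (entry,) = struct.unpack("!I", frame[off:off + 4])
        labels.append({                 # RFC 3032 label stack entry: label(20) TC(3) S(1) TTL(8)
            "label": entry >> 12,
            "tc": (entry >> 9) & 0x7,
            "bos": bool((entry >> 8) & 0x1),
            "ttl": entry & 0xFF,
        })
        off += 4
        if labels[-1]["bos"]:
            break
    return {
        "da": mac_str(da), "sa": mac_str(sa),
        "da_is_multicast": bool(da[0] & 0x01),    # I/G bit of the first DA octet
        "ethertype": ethertype, "labels": labels, "payload": frame[off:],
    }


def expected_ethertype(da_is_multicast: bool, top_label_upstream_assigned: bool) -> int:
    """Sender side: the codepoint RFC 5332 requires for this frame."""
    if da_is_multicast and top_label_upstream_assigned:
        return ETHERTYPE_MPLS_MULTICAST
    return ETHERTYPE_MPLS_UNICAST


def label_context(parsed: dict) -> str:
    """Receiver side: which label space the top label must be looked up in.

    0x8848 on a unicast frame is invalid per RFC 5332 and is rejected rather
    than guessed at; a forwarder that silently treated it as 0x8847 could be
    steered into the wrong label space by a crafted frame.
    """
    if parsed["ethertype"] == ETHERTYPE_MPLS_UNICAST:
        return "downstream-assigned (receiver's own label space)"
    if not parsed["da_is_multicast"]:
        raise ValueError("ethertype 0x8848 is only valid in a multicast Ethernet frame")
    return f"upstream-assigned (context label space of sender {parsed['sa']})"


# Constructed frame 1: unicast DA, 0x8847, single label 24001 with BoS set, TTL 255
FRAME_UNICAST = bytes.fromhex("00000c0000aa" "00000c0000bb" "8847" "05dc11ff" "45000014")
# Constructed frame 2: multicast DA, 0x8848, upstream-assigned label 16 over label 100 (BoS), TTL 64
FRAME_MCAST = bytes.fromhex("01005e000001" "00000c0000cc" "8848" "00010040" "00064140" "45000014")

if __name__ == "__main__":
    for f in (FRAME_UNICAST, FRAME_MCAST):
        p = parse_mpls_frame(f)
        print(p["da"], hex(p["ethertype"]), [l["label"] for l in p["labels"]], label_context(p))
```

Feed it the bytes of a frame captured on the P–PE3 segment and the output tells you which of the three RFC 5332 cases the platform actually used; compare `expected_ethertype()` against what was captured to confirm the implementation follows the RFC.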

NSF and GR on Nexus 5000

NSF and GR are two features in Layer 3 network elements (NEs) that allow two adjacent elements to work together when one of them undergoes a control plane switchover or control plane restart.

The benefit is that when a control plane switchover/restart occurs, the impact to network traffic is kept to a minimum and in most cases, to zero.

NSF

  • Non-Stop Forwarding
  • When a control plane protocol such as BGP, OSPF, or EIGRP restarts and neighbors/adjacencies are reset, NSF will allow the data plane to hold onto the routes that were learned via that control plane protocol and continue to forward traffic while the neighbors/adjacencies are re-established.
  • Control plane restarts occur when you have a router or switch with dual route processors or supervisor engines and there is a switchover from the active to the hot standby. When the newly active RP/sup takes over, it has to re-establish neighbors/adjacencies because that information is not part of the synchronization that occurs between the two RPs/sups.
  • NSF keeps traffic moving — without the need to reroute — while the switchover is happening.
  • NSF happens locally, all within the network element where the switchover is happening.
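NSF is the local half; the neighbour has to cooperate by not tearing down the routes it learned from the restarting box the moment the adjacency drops. The simulation below is an added example (not from the original post) of that neighbour-side behaviour: routes from the restarting peer are flagged stale but stay in the forwarding table, and are withdrawn only when the peer re-advertises a different set, or when a bounded grace period expires without the adjacency coming back. Timestamps are plain seconds so the sequences are repeatable.

```python
"""Neighbour-side behaviour during a peer's control-plane restart (NSF/GR).

Added example, not from the original post. Models the neighbour that stays up:
routes learned from the restarting peer are marked stale but kept in the
forwarding table, and are withdrawn only if the grace period expires before
the adjacency re-forms. Times are plain seconds, not wall-clock.
"""


class GracefulRestartHelper:
    def __init__(self, grace_period: float):
        self.grace_period = grace_period
        self.routes = {}           # prefix -> {"nexthop": str, "stale": bool}
        self.deadline = None       # time by which the peer must re-sync, or None

    def learn(self, prefix: str, nexthop: str) -> None:
        self.routes[prefix] = {"nexthop": nexthop, "stale": False}

    def peer_restarting(self, now: float) -> None:
        """Peer signalled a restart (or its adjacency dropped with GR negotiated)."""
        for r in self.routes.values():
            r["stale"] = True                       # keep forwarding; remember they are unconfirmed
        self.deadline = now + self.grace_period

    def peer_resynced(self, now: float, fresh: dict) -> list:
        """Adjacency is back and the peer re-advertised `fresh` (prefix -> nexthop).
        Stale routes it no longer advertises are withdrawn; returns those prefixes."""
        if self.deadline is not None and now > self.deadline:
            return self.tick(now)                   # too late: same outcome as an expired grace period
        withdrawn = [p for p, r in self.routes.items() if r["stale"] and p not in fresh]
        for p in withdrawn:
            del self.routes[p]
        for p, nh in fresh.items():
            self.routes[p] = {"nexthop": nh, "stale": False}
        self.deadline = None
        return withdrawn

    def tick(self, now: float) -> list:
        """Periodic timer: purge stale routes once the grace period has elapsed."""
        if self.deadline is None or now <= self.deadline:
            return []
        expired = [p for p, r in self.routes.items() if r["stale"]]
        for p in expired:
            del self.routes[p]
        self.deadline = None
        return expired

    def forwarding_table(self) -> dict:
        """What the data plane uses; stale entries are still present (that is the point of NSF)."""
        return {p: r["nexthop"] for p, r in self.routes.items()}

    def stale_prefixes(self) -> list:
        return sorted(p for p, r in self.routes.items() if r["stale"])


def resync_in_time_scenario() -> dict:
    """Peer restarts at t=0, comes back at t=90 advertising one of its two prefixes."""
    h = GracefulRestartHelper(grace_period=120)
    h.learn("10.0.1.0/24", "192.0.2.1")
    h.learn("10.0.2.0/24", "192.0.2.1")
    h.peer_restarting(now=0)
    during = dict(h.forwarding_table())             # t=60: both prefixes still forwarded
    h.tick(60)
    withdrawn = h.peer_resynced(now=90, fresh={"10.0.1.0/24": "192.0.2.1"})
    return {"during": during, "withdrawn": withdrawn,
            "after": h.forwarding_table(), "stale": h.stale_prefixes()}


def grace_expires_scenario() -> dict:
    """Peer restarts at t=0 and never comes back; the route is purged after 120 s."""
    h = GracefulRestartHelper(grace_period=120)
    h.learn("10.0.1.0/24", "192.0.2.1")
    h.peer_restarting(now=0)
    still = h.tick(119)
    purged = h.tick(121)
    return {"still_there": still, "purged": purged, "after": h.forwarding_table()}
```

The caveat this makes visible: for the whole grace period the helper forwards on routes nobody is currently vouching for. If the topology behind the restarting box changed during that window, traffic is black-holed until the re-sync or the timer expiry, so the grace period should be long enough for a real supervisor switchover and no longer.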

GR

BRKRST-3014 – Policy, Complexity, and Modern Control Planes


Presented by: Russ White, LinkedIn

Networks are complex. How do we measure complexity? How do we measure scale? What’s the unit of measure?

You can’t “solve” complexity.

Alderson D. and Doyle J.: “complexity in highly organized systems arises primarily from design strategies intended to create robustness to uncertainty.” There’s a point on the complexity scale where robustness actually drops. “Robust but fragile”.

Dunning Kruger effect?

What is complexity?

  • Anything you don’t understand?
  • Anything with many parts?
  • Anything with unintended consequences?
  • Something that can’t be solved; can’t be easily defined.
  • We need to develop a model to understand complex systems quickly

“If you haven’t found the trade off, you haven’t looked hard enough” — Russ

The model:

  • Ask, Why?
  • Ask, What & How?
  • State
  • Optimization
  • [Interaction] Surface (where two components interact with each other [which could be, and often is, human on CLI])
  • Ask, This is like what? (what’s it similar to?)
  • No matter how you’re analyzing a network (protocols, applications, whatever), you’ll find these 3 things.
  • Good examples of questions to ask for each point in different use cases

3-way trade off:

  • Quick/Cheap/Quality, or
  • State/Surface/Optimization

“Adding more state to the system should result in an increase in optimization”…

BRKEWN-2011 – Managing An Enterprise WLAN With Cisco Prime Infrastructure

Presenter: Paul Lysander, Technical Marketing Engineer, Cisco

“How many of you are not using PI 3.x?” –Paul; perhaps 10-20% put up their hands.

Morning after the Customer Appreciation Event. Good turnout.

Where does PI fit in the network? 

  • PI gets information from the network; it’s not the source of data
  • Sources include: wireless LAN controller, CMX, ISE

Side note: PI 3.1 maintenance release 1 (MR1) is coming next week. When released, it will be the generally recommended release for customers to run.

Create Sites and Location Groups before adding devices to the inventory. These groups are used throughout PI. Eg: a Site can be used with a Virtual Domain to provide role-based access to devices in the environment (Admin1 can’t see Admin2’s devices; Admin1 only sees Campus1 and SuperAdmin sees all). Device membership in a site can be done statically or by policy.

  • Administration > Users > Virtual Domains (create and edit Virtual Domains)
  • Administration > Users > Users, Roles & AAA (map users to a Domain)

Config Templates:

  • Discovery: templates can be discovered by pulling in the config (or parts thereof) from an already configured WLC

New feature in 3.1: Plug and Play for…

BRKRST-2042 – Highly Available Wide Area Network Design

Presented by: David Prall, Communications Architect, Cisco

For reference, David is the “father of IWAN”.

This session was not what I was expecting. I was expecting design and architecture, but it was all about features in IOS and IOS-XE (eg, FHRPs, talked about routing protocol timers, PfRv3, BFD). I guess I need to pay more attention to the session code (RST == routing; ARC == architecture).

Original article: BRKRST-2042 – Highly Available Wide Area Network Design

Copyright © 2016 Joel Knight . All Rights Reserved.

BRKEWN-2017 – Understanding RF Fundamentals and the Radio Design of 11n/ac Networks


Presenter: Fred Niehaus, Technical Marketing Engineer, Cisco Wireless Networking Group

Basic understanding of radio:

  • Every radio wave has a physical size (proportionate to its wavelength)
  • The lower the frequency, the physically longer the radio wave
  • Higher frequencies have shorter waves and, as such, take more power to move them the same distance
  • 5 GHz UNII-2 and UNII-2 Extended overlap with DFS (radar) bands
  • Dynamic Frequency Selection (DFS) requires that if a radio is operating in UNII-2/UNII-2 Extended and it hears something that is not WiFi, it has to get off that channel

Antenna basics:

  • Directional or omnidirectional (360 degree)
  • Cisco color markings: blue: 5 GHz; black: 2.4 GHz; orange: 2.4 and 5 GHz
  • Low gain omnidirectional antennas radiate in a beach ball pattern
  • Omnidirectional dipoles radiate in a pancake pattern
  • Yagis are directional; radiate more like a flashlight
  • Patch: multiple elements in a square form factor; radiates like a flashlight
  • Dipole: does not require a ground plane as the bottom half is the ground
  • Monopole requires a (conductive surface) ground plate; monopoles are shorter than dipoles and often used on APs (because of the smaller size) and they can use the metal in the AP as the ground plate.
  • Azimuth: how…

BRKARC-3300 – IOS-XE: Enabling the Digital Network Architecture

Presented by Muhammad A Imam, Sr Manager Technical Marketing Engineering

Brand new session!

The goal of the session is to give an understanding of IOS-XE Denali 16.x.

“How many have downloaded 16.x?” — maybe 10% put up their hands

The upcoming 16.3 (target for this month) will support Cat 3850,3650, ISR, and ASR 1000.

The original operating system on the AGS, back in 1986, was simply called “Operating System”. There are still parts of Operating System in IOS today (scary!!).

IOS-XE (code name BinOS) came around in 2007 on the ASR 1000. In 2010, IOS-XE (code name Nova) was released for the Cat4k. These two editions of XE were similar, but different and were written by different engineering teams.

The vision for IOS-XE Denali is a single code base across Cisco enterprise platforms. Benefits include: similar features, consistent version numbers, consistent release schedule, consistent test and validation of releases, consistent commands (eg “show platform …”).

“We are changing the way we write code” –Muhammad; code is being pulled out of the IOSd blob and written as a subsystem within IOS-XE (over time).

Crimson database:

  • New component in Denali
  • Maintains state for subsystems
  • Holds configuration

BRKNMS-2701 – How I Learned to Stop Worrying and Love Prime Infrastructure

Presenters:

  • Lewis Hickman, Consulting Systems Engineer
  • Jennifer Valentine, Systems Engineer


Quick survey in the room: 60-70% of attendees running PI 3.x; 10-20% PI 2.x; some still on LMS.

“There are 37 different ‘Cisco Prime’ products” — Lewis

“Cisco Prime” isn’t a product; “Cisco Prime Infrastructure” is. Cisco Prime is a family of products.

PI traces its lineage back to 1996: CWSI > Cisco Works LMS > Cisco Prime LMS > WCS > NCS > Prime Infrastructure.

“1232 SysObjIds supported in PI today” — Lewis (aka, 1232 different devices supported by PI)

Two people (only!!) in the room running Network Analysis Module.

UCS Server Assurance module: enables mgmt of UCS servers; will integrate into vCenter and map VMs to physical hosts for you. 

Operations Center: manager of managers for PI

Licensing in PI 3.x:

  • One license for Lifecycle and Assurance now
  • Different license files for different device types
  • Different device types require a specific number of “tokens”
  • When a license is installed in PI 3.x, it gets converted into the appropriate number of tokens
  • As you add devices to PI, it draws down on the number of free tokens in the pool
  • Hint: You don’t…

BRKEWN-2019 – 7 Ways to Fail as a Wireless Expert

Presenter: Steven Heinsius, Product Manager, Enterprise Networking Group

I’m hoping the title of this session could also be “7 Ways to not be a TOTAL Wireless Noob” since that’s more my level.

The Basics

  • WiFi has been a standard since 1997

Taking a 100 employee company….

  • 1999: 1-2 clients on the network
  • 2005: 5 or 10
  • 2007: 25+ (802.11n came around)
  • 2010: 150 (smartphones in the office; laptops becoming the norm in the office)
  • 2013: > 200
  • 2016: > 300 (3 devices per person)

In 2007-2009, networks were designed for coverage. Those networks are still around and are being asked to support (on average) 3 devices per person.

WiFi is

  • Half duplex
  • A shared medium (like a hub!)
  • AP talks to one client at a time; airtime is time sliced amongst all clients
  • AP asks a client to ack every packet (?) it sends to a client
  • Acks are retransmitted if not answered which means all other clients have to remain silent (and lowers performance)

Distance vs modulation

  • When a client is farther away from the AP, the modulation is stepped down to increase the likelihood that the signal will make it
  • The trade off is that…

BRKIOT-2109 – Connecting Oil and Gas Pipelines


Presenters:

  • Rick Irons-Mclean, Oil & Gas and Energy Architecture Lead
  • Jason Greengrass, IoT Solution Architect


Connected Pipelines Validated Design: coming this week! Cisco.com/go/cvd > Oil & Gas area

  • This CVD was built with customer input (from around the globe) and Cisco account team input (including yours truly)
  • Next iteration of the CVD will contain more security, including providing better visibility into traffic and events in the control center network

For those that aren’t familiar with the oil/gas business, there’s three areas:

  • Upstream: discovery and extraction
  • Midstream: storage and transport
  • Downstream: refining (turning it into product) and marketing/selling

Cisco can work and play in all three areas. Eg:

  • Connected Pipeline
  • Connected Refinery
  • Secure Ops (managed security services from Cisco)
  • Connected Oilfield

ISA95/99 (aka the Purdue Model) – describes an architecture for different security zones within the industrial environment.

  • Bottom is Level 0 – where the process actually happens (valves, pumps, etc)
  • Top is Level 5 – the business/enterprise network
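The value of the level model is that it gives you something mechanical to check flows against. Below is an added example (not from the CVD or the session) that encodes a strict zone/conduit policy over a constructed device inventory and audits a constructed flow list against it. The notes above name only Level 0 and Level 5; the intermediate levels and the Level 3.5 industrial DMZ are the usual ISA-95 / IEC 62443 layout, and the four rules are an assumed tight baseline for illustration rather than anything the CVD prescribes.

```python
"""Zone/conduit audit against a Purdue-style level model.

Added example, not from the CVD or the session. Intermediate levels and the
Level 3.5 industrial DMZ are the usual ISA-95 / IEC 62443 layout; the rules
are an assumed strict baseline, and the inventory and flow log are constructed.
"""

# device/zone -> Purdue level (constructed inventory)
ZONES = {
    "field-sensor": 0.0,           # Level 0: the physical process
    "plc-pipeline-seg7": 1.0,      # Level 1: basic control
    "rtu-valve-station": 1.0,
    "hmi-control-room": 2.0,       # Level 2: supervisory control
    "scada-master": 2.0,
    "historian-ot": 3.0,           # Level 3: site operations
    "historian-replica": 3.5,      # Level 3.5: industrial DMZ
    "jump-host": 3.5,
    "erp-app": 4.0,                # Level 4: site business
    "corp-workstation": 5.0,       # Level 5: enterprise
}

IDMZ = 3.5


def check_flow(src: str, dst: str) -> str:
    """Return 'allow' or a reason string describing the policy violation."""
    s, d = ZONES[src], ZONES[dst]
    if s == d:
        return "allow"
    # Rule 1: nothing crosses between the OT side (<=3) and the IT side (>=4) except via the IDMZ
    if (s < IDMZ and d > IDMZ) or (s > IDMZ and d < IDMZ):
        return f"crosses OT/IT boundary without terminating in the L{IDMZ} DMZ"
    # Rule 2: the IDMZ peers only with the levels on either side of it (3 and 4)
    if IDMZ in (s, d):
        other = d if s == IDMZ else s
        if other not in (3.0, 4.0):
            return f"DMZ may only peer with L3 or L4, not L{other:g}"
        return "allow"
    # Rule 3: inside OT, flows only between adjacent levels (no historian straight to a PLC)
    if abs(s - d) > 1.0:
        return f"skips a level inside the OT zone (L{s:g} -> L{d:g})"
    return "allow"


def audit(flows) -> list:
    """flows: iterable of (src, dst, service); returns the violating flows with reasons."""
    violations = []
    for src, dst, svc in flows:
        verdict = check_flow(src, dst)
        if verdict != "allow":
            violations.append((src, dst, svc, verdict))
    return violations


# Constructed flow log, e.g. as exported from a firewall or a passive OT monitor
SAMPLE_FLOWS = [
    ("hmi-control-room", "plc-pipeline-seg7", "modbus/502"),
    ("plc-pipeline-seg7", "field-sensor", "4-20mA/hardwired"),
    ("scada-master", "historian-ot", "sql/1433"),
    ("historian-ot", "historian-replica", "sql/1433"),
    ("erp-app", "historian-replica", "https/443"),
    ("erp-app", "plc-pipeline-seg7", "modbus/502"),
    ("corp-workstation", "hmi-control-room", "rdp/3389"),
    ("historian-ot", "plc-pipeline-seg7", "modbus/502"),
    ("corp-workstation", "jump-host", "ssh/22"),
]

if __name__ == "__main__":
    for src, dst, svc, why in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {src} -> {dst} ({svc}): {why}")
```

Rule 3 is tighter than many real deployments (a site historian polling PLCs directly is common), and the example treats an enterprise workstation reaching the DMZ jump host as a finding rather than a convenience; the point is to make such flows show up for review, not to block them blindly.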

Operational principles (compare this with a typical enterprise environment and principles):

  • Continuous operation: 24×7, 365 days a year
  • Continuous visibility and control: operators need constant communication to the pipeline
  • Safety and compliance: pipeline integrity, safety, security and reliability

With respect to 24×7…
