Rapid Progress in BGP Route Origin Validation
In 2022, I was invited to speak about Internet routing security at the DEEP conference in Zadar, Croatia. One of the main messages of the presentation was how slow the progress had been even though we had had all the tools available for at least a decade (RFC 7454 was finally published in 2015, and we started writing it in early 2012).
At about that same time, a small group of network operators started cooperating on improving the security and resilience of global routing, eventually resulting in the MANRS initiative – a great place to get an overview of how many Internet Service Providers care about adopting Internet routing security mechanisms.
Rapid Progress in BGP Route Origin Validation
In 2022, I was invited to speak about Internet routing security at the DEEP conference in Zadar, Croatia. One of the main messages of the presentation was how slow the progress had been even though we had had all the tools available for at least a decade (RFC 7454 was finally published in 2015, and we started writing it in early 2012).
At about that same time, a small group of network operators started cooperating on improving the security and resilience of global routing, eventually resulting in the MANRS initiative – a great place to get an overview of how many Internet Service Providers care about adopting Internet routing security mechanisms.
Getting Aggressive with Cloud Cybersecurity
Cloud cybersecurity should be addressed proactively in order to detect lurking vulnerabilities before threat actors can attack. Here’s what IT leaders need to know to get the upper hand on cloud cybersecurity.Tech Bytes: How VMware And HPE Greenlake Tackle AI And Multi-Cloud For Customers (Sponsored)
VMware and HPE are partnering on HPE Greenlake for VMware Cloud Foundation. On today's episode we discuss how the HPE and VMware partnership benefits customers’ multi-cloud initiatives and how VMware and HPE Greenlake can help customers take advantage of AI by providing scalable hardware and software infrastructure for training and inference. VMware is our sponsor.
The post Tech Bytes: How VMware And HPE Greenlake Tackle AI And Multi-Cloud For Customers (Sponsored) appeared first on Packet Pushers.
Tech Bytes: How VMware And HPE Greenlake Tackle AI And Multi-Cloud For Customers (Sponsored)
On today’s Packet Pusher’s Tech Bytes podcast, sponsored by VMware, the conversation delves into HPE’s partnership with VMware, particularly around HPE Greenlake for VMware Cloud Foundation. HPE was recently recognized as VMware’s 2023 partner of the year. Today’s podcast features an interview with Frances Guida, Director, Compute Workload Solutions Product Management at HPE. The podcast... Read more »NB454: Is Bad InfoSec Now Securities Fraud?
On today's Network Break we discuss potential repercussions for security executives after the SEC charges Solar Winds' CISCO with fraud, examine a new SD-LAN offering from Versa Networks that aims to integrate security controls into a campus fabric, and look at a new open-source tool from Cloudflare for scrubbing sensitive authentication tokens from HAR files.
The post NB454: Is Bad InfoSec Now Securities Fraud? appeared first on Packet Pushers.
NB454: Is Bad InfoSec Now Securities Fraud?
We discuss potential repercussions for security executives after the SEC charges Solar Winds’ CISCO with fraud, examine a new SD-LAN offering from Versa Networks that aims to integrate security controls into a campus fabric, and discuss a new open-source tool from Cloudflare for scrubbing sensitive authentication tokens from HAR files. Extreme Networks posts strong revenues... Read more »DCAUTO Exam Experience by Nick Russo
On 17 October 2023, I took and passed the Automating and Programming Cisco Data Center Solutions (DCAUTO) exam on my first attempt. This is the seventh DevNet exam I’ve passed. After the retirement of the Webex and IoT specialty exams, the Collaboration specialty and Expert exams remain the only two I haven’t attempted. Much like my experience with enterprise, service provider, and security automation, I have years of real-life experience automating various data center solutions, primarily by working with Nexus and NDO (formerly MSO). I’ve spoken about the topic on various podcasts and professional training courses many times. Believe it or not, I don’t have as much real-life automation experience with ACI or UCS, which are key data center products for Cisco, so I studied those areas intensely.
It’s worth mentioning that Cisco’s new certification road map introduces small changes at regular intervals to all of their certification exams. This is smart as it leads to less “blueprint shock” every few years, plus gives learners an opportunity to master the newest technologies in an incremental way. Because Cisco updated DCAUTO earlier this year, I took the v1.1 exam. I’m not kidding when I say the exam was Continue reading
Fibre Channel Addressing
Whenever we talk about LAN data-link-layer addressing, most engineers automatically switch to the “must be like Ethernet” mentality, assuming all data-link-layer LAN framing must somehow resemble Ethernet frames.
That makes no sense on point-to-point links. As explained in Early Data-Link Layer Addressing article, you don’t need layer-2 addresses on a point-to-point link between two layer-3 devices. Interestingly, there is one LAN technology (that I’m aware of) that got data link addressing right: Fibre Channel (FC).
Fibre Channel Addressing
Whenever we talk about LAN data-link-layer addressing, most engineers automatically switch to the “must be like Ethernet” mentality, assuming all data-link-layer LAN framing must somehow resemble Ethernet frames.
That makes no sense on point-to-point links. As explained in Early Data-Link Layer Addressing article, you don’t need layer-2 addresses on a point-to-point link between two layer-3 devices. Interestingly, there is one LAN technology (that I’m aware of) that got data link addressing right: Fibre Channel (FC).
Non-interactive SSH password authentication
SSH offers several forms of authentication, such as passwords and public keys. The latter are considered more secure. However, password authentication remains prevalent, particularly with network equipment.1
A classic solution to avoid typing a password for each connection is sshpass, or its more correct variant passh. Here is a wrapper for Zsh, getting the password from pass, a simple password manager:2
pssh() { passh -p <(pass show network/ssh/password | head -1) ssh "$@" } compdef pssh=ssh
This approach is a bit brittle as it requires to parse the output of the ssh
command to look for a password prompt. Moreover, if no password is required, the
password manager is still invoked. Since OpenSSH 8.4, we can use
SSH_ASKPASS and SSH_ASKPASS_REQUIRE instead:
ssh() { set -o localoptions -o localtraps local passname=network/ssh/password local helper=$(mktemp) trap "command rm -f $helper" EXIT INT > $helper <<EOF #!$SHELL pass show $passname | head -1 EOF chmod u+x $helper SSH_ASKPASS=$helper SSH_ASKPASS_REQUIRE=force command ssh "$@" }
If the password is incorrect, we can display a prompt on the Continue reading
Worth Reading: Confusing Git Terminology
Julia Evans wrote another great article explaining confusing git terminology. Definitely worth reading if you want to move past simple recipes or reminiscing about old days.
Worth Reading: Confusing Git Terminology
Julia Evans wrote another great article explaining confusing git terminology. Definitely worth reading if you want to move past simple recipes or reminiscing about old days.
Post Mortem on Cloudflare Control Plane and Analytics Outage
Beginning on Thursday, November 2, 2023 at 11:43 UTC Cloudflare's control plane and analytics services experienced an outage. The control plane of Cloudflare consists primarily of the customer-facing interface for all of our services including our website and APIs. Our analytics services include logging and analytics reporting.
The incident lasted from November 2 at 11:44 UTC until November 4 at 04:25 UTC. We were able to restore most of our control plane at our disaster recovery facility as of November 2 at 17:57 UTC. Many customers would not have experienced issues with most of our products after the disaster recovery facility came online. However, other services took longer to restore and customers that used them may have seen issues until we fully resolved the incident. Our raw log services were unavailable for most customers for the duration of the incident.
Services have now been restored for all customers. Throughout the incident, Cloudflare's network and security services continued to work as expected. While there were periods where customers were unable to make changes to those services, traffic through our network was not impacted.
This post outlines the events that caused this incident, the architecture we had in place to prevent issues Continue reading
Can European Telcos Afford 5G and Broadband?
A group of telcos is pressing the European Commission to have the biggest data users pay their “fair share.” The top U.S. tech content companies are seen as the targets of the effort.On the ‘net: Two on AI
I occasionally write over at Mind Matters on topics “other than technical.” Here are my two latest posts over there.
On the ‘net: Model Based Thinking
Running a little late on cross posting stuff from Packet Pushers … but I suppose better late than never. 