Routing Security BoF – APRICOT 2018
On Sunday, 25 February, the first day of APRICOT 2018, a “Routing Security BoF” (birds of a feather: An informal discussion group) was organized to address the ever-growing routing related incidents happening on daily basis. We have discussed routing security in general within the Asia Pacific region but there was a need to have a platform for open and candid discussion among the network operator community to find a possible way forward, where operators can share their approach in securing their own infrastructure and keeping the internet routing table clean as well.
A quick introduction was provided by the moderator (Aftab Siddiqui) on why it is important to have this BoF. Here are the introductory slides:
The first technical community presenter was Yoshinobu Matsuzaki (Maz) from Internet Initiative Japan (IIJ), the first ISP in Japan started in 1992. IIJ is one of the few ISPs in the region implementing prefix filtering, source address validation for their end customers, and making sure that all their routing information is reflecting the current status in the peeringdb for AS2497. IIJ was the first Asia Pacific ISP to join MANRS (Mutually Agreed Norms for Routing Security), a global initiative, supported by the Continue reading
Model-Driven Telemetry Isn’t as New as Some People Think
During the Campus Evolution with Cat9K presentation (I hope I got it right - the whole event was an absolute overload) the presenter mentioned the benefits of brand-new model-driven telemetry, which immediately caused me to put my academic hat on and state that we had model-driven telemetry for at least 30 years.
Don’t believe me? Have you ever looked at an SNMP MIB description? Did it look like random prose to you or did it seem to have some internal structure?
Read more ...Istanbul (not Constantinople): Cloudflare’s 124th Data Center
Cloudflare is excited to turn up our newest data center in Istanbul, Turkey. This is our 124th data center globally (and 62nd country), and it is throwing a curveball in our data center by continent tracking. Istanbul is one of the only cities in the world to span two continents: Europe and Asia. Technically, we’ll specify this is our 34th data center in Europe. In the coming weeks, we’ll continue to attract more traffic to this deployment as more networks interconnect with us locally.
March 2018 is a big month for us, as we’ll be announcing (on average) nearly one new Cloudflare data center per day. Stay tuned as we continue to meaningfully expand our geographic coverage and capacity.
Turkish Internet
The Hagia Sophia - Photo by Blaque X / Unsplash
Istanbul itself is home to more than 16 million people, and Turkey is home to over 80 million people. For reference, Turkey’s population is comparable to Germany’s, where Cloudflare turned up its 11th, 31st, 44th, 72nd and 110th data centers in Frankfurt, Düsseldorf, Berlin, Hamburg and Munich. Internet usage in Turkey is approaching 70%, while the rate of Turkish households with access to Internet now exceeds Continue reading
Routing Security is a Serious Problem – and MANRS Can Help. A Report from APRICOT 2018.
Last week, at APRICOT 2018 in Kathmandu, Nepal, there were a lot of talks and discussions focused on routing security and the Mutually Agreed Norms for Routing Security (MANRS).
First, there was a Routing Security BoF, attended by about 150 people, where we talked about what it takes to implement routing security practices, how CDNs and other players can help, and why it is so difficult to make progress in this area. The BoF included an interactive poll at the end, and it showed some interesting results:
- Participants almost unanimously see lack of routing security as a serious problem.
- Slow progress in this area is largely seen as due to a lack of incentives
- Participants see community initiatives (like MANRS) as the main driving forces for improvement, followed by CDNs and cloud providers. They doubt that governments or end-customers can effectively drive change.
My colleague Aftab Siddiqui is writing a separate blog post just about that BoF, so watch the blog in the next day or two.
Later, in the security track of the main APRICOT programme, Andrei Robachevsky, ISOC’s Technology Programme Manager, presented statistics on routing incidents and suggested a way forward based on the MANRS approach. In his Continue reading
Cisco Live 2018 – Fun for grownups!
Cisco Live 2018 is just around the corner in in June from the 10th – 14th in Orlando, FL. Hard …
The post Cisco Live 2018 – Fun for grownups! appeared first on Fryguy's Blog.
We just added another module to our Ethical Hacker v9 Technology Course series
Last week we added Certified Ethical Hacker Module 7: Sniffing to our video Library. This is the 7th video to be released as part of an 18 video CEH course series. All Access Pass members can watch Module 7 by logging into their All Access Pass account. For those who are not members, you can buy the series here.
Why You Should Watch:
Attaining sniffing capabilities is a great achievement for hackers, because even when it’s difficult to get there, the rewards might be worth the risk.
About The Course:
This is the 7th of 18 video courses in our CEH v9 Technology Course series and will prepare viewers for the sniffing portion of the Certified Ethical Hacker v9 Exam. This Module is 3 hours in length and is taught by Josué Vargas.
What You’ll Learn:
During this module you will learn about gathering valuable data through sniffing techniques. You will learn LAN based and Internet based sniffing attacks and even use an experimental setting in Wireshark as a remote sniffing tool.
About The Instructor:
Josué Vargas is a networks and security engineer and also owns his own company in Costa Rica, Netquarks Technologies S.R.L. He started Continue reading
Infrastructure 2.0: Whatever We’re Calling it Now, It’s Here
The modern infrastructure needs to embrace DevOps principles and apply its methodologies to the network.
A ZTE Telco Customer Wants ZTE VNFs with Red Hat OpenStack
ZTE has its own customized NFVi layer built on OpenStack.
SDxCentral’s Top 10 Articles — February 2018
Cisco-Viptela breathes life into Orange's SD-WAN; the SD-WAN hype cycle starts its decline; AT&T SD-WAN hits 150 countries.
Related Stories
Responding to Readers: Questions on Microloops
Two different readers, in two different forums, asked me some excellent questions about some older posts on mircoloops. Unfortunately I didn’t take down the names or forums when I noted the questions, but you know who you are! For this discussion, use the network show below.
In this network, assume all link costs are one, and the destination is the 100::/64 Ipv6 address connected to A at the top. To review, a microloop will form in this network when the A->B link fails:
- B will learn about the link failure
- B will send an updated router LSP or LSA towards D, with the A->B link removed
- At about the same time, B will recalculate its best path to 100::/64, so its routing and forwarding tables now point towards D as the best path
- D, in the meantime, receives the updated information, runs SPF, and installs the new routing information into its forwarding table, with the new path pointing towards E
Between the third and fourth steps, B will be using D as its best path, while D is using B as its best path. Hence the microloop. The first question about microloops was—
Would BFD help prevent the microloop (or Continue reading
Cisco’s Tetration Extends Security Analytics, Policy to Multi-Cloud Apps
The updates also support containerized workloads.
Treasury Department Throws Fuel on Qualcomm and Broadcom Fire
The U.S. government postponed Qualcomm's annual meeting and board elections to investigate.
NETSCOUT Arbor Confirms 1.7 Tbps DDoS Attack; The Terabit Attack Era Is Upon Us
Last week, after Akamai confirmed a 1.3Tbps DDoS attack against Github. I published a blog that looked at the last five years of reflection/amplification attack innovation. I hope that it provides a helpful backgrounder on how we got here, to the terabit attack era, because […]NETSCOUT Arbor Confirms 1.7 Tbps DDoS Attack; The Terabit Attack Era Is Upon Us
Last week, after Akamai confirmed a 1.3Tbps DDoS attack against Github. I published a blog that looked at the last five years of reflection/amplification attack innovation. I hope that it provides a helpful backgrounder on how we got here, to the terabit attack era, because […]How Many Bandwidths Does An SD-WAN Need? – Video
Comparing the complexity of a private and public WANNetwork Break 174: Cisco Securifies Tetration; GitHub Beats Back DDoS
Cisco positions Tetration for workload protection, GitHub weathers a massive DDoS storm, Canada cans IBM and more tech news on this week's Network Break. The post Network Break 174: Cisco Securifies Tetration; GitHub Beats Back DDoS appeared first on Packet Pushers.
Squeezing the firehose: getting the most from Kafka compression
We at Cloudflare are long time Kafka users, first mentions of it date back to beginning of 2014 when the most recent version was 0.8.0. We use Kafka as a log to power analytics (both HTTP and DNS), DDOS mitigation, logging and metrics.
Firehose CC BY 2.0 image by RSLab
While the idea of unifying abstraction of the log remained the same since then (read this classic blog post from Jay Kreps if you haven't), Kafka evolved in other areas since then. One of these improved areas was compression support. Back in the old days we've tried enabling it a few times and ultimately gave up on the idea because of unresolved issues in the protocol.
Kafka compression overview
Just last year Kafka 0.11.0 came out with the new improved protocol and log format.
The naive approach to compression would be to compress messages in the log individually:
Edit: originally we said this is how Kafka worked before 0.11.0, but that appears to be false.
Compression algorithms work best if they have more data, so in the new log format messages (now called records) are packed back to back and compressed in Continue reading