Category Archives for "Networking"

Route-based IPsec VPN on Linux with strongSwan

A common way to establish an IPsec tunnel on Linux is to use an IKE daemon, like the one from the strongSwan project, with a minimal configuration¹:

conn V2-1
  left        = 2001:db8:1::1
  leftsubnet  = 2001:db8:a1::/64
  right       = 2001:db8:2::1
  rightsubnet = 2001:db8:a2::/64
  authby      = psk
  auto        = start

The same configuration can be used on both sides. Each side will figure out if it is “left” or “right”. The IPsec site-to-site tunnel endpoints are 2001:db8:1::1 and 2001:db8:2::1. The protected subnets are 2001:db8:a1::/64 and 2001:db8:a2::/64. As a result, strongSwan configures the following policies in the kernel:

$ ip xfrm policy
src 2001:db8:a1::/64 dst 2001:db8:a2::/64
        dir out priority 399999 ptype main
        tmpl src 2001:db8:1::1 dst 2001:db8:2::1
                proto esp reqid 4 mode tunnel
src 2001:db8:a2::/64 dst 2001:db8:a1::/64
        dir fwd priority 399999 ptype main
        tmpl src 2001:db8:2::1 dst 2001:db8:1::1
                proto esp reqid 4 mode tunnel
src 2001:db8:a2::/64 dst 2001:db8:a1::/64
        dir in priority 399999 ptype main
        tmpl src 2001:db8:2::1 dst 2001:db8:1::1
                proto esp reqid 4 mode tunnel
[…]

This kind of IPsec tunnel is a policy-based VPN: encapsulation and decapsulation are governed by these policies. Each of them contains the following elements:

Join Global Celebrations to Inspire the World

The Internet Society’s story has been 25 years in the making.

The foundation for a global community of people dedicated to bringing the Internet to everyone started in 1992. We have come a long way since then, and today our mission has never been more important or challenging.

This milestone year presents a unique opportunity for us all to reflect on our rich heritage, and to consider how we can impact the Internet for the next 25 years. Our community has a critical role in guiding the decisions that must now be taken for the future Internet in today’s rapidly changing world.

Ms. Kathryn Brown

BrandPost: SD-WAN Delivers Real Business Outcomes to Cloud-first Enterprises

Analysts agree that SD-WAN is the way forward for enterprises supporting cloud-first initiatives. Everywhere you turn it seems someone is writing about SD-WAN, the trends and how to select the right solution. For example, Andrew Lerner from Gartner recently wrote a blog about SD-WAN going mainstream. I’ve also spent time talking about lessons we’re learning from our customers. In fact, earlier this summer I authored an article that ran on Network World that highlighted key SD-WAN solution evaluation criteria.

Automating network troubleshooting with NetQ + Ansible

Network Automation is so hot right now! Joking aside, DevOps tools like Ansible, Puppet, Chef and Salt as well as proprietary tools like Apstra are becoming all the rage in computer networks everywhere. There are python courses, network automation classes and even automation focused events for the first time in the history of computer networks (or at least it feels like it).

For this blog post I want to focus on automating network troubleshooting, the forgotten stepchild of network automation tasks. I think most automation tools focus on provisioning (or first time configuring) because so many network engineers are new to network automation in general. While I think that is great (and I want to encourage everyone to automate!) I think there is so much more potential for network automation. I am introducing Sean’s third category of automation use-cases — OPS!

I want to combine Cumulus NetQ, a fabric validation system, with Ansible to:

  • Figure out IF there is a problem (solved by NetQ)
  • Figure out WHAT the problem is (solved by NetQ)
  • FIX the problem (solved by Ansible)
  • AUTOMATE the above 3 tasks (solved by Ansible)

Because I think looking at terminal windows is super boring (no

Understanding the prevalence of web traffic interception

This is a guest post by Elie Bursztein who writes about security and anti-abuse research. It was first published on his blog and has been lightly edited.

This post summarizes how prevalent encrypted web traffic interception is and how it negatively affects online security, according to a study published at NDSS 2017 authored by several researchers including the author of this post and Nick Sullivan of Cloudflare. We found that between 4% and 10% of the web’s encrypted traffic (HTTPS) is intercepted. Analyzing these intercepted connections further reveals that, while not always malicious, interception products most often weaken the encryption used to secure communication and put users at risk.

This blog post presents a short summary of our study’s key findings by answering the following questions:

  1. How is encrypted web traffic intercepted? This section offers a short recap of how man-in-the-middle (MITM) interception is performed.
  2. How prevalent is HTTPS interception? This section explains how we measured the prevalence of HTTPS interception in the 8 billion connections we analyzed. Next, it summarizes the key trends observed when grouping these interceptions by OS (operating system), browser, and network.
  3. Who is intercepting secure web communication and why? This section provides an overview of

Today’s property rules don’t work in our IoT world

Property and ownership are among the most basic concepts of a modern society. Our ability to clarify who owns what separates us from savages because property and ownership help us maintain our independence and identity. The rules of property and ownership have evolved over centuries. There are clear transfer procedures for all types of property, including real estate, cars and even books. The problem is these age-old concepts are not holding up in our connected and digital world. “Property ownership as we know it is under attack and fading fast,” writes Joshua Fairfield in his book Owned: Property, Privacy, and the New Digital Serfdom. “The Internet of Things and digital property ownership systems are being built on the old feudal model.”

61% off this 3-foot Anker Powerline+ USB C to USB 3.0 Cable – Deal Alert

This USB C to USB 3.0 cable from Anker merges seamless connectivity, premium materials and market benchmark production techniques. It features a double-braided nylon exterior, toughened aramid fiber core and laser-welded connectors with superior toughness end-to-end, and super fast 5Gbps data transfer speeds. Right now you can pick up the 3-foot version for 61% off, or just $10.19. See it on Amazon.

Email delivery is stuck on IPv4

Generally speaking, there is nothing that people want to talk about less than email delivery, and for good reason: email is continuously seen as one of those archaic protocols that everyone wants to improve but unfortu

Lifting the Hood on Cisco Software Defined Access

If you’re an IT professional and you have at least a minimal awareness of what Cisco is doing in the market and you don’t live under a rock, you would’ve heard about the major launch that took place in June: “The network. Intuitive.” The anchor solution to this launch is Cisco’s Software Defined Access (SDA) in which the campus network becomes automated, highly secure, and highly scalable.

The launch of SDA is what’s called a “Tier 1” launch where Cisco’s corporate marketing muscle is fully exercised in order to generate as much attention and interest as possible. As a result, there’s a lot of good high-level material floating around right now around SDA. What I’m going to do in this post is lift the hood on the solution and explain what makes the SDA network fabric actually work.

SDA’s (Technical) Benefits

Let’s examine the benefits of SDA through a technical lens (putting aside the business benefits we’ve been hearing about since the launch).

  • Eliminates STP (!!). How many years have we been hearing about this in the data center?? Now the same is true in the campus network as well. STP can finally be left in the