Archive

Category Archives for "Networking"

Building a SQL-like language to filter flows

Akvorado collects network flows using IPFIX or sFlow. It stores them in a ClickHouse database. A web console allows a user to query the data and plot some graphs. A nice aspect of this console is how we can filter flows with a SQL-like language:

Filter editor in Akvorado console

Often, web interfaces expose a query builder to build such filters. I think combining a SQL-like language with an editor supporting completion, syntax highlighting, and linting is a better approach.

The language parser is built with pigeon (Go) from a parsing expression grammar—or PEG. The editor component is CodeMirror (TypeScript).

Language parser

PEG grammars are relatively recent and are an alternative to context-free grammars. They are easier to write and they can generate better error messages. Python switched from an LL(1)-based parser to a PEG-based parser in Python 3.9.

pigeon generates a parser for Go. A grammar is a set of rules. Each rule is an identifier, with an optional user-friendly label for error messages, an expression, and an action in Go to be executed on match. You can find the complete grammar in parser.peg. Here is Continue reading

Start Large netlab Topologies in Smaller Batches

It’s incredible how little CPU resources some network devices consume in a steady state – a netlab user managed to run almost 100 Mikrotik routers on a 24-core server. Starting them simultaneously (like vagrant up tries to do when used with the vagrant-libvirt plugin) is a different story. The router virtual machines are configured with two CPU cores for a good reason, and if they don’t get enough CPU cycles during the boot time, they get sluggish, Vagrant gives up, and the lab start procedure fails.

One could use a nasty workaround:

DDoS Protection 1. Collecting and Visualizing NetFlow Data from Nokia SR OS using FastNetMon (FNM).

Dear friend,

It wouldn’t be an overestimation to say that in the modern world the availability of online services plays one of the key roles in the success of any business: we buy, sell and use goods and services via the Internet from various private and public companies as well as governmental bodies. As such, if services are unavailable online, we, as consumers, cannot get what we need, and suppliers cannot provide the service (and, therefore, cannot make money). That’s why information security in general, and the protection of online services in particular, has become a hot topic these days.

Can Network Security Be Automated?

Absolutely it can be. Ensuring that the configuration of network devices and online services is in line with the security hardening blueprints is one of the most straightforward automation use cases; it provides significant value by reducing the attack surface to the set of services that are really needed. Besides that, there is the whole range of vulnerability scanning, software upgrades, and so on.

For these and other network security automation activities, we use the same set of tools as for “ordinary network automation”. Therefore, come and learn with us:

Continue reading

Review: Compulab Fitlet2

Fitlet

A while ago, in June 2021, we were discussing home routers that can keep up with 1G+ internet connections in the CommunityRack Telegram channel. Of course, at IPng Networks we are fond of the Supermicro Xeon D1518 [ref], which has a bunch of 10Gbit X522 and 1Gbit i350 and i210 Intel NICs, but it does come at a certain price.

For smaller applications, PC Engines APU6 [ref] is kind of cool and definitely more affordable. But, in this chat, Patrick offered an alternative, the [Fitlet2] which is a small, passively cooled, and expandable IoT-esque machine.

Fast forward 18 months, and Patrick decided to sell off his units, so I bought one off of him and decided to loadtest it. Considering the price tag (the unit I will be testing ships for around $400) and its ability to use (1G/SFP) fiber optics, it may be a pretty cool one!

Executive Summary

TL/DR: Definitely a cool VPP router, 3x 1Gbit line rate, A- would buy again

With some care on the VPP configuration (notably RX/TX descriptors), this unit can handle L2XC at (almost) line rate in both directions (2.94Mpps out of a theoretical 2.97Mpps), Continue reading

Hacking the Geberit Sigma 70 flush plate

My toilet is equipped with a Geberit Sigma 70 flush plate. The sales pitch for this hydraulic-assisted device praises the “ingenious mount that acts like a rocker switch.” In practice, the flush is very capricious and has a very high failure rate. Avoid this type of mechanism! Prefer a fully mechanical version like the Geberit Sigma 20.

After several plumbers, exchanges with Geberit’s technical department, and the expensive replacement of the entire mechanism, I was still getting a failure rate of over 50% for the small flush. I finally managed to decrease this rate to 5% by applying two 8 mm silicone bumpers on the back of the plate. Their locations are indicated by red circles on the picture below:

Geberit Sigma 70 flush plate. Above: the mechanism installed on the wall, which converts the mechanical press into a hydraulic impulse. Below: the back of the glass plate. In red, the two places where to apply the silicone bumpers.

Expect to pay about 5 € and as many minutes for this operation.

Heavy Networking 665: Augtera Network AI Automates NetOps And Works To Prevent Incidents (Sponsored)

The Packet Pushers' Heavy Networking podcast dives into sponsor Augtera and how its AI platform, purpose-built for networking, improves network operations and enables automation. We'll examine how Augtera works, how it aims to move beyond the automation of configurations to automate operations and fault management, the kinds of data it collects and how, and how customers are using Augtera in production networks.

The post Heavy Networking 665: Augtera Network AI Automates NetOps And Works To Prevent Incidents (Sponsored) appeared first on Packet Pushers.

Video: Kubernetes SDN Architecture

Stuart Charlton started the Kubernetes Networking Deep Dive webinar with an overview of basic concepts including the networking model and services. After covering the fundamentals, it was time for The Real Stuff: Container Networking Interface, starting with an overview of Kubernetes SDN architecture.

Parts of Kubernetes Networking Deep Dive webinar (including this video) are available with Free ipSpace.net Subscription.

Migrating Cisco FabricPath and Classic Ethernet Environments to VXLAN BGP/EVPN over a 400Gb-based Clos Topology, part 1 – the why

During the past three years, I have spent a good portion of my time testing, planning, designing, and then migrating our DC network from Cisco FabricPath and Classic Ethernet environments to VXLAN BGP/EVPN. And simultaneously, from a hierarchical classic two-tier architecture to a more modern Clos 400Gb-based topology. The migration is not yet 100% completed, but it is well underway. And I have gained significant experience on the subject, so I think it’s time to share my knowledge and experiments with our community. This is my first post on this…

The post Migrating Cisco FabricPath and Classic Ethernet Environments to VXLAN BGP/EVPN over a 400Gb-based Clos Topology, part 1 – the why appeared first on AboutNetworks.net.

5G hits the streets of New York

With 56% of New York City households lacking both home and mobile broadband connections, a consortium is taking steps to supply at least mobile access via sidewalk kiosks, the latest of which include 5G.

Called Link5G, these kiosks also provide free Wi-Fi access, a built-in tablet to access maps and other resources including phone connections, a USB port to charge mobile devices, a jack for headsets, and a button to make 911 calls. Some also include two 55-inch screens for digital signage that can provide the city with ad revenue to help pay for the kiosks. Perhaps the most interesting feature, though, is the 5G cellular antennas near the top of the 32-foot structures.

The MITRE ATT&CK framework explained: Discerning a threat actor’s mindset

This is part 2 of the blog series on the MITRE ATT&CK framework for container security, where I explain and discuss the MITRE ATT&CK framework. For those who are not familiar with what the MITRE framework is, I encourage you to read part 1.

In my previous blog post, I explained the first four stages of the MITRE ATT&CK framework and the tactics used by adversaries to gain a foothold in the network or the environment within a containerized application. What happens next?

Imagine a military battalion trying to invade its enemy’s territory. What would a soldier do once they’ve infiltrated the opposition? They would take cover and wait for the right opportunity to attack. Similarly, in cyber crime, an attacker will take time to make sure they evade any type of defense that has been put in place. This is the fifth stage in the MITRE ATT&CK framework. In this article, I will explore this fifth stage, along with stages six through nine, and look at how Calico can help mitigate the attack techniques used in these stages.

Fig 1: MITRE ATT&CK framework for containers. Source: Mitre Corporation

Delivery and exploitation tactics

Defense evasion

Many security solutions offer Continue reading

How Digital Transformation Is Eroding NetOps Visibility And Control

The following post is by Jeremy Rossbach, Chief Technical Evangelist, Broadcom. We thank Broadcom for being a sponsor. When it comes to cloud adoption, hybrid approaches are the reality for the vast majority of large organizations today. While some may solely be running workloads in a legacy on-premises data center and others may run 100% […]

The post How Digital Transformation Is Eroding NetOps Visibility And Control appeared first on Packet Pushers.

Joining lines of text on Linux

There are a number of ways to join multiple lines of text and change delimiters if needed. This article shows two of the easier ways to do this and explains the commands.

Using the tr command

The tr command is quite versatile. It’s used to make many types of changes to text files, but it can also flatten multiple lines into one by replacing newline characters with blanks. It does, however, remove the final newline as well. Note the $ prompt at the end of the second line. That's a clue!

    $ tr '\n' ' ' < testfile
    This is a file that I can use for testing. $
    $ tr '\n' ' ' < testfile > newfile

To fix this problem, you can add a newline to the end of the file with an echo command like this: