Category Archives for "Networking"

Protocol Spotlight: DLEP

Dynamic Link Exchange Protocol is a mechanism by which link layer devices (probably radio modems) can communicate neighbor reachability information to IP routers using those radios.

Radio interfaces are frequently variable sub-rate interfaces. Path selection is a huge challenge with this sort of handoff, because not only is the available bandwidth less than the speed of the handoff interface, it's a moving target based on RF conditions from moment-to-moment. DLEP provides a flexible framework for communicating link performance and other parameters to the router so that it can make good path selection decisions.

It's obviously handy for point-to-point links, but that's not where it gets really interesting.

Consider the following network topology:


We have four routers sharing a broadcast network (10.0.0.0/24), each with a satellite backup link. Simple stuff, right?

But what if that 10.0.0.0/24 network isn't an Ethernet segment at all, but an ad-hoc mesh of microwave radio modems, with the routers scattered among various vehicles, drones and robots?


The radios know the topology of the mesh in real time, but the routers plugged into those radios do not.

Wasting microwave bandwidth with BFD packets would be silly because it won't tell

No more security fixes for older OpenSSL branches

The OpenSSL Software Foundation has released new patches for the popular open-source cryptographic library, but for two of its older branches they will likely be the last security updates. This could spell trouble for some enterprise applications that bundle the 0.9.8 or 1.0.0 versions of OpenSSL and for older systems, embedded devices in particular, where updates are rare. OpenSSL 1.0.0t and 0.9.8zh, which were released Thursday, are expected to be the last updates because support for these two branches will end on Dec. 31, as listed in the organization's release strategy document.

New attack campaign against SMBs uses a botnet to deliver PoS malware

A group of sophisticated attackers is repurposing penetration testing tools to break into the networks of small and medium-size businesses worldwide with the goal of infecting point-of-sale systems with malware. The new attack campaign started in September and has been dubbed operation Black Atlas by researchers from antivirus vendor Trend Micro. The attackers use a wide set of tools to scan the Internet and identify potential weak spots in the networks of various organizations, the researchers said. Their toolset includes port scanners, brute-force password guessing tools, SMTP (Simple Mail Transfer Protocol) scanners, remote desktop viewers and other attack applications that are easy to find on the Internet.

Enterprises Need to Improve IT Vendor Risk Management

I had the pleasure of attending a presentation given by Dr. Ron Ross, a fellow at the National Institute of Standards and Technology (NIST). Ron’s areas of specialization include information security, risk management, and systems security engineering. In his presentation, Dr. Ross delivered a bit of a counterintuitive message on cybersecurity by stating, "We have to stop obsessing about threats and start focusing on asset protection." To drive home this point, Dr. Ross added, "If 90% of our bridges were failing, we’d mobilize teams of engineers right away. Yet when 90% of our IT systems are insecure, we focus a good part of our attention on external threats."

Encryption backdoors will make us all more vulnerable

The author has written 29 technical books and is Managing Partner of Ascent Solutions, which provides marketing services to tech sector companies. In the aftermath of the Paris attacks, one of the memes being perpetuated by “security professionals” is that the terrorists used encrypted communications, enabling them to plan and coordinate their activities without raising suspicion among the intelligence community. Now there is a knee-jerk reaction among politicians in Washington to force encryption providers to build “backdoors” into their software that would allow government agencies to easily decode communications in their effort to identify potential terrorists. They say this is essential to keeping us all safe and that we must stop crying about the loss of personal privacy.

HTTP/2 is here! Goodbye SPDY? Not quite yet

Why choose, if you can have both? Today CloudFlare is introducing HTTP/2 support for all customers using SSL/TLS connections, while still supporting SPDY. There is no need to make a decision between SPDY or HTTP/2. Both are automatically there for you and your customers.

Enabling HTTP/2

If you are a customer on the Free or Pro plan, there is no need to do anything at all. Both SPDY and HTTP/2 are already enabled for you. With this improvement, your website’s audience will always use the fastest protocol version when accessing your site over TLS/SSL.

Customers on Business and Enterprise plans may enable HTTP/2 within the "Network" application of the CloudFlare Dashboard.

Enabling HTTP/2 in the CloudFlare dashboard

HTTP/2 is here!

In February of 2015, the IETF’s steering group approved the HTTP/2 and associated HPACK specifications for publication as standards-track RFCs.

After more than 15 years, the Hypertext Transfer Protocol (HTTP) received a long-overdue upgrade. HTTP/2 is largely based on Google's experimental SPDY protocol, which was first announced in November 2009 as an internal project to increase the speed of the web.

Benefits of HTTP/2 and SPDY

The main focus of both SPDY and HTTP/2 is on performance, especially latency as perceived by the end-user while using

New legislation aims at stalling NSA reform

A new bill introduced in the Senate aims to let the U.S. National Security Agency hold on for five years to phone records collected by the agency, while also making permanent some anti-terrorist provisions that have been criticized by civil rights groups. Senator Tom Cotton, a Republican from Arkansas, said Wednesday he would introduce the "Liberty Through Strength Act II" to require the federal government to hold on to the legacy phone metadata of Americans for five years and authorize its use for queries. Last month the Senator introduced legislation, also called the Liberty Through Strength Act, that would delay the end of the NSA's bulk collection of phone metadata of Americans to Jan. 31, 2017, in the wake of security concerns after the terror attacks in Paris. The bill was introduced a little before the Thanksgiving break.

DDoS attacks are more than disruptions to service

Distributed denial-of-service attacks have increased in complexity so that they are no longer just an annoyance causing a disruption in service. Criminals are using these attacks as a distraction while targeting sensitive data, leaving enterprises to pay for lost business and breach recovery. Any conversation that involved breaches this year included the statement, “It’s not if but when.” The expectation has become, as IDC’s Christina Richmond, program director, security services, said, “Breach is a foregone conclusion.” For many companies, the attacks are frequent and more advanced. Richmond said, "Distributed-denial-of-service attacks are no longer an isolated event. Sophisticated attacks hit companies of all sizes, in all industries.”

Why Electronic Health Records aren’t more usable

Federal government incentives worth about $30 billion have persuaded the majority of physicians and hospitals to adopt electronic health record (EHR) systems over the past few years. However, most physicians do not find EHRs easy to use. Physicians often have difficulty entering structured data in EHRs, especially during patient encounters. The records are hard to read because they're full of irrelevant boilerplate generated by the software and lack individualized information about the patient. Alerts frequently fire for inconsequential reasons, leading to alert fatigue. EHRs from different vendors are not interoperable with each other, making it impossible to exchange information without expensive interfaces or the use of secure messaging systems.

Searching for routes with non-IP address next-hops

I am searching in a series of large Redback config files for certain things, and I’m beginning to find Regex and Atom really powerful for this. The files are sometimes 20,000 lines long, and there are over 100 of them.

Of course I should script this, and someone more script-savvy than me would do that in a trice, but I’ve come up with a partly manual solution. Perhaps I will build it into a script later.

What I need to do is search each file for any ‘ip route’ commands that have a named interface as a next-hop rather than an IP address. So to do this, I am doing inverse-matching on four sets of numbers separated by dots.

I also need to exclude the keyword ‘context’ and the interface ‘null0’. This took me a while to figure out.

Here’s my pattern match:

ip route [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+ (?![0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|context|null0)

This matches the string:

 ip route 172.21.0.0/16 MADEUPINTERFACE

But not:

 ip route 172.16.4.0/24 10.0.0.1

The expression is not very accurate, since it could match IP addresses like 999.999.999.999, but that does not matter in
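Scripting the search the post describes, as an added example that is not the author's code: the post's pattern with its dots escaped so they only match literal dots, plus a stricter IPv4 variant that closes the 999.999.999.999 gap the post mentions, both run over a constructed sample of Redback-style config lines.

```python
import re
import sys

# Constructed sample of Redback-style config lines (not from the original post).
SAMPLE_CONFIG = """\
context local
 ip route 172.21.0.0/16 MADEUPINTERFACE
 ip route 172.16.4.0/24 10.0.0.1
 ip route 192.168.10.0/24 context transit
 ip route 10.99.0.0/16 null0
 ip route 0.0.0.0/0 10.0.0.254
 ip route 10.50.0.0/16 to-customer-A
 ip route 999.999.999.999/24 FAKEIF
"""

# The post's pattern with the dots escaped. The negative lookahead rejects a
# dotted-quad next-hop and the keywords 'context' and 'null0', so only routes
# whose next-hop is a named interface survive.
LOOSE_IFACE_NEXTHOP = re.compile(
    r"ip route [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+ "
    r"(?![0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|context|null0)"
)

# Stricter variant: real octets (0-255) and a real prefix length (0-32), so a
# bogus destination like 999.999.999.999/24 is not treated as a route at all.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"
STRICT_IFACE_NEXTHOP = re.compile(
    rf"ip route {IPV4}/(?:3[0-2]|[12]?[0-9]) (?!{IPV4}(?:\s|$)|context\b|null0\b)"
)


def interface_routes(config_text, pattern=LOOSE_IFACE_NEXTHOP):
    """Return the stripped 'ip route' lines whose next-hop is a named interface."""
    return [line.strip() for line in config_text.splitlines() if pattern.search(line)]


if __name__ == "__main__":
    # Usage: python find_iface_routes.py config1.txt config2.txt ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for hit in interface_routes(fh.read(), STRICT_IFACE_NEXTHOP):
                print(f"{path}: {hit}")
```

With no file arguments the script prints nothing; run it against the saved config files to get one line per hit, prefixed with the file name.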

Hosted bare metal emerges as alternative to IaaS cloud

AppLovin is a 4-year-old marketing platform that places advertisements in mobile apps. And it’s a data-intensive business, to say the least. When AppLovin learns of an advertising opportunity in an app, the company has 100 milliseconds to decide if it will bid on the spot in a real-time auction. If it wins the bid, it consults a database storing billions of user preferences to serve an ad personalized to that user. AppLovin processes about 30 billion to 50 billion actions per day, all of which need to happen in millisecond timeframes and on a global basis. The company started as a customer of Amazon Web Services' IaaS public cloud. But in the past few years CTO John Krystynak, an early VMware employee, has moved AppLovin’s operations to another platform: hosted bare metal infrastructure.

Sometimes It’s Not the Network

Marek Majkowski published an awesome real-life story on the CloudFlare blog: users experienced occasional short-term sluggish performance, and while everything pointed to a network problem, it turned out to be a garbage collection problem in the Linux kernel.

Takeaway: It might not be the network's fault.

Also: How many people would be able to troubleshoot that problem and fix it? Technology is becoming way too complex, and I don’t think software-defined-whatever is the answer.