Set Up PKI Service on a Cisco Router
This is how I tend to create a PKI service on a Cisco router. Some of the details here were non-obvious to me after reading the documentation several times. Maybe I can save somebody else a headache or two.First, create a directory for the PKI server to work in. This step may be optional if the router is going to be using some network-based storage for all of its elements, but I find it handy to have, and it's easy to move things around afterward. I like using removable media when keeping things on routers, so that it's easy to snag the critical data if there's a hardware failure.
mkdir usbflash:/MY_ROOT_CA
Next, generate an RSA keypair. It needs to be exportable, which is the reason I'm doing it manually, rather than let the router generate it automatically at CA startup. Name it the same as the CA will be named in the crypto pki server <whatever> configuration section.
crypto key generate rsa label MY_ROOT_CA modulus 2048 exportable storage nvram:
Now export the keys. Having a copy of them squirreled away somewhere will be absolutely critical if you ever need to replace the CA. Replacing the CA will be Continue reading
NFV and SDN: What’s the Difference Two Years Later?
Two years later it's time for an update.
Edgewater Networks Featured White Paper: SaaS Model Gives an Enterprise Feel to SMB Security
In this featured white paper from Edgewater Networks, we learn how an SaaS model gives an enterprise feel to SMB security. Download the white paper now to read more.
Telefónica Releases OpenMANO Code for NFV
Now you can have a Telefónica NFV MANO stack of your very own.
Wireshark tid-bit: Using profiles & Coloring rules
Well, my first draft got lost in the cloud so let’s try this again! The more you use Wireshark and the more familiar you get with protocols / packet analysis the quicker you realize what you may need to for. Luckily for us, if we know what we are looking for we can configure Wireshark […]
[SDN Protocols] Part 5 – NETCONF
For those that followed my SDN Protocols series last summer, you might have noticed a missing entry: NETCONF. This protocol has actually existed for some time (the original now-outdated specification was published in 2006), but is appearing more often, especially in discussions pertaining to network automation. The current, updated specification – RFC6241 - covers a fairly large amount of material, so I will attempt to condense here.
NETCONF operates at the management layer of the network, and therefore plays a role similar to that of OVSDB. This is in contrast to protocols like OpenFlow which operate at the control plane.
A key difference between NETCONF and other management protocols (including SNMP) is that NETCONF is built around the idea of a transaction-based configuration model. The NETCONF specification provides for some optional device capabilities aimed at assisting operators with the lifecycle of configuring a network device, such as rolling back a configuration upon an error. Unfortunately, not all network devices support such capabilities, but the protocol was built to make it easier to discover what kind of capabilities a network device can support.
Configuration Datastores
Before getting into the semantics Continue reading
[SDN Protocols] Part 5 – NETCONF
For those that followed my SDN Protocols series last summer, you might have noticed a missing entry: NETCONF. This protocol has actually existed for some time (the original now-outdated specification was published in 2006), but is appearing more often, especially in discussions pertaining to network automation. The current, updated specification - RFC6241 - covers a fairly large amount of material, so I will attempt to condense here.
NETCONF operates at the management layer of the network, and therefore plays a role similar to that of OVSDB. This is in contrast to protocols like OpenFlow which operate at the control plane.
A key difference between NETCONF and other management protocols (including SNMP) is that NETCONF is built around the idea of a transaction-based configuration model. The NETCONF specification provides for some optional device capabilities aimed at assisting operators with the lifecycle of configuring a network device, such as rolling back a configuration upon an error. Unfortunately, not all network devices support such capabilities, but the protocol was built to make it easier to discover what kind of capabilities a network device can support.
Configuration Datastores
Before getting into the semantics of the NETCONF protocol itself, it’s worth briefly jumping ahead to address the Continue reading
Talk to the Dummy
You’ve hit brain freeze. It seemed like such a great idea at the time, but now that it’s 2am, the application is down, and you can’t find the problem, maybe it wasn’t after all. Or maybe it’s 4pm, and you’re sitting at your desk trying to figure out how to resolve a problem, or build a system. You’re completely stuck, and you’ve no idea what to do next.
In either case, it feels like you’ve researched every avenue, you’ve thought of every angle, you’ve gone over the problem time and time again, and your brain just can’t wrap around the problem any longer. You go back over the same material again and again, just trying to make sense of it.
You’ve hit brain freeze. What’s the solution?
Talk to the dummy.
No, I don’t mean your boss. And I don’t mean that person down the hall you think just doesn’t “get it.” We’ll cover that topic later. I mean, literally, the dummy. In the “old days,” there were software shops that would literally set aside an office for a dummy. There was a white board, a desk, and a dummy sitting behind the desk. Your job, as an engineer, Continue reading
Network Complexity
Network complexity plays a very important role during network design. Every network designer tries to find the simplest design. Although there is no standard definition for the network complexity yet, there are many subjective definitions. In today network designs decisions are taken based on an estimation of network complexity rather than absolute, solid answer. If… Read More »
The post Network Complexity appeared first on Network Design and Architecture.
Improving compression with a preset DEFLATE dictionary
A few years ago Google made a proposal for a new HTTP compression method, called SDCH (SanDwiCH). The idea behind the method is to create a dictionary of long strings that appear throughout many pages of the same domain (or popular search results). The compression is then simply searching for the appearance of the long strings in a dictionary and replacing them with references to the aforementioned dictionary. Afterwards the output is further compressed with DEFLATE.
CC BY SA 2.0 image by Quinn Dombrowski
With the right dictionary for the right page the savings can be spectacular, even 70% smaller than gzip alone. In theory, a whole file can be replaced by a single token.
The drawbacks of the method are twofold: first - the dictionary that is created is fairly large and must be distributed as a separate file, in fact the dictionary is often larger than the individual pages it compresses; second - the dictionary is usually absolutely useless for another set of pages.
For large domains that are visited repeatedly the advantage is huge: at a cost of single dictionary download, all the following page views can be compressed with much higher efficiency. Currently we aware Continue reading