Border6 Non-Stop Internet: a Commercial BGP-Based SDN
Several SDN solutions that coexist with the traditional control- and data planes instead of ripping them out and replacing them with the new awesomesauce use BGP to modify the network’s forwarding behavior.
Border6 decided to turn that concept into a commercial product that we dissected in Episode 12 of Software Gone Wild podcast.
Enjoy the show (this time in video format).
Automation – Is the cart before the horse?
Over the last year I’ve had the opportunity to hear about lots of new and exciting products in the network and virtualization world. The one clear takeaway from all of these meetings has been that the vendors are putting a lot of their focus into ensuring their product can be automated. While I agree that any new product on the market needs to have a robust interface, I’m also sort of shocked at the way many vendors are approaching this. Before I go further, let me clarify two points. First, when I say ‘interface’ I’m purposefully being generic. An interface can be a user interface, it could be a REST interface, a Python interface, etc. Basically, its any means in which I, or something else, can interact with the product. Secondly, I’ll be the first person to tell you that any new product I look at should have a usable REST API interface. Why do I want REST? Simple, because I know that’s something that most automation tools or orchestrators can consume.
So what’s driving this? Why are we all of a sudden consumed with the need to automate Continue reading
IPv6 to IPv4 basic setup
Lab goal
Configure Alteon to serve IPv6 clients. The servers should use IPv4.
The IPv6 VIP should be fc00:85::10.
The IPv6 VIP should be fc00:85::10.
Setup
The loadbalancer is Radware's Alteon VA version 29.5.1.0
The initial Alteon VA configuration can be found here.
Below is the IPv4 real servers configuration which we will use as a base config.
Below is the IPv4 real servers configuration which we will use as a base config.
1 | /c/slb/real 1 |
Alteon configuration
All we need to do is create a new virt/VIP and assign it with IPv6 address.
Notice that we need the pip which is Proxy IP, a.k.a SNAT. Since we translating from IPv6 to IPv4 we need Alteon to act as a proxy and for that it needs IPv4 address to communicate with the real servers.
1 | /c/slb/virt v6_85_10 |
Notice that we need the pip which is Proxy IP, a.k.a SNAT. Since we translating from IPv6 to IPv4 we need Alteon to act as a proxy and for that it needs IPv4 address to communicate with the real servers.
Test
Summary
That was really simple, wasn't it? Just change the virt/VIP to be IPv6 and we have IPv6 to IPv6 gateway.
Killer Apps in the Gigabit Age | Pew Research Center’s Internet & American Life Project
Very, very funny quote in the Pew Research Report: How could people benefit from a gigabit network? One expert in this study, David Weinberger, a senior researcher at Harvard’s Berkman Center for Internet & Society, predicted, “There will be full, always-on, 360-degree environmental awareness, a semantic overlay on the real world, and full-presence massive open […]
The post Killer Apps in the Gigabit Age | Pew Research Center’s Internet & American Life Project appeared first on EtherealMind.
ECDSA and DNSSEC
Yes, that's a cryptic topic, even for an article that addresses matters of the use of cryptographic algorithms, so congratulations for getting even this far! This is a report of a an experiment conducted in September and October 2014 by the authors to measure the extent to which deployed DNSSEC-validating resolvers fully support the use of the Elliptic Curve Digital Signature Algorithm (ECDSA) with curve P-256.AS-Path Filtering
Before we get into the how, let’s talk about the why. According to the CIDR Report, the global IPv4 routing table sits at about 525,000 routes, it has doubled in size since mid 2008 and continues to press upwards at an accelerated rate. This momentum, which in my estimate started around 2006, will most likely never slow down. As network engineers, what are we to do? Sure, memory is as plentiful as we could ask for, but what of TCAM? On certain platforms, like the 7600/6500 on the Sup720 and even some of the ASR1ks we have already surpassed the limits of what they can handle (~512k routes in the FIB). While it is possible to increase the TCAM available for routing information, there are other solutions that don’t include replacing hardware just yet.
As far as I know, adjusting TCAM partitioning on the ASR1000 is not possible at this time.
Before I get too deep into this, I should clarify as many of you (yes, I’m looking at you Fry) are asking yourselves why is an ISP running BGP on a 6500… Many of my customers are small ISPs or data centers that have little to no Continue reading
Why Network Automation Won’t Kill Your Job
I’ve been focusing lately on shortening the gap between traditional automation teams and network engineering. This week I was fortunate enough to attend the DevOps 4 Networks event, and though I’d like to save most of my thoughts for a post dedicated to the event, I will say I was super pleased to spend the time with the legends of this industry. There are a lot of bright people looking at this space right now, and I am really enjoying the community that is emerging.
I’ve heard plenty of excuses for NOT automating network tasks. These range from “the network is too crucial, automation too risky” to “automating the network means I, as a network engineer, will be put out of a job”.
To address the former, check out Ivan Pepelnjak’s podcast with Jeremy Schulman of Schprokits, where they discuss blast radius (regarding network automation).
I’d like to talk about that second excuse for a little bit, because I think there’s an important point to consider.
A Recent Example
A few years back, I was working for a small reseller helping small companies consolidate their old physical servers into a cheap cluster of virtual hosts. For every sizing discussion that Continue reading
When they throw a Cisco guy to do something with HP networking gear
How does the internet work - We know what is networking
…There’s a nice little pdf to get you through HP is aware that most of networking engineers start their learning process in Cisco Networking Academy. Is is a normal course of events if you want to learn networking. Cisco has the very best study materials and best, carefully developed syllabus that is both high quality […]
When they throw a Cisco guy to do something with HP networking gear
Certified Application to Network Isomorphism Engineer, anyone?
There has been a recurrent debate over the last few years on the future of CCIEs, or more broadly network engineers as we know (and love) them today. While certainly calls for the “death of the CCIE” are certain to grab eyeballs, as always the more probably truth is more nuanced and tricky to predict. Certainly change is coming, but it is important to understand the true value of the present network engineer and how that maps into the future we expect.
Why would network engineers die?
Apart from a deadly virus outbreak transmitted by TCPDump, or for the true preppers out there – the distant alien race whose network engineers have all died out and who are coming to claim ours – the vast disappearance of all network engineers is most likely hyperbole. Yet it is probably fair to say that specific skills that network engineers have long used to compare or present their own value, attributes like the CCIE certification, are diminishing in the value they present to the market. The reason is pretty simple – while a CCIE (or JNCIE, etc) certification implies a thorough knowledge of overall network engineering theories and concepts and a detailed understanding Continue reading
Networking Is Not as Special as We Think It Is
I was listening to the Packet Pushers show #203 – an interesting high-level discussion of policies (if you happen to be interested in those things) – and unavoidably someone had to mention how the networking is all broken because different devices implement the same functionality in different ways and use different CLI/API syntax.
Read more ...Why Network Automation Won’t Kill Your Job
I’ve been focusing lately on shortening the gap between traditional automation teams and network engineering. This week I was fortunate enough to attend the DevOps 4 Networks event, and though I’d like to save most of my thoughts for a post dedicated to the event, I will say I was super pleased to spend the time with the legends of this industry. There are a lot of bright people looking at this space right now, and I am really enjoying the community that is emerging.Why Network Automation Won’t Kill Your Job
I’ve been focusing lately on shortening the gap between traditional automation teams and network engineering. This week I was fortunate enough to attend the DevOps 4 Networks event, and though I’d like to save most of my thoughts for a post dedicated to the event, I will say I was super pleased to spend the time with the legends of this industry. There are a lot of bright people looking at this space right now, and I am really enjoying the community that is emerging.SSLv3 Support Disabled By Default Due to POODLE Vulnerability
For the last week we've been tracking rumors about a new vulnerability in SSL. This specific vulnerability, which was just announced, targets SSLv3. The vulnerability allows an attacker to add padding to a request in order to then calculate the plaintext of encryption using the SSLv3 protocol. Effectively, this allows an attacker to compromise the encryption when using the SSLv3 protocol. Full details have been published by Google in a paper which dubs the bug POODLE (PDF).
Generally, modern browsers will default to a more modern encryption protocol (e.g., TLSv1.2). However, it's possible for an attacker to simulate conditions in many browsers that will cause them to fall back to SSLv3. The risk from this vulnerability is that if an attacker could force a downgrade to SSLv3 then any traffic exchanged over an encrypted connection using that protocol could be intercepted and read.
In response, CloudFlare has disabled SSLv3 across our network by default for all customers. This will have an impact on some older browsers, resulting in an SSL connection error. The biggest impact is Internet Explorer 6 running on Windows XP or older. To quantify this, we've been tracking SSLv3 usage.
SSLv3 Continue reading
vPC order of operations
Cisco Nexus can be very temperamental or capricious (pick the one you prefer ) and the vPC technology is not an isolated case. There is a certain way to configure vPC and we will see that in that blogpost. The following topology will be used: Enabling the feature Obviously we need to activate the […]Network Dictionary – Invariant
I use the term "invariant" quite regularly when designing networks. It sounds fancy.
The post Network Dictionary – Invariant appeared first on EtherealMind.
Don’t Be Afraid of Changing Jobs
Some people are corporate survivors, sticking with one company for decades. Some people move around when it suits, while others would like to move, but are fearful of change. Here’s a few things I’ve learnt about adapting to new work environments. It’s not that scary.
Corporate Survivors
We’ve all seen the people who seem to survive in a corporate environment. They seem to know everyone, and almost everything about the business. Return to a company after 10 years, and they’re still there. Somehow they survive, through mergers, acquisitions, and round after round of re-organisation. But often they seem to be doing more or less the same job for years, with little change.
Why Do People Stay?
There’s four possible reasons for staying at a job for a long time:
- You’re really happy with what you do, and you’re well looked after.
- You just don’t care. You come to work to eat your lunch and talk to your friends. You don’t care how you’re treated, or what work you do, as long as you get paid.
- This is the only possible job you can get, due to location/skills/whatever.
- You’re comfortable where you are, and you’re scared of moving, scared of what Continue reading
OpenStack and Cumulus Linux: Two Great Tastes that Taste Great Together
OpenStack is a very popular open source technology stack used to build private and public cloud computing platforms. It powers clouds for thousands of companies like Yahoo!, Dreamhost, Rackspace, eBay, and many more.
Why drives its popularity? Being open source, it puts cloud builders in charge of their own destiny, whether they choose to work with a partner, or deploy it themselves. Because it is Linux based, it is highly amenable to automation, whether you’re building out your network or are running it in production. At build time, it’s great for provisioning, installing and configuring the physical resources. In production, it’s just as effective, since provisioning tenants, users, VMs, virtual networks and storage is done via self-service Web interfaces or automatable APIs. Finally, it’s always been designed to run well on commodity servers, avoiding reliance on proprietary vendor features.
Cumulus Linux fits naturally into an OpenStack cloud, because it shares a similar design and philosophy. Built on open source, Cumulus Linux is Linux, allowing common management, monitoring and configuration on both servers and switches. The same automation and provisioning tools that you commonly use for OpenStack servers you can also use unmodified on Cumulus Linux switches, giving a single Continue reading
MindshaRE: Statically Extracting Malware C2s Using Capstone Engine
It’s been far too long since the last MindshaRE post, so I decided to share a technique I’ve been playing around with to pull C2 and other configuration information out of malware that does not store all of its configuration information in a set structure or in the resource section (for a nice set of publicly available decoders check out KevTheHermit’s RATDecoders repository on GitHub). Being able to statically extract this information becomes important in the event that the malware does not run properly in your sandbox, the C2s are down or you don’t have the time / sandbox bandwidth to manually run and extract the information from network indicators.
Intro
To find C2 info, one could always just extract all hostname-/IP-/URI-/URL-like elements via string regex matching, but it’s entirely possible to end up false positives or in some cases multiple hostname and URI combinations and potentially mismatch the information. In addition to that issue, there are known families of malware that will include benign or junk hostnames in their disassembly that may never get referenced or only referenced to make false phone-homes. Manually locating references and then disassembling using a disassembler (in my case, Capstone Engine) can help Continue reading
VMware Meets The Physical Network — What If?
With other acquisition rumors floating around, I figured I would add my own 2 cents and do some speculating.
It’s not uncommon to hear that VMware might acquire Cumulus. Like others, it’s one acquisition that I’ve speculated about for a while. There is already an interesting dynamic between Cisco and VMware, but as both companies continue to go to market with their Software Defined Networking (SDN), or controller based solutions, VMware still needs to run over a physical data center network. The physical network market is still largely dominated by Cisco though. Does VMware want or need to control the physical network?
It’s not uncommon to hear that VMware might acquire Cumulus. Like others, it’s one acquisition that I’ve speculated about for a while. There is already an interesting dynamic between Cisco and VMware, but as both companies continue to go to market with their Software Defined Networking (SDN), or controller based solutions, VMware still needs to run over a physical data center network. The physical network market is still largely dominated by Cisco though. Does VMware want or need to control the physical network?
Extending the SDDC
If VMware took their network strategy one step further and kept true to the Software Defined Data Center (SDDC), they would need a network operating system (NOS) that could run on approved hardware, e.g. hardware compatibility list (HCL). They need a bare metal (white box) switch company. Cumulus fits this build well because they are focused on creating open IP fabrics using tried and true protocols and already have their own HCL. They’ve also already partnered with VMware and support VXLAN termination on certain platforms. Continue reading
If VMware took their network strategy one step further and kept true to the Software Defined Data Center (SDDC), they would need a network operating system (NOS) that could run on approved hardware, e.g. hardware compatibility list (HCL). They need a bare metal (white box) switch company. Cumulus fits this build well because they are focused on creating open IP fabrics using tried and true protocols and already have their own HCL. They’ve also already partnered with VMware and support VXLAN termination on certain platforms. Continue reading
The Current State of SDN Protocols
The Current State of SDN Protocols
by Hariharan Ananthakrishnan, Distinguished Engineer - October 14, 2014
In last week’s blog post I started outlining the various standards needed to make SDN a reality. Here is more detail about the relevant protocols and the IETF’s progress on each one.
OpenFlow has emerged as a Layer 2 software defined networking (SDN) southbound protocol. Similarly, Path Computation Element Protocol (PCEP), BGP Link State Distribution (BGP-LS), and NetConf/YANG are becoming the de-facto SDN southbound protocols for Layer 3. The problem is that these protocols are stuck in various draft forms that are not interoperable, which limits the industry’s SDN progress.
Path Computation Element Protocol (PCEP)
PCEP is used for communicating Label Switched Paths (LSPs) between a Path Computation Client (PCC) and a Path Computation Element (PCE). PCEP has been in use since 2006. The stateful [draft-ietf-pce-stateful-pce] and PCE-initiated LSP [draft-ietf-pce-pce-initiated-lsp] extensions were added more recently and enable PCEP use for SDN deployments. The IETF drafts for both extensions have not yet advanced to “Proposed Standard” status after more than two years.
Because the drafts went through many significant revisions, vendors are struggling to keep up with the Continue reading