Weird looking poodle, right? *coughs* With the recent SSLv3 Poodle vulnerability being disclosed, there has been a rush to disable SSLv3. But if you manage quite a few web sites, how can you quickly check whether or not you are vulnerable? Better still, if you know you have vulnerable sites, wouldn’t it be nice to be able to check before and after your mitigation attempts in order to confirm that SSLv3 has indeed been disabled?
The consequences of disabling SSLv3 are another discussion entirely; let’s assume that I’ve decided it’s worth disabling.
That was my problem, and here’s what I did about it.
Poodle Poop
What I did was to write a script. In Python.
Regular readers will recall that my “go to” language is Perl, so the fact that I chose to write the tool in Python says, well, I don’t know exactly what, but I’m sure it says something. I am not by any means a Python programmer, but I believe I have the tool working, and it’s pleasantly fast. I suspect that the code won’t look right to a Python programmer, and will look comfortingly uncomfortable to Perl programmers. It’s pretty much my first “proper” program […]
Last week I ran the second part of the updated (4-hour) VXLAN webinar. The raw videos are already online and cover these topics:
The requirements for next generation applications in the Third Platform era have a profound impact on the network. No longer can we treat the network as a piece of infrastructure that just needs to be present. It has to drastically change to become a fundamental component of the next generation application. Mike went through some of the network implications of the new era application properties in his post yesterday:
The change towards Third Platform IT infrastructures is more than evolutionary. The compute, storage and application frameworks and infrastructures started their transformation a while ago. These types of shifts take time, but networking has not run at the same pace of change to keep up. Until recently, networking’s great contribution to the changing IT world was a move from a multi-tier network into a two-tier network with a new name. Hardly transformational, to say the least.
A move towards a new platform does not happen overnight. It takes time and, more importantly, it takes several technology iterations to get there. A migration from the current platform requires migration technologies: pieces and parts of what we will ultimately […]
Currently I’m doing a lot of testing at home on Network Virtualization solutions, like VMware NSX, Juniper Contrail, etc. Therefore I was stressing my current single home server quite a lot. It is a custom-built Xeon E3-1230 quad core with 32GB of RAM and a 128GB SSD. I built this server according to the specifications found at: http://packetpushers.net/vmware-vcdx-lab-the-hardware/ . This has been a great investment as I’m running nested virtualization for both KVM and ESXi hypervisors and run the testing in there. Because a decent Network Virtualization (NV) set-up needs a lot of memory, especially if you look at the memory utilisation of the NV Controller VMs, I had to expand my lab. I chose to extend it with an additional server so I would be physically redundant as well, making it easier to run upgrades on the physical machines.
My requirements aren’t difficult: as I mainly perform feature testing in my lab, I don’t need a lot of CPU performance. There are no “Production” VMs running; everything is there to play around with, so downtime is not a problem if necessary.
Other requirements:
[This post was written by OVS core contributors Justin Pettit, Ben Pfaff, and Ethan Jackson.]
The overhead associated with vSwitches has been a hotly debated topic in the networking community. In this blog post, we show how recent changes to OVS have elevated its performance to be on par with the native Linux bridge. Furthermore, CPU utilization of OVS in realistic scenarios can be up to 8x below that of the Linux bridge. This is the first of a two-part series. In the next post, we take a peek at the design and performance of the forthcoming port to DPDK, which bypasses the kernel entirely to gain impressive performance.
Open vSwitch is the most popular network back-end for OpenStack deployments and widely accepted as the de facto standard OpenFlow implementation. Open vSwitch development initially had a narrow focus — supporting novel features necessary for advanced applications such as network virtualization. However, as we gained experience with production deployments, it became clear these initial goals were not sufficient. For Open vSwitch to be successful, it not only must be highly programmable and general, it must also be blazingly fast. For the past several years, our development efforts have focused on […]
Recently I’ve been thinking about Root Cause Analysis (RCA), and how it’s not perfect, but there may be hope for the future.
The challenge is that Automated RCA needs an accurate, complete picture of how everything connects together to work well. You need to know all the dependencies between networks, storage, servers, applications, etc. If you have a full dependency mapping, you can start to figure out what the underlying cause of a fault is, or you can start doing ‘What If?’ scenario planning.
But once your network gets past a moderate size, it’s hard to maintain this sort of dependency mapping. Manual methods break down, and we look for automated means instead – but they have gaps and limitations.
Tools such as HP’s CMS suite attempt to discover all objects and dependencies using a combination of network scanning and agents. They’ll use things like ping, SNMP, WMI, nmap to identify systems and running services. Agents can then report more data about installed applications, configurations, etc.
Network sniffing can also be used to identify traffic flows. Most tools will also connect to common orchestration points, such as vCenter, or the AWS console, to […]
Dave Reed just published a piece concerning network neutrality. Everyone interested in the topic should carefully read and understand Does the Internet need “Governance”?
One additional example of “light touch” help for the Internet where government may play a role is transparency: the recent M-Lab report, and the fact that Cogent’s actions made retail ISPs look very bad, is a case in point. You can follow up on that topic on the M-Lab mailing list, if you are so inclined. If a carrier can arbitrarily delay or deprioritize traffic in secret, then the market (and there are usually alternatives in transit providers) cannot function well. And if that provider is an effective monopoly for many paths, that becomes a huge problem.
First off, apologies for the serialization error. We know, the last show was #212 in the title but #211 on the filename, when it should have been #211 through and through. We get it, and we’re very sorry, especially to you OCD folks who are twitching uncontrollably right now. Don’t fire us. Why didn’t we […]
The post Show 211 – Should IT Engineers Get Fired For Production-Impacting Mistakes? appeared first on Packet Pushers Podcast and was written by Ethan Banks.
Microsoft Lync, perhaps the most well known of business communication and collaboration tools, is getting a new name in 2015. The next version of Microsoft Lync, according to the Lync Team on Microsoft’s Office Blog, will be called “Skype for Business.”
In other news, the next version of iTunes will be called “Napster for People With Credit Cards” and we’ll also hear from Cisco about the now-defunct plans they made five years ago to rebrand themselves as “Linksys Plus for Data Center.”
First, and most importantly, Microsoft’s Marketing Department is ahead of the game and producing videos that explain all you need to know about this new product.
So here it is; all you need to know:
I feel all warm and fuzzy about this new electronic communication paradigm optimizing and synergizing all the information flows in my business! Let’s check out those key changes/improvements:
“We’re really excited about how Skype for Business takes advantage of the strengths of both Skype and Lync. For example, as you can see in the screenshots, we’re adopting the familiar Skype icons for calling, adding video and ending a call.”
Icons. Icons are one of Skype’s […]
Last week, I wrote a blog post discussing the dangers of BGP routing leaks between peers, illustrating the problem using examples of recent snafus between China Telecom and Russia’s Vimpelcom. This follow-up blog post provides three additional examples of misbehaving peers and further demonstrates the impact unmonitored routes can have on Internet performance and security. Without monitoring, you are essentially trusting everyone on the Internet to route your traffic appropriately.
In the first two cases, an ISP globally announced routes from one of its peers, effectively inserting itself into the path of the peer’s international communications (i.e., becoming a transit provider rather than remaining a peer) for days on end. The third example looks back at the China Telecom routing leak of April 2010 to see how a US academic backbone network prioritized bogus routes from one of its peers, China Telecom, to (briefly) redirect traffic from many US universities through China.
Recap: How this works
To recap the explanation from the previous blog (and to reuse the neat animations our graphics folks made), we first note that ISPs form settlement-free direct connections (peering) in order to save on the cost of sending […]
With the blurring of technology lines, the rise of competitive companies, and a shift in buying models all before us, it would appear we are at the cusp of ushering in the next era in IT—the Third Platform Era. But as with the other transitions, it is not the technology or the vendors that trigger a change in buying patterns. There must be fundamental shifts in buying behavior driven by business objectives.
The IT industry at large is in the midst of a massive rewrite of key business applications in response to two technology trends: the proliferation of data (read: Big Data) and the need for additional performance and scale. In many regards, the first begets the second. As data becomes more available—via traditional datacenters, and both public and private cloud environments—applications look to use that data, which means the applications themselves have to go through an evolution to account for the scale and performance required.
When the industry talks about scale, people typically trot out Moore’s Law to explain how capacity doubles every 18 months. Strictly speaking, Moore’s Law is more principle than law, and it was initially applied to the number of transistors […]
In the first article of the series, reliability and resiliency are covered. We should know that whatever device, link type or software you choose, eventually it will fail. Thus designing resilient systems is one of the most critical aspects of IT. I mentioned that one way of providing resiliency is redundancy. If we have redundant […]
The post Network Design Concepts Part-3 appeared first on Packet Pushers Podcast and was written by Orhan Ergun.
Most overlay virtual networking and cloud orchestration products support security groups – more-or-less-statefulish ACLs inserted between VM NIC and virtual switch.
The lure of security groups is obvious: if you’re willing to change your network security paradigm, you can stop thinking in subnets and focus on specifying who can exchange what traffic (usually specified as TCP/UDP port#) with whom.