A Reappraisal of Validation in the RPKI
I’ve often heard that security is hard. And good security is very hard. Despite the best of intentions, and the investment of considerable care and attention in the design of a secure system, sometimes it takes the critical gaze of experience to sharpen the focus and understand what’s working and what’s not. We saw this with the evolution of the security framework in the DNS, where it took multiple iterations over 10 or more years to come up with a DNSSEC framework that was able to gather a critical mass of acceptance. So before we hear cries that the deployed volume of RPKI technology means that its too late to change anything, let’s take a deep breath and see what we've learned so far from this initial experience, and see if we can figure out what's working and what's not, and what we may want to reconsider.Packet Life Turns Six
Today marks Packet Life's sixth birthday, and I'm celebrating by launching the new site format I talked about in January. The relaunched site is hosted on an entirely new server from Linode, which means you can (finally) access packetlife.net via native IPv6! The entire code base has been rewritten on Django 1.6, and should feel lighter and more responsive. The layout has been rewritten as well using the Bootstrap CSS framework.
You might have noticed that some components of the old site are now gone: The discussion forums and wiki have been axed in favor of focusing more on the site's core content. The tools armory, which was initially in jeopardy, has been maintained in response to community interest (although I do intend to spend a good amount of time cleaning it up).
There are no doubt bits of code here and there that need a tweak or three, but generally speaking the site is up and running. If you do encounter an error, rest assured that I've been alerted and should have it fixed in little time. If you feel that something is terribly amiss, give me a shout on Twitter and I'll look into Continue reading
Get Another Network Cert Or Learn More About DevOps?
You can’t listen to an interview or podcast, an industry panel, or read a Q&A about the future of networking that doesn't involve skill sets. The biggest question of them all – what skills should network engineers focus on so they don’t become irrelevant? If you really want to know what skills make sense, why ask, when you can do an easy search to see what skills companies are looking for these days in a variety of roles. Combine SDN with DevOps into your search criteria and the results may surprise you. They sure surprised me.
I don’t usually peruse the job boards, but I’m on LinkedIn daily, so I figured I’d put their job site to the test and see what skills are in demand by searching for specific products and tools. This is the best way to search, right? I did numerous searches using the following keywords: SDN, Puppet, Chef, Ansible, Python, Cisco, network, and CCIE.
Here are the results:
Here are the results:
- There were only five (5) jobs available when searching for SDN, CCIE, and Python. Reminder, I only searched LinkedIn.
- The first was for a vendor as a “SDN Cloud Architect.” Continue reading
Quick Thoughts on the Micro Data Center
Here's something that's been on my radar lately: while all the talk in the networking world seems to be about the so-called "massively scalable" data center, almost all of the people I talk to in my world are dealing with the fact that data centers are rapidly getting smaller due to virtualization efficiencies. This seems to be the rule rather than the exception for small-to-medium sized enterprises.In the micro data center that sits down the hall from me, for example, we've gone from 26 physical servers to 18 in the last few months, and we're scheduled to lose several more as older hypervisor hosts get replaced with newer, denser models. I suspect we'll eventually stabilize at around a dozen physical servers hosting in the low hundreds of VMs. We could get much denser, but things like political boundaries inevitably step in to keep the count higher than it might be otherwise. The case is similar in our other main facility.
From a networking perspective, this is interesting: I've heard vendor and VAR account managers remark lately that virtualization is cutting into their hardware sales. I'm most familiar with Cisco's offerings, and at least right now they don't seem to Continue reading
Quick Thoughts on the Micro Data Center
Here's something that's been on my radar lately: while all the talk in the networking world seems to be about the so-called "massively scalable" data center, almost all of the people I talk to in my world are dealing with the fact that data centers are rapidly getting smaller due to virtualization efficiencies. This seems to be the rule rather than the exception for small-to-medium sized enterprises.In the micro data center that sits down the hall from me, for example, we've gone from 26 physical servers to 18 in the last few months, and we're scheduled to lose several more as older hypervisor hosts get replaced with newer, denser models. I suspect we'll eventually stabilize at around a dozen physical servers hosting in the low hundreds of VMs. We could get much denser, but things like political boundaries inevitably step in to keep the count higher than it might be otherwise. The case is similar in our other main facility.
From a networking perspective, this is interesting: I've heard vendor and VAR account managers remark lately that virtualization is cutting into their hardware sales. I'm most familiar with Cisco's offerings, and at least right now they don't seem to Continue reading
Secret CEF Attributes Part 6, The BGP Connection
In the first five parts of this series we covered all the steps necessary to distribute QoS and monitoring to a large backbone. I guess at this point I should mention that this technology has a name (and acronym, of course.) Cisco calls it QoS Policy Propagation through BGP (QPPB.) I hope these blog posts […]
Author information
The post Secret CEF Attributes Part 6, The BGP Connection appeared first on Packet Pushers Podcast and was written by Dan Massameno.
Mind the Gap
One of my pleasures of traveling is listening to the way people speak both with their dialects and their phrases. For those of you that have been to London and ridden “The Tube,” you know that familiar recording, “Mind the Gap.” After talking with several people at this year’s Open Networking Summit (ONS) this past week, I heard that same phrase in my head.
Why?
In this case, the “gap” is the chasm that early software defined networking (SDN) adopters have to cross to get started. Because SDN is a new idea, crossing the gap represents being prepared to challenge old ideas about networking and even your own experiences.
If you really think about it, you don’t want to just mind the gap—you want to be careful not to fall into the old ways of thinking—but you want to cross that gap and keep moving forward. To do that from an open networking perspective, you have to create an opportunity and dig in, grab a controller and an SDN-ready switch and start hacking.
I had a fantastic discussion with a customer at the ONS week who had safely crossed the gap. Let’s call him Joe. Joe is Continue reading
TCP/IP over VXLAN Bandwidth Overheads
A recent ‘conversation’ around VXLAN encapsulation and MTU with Matt Oswalt got me thinking about this subject recently. My calculations were mostly wrong (Matt’s were not) and I also found a shocking amount of incorrect information on the subject out on the ‘net too. So, let’s let the maths do the talking. TL;DR – As […]
Author information
The post TCP/IP over VXLAN Bandwidth Overheads appeared first on Packet Pushers Podcast and was written by Steven Iveson.
Cyber Spring Cleaning! Don’t Forget Your Wireless Router!
As the weather warms up articles to remind us about cleaning up our devices, online accounts, making backups, and changing passwords are sure to show up, but don’t forget to add your wireless router to this list. Over time the wireless environment may have changed and the number of devices connecting to the network has increased and you have noticed a decrease in the performance. I have listed some items to check to either improve the performance or security of your wireless network.
Upgrade the Router
Electronics age fast and if you’re still running an 802.11g router it is time to upgrade. Look for an 802.11n protocol wireless router or get the latest and greatest 802.11ac router and be ready for the next wave of wireless devices. Either way you’ll notice a performance boost and the router won’t create a bottleneck in the network.
Check for the Latest Firmware
While not as often as Windows or Apple software updates a routers software called firmware does get the occasional update. Firmware could add functionality, patch bugs, or add security features. When you log into the routers management interface look for the firmware section to verify the current version and download Continue reading
Hey, Remember vTax?
Hey, remember vTax/vRAM? It’s dead and gone, but with 6 Terabyte of RAM servers now available, imagine what could have been (your insanely high licensing costs).
Set the wayback machine to 2011, when VMware introduced vSphere version 5. It had some really great enhancements over version 4, but no one was talking about the new features. Instead, they talked about the new licensing scheme and how much it sucked.
While some defended VMware’s position, most were critical, and my own opinion… let’s just say I’ve likely ensured I’ll never be employed by VMware. Fortunately, VMware came to their senses and realized what a bone-headed, dumbass move that vRAM/vTax was, and repealed the vRAM licensing one year later in 2012. So while I don’t want to beat a dead horse (which, seriously, disturbing idiom), I do think it’s worth looking back for just a moment to see how monumentally stupid that licensing scheme was for customers, and serve as a lesson in the economies of scaling for the x86 platform, and as a reminder about the ramifications of CapEx versus OpEx-oriented licensing.
Why am I thinking about this almost 2 years after they got rid of vRAM/vTax? I’ve been Continue reading
CCIE: You need to recertify in twelve months
This means two things: I’m CCIE for over one year now I need to prepare again the written exam The last day to test the v4 edition is June 3, 2014, I’ve passed that exam twice so I expect a…“Fun” with RFC4620 Section 6.4 and discovering IPv4 information over IPv6
As part of a request at work to figure out IPv4 addresses of devices on a network where broadcast pings don’t work, and no administrative access to the switches/routers, I took a look at solving this with IPv6. We know that you can ping6 the all-nodes multicast address, and get DUP! replies from IPv6 enabled hosts on that LAN segment. These will typically be link-local addresses, from which you can determine a MAC address. How to resolve that MAC address on a client host and not the router/switch, I was thinking reverse ARP or something, but support for that wasn’t present in my Ubuntu 13.10 kernel on the main machine I was working with. I started looking around for other options using IPv6 and found RFC4620, Section 6.4.
The gist of it is that you send an ICMPv6 Type 139 packet to an IPv6 address, asking if it has any IPv4 addresses configured either on that interface the target address is on, or any interfaces on the machine itself. And this is why this is disabled by default on hosts, and *IF* you insist on filtering ICMP6 Types, definitely make certain this is one of them. It works Continue reading
Show 183 – Storage Network Design
This week, the Packet Pushers talk about storage network design mostly in the context of converged infrastructure. Guests J Metz, Chris Wahl, and Russ White do all the heavy lifting of those storage-related packets from one end of the data center to the other. Show Outline When traditional network engineers think about designing for storage, […]
Author information
The post Show 183 – Storage Network Design appeared first on Packet Pushers Podcast and was written by Ethan Banks.
Quick look at Trio ddos-protection with flow-detection
Some things are easy to protect with iACL and lo0 ACL but others are really hard, like BGP, you need to allow BGP from customers and from core, and it's not convenient or practical to handle them separately in lo0 ACL + policer. Luckily JunOS has feature called flow-detection, you turn it on with set system ddos-protection global flow-detection
I'm sending DoS from single source to lo0, my iBGP goes immediately down. After I turn on flow-detection iBGP connectivity is restored. Looking at PFE, we can see what is happening:
MX104-ABB-0(test13nqa1-re0.dk vty)# show ddos scfd asic-flows pfe idx rindex prot aggr IIF/IFD pkts bytes source-info --- ---- ------ ---- ---- ------- ------- -------- ---------- 0 0 721 1400 sub 338 21 79161 c158ef22 c158ef1f 53571 179 0 1 2679 1400 sub 356 11159404 2187242988 64640102 c158ef1f 179 179 0 2 2015 1400 sub 338 29 112468 c158ef23 c158ef1f 179 65020
Pretty nice and clear, 64.64.01.02 => c1.58.ef.1f is our attack traffic and it's getting its own policer, iBGP is stable, attack traffic is policed separately. Let's check those policers more closely:
MX104-ABB-0(test13nqa1-re0.dk vty)# show ddos scfd asic-flow-rindex 0 2679 PFE: 0 Flow Continue reading
Passed the CCIE SP Lab exam.
Well, a short update. I managed to pass the CCIE Service Provider lab exam on March 14th.
I am quite exhausted from the experience, but very happy 
Packet Design CTO at MPLS SDN World Congress
This item has no description. Follow link to view item.City of Lights Hosts First Global MPLS/SDN Event
City of Lights Hosts the First Global MPLS/SDN Event
by Brian Boyko, Technology Commentator - March 18, 2014
Packet Design will be attending the 2014 MPLS SDN World Congress this week in Paris. This is the 16th edition of the event, but this year it becomes the MPLS SDN World Congress (formerly known as the MPLS & Ethernet World Congress). According to the event producer Upperside Conferences, this is the first worldwide event in MPLS and SDN. Attendees will come from more than 65 countries, and more than 50 percent of this audience works for service providers.
Considering that we have customers on five continents, the majority of those customers are service providers, and that we are working on an SDN management prototype, this is an exciting event for us. Our CTO Cengiz Alaettinoglu, who is attending the event for the seventh time, is particularly excited to share our SDN vision and meet with service providers, customers and peers. He will be speaking about “Real-Time Analytics and Policy Management for Software Defined Networking.” Here’s a quick summary of his presentation:
North-bound SDN APIs allow creation of network-aware applications. Cloud and data center applications have successfully taken Continue reading
Packet Design CTO to speak at SDN/MPLS 2015 in Washington, DC.
Packet Design CTO, Cengiz Alaettinoglu, to speak at SDN/MPLS 2015 in Washington, DC.
View the full technical session track here:
SSH for Python – In search of API perfection
My mission is simple: Establish an SSH connection to a device and run some commands in as few lines as possible. The contenders? Paramiko, Spur and Fabric.
The Scenario
I have a network device, 192.168.1.254.
I want to log in via SSH with a username of dave and password of p@ssword123.
Once logged in, I want to execute the command display version and print the result.
Now to the code...
The Code
Paramiko
Paramiko is the go to SSH library in Python. Let's see how it shapes up in the simple scenario:
import paramiko
client = paramiko.SSHClient()
client.load_system_host_keys()
client.set_missing_host_key_policy(paramiko.WarningPolicy())
client.connect("192.168.1.254", username="dave", password="p@ssword123")
stdin, stdout, stderr = client.exec_command('display version')
for line in stdout:
print line.strip('n')
client.close()
8 lines of code. The API here is very powerful, but requires me to put up some scaffolding code (Key Management) before I actually get around to connecting an executing my command. That said, it gets the job done.
Spur
Spur is a wrapper around Continue reading
SSH for Python – In search of API perfection
My mission is simple: Establish an SSH connection to a device and run some commands in as few lines as possible. The contenders? Paramiko, Spur and Fabric.