Data Plane Quirks in Virtual Network Devices

Have you noticed an interesting twist in the ICMP Redirects saga: operating systems of some network devices might install redirect entries and use them for control plane traffic – an interesting implementation side effect of the architecture of most modern network devices.

A large majority of network devices run on some variant of Linux or *BSD operating system, the only true exception being ancient operating systems like Cisco IOS¹. The network daemons populate various routing protocol tables and compute the best routes that somehow get merged into a single routing table that might still be just a data structure in some user-mode process.

5G connections to hit 1 billion this year, and will double by 2025

5G connections will represent one-fifth of all worldwide mobile connections as of this year, putting those connections above the 1 billion mark for the first time, and that number will double by 2025, according to the GSMA (GSM Association).The GSMA’s Mobile Economy Report, published Wednesday, also said that 5G penetration is moving faster than either of the two previous major generations of mobile networking technology — while neither 3G nor 4G topped 2.2% of mobile connections until more than a year and a half after their introduction, 5G has already accounted for 5.5% in that time frame.There are currently almost 200 live 5G networks in 70 different countries, according to the GSMA report, which credits high demand for the rapid pace of the rollout.To read this article in full, please click here

Migrating Open-Source Databases to Azure

Day Two Cloud 136: The Role And Responsibilities Of A Kubernetes Operator (Sponsored)

iCloud Private Relay: information for Cloudflare customers

iCloud Private Relay is a new Internet privacy service from Apple that allows users with iOS 15, iPadOS 15, or macOS Monterey on their devices and an iCloud+ subscription, to connect to the Internet and browse with Safari in a more secure and private way. Cloudflare is proud to work with Apple to operate portions of Private Relay infrastructure.

In this post, we’ll explain how website operators can ensure the best possible experience for end users using iCloud Private Relay. Additional material is available from Apple, including “Set up iCloud Private Relay on all your devices”, and “Prepare Your Network or Web Server for iCloud Private Relay” which covers network operator scenarios in detail.

How browsing works using iCloud Private Relay

The design of the iCloud Private Relay system ensures that no single party handling user data has complete information on both who the user is and what they are trying to access.

To do this, Private Relay uses modern encryption and transport mechanisms to relay traffic from user devices through Apple and partner infrastructure before sending traffic to the destination website.

Here’s a diagram depicting what connection metadata is available to who when not using Private Relay Continue reading

Multifactor Authentication Is Being Targeted by Hackers

It was only a matter of time. While multifactor authentication (MFA) makes logging into systems safer, it doesn’t make it “safe.” As well-known hacker KnownBe4, showed in 2018 it’s easy to Proofpoint has found transparent reverse proxy. Typically transparent reverse proxies, such as the open source man-in-the-middle (MitM) attacks to steal credentials and session cookies. Why go to this trouble? Because, as an MFA company 78% of users now use MFA, compared to just 28% in 2017. That’s good news, but it’s also given cybercrooks the incentive they needed to target MFA. A Range of Kits To make it easy for wannabe hackers. Proofpoint found today’s phishing kits range from “simple open-source kits with human-readable code and no-frills functionality Continue reading

How to inventory server software with PowerShell

Being able to quickly identify what software is installed on your servers has value for a host of reasons. Managing software licensing costs and entitlements, planning upgrade budgets, identifying candidates for server consolidation, or even responding to security incidents are all common reasons for performing a software inventory.There are of course enterprise tools for tracking software inventory. But these tools can be expensive and complex, or could have access limited to specific groups or individuals in your organization. Fortunately PowerShell can help with some of the leg work in analyzing the software on your systems in order to help drive your planning and incident response.To read this article in full, please click here

Gartner: 5 ways to deal with network equipment shortages

How bad is the chip supply shortage? Gartner reports that clients are complaining about lead times as long as 400 days to get networking equipment, plus pricing increases and missed ship dates.“We expect lead times to remain high through early 2023, at which point we expect slow incremental improvement over the course of months,” Gartner wrote in a report titled, "What Are My Options for Dealing With Long Lead Times on Network Equipment?" Read more: Chip shortage has networking vendors scramblingTo read this article in full, please click here

How to inventory server software with PowerShell

Being able to quickly identify what software is installed on your servers has value for a host of reasons. Managing software licensing costs and entitlements, planning upgrade budgets, identifying candidates for server consolidation, or even responding to security incidents are all common reasons for performing a software inventory.There are of course enterprise tools for tracking software inventory. But these tools can be expensive and complex, or could have access limited to specific groups or individuals in your organization. Fortunately PowerShell can help with some of the leg work in analyzing the software on your systems in order to help drive your planning and incident response.To read this article in full, please click here

Contribute to netsim-tools: OSPFv3

Every other blue moon I get a question along the lines of “how could I contribute to netsim-tools”. The process is pretty streamlined and reasonably (I hope) documented in Contributor Guidelines; if you want to get started with an easy task, try implementing OSPFv3 for one of almost a dozen devices (vSRX implementation by Stefano Sasso is a picture-perfect example):

Contribute to netlab: OSPFv3

Every other blue moon I get a question along the lines of “how could I contribute to netlab”. The process is pretty streamlined and reasonably (I hope) documented in Contributor Guidelines; if you want to get started with an easy task, try implementing OSPFv3 for one of almost a dozen devices (vSRX implementation by Stefano Sasso is a picture-perfect example):

Pynetbox API calls using variables

Recently whilst using pynetbox to create NetBox environment objects I had a need to use variables in the URL of the API calls to allow for reusable functions to perform API calls based on the URL and data fed in as arguments. The reason the URL needs to be fed in as an argument when calling the function is because each NetBox element uses a different API URL.

FCC looks into BGP vulnerabilities, in light of Russian hacking threat

The FCC is launching an inquiry into security issues surrounding the Border Gateway Protocol (BGP), a widely used standard used to manage interconnectivity between large portions of the Internet.The move, announced Monday, was issued in response to "Russia's escalating actions inside of Ukraine," according to the commission's notice of inquiry.BGP is, in essence, a method of ensuring that independently managed networks that make up the global internet are able to communicate with one another. Its initial design, which the FCC said is still in widespread use today, does not contain important security features, meaning that, simply by misconfiguring its own BGP information, a bad actor could potentially redirect Internet traffic wherever it sees fit. This could let that attacker send incorrect information to its targets, read and compromise login credentials, or simply shut down whichever kinds of traffic it wishes.To read this article in full, please click here

FCC looks into BGP vulnerabilities, in light of Russian hacking threat

The FCC is launching an inquiry into security issues surrounding the Border Gateway Protocol (BGP), a widely used standard used to manage interconnectivity between large portions of the Internet.The move, announced Monday, was issued in response to "Russia's escalating actions inside of Ukraine," according to the commission's notice of inquiry.BGP is, in essence, a method of ensuring that independently managed networks that make up the global internet are able to communicate with one another. Its initial design, which the FCC said is still in widespread use today, does not contain important security features, meaning that, simply by misconfiguring its own BGP information, a bad actor could potentially redirect Internet traffic wherever it sees fit. This could let that attacker send incorrect information to its targets, read and compromise login credentials, or simply shut down whichever kinds of traffic it wishes.To read this article in full, please click here

Mikrotik RouterOS Upgrade from Version 6 to 7

Mikrotik RouterOS Upgrade from Version 6 to 7

The purpose of this guide is to provide a procedure that you can use to […]

The post Mikrotik RouterOS Upgrade from Version 6 to 7 first appeared on Brezular's Blog.

Cisco details delivery of its private 5G services

Cisco will use system integrators, service providers, and channel partners to deliver its subscription-based private-5G managed service supported by its hardware and software, the company announced at Mobile World Congress (MWC).Those partners include JMA, Airspan, Dish Networks, and Logicalis to support the cloud-based service that will integrate with Wi-Fi networks, reduce up-front costs, and provide deployment when and where needed, Cisco says.Cisco will provide its mobile-core technology and IoT portfolio such as Cisco IoT Control Center and Cisco P5G Packet Core as well as IoT sensors and gateways. It will provide device-management software, and monitoring tools via a single portal, the comapy says.To read this article in full, please click here

FCC announces new 5G spectrum auction in 2.5GHz band

FCC Chairwoman Jessica Rosenworcel announced Tuesday at Mobile World Congress in Barcelona that the US government agency will auction off spectrum in the 2.5GHz band in July for use in 5G networks, paving the way for telecom companies to further expand their midband holdings.The 2.5GHz auction represents the pending sale of what Rosenworcel called “the biggest swath of contiguous midband spectrum we have available below 3GHz,” and will be followed by a further auction of midband spectrum in the 3.1GHz-3.45GHz range.The FCC has had plans for this auction in the works for more than a year, having first sought public comment in January of 2021. The auction will cover roughly 200MHz of spectrum, and will be sold on a per-county basis, according to the earlier request for comment.To read this article in full, please click here

DDoS Mitigation with Cisco, sFlow, and BGP Flowspec

DDoS protection quickstart guide shows how sFlow streaming telemetry and BGP RTBH/Flowspec are combined by the DDoS Protect application running on the sFlow-RT real-time analytics engine to automatically detect and block DDoS attacks.

This article discusses how to deploy the solution in a Cisco environment. Cisco has a long history of supporting BGP Flowspec on their routing platforms and has recently added support for sFlow, see Cisco 8000 Series routers, Cisco ASR 9000 Series Routers, and Cisco NCS 5500 Series Routers.

First, IOS-XR doesn't provide a way to connect to the non-standard BGP port (1179) that sFlow-RT uses by default. Allowing sFlow-RT to open the standard BGP port (179) requires that the service be given additional Linux capabilities.

docker run --rm --net=host --sysctl net.ipv4.ip_unprivileged_port_start=0 \
sflow/ddos-protect -Dbgp.port=179

The above command launches the prebuilt sflow/ddos-protect Docker image. Alternatively, if sFlow-RT has been installed as a deb / rpm package, then the required permissions can be added to the service.

sudo systemctl edit sflow-rt.service

Type the above command to edit the service configuration and add the following lines:

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE

Next, edit the sFlow-RT configuration file for the DDoS Protect application:

sudo vi /usr/local/sflow-rt/conf.d/ddos-protect.conf

Continue reading

How To Blackhole (Null Route) An IPv6 Block On Linux Using ‘ip -6 route’

If there’s an IPv6 netblock you’d like your host to stop responding to, one tactic is to blackhole the traffic. That is, send any traffic from your host destined to the troublesome IPv6 netblock into a blackhole. Blackholes are also called null routes.

A Simple Example

Let’s say I’m getting repeated SQL injection attacks from various hosts in IPv6 block 2a09:8700:1::/48. Just a totally random example with no basis in reality whatsoever, whoever you are in Belize. There are various ways I can defend against this, but one (sorta ugly) option (I don’t actually recommend, read to the bottom to see my logic) is to create a blackhole aka a null route.

On many flavors of Linux, including Ubuntu 18.04, 20.04, and 22.04, I can accomplish this task with the ip route utility. Let’s take a look at our existing host routing table.

user@host:~$ ip route
default via 123.94.146.1 dev enp1s0 proto dhcp src 123.94.146.227 metric 100
169.254.169.254 via 123.94.146.1 dev enp1s0 proto dhcp src 123.94.146.227 metric 100
123.94.146.0/23 dev enp1s0 proto kernel scope link src 123.94.146. Continue reading