Archive

Category Archives for "Networking"

How Calico Cloud’s runtime defense mitigates Kubernetes MITM vulnerability CVE-2020-8554

Since the release of CVE-2020-8554 on GitHub this past December, the vulnerability has received widespread attention from industry media and the cloud security community. This man-in-the-middle (MITM) vulnerability affects Kubernetes pods and underlying hosts, and all Kubernetes versions—including future releases—are vulnerable.

Despite this, there is currently no patch for the issue. While Kubernetes did suggest a fix, it only applies to external IPs using an admission webhook controller or an OPA gatekeeper integration, leaving the door open for attackers to exploit other attack vectors (e.g. internet, same VPC cluster, within the cluster). We previously outlined these in this post.

Suggested fixes currently on the market

Looking at the Kubernetes security market, there are currently a few security solutions that attempt to address CVE-2020-8554. Most of these solutions fall into one or two of three categories:

  1. Detection (using Kubernetes audit logs)
  2. Prevention (using admission webhook controller)
  3. Runtime defense (inline defense)

A few of the solutions rely on preventing vulnerable deployments using an OPA gatekeeper integration; these solutions alert users when externalIP (possibly loadBalancerIP) is deployed in their cluster configurations. Most solutions, however, present a dual strategy with a focus on prevention and detection. They use an admission controller for Continue reading

History of Internet 2: Dale Finkelsen

The Internet was originally designed as a research network, but eventually morphed into a primarily commercial system. While “Internet 2” sounds like it might be a replacement for the Internet, it was really started as a way to interconnect high speed computing systems for researchers—a goal the Internet doesn’t really provide any longer. Dale Finkelsen joins Donald Sharp and Russ White for this episode of the History of Networking to discuss the origins of Internet 2.

Nokia Lab | LAB 2 OSPF |


Introduction

Hello everyone!

It's my second Nokia lab. I've tried to cover the main scope of OSPF questions. Let's lab!
Please check my first lab for input information.

Topology example

Lab tasks and questions:
  • Basic OSPF (Backbone area)
    • configure OSPF area 0 (R1 and R2, use P2P interface type, add “system” interface to OSPF)
    • configure BFD and authentication on interfaces
    • examine BFD session
    • check neighbors state
      • examine the connection between OSPF adjacency and BFD session
      • How can you break adjacency? Try it. What factors can influence adjacency?
    • examine LSDB
      • What LSA types do you see?
      • examine every LSA in detail
    • examine route table
      • What is the default preference of OSPF routes?
  • Multi-area OSPF (Area 0, Area 1 TNSSA, Area 2 Normal, Area 3 Totally Stub)
    • configure area 1 as a Totally NSSA area
    • run debug OSPF hello packets between R1 and R3
      • examine hello packets
      • Does it contain special bits?
    • What is the difference between NSSA and Totally NSSA areas?
    • create additional loopback interface on R3
      • export it to OSPF by policy
      • What router type is R3?
      • examine LSDB on R3 - especially check NSSA external LSA
      • Does it contain special bits? Describe purpose of them
    • examine LSDB on Continue reading
Free Exercise: Build Network Automation Lab

    A while ago, someone made a remark on my suggestions that networking engineers should focus on getting fluent with cloud networking and automation:

    The running thing is, we can all learn this stuff, but not without having an opportunity.

    I tend to forcefully disagree with that assertion. What opportunity do you need to test open-source tools or create a free cloud account? My response was thus correspondingly gruff:

    Immersion cooling firm LiquidStack launches as a stand-alone company

    Ever since Bitcoin was introduced back in 2009, this cryptocurrency has had the distinction of being something you could mine with your computer—putting your hardware to use helping the blockchain technology Bitcoin is based on record and verify transactions by solving complex math problems. As a reward, you’d get Bitcoins. But it was a very slow process for a single PC, and the necessary component for success was a high-end GPU. One GPU brought to bear on Bitcoin could take years to find one coin, so miners started building massive farms akin to data centers but without enclosures. The result was that Bitcoin farms bought up all the GPUs, causing severe shortages and infuriating gamers.

    Service Meshes in the Cloud Native World

    Microservices have taken center stage in the software industry. Transitioning from a monolith to a microservices-based architecture empowers companies to deploy their application more frequently, reliably, independently, and at scale without any hassle. This doesn’t mean everything is green in microservice architecture; there are some problems that need to be addressed, just like when designing distributed systems. This is where the “Service Mesh” concept is getting pretty popular.

    We have been thinking about breaking big monolithic applications into smaller applications for quite some time to ease software development and deployment. This chart below is borrowed from Burr Sutter’s talk titled “Burr Sutter at Devoxx”.

    The introduction of the service mesh was mainly due to a perfect storm within the IT scene. When developers began developing distributed systems using a multi-language (polyglot) approach, they needed dynamic service discovery. Operations were required to handle the inevitable communication failures smoothly and enforce network policies. Platform teams started adopting container orchestration systems like Envoy.

    What Is a Service Mesh?

    Pavan Belagatti is one Continue reading

    Tech Bytes: Prioritizing Identity And Zero Trust Across The Network With Aruba (Sponsored)

    On today's Tech Bytes, sponsored by Aruba Networks, we discuss the role of identity in security and why identity is a critical component of a zero-trust approach to network access. Our guest from Aruba is Jon Green, Chief Security Technologist.

    The post Tech Bytes: Prioritizing Identity And Zero Trust Across The Network With Aruba (Sponsored) appeared first on Packet Pushers.

    Time and Mind Savers: RSS Feeds

    I began writing this post just to remind readers this blog does have a number of RSS feeds—but then I thought … well, I probably need to explain why that piece of information is important.

    The amount of writing, video, and audio being thrown at the average person today is astounding—so much so that, according to a lot of research, most people in the digital world have resorted to relying on social media as their primary source of news. Why do most people get their news from social media? I’m pretty convinced this is largely a matter of “it saves time.” The resulting feed might not be “perfect,” but it’s “close enough,” and no-one wants to spend time seeking out a wide variety of news sources so they will be better informed.

    The problem, in this case, is that “close enough” is really a bad idea. We all tend to live in information bubbles of one form or another (although I’m fully convinced it’s much easier to live in a liberal/progressive bubble, being completely insulated from any news that doesn’t support your worldview, than it is to live in a conservative/traditional one). If you think about the role of Continue reading

    Network Break 327: Cisco Embraces As-A-Service Procurement; Will Amazon Make Its Own ASICs?

    Today's Network Break sifts through the most interesting news from Cisco Live 2021 including an as-a-service procurement model, support for biometric-based authentication, integrating ThousandEyes and AppDynamics, and more. We also examine reports that Amazon is designing its own switch ASIC, and discuss new research on harvesting power from 5G electromagnetic waves.

    The post Network Break 327: Cisco Embraces As-A-Service Procurement; Will Amazon Make Its Own ASICs? appeared first on Packet Pushers.

    CONTAINERlab

    CONTAINERlab is a Docker orchestration tool for creating virtual network topologies. This article describes how to build and monitor the leaf and spine topology shown above.

    Note: Docker testbed describes a simple testbed for experimenting with sFlow analytics using Docker Desktop, but it doesn't have the ability to construct complex topologies. 

    multipass launch --cpus 2 --mem 4G --name containerlab
    multipass shell containerlab

    The above commands use the multipass command line tool to create an Ubuntu virtual machine and open shell access.

    sudo apt update
    sudo apt -y install docker.io
    bash -c "$(curl -sL https://get-clab.srlinux.dev)"

    Type the above commands into the shell to install CONTAINERlab.

    Note: Multipass describes how to build a Mininet network emulator to experiment with software defined networking.

    name: test
    topology:
      nodes:
        leaf1:
          kind: linux
          image: sflow/frr
        leaf2:
          kind: linux
          image: sflow/frr
        spine1:
          kind: linux
          image: sflow/frr
        spine2:
          kind: linux
          image: sflow/frr
        h1:
          kind: linux
          image: alpine:latest
        h2:
          kind: linux
          image: alpine:latest
      links:
        - endpoints: ["leaf1:eth1","spine1:eth1"]
        - endpoints: ["leaf1:eth2","spine2:eth1"]
        - endpoints: ["leaf2:eth1","spine1:eth2"]
        - endpoints: ["leaf2:eth2","spine2:eth2"]
        - endpoints: ["h1:eth1","leaf1:eth3"]
        - endpoints: ["h2:eth1","leaf2:eth3"]

    The test.yml file shown above specifies the topology. In this case we are using FRRouting (FRR) containers for the leaf Continue reading

    It’s Not What You Say. It’s How You’re Heard.

    In written communication, technical people can sometimes come across as impolite. I see this on Slack (talking down), Twitter (the angry tweeter), in emails (blunt and terse), in blog comments (bitter sarcasm or pedantry), Hacker News discussions (aggressive confrontation), and other places IT builders gather online.

    Perhaps you, as just such a technical person, don’t mean to be impolite. Maybe your focus is on efficiency. Get to the point. Say what needs saying, however it comes out. Click send. Job done. Go back to facepalming at the Swagger docs explaining this ill-considered API you need to use.

    Here’s the problem with your communications approach. To the person receiving your missive, you might sound like you’re upset. Or tone-deaf. Or maybe just a jerk. You’re presumably none of those things, at least not intentionally. We’re all nice folks who want to get along with our fellow humans, right?

    It’s not what you say. It’s how you’re heard.

    You need to communicate in such a way that you’re heard as you mean to be heard. If you’re not good at this and want to be, you can improve your messaging.

    Before hitting send, engage in role reversal. If you received a Continue reading

    The Week in Internet News: Biden Wants Broadband for All

    Filling the gaps: U.S. President Joe Biden has proposed spending $100 billion over eight years to bring broadband to all areas of the country, CNet reports. The broadband spending is part of a $2.25 trillion infrastructure proposal, which would also include repair of roads and bridges and improvements to the water supply and electrical grids. […]

    The post The Week in Internet News: Biden Wants Broadband for All appeared first on Internet Society.

    Tools 6. Where are my packets lost? MTR edition.

    Hello my friend,

    After a short pause we continue our blog series about the most popular network troubleshooting tools that humankind has ever created. Today we’ll take a look at one of the most useful tools for obtaining information about the path between two endpoints and possible packet drops along that path. Ladies and gentlemen, please welcome MTR.

    No part of this blogpost could be reproduced, stored in a
    retrieval system, or transmitted in any form or by any
    means, electronic, mechanical or photocopying, recording,
    or otherwise, for commercial purposes without the
    prior permission of the author.

    Can automation help with figuring what happened where?

    In the case of infrastructure problems (networks, servers, VMs, containers), time matters a lot. The quicker we can find the issue and fix it, the better it will be for our applications and our customers. Automation is without doubt one of the key components that allows you to quickly find and fix your issues.

    In our trainings, the Live Network Automation Training (10 weeks) and Automation with Nornir (2 weeks), we explore a lot of real use cases where automation helps you to validate the state of you Continue reading

    Building Unnumbered Ethernet Lab with netsim-tools

    Last week I described the new features added to netsim-tools release 0.4, including support for unnumbered interfaces and OSPF routing. Now let’s see how I used them to build a multi-vendor lab to test which platforms could be made to interoperate when running OSPF over unnumbered Ethernet interfaces.

    I needed to define an unnumbered addressing pool first:

    addressing:
      core:
        unnumbered: true
    

    I wanted to run OSPF on all devices in the lab:

    module: [ ospf ]