Category Archives for "Networking"

VXLAN Fabric with BGP EVPN Control-Plane: Design Considerations – Book Description and ToC

About this book

The intent of this book is to explain various design models for the Overlay Network and Underlay Network used in a VXLAN Fabric with BGP EVPN Control-Plane. The first two chapters focus on the Underlay Network solution. OSPF is introduced first; among other things, the book explains how OSPF flooding can be minimized with area design. After OSPF there is a chapter about BGP in the Underlay Network. Both OSPF and BGP are covered in depth, and topics such as convergence are discussed. After the Underlay Network part, the book focuses on BGP design. It explains the following models: (a) BGP Multi-AS with OSPF Underlay, where two design models are discussed – Shared Spine ASN and Unique Spine ASN; (b) BGP-Only Multi-ASN, where both direct and loopback overlay BGP peering models are explained; (c) Single-ASN with OSPF Underlay; (d) Hybrid-ASN with OSPF Underlay – Pod-specific shared ASN connected via a Super-Spine layer using eBGP peering; (e) Dual-ASN model, where leafs share the same ASN and spines share their own ASN. Each of the design model chapters includes a “Complexity Map” that should help readers understand the complexity of each solution. This book also explains BGP ECMP and related to Continue reading

MUST READ: Lessons from load balancers and multicast

Justin Pietsch published another must-read article, this time dealing with the operational complexity of load balancers and IP multicast. Here are just a few choice quotes to get you started:

  • A critical lesson I learned is that running out of capacity is the worst thing you can do in networking
  • You can prevent a lot of problems if you can deep dive into an architecture and understand its tradeoffs and limitations
  • Magic infrastructure is often extremely hard to troubleshoot and debug

You might find what he learned useful the next time you’re facing a unicorn-colored slide deck from your favorite software-defined or intent-based vendor ;))

Fast Friday- Labor Day Eve Edition

It’s a long weekend in the US thanks to Labor Day, which basically signals the end of the summer months. Or maybe the end of March, depending on how you look at it. The rest of the year is packed full of more virtual Zoom calls, conferences, Tech Field Day events, and all the fun you can have looking at virtual leaves turning colors.

It’s been an interesting news week for some things. And if you take out all the speculation about who is going to end up watching TikTok you are left with not much else. So I’ve been wondering out loud about a few things that I thought I would share.

  • You need a backup video conferencing platform. If Zoom isn’t crashing on you then someone is deleting WebEx VMs. Or maybe your callers can’t get the hang of the interface. Treat it like a failing demo during a presentation: if it doesn’t work in five minutes, go to plan B. Don’t leave your people waiting for something that may not happen.
  • If you work in the backbone service provider market, you need to do two things next week. First, you need to make sure all your Continue reading

Evolution of Excel 4.0 (XL4) Macro Weaponization Presentation

What is Virus Bulletin?

Virus Bulletin (often abbreviated as “VB”) is a magazine devoted to the discussion of malware and spam and has been around for over 30 years. It is the forum in which security researchers and professionals discuss and share new directions in both the development of and protection against malware and spam. VB’s annual conference is almost as old as the magazine and has traditionally taken place in late September or early October each year.

VB2020 localhost

Why Attend VB2020?

As always, this year’s VB conference covers a broad spectrum of topics by some of the most talented security researchers in the world. Included in the agenda is a paper published by three members of our VMware Threat Analysis Unit discussing how the weaponization of XL4 macros in Excel has evolved.

Excel 4.0 (XL4) macros have become increasingly popular with attackers, as many security vendors struggle to play catch-up and detect them properly. This technique provides attackers with a simple and reliable method to get a foothold on a target network, as it simply abuses a legitimate 30-year-old feature of Excel and does not rely on any vulnerability or exploit to be successful.

Register to attend Continue reading

VMware certifications, virtualization skills get a boost from pandemic

CEO Yves Sandfort is bullish on certifications. His company, Comdivision Consulting, uses VMware's NSX network virtualization and security platform on its own network and implements NSX for its clients. He not only encourages all employees to get VMware certs, but he also earned his own VCDX-NV, the Ph.D. of VMware certifications, in April. "We see a constant demand [for networking skills]. Most of our people were certified on NSX-V and have in the last 12 months also recertified on NSX-T as we see constant, growing need for highly qualified resources," Sandfort says. "For me, certification is one level to prove my skillset and experience with the product." To read this article in full, please click here

Video: Define the Problem Before Searching for a Solution

In December 2019 I finally turned my “focus on business challenges first” presentation into a short webinar session (part of the Business Aspects of Networking Technologies webinar), starting with defining the problem before searching for a solution, including three simple questions:

  • What BUSINESS problem are you trying to solve?
  • Are there good-enough alternatives or should you really invest into new technology and/or equipment?
  • Is the problem worth solving?

You need a Free ipSpace.net Subscription to watch the video.

Marvell exits the general purpose Arm server business

Marvell Technology Group announced last week that it has decided to cancel its ThunderX3 Arm-based server processor for general-purpose server use in favor of vertical markets and the hyperscaler server market. Marvell was best known for making controllers for storage and networking devices before it bought Cavium, an Arm server developer, in 2018. The company announced the ThunderX3 in March, and on paper it looked like a real monster, with 96 cores and four threads per core. To read this article in full, please click here

The New Model for Network Security: Zero Trust

The old security model, which followed the “trust but verify” method, is broken. That model granted excessive implicit trust that attackers abused, putting the organization at risk from malicious internal actors and allowing unauthorized outsiders wide-reaching access once inside. The new model, Zero Trust networking, presents an approach where the default posture is to deny access. Access is granted based on the identity of workloads, plus other attributes and context (like time/date, source, destination), and the appropriate trust required is offered at the time.

Calico Enterprise Zero Trust Network Security is one of the most effective ways for organizations to control access to their Kubernetes networks, applications, and data. It combines a wide range of preventative techniques including identity verification, least privilege controls, layered defense-in-depth, and encryption of data-in-transit to deter threats and limit access in the event of a breach. Kubernetes is particularly vulnerable to the spread of malware as a result of the open nature of cluster networking. By default, any pod can connect to any other pod, even across namespaces. Without a strong security framework, it’s very difficult to detect malware or its spread within a Kubernetes cluster.

Zero Trust policies rely on real-time visibility into workloads, Continue reading

How to try open networking for free.

Want to try open networking for free? Try NVIDIA® Cumulus VX – a free virtual appliance that provides all the features of NVIDIA Cumulus Linux. You can preview and test NVIDIA Cumulus Linux in your own environment, at your own pace, without organizational and economic barriers. You can also produce sandbox environments for prototype assessment, pre-production rollouts, and script development.

NVIDIA Cumulus VX runs on all popular hypervisors, such as VirtualBox and VMware vSphere, and orchestrators, such as Vagrant and GNS3.

Our website has the images needed to run NVIDIA Cumulus VX on your preferred hypervisor—download is simple. What’s more, we provide a detailed guide on how to install and set up NVIDIA Cumulus VX to create this simple two leaf, one spine topology:

With these three switches up and running, you are all set to try out NVIDIA Cumulus Linux features, such as traditional networking protocols (BGP and MLAG), and NVIDIA (formerly Cumulus Networks) specific technologies, such as ONIE and Prescriptive Topology Manager (PTM). And, not to worry, the NVIDIA Cumulus Linux user guide is always close at hand to help you out, as well as the community Slack channel, where you can submit questions and engage with the wider Continue reading

How Remote Networking Events Actually Work

When working from home or from a remote place, there is an added pressure of trying to figure out how you can network with other co-workers or professionals from the same field. This is why remote networking is a new phenomenon that is the talk of the town. Even when you are working remotely, you need to be able to network with other people so that you can think outside the box, make decisions, and make professional connections with others in your field.

How it Works

Networking events can be a bit tricky. Knowing who to talk to and how to communicate in person and keep it interesting is hard but useful. Remote networking, on the other hand, is a whole different ballpark. This means that you are not physically present at the event but you still have to figure out a way to be in touch with most people and talk to them professionally. Here are a few ways and tips with which you can actually make remote networking easier.

1. Be a Part of Online Networking Groups

By being a part of a networking group online, you can easily be in connection with people from different professions Continue reading

Rendering React on the Edge with Flareact and Cloudflare Workers

The following is a guest post from Josh Larson, Engineer at Vox Media.

Imagine you’re the maintainer of a high-traffic media website, and your DNS is already hosted on Cloudflare.

Page speed is critical. You need to get content to your audience as quickly as possible on every device. You also need to render ads in a speedy way to maintain a good user experience and make money to support your journalism.

One solution would be to render your site statically and cache it at the edge. This would help ensure you have top-notch delivery speed because you don’t need a server to return a response. However, your site has decades worth of content. If you wanted to make even a small change to the site design, you would need to regenerate every single page during your next deploy. This would take ages.

Another issue is that your site would be static — and future updates to content or new articles would not be available until you deploy again.

That’s not going to work.

Another solution would be to render each page dynamically on your server. This ensures you can return a dynamic response for new or updated articles.

Continue reading

Chapter Leaders Worldwide Make the Case for Strong Encryption

What makes a great leader? Earlier this year, 473 Chapter Members participated in the 2020 Chapters Training Program. The Internet Society kicked off the program with a lot of hope and excitement. This was an opportunity to harness the power of us – our global community – to incubate innovative ideas and tomorrow’s Internet leaders.

The program aimed to develop new community leaders to work with their Chapters, create local awareness of the Internet Society’s mission-driven work, and become involved in Action Plan projects, including Encryption.

Each time we share information on the Internet, we assume that only our selected recipients – and no one else – will receive and read it. But how can we be sure? Ursula Wyss of the Switzerland Chapter says, this is “where end-to-end encryption comes in, since it ensures that only you and those people who are intentionally included in the conversation can read the messages that are being exchanged. This is done by scrambling the message in a way that it can only be read by those who have the right encryption key to unscramble it. For everyone else, the messages remain scrambled.”

The Encryption Chapters Training Program was developed Continue reading

Considerations for Host-based Firewalls (Part 1)

This is a guest blog post by Matthias Luft, Principal Platform Security Engineer @ Salesforce, and a regular ipSpace.net guest speaker.

Having spent my career in various roles in IT security, Ivan and I always bounced thoughts on the overlap between networking and security (and, more recently, Cloud/Container) around. One of the hot challenges on that boundary that regularly comes up in network/security discussions is the topic of this blog post: microsegmentation and host-based firewalls (HBFs).

The Hedge Podcast #49: Karen O’Donoghue and Network Time Security

Time is critical for many of the systems that make the Internet and other operational networks “go,” but we often just assume the time is there and it’s right. In this episode of the Hedge, Karen O’Donoghue joins Alvaro and Russ to talk about some of the many attacks and failures that can be caused by an incorrect time, and current and ongoing work in securing network time in the IETF.

Syncing MySQL tables with a custom Ansible module

The community.mysql collection from Ansible Galaxy provides a mysql_query module to run arbitrary MySQL queries. Unfortunately, it supports neither check mode nor the --diff flag. It is also unable to tell whether there was a change. Let’s write a specific Ansible module to work around these issues.

Notice

I recommend that you read “Writing a custom Ansible module” as an introduction.

Code

The module has the following signature. It executes the provided SQL statements in a single transaction, and it needs a list of the affected tables to be able to detect and show the changes.

mysql_sync:
  sql: |
    DELETE FROM rules WHERE name LIKE 'CMDB:%';
    INSERT INTO rules (name, rule) VALUES
      ('CMDB: check for cats', ':is(object, "CAT")'),
      ('CMDB: check for dogs', ':is(object, "DOG")');
    REPLACE INTO webhooks (name, url) VALUES
      ('OpsGenie', 'https://opsgenie/something/token'),
      ('Slack', 'https://slack/something/token');
  user: monitoring
  password: Yooghah5
  database: monitoring
  tables:
    - rules
    - webhooks

Prerequisites

The module does not enforce idempotency, but you are expected to provide appropriate SQL queries. In the above example, idempotency is achieved because the content of the rules table is deleted and recreated from scratch, while the rows in the webhooks table are Continue reading

Syncing SSH keys on Cisco IOS-XR with a custom Ansible module

The cisco.iosxr collection from Ansible Galaxy provides an iosxr_user module to manage local users, along with their SSH keys. However, the module is quite slow, does not display a diff for changed SSH keys, never signals a change when a key is modified, and does not delete obsolete keys. Let’s write a custom Ansible module managing only the SSH keys while fixing these issues.

Notice

I recommend that you read “Writing a custom Ansible module” as an introduction.

How to add an SSH key to a user

Adding SSH keys to users in Cisco IOS-XR is largely undocumented. First, you need to encode the key in the “ssh-rsa” key ASN.1 format, like an OpenSSH public key but without the base64 encoding:

$ awk '{print $2}' id_rsa.pub \
    | base64 -d \
    > publickey_vincent.raw

Then, you upload the key with SCP to harddisk:/publickey_vincent.raw and import it for the current user with the following IOS command (the file name must match the one you uploaded):

crypto key import authentication rsa harddisk:/publickey_vincent.raw

However, if you want to import a key for another user, you need to be part of the root-system group:

username vincent
 group root-lr
 group root-system

With the following admin command, you Continue reading