Everything You Need to Know about Network Time Security
This article was first published on NetNod’s Blog. It is reposted here with permission of the author.
A lot of the Internet’s most important security tools are dependent on accurate time. But until recently there was no way to ensure that the time you were getting came from a trusted source. The new Network Time Security (NTS) standard has been designed to fix that. In this post, we will summarise the most important NTS developments and link to a range of recent Netnod articles providing more information on the background, the NTS standard and the latest implementations.
What is NTS and why is it important?
NTS is an essential development of the Network Time Protocol (NTP). It has been developed within the Internet Engineering Task Force (IETF) and adds a much needed layer of security to a protocol that is more than 30 years old and is vulnerable to certain types of attack. Netnod has played an important role in the development of Network Time Security (NTS) from the standardization effort in the IETF to the development of several implementations and the launch of one of the first NTS-enabled NTP services in the world.
NTS consists of two protocols, Continue reading
BGP Convergence and ASn allocation design in Large Scale Networks
BGP Convergence and ASn allocation design in Large Scale Networks covered in this post and the video at the end of the post.
This content is explained in great detail in my BGP Zero to Hero course as well as CCIE Enterprise Training.
BGP is always known as slowly converged protocol. In fact this is wrong knowledge. If you just mention about BGP Control plane convergence, can be true but we always ignore BGP Data Plane Convergence which is commonly known as BGP PIC (Prefix Independent Convergence)
In this post, I will explain the BGP Path Hunting process which slows down the convergence process. Path Hunting is not only BGP but in general distance vector protocols convergence problem.
Effect of Path Hunting gets very problematic in densely meshed topologies such as CLOS or Fat Tree.
Many Leaf and Spine switches might be in the network and when EBGP is used (As it is recommended in RFC 7938) Path Hunting should be avoided by allocation the Autonomous System number to the networking devices wisely.
Otherwise, for the prefix which is not anymore advertised to network due to failure for example, BGP speaking routers try any Continue reading
IPv6 Buzz 057: Thinking Differently With IPv6
What do novice engineers need to know about IPv6? How can v6 help you rethink customer solutions? What will networking look like in 20 years? Today's IPv6 Buzz podcast explores these questions and more with guest Chris Grundemann, author and veteran IPv6 advocate.IPv6 Buzz 057: Thinking Differently With IPv6
What do novice engineers need to know about IPv6? How can v6 help you rethink customer solutions? What will networking look like in 20 years? Today's IPv6 Buzz podcast explores these questions and more with guest Chris Grundemann, author and veteran IPv6 advocate.
The post IPv6 Buzz 057: Thinking Differently With IPv6 appeared first on Packet Pushers.
Closing One Door and Opening Another | SIWDT
Bill Koss reflects on state of networking
The post Closing One Door and Opening Another | SIWDT appeared first on EtherealMind.
On Cyber Governance
APAN (Asia Pacific Advanced Network) brings together national research and education networks in the Asia Pacific region. APAN holds meetings twice a year to talk about current activities in the regional NREN sector. I was invited to be on a panel at APAN 50 on the subject of Cyber Governance, and I’d like to share my perspective on this topic here.The Hedge Episode 47: Scott Burleigh and the Bundle Protocol
In this episode of the Hedge, Scott Burleigh joins Alvaro Retana and Russ White to discuss the Bundle Protocol, which is designed to support delay tolerant data delivery over intermittently available or “stressed” networks. Examples include interstellar communication, email transmission over networks where access points move around (carrying data with them), etc. You can learn more about delay tolerant networking here, and read the most recent draft specification here.
Day Two Cloud 060: Charting Global Internet Performance With ThousandEyes (Sponsored)
What's really going on in the cloud? ThousandEyes, our sponsor for this episode, has just released its inaugural Internet Performance Report, which tracks the performance and availability of ISPs, public clouds, CDNs, and DNS across multiple geographical regions. The report measures performance over time and also looks at the current impact of COVID-19 on Internet usage. Angelique Medina, Director, Product Marketing at ThousandEyes, is our guide.
The post Day Two Cloud 060: Charting Global Internet Performance With ThousandEyes (Sponsored) appeared first on Packet Pushers.
Day Two Cloud 060: Charting Global Internet Performance With ThousandEyes (Sponsored)
What's really going on in the cloud? ThousandEyes, our sponsor for this episode, has just released its inaugural Internet Performance Report, which tracks the performance and availability of ISPs, public clouds, CDNs, and DNS across multiple geographical regions. The report measures performance over time and also looks at the current impact of COVID-19 on Internet usage. Angelique Medina, Director, Product Marketing at ThousandEyes, is our guide.Tier 1 Carriers Performance Report: July, 2020
The post Tier 1 Carriers Performance Report: July, 2020 appeared first on Noction.
Network-layer DDoS attack trends for Q2 2020
In the first quarter of 2020, within a matter of weeks, our way of life shifted. We’ve become reliant on online services more than ever. Employees that can are working from home, students of all ages and grades are taking classes online, and we’ve redefined what it means to stay connected. The more the public is dependent on staying connected, the larger the potential reward for attackers to cause chaos and disrupt our way of life. It is therefore no surprise that in Q1 2020 (January 1, 2020 to March 31, 2020) we reported an increase in the number of attacks—especially after various government authority mandates to stay indoors—shelter-in-place went into effect in the second half of March.
In Q2 2020 (April 1, 2020 to June 30, 2020), this trend of increasing DDoS attacks continued and even accelerated:
- The number of L3/4 DDoS attacks observed over our network doubled compared to that in the first three months of the year.
- The scale of the largest L3/4 DDoS attacks increased significantly. In fact, we observed some of the largest attacks ever recorded over our network.
- We observed more attack vectors being deployed and attacks were more geographically distributed.
The number Continue reading
Must Watch: How NOT to Measure Latency
A while ago someone pointed me to an interesting talk explaining why 99th percentile represents a pretty good approximation of user-experienced latency on a typical web page (way longer version: Understanding Latency and Application Responsiveness, also How I Learned to Stop Worrying and Love Misery)
If you prefer reading instead of watching videos, there’s also everything you know about latency is wrong.
The NSX-T Gateway Firewall Secures Physical Servers
To date, our blog series on securing physical servers with NSX Data Center has covered the use of bare metal agents installed in a physical server. In this scenario, NSX bare metal agents provide management and enforcement of security policy for the physical server. For a quick recap of how NSX Data Center secures physical server traffic, please review our first and second blogs in this multi-part series. In this article, we will discuss the use of one of the NSX-T Gateway services of an NSX Edge Node. Specifically, the NSX-T Gateway Firewall secures physical servers.
What’s The NSX-T Edge?
The NSX-T Edge is a feature-rich L3-L7 gateway. A brief review of some NSX-T Edge services:
- Via Tier-0 Gateway, routing between the logical and the physical using dynamic routing protocols (eBGP and iBGP) as well as static routing
- Via Tier-1 Gateway, routing between logical network segments, or from logical network segments to uplink to the Tier-0 Gateway
- Routing for IPv4 and IPv6 addresses
- Load Balancing via NSX-T Edge, which offers high-availability service for applications and distribution of network traffic load
- Network Address Translation (NAT), available on tier-0 and tier-1 gateways
- To manage IP addresses, the configuration of DNS (Domain Continue reading
The evolution of hardware telemetry and its software interfaces
Subscribe to Kernel of Truth on iTunes, Google Play, Spotify, Cast Box and Sticher!
Click here for our previous episode.
In this episode, Kernel of Truth host Roopa Prabhu is joined by Barak Gafni. The two of them chat about the evolution of hardware telemetry and its software interfaces as well as catch up some of the work on IOAM Barak’s been involved with. We hope you enjoy this episode and don’t forget to also check out the links below with resources referenced in the podcast.
Guest Bios
Roopa Prabhu: Roopa is a Linux Architect at NVIDIA, formally Cumulus Networks. She and her team work on all things kernel networking and Linux system infrastructure areas. Her primary focus areas in the Linux kernel are Linux bridge, Netlink, VxLAN, Lightweight tunnels. She is currently focused on building Linux kernel dataplane for E-VPN. She loves working with the Linux kernel networking and debian communities. Her past experience includes Linux clusters, ethernet drivers and Linux KVM virtualization platforms. She has a BS and MS in Computer Science. You can find her on Twitter at @__roopa.
Barak Gafni: Barak is a Staff Architect at NVIDIA, formally Mellanox Technologies, focusing on enabling Continue reading
History of Networking: Stan Hanks and GRE
GRE was the first tunneling protocol ever designed and deployed—and although it largely been overtaken by VXLAN and other tunnel protocols, it is still in widespread use today. For this episode of the History of Networking, Stan Hanks, the inventor of GRE—and hence the inventor of the concept of tunneling in packet switched networks—joins us to describe how and why GRE tunneling was invented.