Archive

Category Archives for "Networking"

Reducing RPKI Single Point of Takedown Risk

The RPKI, for those who do not know, ties the origin AS to a prefix using a certificate (the Route Origin Authorization, or ROA) signed by a third party. The third party, in this case, is validating that the AS in the ROA is authorized to advertise the destination prefix in the ROA—if ROA’s were self-signed, the security would be no better than simply advertising the prefix in BGP. Who should be able to sign these ROAs? The assigning authority makes the most sense—the Regional Internet Registries (RIRs), since they (should) know which company owns which set of AS numbers and prefixes.

The general idea makes sense—you should not accept routes from “just anyone,” as they might be advertising the route for any number of reasons. An operator could advertise routes to source spam or phishing emails, or some government agency might advertise a route to redirect traffic, or block access to some web site. But … if you haven’t found the tradeoffs, you haven’t looked hard enough. Security, in particular, is replete with tradeoffs.

Every time you deploy some new security mechanism, you create some new attack surface—sometimes more than one. Deploy a stateful packet filter to protect a Continue reading

Network Break 302: Nvidia Bids Billions For Arm; VMware Melds Kubernetes With vSphere

It's a baker's dozen of tech news in today's Network Break episode. We analyze Nvidia's $40 billion bid for Arm, Broadcom's banishment of Cumulus, vSphere's Kubernetes injection via Tanzu, a new hardware strategy from Extreme, new products from Palo Alto and Juniper, and more!

The post Network Break 302: Nvidia Bids Billions For Arm; VMware Melds Kubernetes With vSphere appeared first on Packet Pushers.

The Week in Internet News: Trading Trash for WiFi

Turning plastic into access: Students in a Jakarta, Indonesia, neighborhood are collecting discarded plastic and trading it for access at a WiFi station that sells the plastic waste, the World Economic Forum website says. The owner of the WiFi station uses the profits from selling the plastic to purchase access for small groups of students who need Internet access during continuing COVID-19 lockdowns.

No access here: About 54 percent of households in rural Bangladesh lack Internet access, according to a new survey featured at The Daily Star. Nearly six in 10 don’t have access to a smart phone. The survey also found that about eight in 10 rural households have very limited digital skills.

Trump vs. TikTok: U.S. President Donald Trump’s administration has moved to ban Chinese apps TikTok and WeChat as of 20 September, Reuters reported. The U.S. Department of Commerce was planning to issue an order on Friday that would prohibit app stores available in the U.S. from offering the two apps. TikTok owner ByteDance was still exploring a sale of the video-sharing app to U.S. companies.

Rockets on boats: SpaceX is planning to test its proposed Starlink satellite Internet network by using a Continue reading

Should you upgrade tape drives to the latest standard?

With the recent release of the linear tape–open 9 (LTO-9) standard, tape drives with increased capacity and speed should be available soon, but that doesn’t mean users of tape drives should rush to buy them.Here are some of the pros and cons to weigh when considering whether an upgrade is in order.Tape drives are a very reliable way to write data to storage, and are very good at holding onto data for multiple decades. They make an excellent medium for long-term storage and for shipping large amounts of data across long distances (a FedEx truck has unlimited bandwidth).[Get regularly scheduled insights by signing up for Network World newsletters.] What tape is not good at is going slow. LTO-8 has a compressed transfer speed of 900MB/s, which is significantly faster than most any backup you're going to send to it. It's definitely faster than any incremental backup that will be sent to it, and that comprises most backups. That makes tapes as the initial target of backups problematic.To read this article in full, please click here

Should you upgrade tape drives to the latest standard?

With the recent release of the linear tape–open 9 (LTO-9) standard, tape drives with increased capacity and speed should be available soon, but that doesn’t mean users of tape drives should rush to buy them.Here are some of the pros and cons to weigh when considering whether an upgrade is in order.Tape drives are a very reliable way to write data to storage, and are very good at holding onto data for multiple decades. They make an excellent medium for long-term storage and for shipping large amounts of data across long distances (a FedEx truck has unlimited bandwidth).[Get regularly scheduled insights by signing up for Network World newsletters.] What tape is not good at is going slow. LTO-8 has a compressed transfer speed of 900MB/s, which is significantly faster than most any backup you're going to send to it. It's definitely faster than any incremental backup that will be sent to it, and that comprises most backups. That makes tapes as the initial target of backups problematic.To read this article in full, please click here

Interesting: PyEnv

If you’re like me, you’re probably sick-and-tired of Python versions, environments… Every time I update Python on my MacBook Pro with Homebrew, I lose all packages I installed for the previous version of Python (because I’m installing them system-wide and they’re stored in version-specific directory).

Jon Langemak found a potential solution to this problem: PyEnv. My first reaction was: Great, just what I need… but as he described how it really works, I realized that it’s always possible to add another layer of indirection. RFC1925 strikes again.

Keepalived and unicast over multiple interfaces

Keepalived is a Linux implementation of VRRP. The usual role of VRRP is to share a virtual IP across a set of routers. For each VRRP instance, a leader is elected and gets to serve the IP address, ensuring the high availability of the attached service. Keepalived can also be used for a generic leader election, thanks to its ability to use scripts for healthchecking and run commands on state change.

A simple configuration looks like this:

vrrp_instance gateway1 {
  state BACKUP          # ❶
  interface eth0        # ❷
  virtual_router_id 12  # ❸
  priority 101          # ❹
  virtual_ipaddress {
    2001:db8:ff/64
  }
}

The state keyword in ❶ instructs Keepalived to not take the leader role when starting. Otherwise, incoming nodes create a temporary disruption by taking over the IP address until the election settles. The interface keyword in ❷ defines the interface for sending and receiving VRRP packets. It is also the default interface to configure the virtual IP address. The virtual_router_id directive in ❸ is common to all nodes sharing the virtual IP. The priority keyword in ❹ helps choosing which router will be elected as leader. If you need more information around Keepalived, be sure to check Continue reading

Syncing NetBox with a custom Ansible module

The netbox.netbox collection from Ansible Galaxy provides several modules to update NetBox objects:

- name: create a device in NetBox
  netbox_device:
    netbox_url: http://netbox.local
    netbox_token: s3cret
    data:
      name: to3-p14.sfo1.example.com
      device_type: QFX5110-48S
      device_role: Compute Switch
      site: SFO1

However, if NetBox is not your source of truth, you may want to ensure it stays in sync with your configuration management database1 by removing outdated devices or IP addresses. While it should be possible to glue together a playbook with a query, a loop and some filtering to delete unwanted elements, it feels clunky, inefficient and an abuse of YAML as a programming language. A specific Ansible module solves this issue and is likely more flexible.

Notice

I recommend that you read “Writing a custom Ansible module” as an introduction, as well as “Syncing MySQL tables” for a first simpler example.

Code

The module has the following signature and it syncs NetBox with the content of the provided YAML file:

netbox_sync:
  source: netbox.yaml
  api: https://netbox.example.com
  token: s3cret

The synchronized objects are:

Solve the Simple Problems

One thing I’ve found out over the past decade of writing is that some problems are easy enough to solve that we sometimes forget about them. Maybe it’s something you encounter once in a great while. Perhaps it’s something that needed a little extra thought or a novel reconfiguration of an existing solution. Something so minor that you didn’t even think to write it down. Until you run into the problem again.

The truth behind most of these simple problems is that the solutions aren’t always apparent. Sure, you might be a genius when it comes to fixing the network or the storage array. Maybe you figured out how to install some new software to do a thing in a way that wasn’t intended. But did you write any of it down for later use? Did you make sure to record what you’ve done so someone else can use it for reference?

Part of the reason why I started blogging was to have those written solutions to problems I couldn’t find a quick answer to. What it became was way more than I had originally intended. But the posts that I write that still get the most attention aren’t my Continue reading

Weekend Reads 091820

As it turns out, the Power10 actually has 51-bit physical addressing and a cluster of its processors can indeed see an address space that is 2 PB in size – if enough nodes with enough DDR memory slots are lashed together in the right way. As far as we know, no other CPU out there can do that.

ViacomCBS has struck a deal to sell its CNET unit to Red Ventures for $500 million. The transaction, which is expected to close in the fourth quarter of 2020, is subject to regulatory approvals and customary closing conditions.

NTP (Network Time Protocol) messages are sometimes rate-limited or blocked entirely by Internet operators. This little-known “NTP filtering” was put into place several years ago in response to DDoS (Distributed Denial of Service) attacks. NTP filtering may drop NTP messages based on rate or message size.

In Europe and beyond we struggle with effective policing of online communications. As generations before, we want to be both: free and safe when we interact with others, go shopping or get our news. While this balance is difficult, it is possible to achieve: the rapid development of online communications, often proclaimed the wild west of modern society, Continue reading

MUST Read: Blockchain, the amazing solution for almost nothing

One of the weekend reads collected by Russ White contained a pointer to a hilarious description of blockchain - a solution in search of a problem. Here are a few quotes to get you started (and I had a really hard time selecting just a few):

I’ve never seen so much bloated bombast fall so flat on closer inspection.

At its core, blockchain is a glorified spreadsheet.

The only thing is that there’s a huge gap between promise and reality. It seems that blockchain sounds best in a PowerPoint slide.

Someone should use that article as a framework and replace blockchain with OpenFlow or SDN ;)

Enjoy
1 775 776 777 778 779 3,480