Securing BGP: A Case Study (10)

The next proposed (and actually already partially operational) system on our list is the Router Public Key Infrastructure (RPKI) system, which is described in RFC7115 (and a host of additional drafts and RFCs). The RPKI systems is focused on solving a single solution: validating that the originating AS is authorized to originate a particular prefix. An example will be helpful; we’ll use the network below.

(this is a graphic pulled from a presentation, rather than one of my usual line drawings)

Assume, for a moment, that AS65002 and AS65003 both advertise the same route, 2001:db8:0:1::/64, towards AS65000. How can the receiver determine if both of these two advertisers can actually reach the destination, or only one can? And, if only one can, how can AS65000 determine which one is the “real thing?” This is where the RPKI system comes into play. A very simplified version of the process looks something like this (assuming AS650002 is the true owner of 2001:db8:0:1::/64):

• AS65002 obtains, from the Regional Internet Registry (labeled the RIR in the diagram), a certificate showing AS65002 has been issued 2001:db8:0:1::/64.
• AS65002 places this certificate into a local database that is synchronized with all the other operators participating in Continue reading

Worth Reading: How Big Data Creates False Confidence

It’s tempting to think that with such an incredible volume of data behind them, studies relying on big data couldn’t be wrong. But the bigness of the data can imbue the results with a false sense of certainty. Many of them are probably bogus—and the reasons why should give us pause about any research that blindly trusts big data. -via Nautilus

The post Worth Reading: How Big Data Creates False Confidence appeared first on 'net work.

Worth Reading: Linux Underlays

Linux is the vodka of operating systems. It can run in a stripped down manner on a variety of systems and leave very little trace behind. BSD is similar in this regard but doesn’t have the driver support from manufacturers or the ability to strip out pieces down to the core kernel and few modifications. Linux gives vendors and operators the flexibility to create a software environment that boots and gets basic hardware working. The rest is up to the creativity of the people writing the applications on top. -via the Networking Nerd

The post Worth Reading: Linux Underlays appeared first on 'net work.

Frogs and Other Frogs…

The post Frogs and Other Frogs… appeared first on 'net work.

Worth Reading: Broadband Speed Tests

Everyone is familiar with broadband ‘speed test’ applications. When you have an ISP service quality problem, it is common to grab one of these tools to see if you are getting the service you feel you are entitled to get. Whenever you upgrade your broadband, the first thing you might do is to run a speed test. Then you can show off to your mates how superior your blazing fast service is compared to their pitiful product. -via Circle ID

The post Worth Reading: Broadband Speed Tests appeared first on 'net work.

Worth Reading: Data Tiering and NVM

In short, much higher capacity, at one fifth of the cost of DRAM – but this is paid for with increased read latency (4x) and reduced write bandwidth (8x). The higher capacity and lower cost characteristics are very attractive for in-memory workloads when using NVM as a DRAM replacement/complement. -via the morning paper

The post Worth Reading: Data Tiering and NVM appeared first on 'net work.

Book Signing at Interop

I’ll be signing books at the Interop book store at around 1’ish this afternoon, until I need to run off to present this afternoon. Come by and grab a copy to be signed, or just bring a copy you already own.

The post Book Signing at Interop appeared first on 'net work.

Worth Reading: Moving towards a better Internet

Those of us who have been working on IPv6 for over 15 years know what it means to be an advocate for an infrastructure technology that cannot be easily tied to new revenue or short-term risks. It is a battle on an icy uphill slope with head winds and a gallery of skeptics who call themselves realists and cheer your every bruise. -via APNIC

The post Worth Reading: Moving towards a better Internet appeared first on 'net work.

Worth Reading: Container Orchestration and Scheduling

Forgive the analogy, but we are increasingly being asked to think of our infrastructure and applications as cattle. We care about cattle, but perhaps a little less than we would in comparison to our pets. We try not to be reckless with our cattle, and we want them to be grazing on the best land, we want to move them periodically away from crowded or dangerous pasture, and if they do get ill, we want someone to tend them back to full health. -via the New Stack

The post Worth Reading: Container Orchestration and Scheduling appeared first on 'net work.

Basic Skills: Half Split Troubleshooting

Maybe my excuse should be that it was somewhere around two in the morning. Or maybe it was just unclear thinking, and that was that. Sgt P. and I were called out to fix the AN/FPS-77 RADAR system just at the end of our day so we’d been fighting this problem for some seven or eight hours already. For some reason, a particular fuse down in the high voltage power supply kept blowing. Given this is the circuit that fed the magnetron with 250,000 volts at around 10 amps, it made for some interesting discussion with the folks in base weather, who were thus dependent on surrounding weather RADAR systems to continue flight operations.

If this sounds familiar, I’ve told this story before in a different context, but bear with me…

So how did we miss the problem that actually caused the blown fuse, and hence the loss of our site’s weather RADAR system for more than a day? The reason is that it was, in fact, two in the morning, and we’d run out of ideas. If you want a sense of the complexity of the system we were working on, here is the troubleshooting guide, and here is Continue reading

Worth Reading: Silicon Photonics

Although photons of light dominate the long-distance information superhighways of the Internet, electrons remain the workhorses that move and process information at the local level. Visionaries have imagined for decades that power-efficient light-based communication would migrate to ever-shorter distances and eventually move onto silicon chips alongside transistors at the centimeter scale. -via the ACM

The post Worth Reading: Silicon Photonics appeared first on 'net work.

Worth Reading: NOMA

We are interested in undertaking and supporting activities that help maintain a healthy Internet. To that end, we are pleased to announce a new partnership. The Internet Society is working with Thinking Cat Enterprises on the Techark Network Operator Measurement Activity (NOMA) project to unlock more operator-based measurements that tell us something about the health of the Internet. The first target of NOMA is to develop an access network’s perspective on IPv6 performance as one indicator of the Internet’s health. -via the ISOC

The post Worth Reading: NOMA appeared first on 'net work.

Security ‘net: Privacy and Cybercrime Edition

DDoS blackmail is an increasingly common form of cybercrime, it appears. The general pattern is something like this: the administrator of a large corporate site receives an email, threatening a large scale DDoS attack unless the company deposits some amount of bitcoin in an untraceable account. Sometimes, if the company doesn’t comply, the blackmail is followed up with a small “sample attack,” and a second contact or email asking for more bitcoin than the first time.

The best reaction to these types of things is either to work with your service provider to hunker down and block the attack, or to simply ignore the threat. For instance, there has been a spate of threats from someone called Armada Collective over the last several weeks that appear to be completely empty; while threats have been reported, no action appears to have been taken.

We heard from more than 100 existing and prospective CloudFlare customers who had received the Armada Collective’s emailed threats. We’ve also compared notes with other DDoS mitigation vendors with customers that had received similar threats. -via Cloudflare

The bottom line is this: you should never pay against these threats. It’s always better to contact your provider and work Continue reading

Worth Reading: Trusting Robots in an Emergency

In emergencies, people may trust robots too much for their own safety, a new study suggests. In a mock building fire, test subjects followed instructions from an “Emergency Guide Robot” even after the machine had proven itself unreliable – and after some participants were told that robot had broken down.

The post Worth Reading: Trusting Robots in an Emergency appeared first on 'net work.

Worth Reading: Neutron Networking

Neutron server, residing in a control node, is responsible for orchestrating and provisioning of all virtual networks within an OpenStack environment. Its goal is to enable end-to-end reachability among the VMs and between the VMs and external subnets. To do that, Neutron uses concepts that should be very familiar to every network engineer like subnet, router, firewall, DHCP and NAT.

The post Worth Reading: Neutron Networking appeared first on 'net work.

Securing BGP: A Case Study (9)

There are a number of systems that have been proposed to validate (or secure) the path in BGP. To finish off this series on BGP as a case study, I only want to look at three of them. At some point in the future, I will probably write a couple of posts on what actually seems to be making it to some sort of deployment stage, but for now I just want to compare various proposals against the requirements outlined in the last post on this topic (you can find that post here).

The first of these systems is BGPSEC—or as it was known before it was called BGPSEC, S-BGP. I’m not going to spend a lot of time explaining how S-BGP works, as I’ve written a series of posts over at Packet Pushers on this very topic:

Part 1: Basic Operation
Part 2: Protections Offered
Part 3: Replays, Timers, and Performance
Part 4: Signatures and Performance
Part 5: Leaks

Considering S-BGP against the requirements:

• Centralized versus decentralized balance:S-BGP distributes path validation information throughout the internetwork, as this information is actually contained in a new attribute carried with route advertisements. Authorization and authentication are implicitly centralized, however, with the Continue reading

Worth Reading: Cisco Unified Code Base

Cisco had an interesting and very promising presentation at Network Field Day 11 about an effort to unify their codebase for a part of their product line. Jagbir Kang, product manager for enterprise switching, provided an overview of the IOS XE Denali (16.1.1) release which will unify the development trains for the Cat 3850 and 3650 switches with the ASR1000 routing platform. -via Netcraftsmen

The post Worth Reading: Cisco Unified Code Base appeared first on 'net work.

Worth Reading: A Systematic Analysis of the Juniper Dual EC Incident

In December 2015, Juniper Networks announced that unknown attackers had added unauthorized code to ScreenOS, the operating system for their NetScreen VPN routers. This code created two vulnerabilities: an authentication bypass that enabled remote administrative access, and a second vulnerability that allowed passive decryption of VPN traffic. Reverse engineering of ScreenOS binaries revealed that the first of these vulnerabilities was a conventional back door in the SSH password checker.

The post Worth Reading: A Systematic Analysis of the Juniper Dual EC Incident appeared first on 'net work.

Worth Reading: A Systematic Analysis of the Juniper Dual EC Incident

In December 2015, Juniper Networks announced that unknown attackers had added unauthorized code to ScreenOS, the operating system for their NetScreen VPN routers. This code created two vulnerabilities: an authentication bypass that enabled remote administrative access, and a second vulnerability that allowed passive decryption of VPN traffic. Reverse engineering of ScreenOS binaries revealed that the first of these vulnerabilities was a conventional back door in the SSH password checker.

The post Worth Reading: A Systematic Analysis of the Juniper Dual EC Incident appeared first on 'net work.

Worth Reading: Chromatic Dispersion

Chromatic dispersion of short optical pulses traversing optical fibers is a fundamental problem when it comes to optical transport. Signal distortion, if not properly compensated, will lead to inter-symbol interference that may result in data loss or traffic interruption. This paper describes the technologies used to compensate for chromatic dispersion and how to implement reliable optical connections between equipment nodes that could extend more than 100km apart. -Data Center Journal

The post Worth Reading: Chromatic Dispersion appeared first on 'net work.