The Week in Internet News: Facebook Moves Forward with Encryption, Despite Concerns

Forging ahead: Facebook plans to move ahead with plans to expand encryption despite concerns from law enforcement agencies that it will be used by criminals, the New York Times reports. Facebook’s decision to expand encryption across its Messenger platform comes after complaints by top law enforcement officials in the United States, United Kingdom, and Australia that Facebook’s plan to encrypt messaging on all its platforms would make it more difficult to find child sex predators and pornographers.

Investigate the ISPs: Mozilla has asked Congress to investigate data collection by Internet service providers following reports that Comcast is lobbying against browser plans to implement the encryption scheme DNS-over-HTTPS, Vice reports. Mozilla’s rollout of DNS-over-HTTPS “has raised questions about how ISPs collect and use sensitive user data in their gatekeeper role over internet usage,” the browser maker wrote.

The next billion: The next billion Internet users will have significantly different goals and needs than the first billion, Quartz says. While many observers have talked about the Internet being a tool to deliver basic needs, many new users will be focused on using the Internet for leisure activities, the article predicts. And while many users in the West are focused on privacy, many Continue reading

AT&T Sounds Alarm on 5G Security

BGP Route Reflector in Plain English

BGP Route Reflector in Plain English, in this post, I will explain you the BGP Route Reflector basics, after you read this post, you will be able to answer many questions regarding BGP Route Reflectors.

I am explaining this topic in deep detail in my Onsite CCDE , Live/Webex CCDE , Self Paced CCDE and also my specialized “BGP Zero to Hero” course.

Outline of this post is as below.

• What is BGP Route Reflector ?
• Why BGP Route Reflector is used ?
• What is the alternate methods ?
• Different type of BGP Route Reflectors
• Benefits of BGP Route Reflector
• Problems with the BGP Route Reflector
• BGP Route Reflector Redundancy

To have a great understanding of SP Networks, you can check my new published “Service Provider Networks Design and Perspective” Book. It covers the SP network Technologies with also explaining in detail a factious SP network. Click here
What is BGP Route Reflector ?

A route reflector (RR) is a network routing component for BGP (RFC 4456). It offers an alternative to the logical full-mesh requirement of internal border gateway protocol (IBGP).

Above is the wikipedia definition of BGP Route Reflector. Let’s extend the definition a bit.

BGP Route Reflector Continue reading

Juniper Guns for Cisco, Aruba With Mist AI

What does PE-CE mean in MPLS?

What does PE-CE mean in the context of MPLS ? What is CE , P and PE device in MPLS and MPLS VPN ?

These are foundational terms and definition in MPLS.

MPLS is one of the most commonly used encapsulation mechanism in Service Provider networks and before studying more advanced mechanisms, this article is must read.

In order to understand PE-CE, we need to understand first what are PE and CE in MPLS.

I am explaining this topic in deep detail in my Instructor Led CCDE and Self Paced CCDE course.

Let’s take a look at below figure.

Note: If you are looking for a much more detailed resource on this topic, please click here.

MPLS VPN PE-CE

Figure -1 MPLS network PE, P and CE routers

In Figure-1 MPLS network is shown. This can be an Enterprise or Service Provider network. MPLS is not only a service provider technology. It can provide segmentation/multi tenancy for the enterprise environment as well.

Three different types of router are shown. CE , PE and P routers.

CE devices are located in the customer site. PE and P devices are located in the Service Provider site.

If it is Enterprise network, WAN Continue reading

BGP Route Reflector Clusters

BGP route reflectors, used as an alternate method to full mesh IBGP, help in scaling.

BGP route reflector clustering is used to provide redundancy in a BGP RR design. BGP Route reflectors and RR clients create a cluster. (Cluster = BGP RR + BGP RR Clients)

I am explaining this topic in deep detail in my Onsite CCDE , Live/Webex CCDE , Self Paced CCDE and also my specialized “Live/Webex BGP Zero to Hero” course.

In IBGP topologies, every BGP speaker has to be in a logical full mesh. So, every BGP router has to have a direct IBGP neighborship with each other. However, route reflector is an exception.

If you place a BGP Route Reflector , IBGP router sets up BGP neighborship with only the route reflectors.

In this article, I will specifically mention the route reflector clusters and its design.

For those who want to understand BGP Route Reflectors, I highly recommend my ‘ BGP Route Reflector in Plain English ‘ post.

If you want to learn Route Reflector Loop Problem , check this post

Also, I explained BGP Route Reflectors, Route Reflector Design Options and many other Service Provider Design topic in my Service Provider Design Workshop.

Continue reading

How Difficult is SD-WAN?

In a recent Packet Pushers Heavy Networking episode, Ethan and Greg discussed how difficult SD-WAN is, and why you shouldn’t outsource your SD-WAN to a MSP. So, how difficult is really SD-WAN?

Now, this is of course going to depend on your organization’s level of skill, as well as what vendor you go with, but there are still some conclusions that we can come to.

Most of the SD-WAN solutions are operated by cloud-hosted SDN controllers, where the vendor has setup the virtual machines running the software for you. This greatly simplifies a lot of things that have been painful in the past. From a Cisco perspective, this is some of the pain that has been removed from you:

• Controllers – Controllers are installed for you and backed up by Cisco
• Software – Software is managed centrally, don’t need to login to each device to update it
• Traffic engineering – Can modify routing behavior without being an expert in say BGP
• Certificates – Only devices with a valid certificate can join the overlay, you don’t need your own Public Key Infrastructure (PKI)
• Pre Shared Keys (PSK) – Keys used for IPSec are rotated automatically without manual intervention

This means Continue reading

Junos – Loading Configs – 5 of 5 – Set

This is the fifth post in the Loading Configs series. In this post, we will cover the load set command. …

Continue reading →

The post Junos – Loading Configs – 5 of 5 – Set appeared first on Fryguy's Blog.

Stretched Layer-2 Subnets in Azure

Last Thursday morning I found this gem in my Twitter feed (courtesy of Stefan de Kooter)

Greg Cusanza in #BRK3192 just announced #Azure Extended Network, for stretching Layer 2 subnets into Azure!

As I know a little bit about how networking works within Azure, and I’ve seen something very similar a few times in the past, I was able to figure out what’s really going on behind the scenes in a few seconds… and got reminded of an old Russian joke I found somewhere on Quora:

Snap: a microkernel approach to host networking

Snap: a microkernel approach to host networking Marty et al., SOSP’19

This paper describes the networking stack, Snap, that has been running in production at Google for the last three years+. It’s been clear for a while that software designed explicitly for the data center environment will increasingly want/need to make different design trade-offs to e.g. general-purpose systems software that you might install on your own machines. But wow, I didn’t think we’d be at the point yet where we’d be abandoning TCP/IP! You need a lot of software engineers and the willingness to rewrite a lot of software to entertain that idea. Enter Google!

I’m jumping ahead a bit here, but the component of Snap which provides the transport and communications stack is called Pony Express. Here are the bombshell paragraphs:

Our datacenter applications seek ever more CPU-efficient and lower-latency communication, which Pony Express delivers. It implements reliability, congestion control, optional ordering, flow control, and execution of remote data access operations. Rather than reimplement TCP/IP or refactor an existing transport, we started Pony Express from scratch to innovate on more efficient interfaces, architecture, and protocol. (Emphasis mine).

and later on “we are seeking to grow Continue reading

Headcount: Firings, Hirings, and Retirings — October 2019

CVE 2019-14866: GNU cpio

I found a security bug in GNU cpio and thought I’d write down the story of that. It’s not the most interesting bug in the world, but it may still be an interesting story to some.

An odd limit

The whole thing started with me looking at the manpage

-H, --format=FORMAT
  Use given archive FORMAT. Valid formats are (the number in
  parentheses gives maximum size for individual archive member):
  bin    The obsolete binary format. (2147483647 bytes)
  odc    The old (POSIX.1) portable format. (8589934591 bytes)
  newc   The new (SVR4) portable format, which supports file
         systems having more than 65536 i-nodes. (4294967295 bytes)
  crc    The new (SVR4) portable format with a checksum added.
  tar    The old tar format. (8589934591 bytes)
  ustar  The POSIX.1 tar format. Also recognizes GNU tar archives, which are
         similar but not identical. (8589934591 bytes)
  hpbin  The obsolete binary format used by HPUX's cpio (which stores device
         files differently).
  hpodc  The portable format used by HPUX's cpio (which stores device files
         differently).

What’s wrong with this picture? Those are some very odd size limits. 2GiB and 4GiB I understand, as it’s 32bit signed and unsigned int. But tar having a max size of 8GiB? 33 bits? That Continue reading

Analysts Debate SASE’s Merits as Vendors Board Hype Train

Heavy Networking 484: Cloud And SD-WAN Are New Opportunities To Rethink Your Network (Sponsored)

Today on Heavy Networking, sponsor Open Systems comes on the podcast to discuss the new opportunities--and challenges--for networking in a time when more applications and services are running in the cloud. We explore how cloud services affect WAN design, how organizations can use SD-WAN to enhance networking and security, and much more. Our guest is Silvan Tschopp, head of solutions architecture at Open Systems.

The post Heavy Networking 484: Cloud And SD-WAN Are New Opportunities To Rethink Your Network (Sponsored) appeared first on Packet Pushers.

Why is everybody talking about 6G?

We're not even using 5G yet, and already 6G is in the news. What is 6G? Is it real? When do we all get it? (Spoiler alert: Nonexistent, no and a long time from now.)

Google Killed Chronicle, Report Claims

Rakuten: We Have More Edge Locations Than Amazon

Weekly Wrap: Fortinet Fortifies Firewall, SD-WAN Capabilities

Kasten K10 v2.0 Targets Security and Simplicity

The Future of Hidden Features

You may have noticed last week that Ubiquiti added a new “feature” to their devices in a firmware updated. According to this YouTube video from @TomLawrenceTech, Ubiquiti built an new service that contacts a URL to “phone home” and check in with their servers. It got some heavy discussion going, especially on Reddit.

The consensus is that Ubiquiti screwed up here by not informing people they were adding the feature up front and also not allowing users to opt-out initially. The support people at Ubiquiti even posted a quick workaround of blocking the URL at a perimeter firewall to prevent the communications until they could patch in the option to opt-out. If this was an isolated incident I could see some manner of outcry about it, but the fact of the matter is that companies are adding these hidden features more and more every day.

The first issue comes from the fact that most release notes for apps any more are nothing aside from platitudes. “Hey, we fixed some bugs and stuff so turn on automatic updates so you get the best version of our stuff!” is somewhat common now when it comes to a list of Continue reading