Routing, and Water, Are All about Trust: Introducing “Routing Security for Policymakers”

Introducing the new Internet Society white paper, “Routing Security for Policymakers

The global routing system is a lot like a water system in a city. It’s vitally important to the Internet and we tend to overlook it until something goes wrong.

Routing determines how packets (data sent over a network or networks) containing information, like email messages, website data, and voice-over-IP (VoIP) calls, move from one place to another on the Internet. However, despite its importance, many people only think about the Internet routing when they hear about a major routing incident in the news or can’t reach their favorite websites.

Both the water system and the routing system are, at their core, built on trust. 

A water system relies on hundreds of workers, its water suppliers, local farmers and companies, and countless others to deliver its service. The system is based on chains of trust, with each person or entity relying on the other to act appropriately.

Similarly, the global routing system is a complex, decentralized system made up of tens of thousands of individual networks. Independent business decisions and trusted relationships between individual network operators that are implementing the Border Gateway Protocol (BGP) determine how Continue reading

Worth Reading: Paying for the bleeding edge

It is a good thing they still want to offload responsibility to IBM, Intel, and a few others, because it is only through such vendors that there is any hope that technologies will be advanced for the bleeding edge and eventually become the leading edge for enterprises. Which is, after all, the real point of having the technology in the first place. It is for everyone to advance, not just for the upper echelon of computing in each country. —Timothy Prickett Morgan @The Next Platform

Docker Certified Containers from Monitoring Partners

 

The Docker Certified Technology Program is designed for ecosystem partners and customers to recognize Containers and Plugins that excel in quality, collaborative support and compliance. Docker Certification gives organizations enterprises an easy way to run trusted software and components in containers on the Docker Enterprise container platform with support from both Docker and the publisher.

In this review, we’re looking at solutions to monitor Docker containers. Docker enables developers to iterate faster with software architectures consisting of many microservices. This poses a challenge to traditional monitoring solutions as the target processes are no longer statically allocated or tied to particular hosts. Monitoring solutions are now expected to track ephemeral and rapidly scaling sets of containers. The Docker Engine exposes APIs for container metadata, lifecycle events, and key performance metrics. Partner Monitoring solutions  collect both system and Docker container events and metrics in real time to monitor the health and performance of the customers entire infrastructure, applications and services. These solutions are validated by both Docker and the partner company and integrated into a seamless support pipeline that provide customers the world class support they have become accustomed to when working with Docker.

Check out the latest certified Docker Monitoring Continue reading

History Of Networking – Yuval Bachar – Backpack And The History Of Whitebox Routers

In this History of Networking episode, Yuval Bachar shares his insight about the genesis of Facebook’s Backpack open switch and the history of whitebox routing.
Yuval Bachar
Guest
Russ White
Host
Donald Sharp
Host

Outro Music:
Danger Storm Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/

The post History Of Networking – Yuval Bachar – Backpack And The History Of Whitebox Routers appeared first on Network Collective.

New Internet Draft: Considerations on Internet Consolidation and the Internet Architecture

Swirling vortex of stars

Are there assumptions about the Internet architecture that no longer hold in a world where larger, more centralized entities provide big parts of the Internet service? If the world changes, the Internet and its technology/architecture may have to match those changes. It appears that level[ing] the playing field for new entrants or small players brings potential benefits. Are there technical solutions that are missing today?

These questions were one of many asked in a new Internet Draft published yesterday by former IETF Chair Jari Arkko on behalf of several Internet Architecture Board (IAB) members with the title “Considerations on Internet Consolidation and the Internet Architecture”:

https://tools.ietf.org/html/draft-arkko-iab-internet-consolidation-00

The draft text is based on the IAB “Consolidation” blog post back in March 2018as well as a new post Jari and Brian Trammell have written for the APNIC and RIPE sites.

The abstract of the Internet Draft is:

Many of us have held a vision of the Internet as the ultimate distributed platform that allows communication, the provision of services, and competition from any corner of the world. But as the Internet has matured, it seems to also feed the creation of large, centralised entities in many areas. This Continue reading

VMware NSX: The Good, the Bad and the Ugly

After four live sessions we finished the VMware NSX Technical Deep Dive webinar yesterday. Still have to edit the materials, but right now the whole thing is already over 6 hours long, and there are two more guest speaker sessions to come.

Anyways, in the previous sessions we covered all the good parts of NSX and a few of the bad ones. Everything that was left for yesterday were the ugly parts.

Read more ...

Maelstrom: mitigating datacenter-level disasters by draining interdependent traffic safely and efficiently

Maelstrom: mitigating datacenter-level disasters by draining interdependent traffic safely and efficiently Veeraraghavan et al., OSDI’18

Here’s a really valuable paper detailing four plus years of experience dealing with datacenter outages at Facebook. Maelstrom is the system Facebook use in production to mitigate and recover from datacenter-level disasters. The high level idea is simple: drain traffic away from the failed datacenter and move it to other datacenters. Doing that safely, reliably, and repeatedly, not so simple!

Modern Internet services are composed of hundreds of interdependent systems spanning dozens of geo-distributed datacenters. At this scale, seemingly rare natural disasters, such as hurricanes blowing down power lines and flooding, occur regularly.

How regularly? Well, we’re told that Maelstrom has been in production at Facebook for over four years, and in that time has helped Facebook to recover from over 100 disasters. I make that about one disaster every two weeks!! Not all of these are total loss of a datacenter, but they’re all serious datacenter-wide incidents. One example was fibrecuts leading to a loss of 85% of the backbone network capability connecting a datacenter to the FB infrastructure. Maelstrom had most user-facing traffic drained in about 17 minutes, and the all traffic Continue reading

Masscan as a lesson in TCP/IP

When learning TCP/IP it may be helpful to look at the masscan port scanning program, because it contains its own network stack. This concept, "contains its own network stack", is so unusual that it'll help resolve some confusion you might have about networking. It'll help challenge some (incorrect) assumptions you may have developed about how networks work.
For example, here is a screenshot of running masscan to scan a single target from my laptop computer. My machine has an IP address of 10.255.28.209, but masscan runs with an address of 10.255.28.250. This works fine, with the program contacting the target computer and downloading information -- even though it has the 'wrong' IP address. That's because it isn't using the network stack of the notebook computer, and hence, not using the notebook's IP address. Instead, it has its own network stack and its own IP address.

At this point, it might be useful to describe what masscan is doing here. It's a "port scanner", a tool that connects to many computers and many ports to figure out which ones are open. In some cases, it can probe further: once it connects to Continue reading

NetQ agent on a host

We all know and love NetQ – it works hand-in-hand with Linux to accelerate data center operations. Customers love how easy it is to install and operate which makes their lives easier. Also, it can prevent and find issues in a data center by viewing the entire data center as a whole and providing three different types of services:

  • Preventative: NetQ allows an engineer to check all data center configurations and state in a few steps from any location in the network. The validation can be done on a virtual network using vagrant with Cumulus VX or if a virtual environment is not available, it can also be used during an change outage window. Since NetQ has built in analyzers of the network as a whole, no scripting is required and the validation is done from one location, rather than hop by hop. It can also shorten outage windows needed for network changes allowing shorter outage windows virtually or during outage windows.
  • Proactive: NetQ supplies notifications if something goes wrong in the network by either logging it to a file or integrating with third party applications like Slack, PagerDuty, or Splunk. It can also be filtered to ensure the right Continue reading

Watch Live – DNSSEC Workshop on October 24 at ICANN 63 in Barcelona

ICANN 63 banner image

What can we learn from recent success of the Root KSK Rollover? What is the status of DNSSEC deployment in parts of Europe – and what lessons have been learned? How can we increase the automation of the DNSSEC “chain of trust”? And what new things are people doing with DANE?

All these topics and more will be discussed at the DNSSEC Workshop at the ICANN 63 meeting in Barcelona, Spain, on Wednesday, October 24, 2018. The session will begin at 9:00 and conclude at 15:00 CEST (UTC+2).

The agenda includes:

  • DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts
  • Panel: DNSSEC Activities
    • Includes presenters from these TLDs: .DK, .DE, .CH, .UK, .SE, .IT, .ES, .CZ
  • Report on the Execution of the .BR Algorithm Rollover
  • Panel: Automating Update of DS records
  • Panel: Post KSK Roll? Plan for the Next KSK Roll?
  • DANE usage and use cases
  • DNSSEC – How Can I Help?

It should be an outstanding session!  For those onsite, the workshop will be room 113.

 

  • More info and slides are available from these URLs (ICANN’s online schedule system breaks it up into sections based on breaks and lunch):

IDG Contributor Network: Self-healing SD-WAN removes the drama of high-availability planning

My humble beginnings Back in the early 2000s, I was the sole network engineer at a startup. By morning, my role included managing four floors and 22 European locations packed with different vendors and servers between three companies. In the evenings, I administered the largest enterprise streaming networking in Europe with a group of highly skilled staff.Since we were an early startup, combined roles were the norm. I’m sure that most of you who joined as young engineers in such situations could understand how I felt back then. However, it was a good experience, so I battled through it. To keep my evening’s stress-free and without any IT calls, I had to design in as much high-availability (HA) as I possibly could. After all, all the interesting technological learning was in the second part of my day working with content delivery mechanisms and complex routing.To read this article in full, please click here

IDG Contributor Network: Self-healing SD-WAN removes the drama of high-availability planning

My humble beginnings Back in the early 2000s, I was the sole network engineer at a startup. By morning, my role included managing four floors and 22 European locations packed with different vendors and servers between three companies. In the evenings, I administered the largest enterprise streaming networking in Europe with a group of highly skilled staff.Since we were an early startup, combined roles were the norm. I’m sure that most of you who joined as young engineers in such situations could understand how I felt back then. However, it was a good experience, so I battled through it. To keep my evening’s stress-free and without any IT calls, I had to design in as much high-availability (HA) as I possibly could. After all, all the interesting technological learning was in the second part of my day working with content delivery mechanisms and complex routing.To read this article in full, please click here

Worth Reading: BGP DFZ Security

If a certificate is published with an incorrect set of number resources then there is the possibility that its subordinate certificates cannot be validated, which, as we’ve noted has implications for the reachability of services on the Internet through the connection to the routing system. Thus, certificate issuance is not without its potential legal liabilities, and it is not unusual for certificate authorities to limit their liabilities. —Geoff Huston @CircleID

1 1,439 1,440 1,441 1,442 1,443 3,858