Query name minimization

One new thing you need to add your DNS security policies is "query name minimizations" (RFC 7816). I thought I'd mention it since many haven't heard about it.

Right now, when DNS resolvers lookup a name like "www.example.com.", they send the entire name to the root server (like a.root-servers.net.). When it gets back the answer to the .com DNS server a.gtld-servers.net), it then resends the full "www.example.com" query to that server.

This is obviously unnecessary. The first query should be just .com. to the root server, then example.com. to the next server -- the minimal amount needed for each query, not the full query.

The reason this is important is that everyone is listening in on root name server queries. Universities and independent researchers do this to maintain the DNS system, and to track malware. Security companies do this also to track malware, bots, command-and-control channels, and so forth. The world's biggest spy agencies do this in order just to spy on people. Minimizing your queries prevents them from spying on you.

An example where this is important is that story of lookups from AlfaBank in Continue reading

Configuring BGP Route Maps

Today I am going to talk about the next step in the BGP. As we discussed on BGP Synchronisation and BGP multihop concept in my earlier articles. If you would like to have a look on that topics please check with the below links for your references.

BGP Synchronization Rule
BGP Load balancing ebgp-multihop

Some of the other articles on the BGP where we have BGP basics , BGP configurations on HP Routers and other articles are

BGP Basics Overview
Cisco Routers Sample BGP Configurations : Quick and Easy
Juniper Routers Sample BGP Configurations : Quick and Easy

In this article, I will take through the concept of the route maps and the configuration of the route maps in the BGP environment. All these configurations showing below will be on Cisco router.

Why we are using the BGP route maps, well route maps are used to control BGP routing information. Route maps are to define the condition by which routes are redistributed between routing domains.

Note : Route maps cannot be used to filter incoming BGP updates based on IP address. You can, however, use route maps to filter outgoing BGP updates based on IP address.

With the use of Continue reading

EVPN-VXLAN lab – IRB functionality

Firstly, QFX5100 series doesn’t support EVPN-VXLAN inter-VXLAN routing, so I practice all IRB related topics on vMX devices. vQFXs acts as a simple L2 EVPN gateways.
This post continues the EVPN-VXLAN lab from the previous ones.

Full vMX IRB interfaces configuration:

alex@vMX1# show interfaces irb
unit 100 {
    proxy-macip-advertisement;
    family inet {
        address 172.16.0.251/24 {
            virtual-gateway-address 172.16.0.254;
        }
    }
    family inet6 {
        address 2001:dead:beef:100::1/64 {
            virtual-gateway-address 2001:dead:beef:100::a;
        }
    }
}
unit 200 {
    proxy-macip-advertisement;
    family inet {
        address 172.16.1.251/24 {
            virtual-gateway-address 172.16.1.254;
        }
    }
    family inet6 {
        address 2001:dead:beef:200::1/64 {
            virtual-gateway-address 2001:dead:beef: Continue reading

Docker Networking Tip – Macvlan driver

Last few months, I have been looking at Docker forums(https://forums.docker.com/, https://stackoverflow.com/questions/tagged/docker) and trying to understand some of the common questions/issues faced in the Docker Networking area. This prompted me to do 2 presentations: Docker Networking overview Docker Networking – Common issues and troubleshooting techniques I received positive feedback to these 2 presentations. As a next step, … Continue reading Docker Networking Tip – Macvlan driver

BGP Synchronization Rule

Today I am going to talk about one of the basic feature of the BGP named as BGP Synchronization. Your first question : what is BGP Synchronization ? 

BGP Synchronization means that the BGP should not advertise a route until all of the routers within the AS have learned about the route via an IGP. Hope it clears the concept. Let me explain you in another way. It means if you got a ebgp route from the external neighbor via router A (as a assumption) and you want to send it to router B which is connected to another ebgp neighbour, the routes can only be learned to router B once learned by internal routers via IGP protocol.

Let me take an topology and explanation to it and further we can go with the configuration where we will disable the Synchronization as we don't want the traffic to be known to the IGP protocol.


Fig 1.1- BGP Synchronization
As shown in the above topology, if Router C sends updates about network 170.10.0.0 and received by  Router A. Now Routers A and B are running IBGP as shown in the diagram so Router B receives updates about network 170.10. Continue reading

BGP Load balancing ebgp-multihop

Today I am going to talk about the BGP configuration where i will tell you about the load balancing between the two links connecting two service providers via BGP protocol. We have two different methods to achieve this one is use of ebgp multihop command or the other way is to use the ttl security command and both these methods are applicable on the BGP neighbor command.

In this article, We are going to take through the ebgp multihop command on to the neighbours between two service providers. I knew many of you already knew the load balancing concept in the BGP.

In my example, I am taking two serial links between two routers which shares the e-BGP information between them which means each router belongs to the specific AS number. Below is the topology for your reference.

Fig 1.1- use of ebgp multihop
In the above topology, Router A is in AS100 have two serial links connected to Router B which is in AS 200 and for both the links, e-bgp is sharing information.

Below is the configuration on Router A and Router B for your reference. All the IPs and the topology uses here has no relevance Continue reading

Hyper-converged infrastructure – Part 2 : Planning an Cisco HyperFlex deployment

I recently got the chance to deploy a Cisco HyperFlex solution that is composed of 3 Cisco HX nodes in my home lab. As a result, I wanted to share my experience with that new technology (for me). If you do not really know what all this “Hyperconverged Infrastructure hype” is all about, you can […]

The post Hyper-converged infrastructure – Part 2 : Planning an Cisco HyperFlex deployment appeared first on VPackets.net.

Drilling Down Into The Xeon Skylake Architecture

The “Skylake” Xeon SP processors from Intel have been in the market for nearly a month now, and we thought it would be a good time to drill down into the architecture of the new processor. We also want to see what the new Xeon SP has to offer for HPC, AI, and enterprise customers as well as compare the new X86 server motor to prior generations of Xeons and alternative processors in the market that are vying for a piece of the datacenter action.

That’s a lot, and we relish it. So let’s get started with a deep dive

Drilling Down Into The Xeon Skylake Architecture was written by Timothy Prickett Morgan at The Next Platform.

Worth Watching: The big four

Worth more than $2.3 trillion combined, the Big Four (Apple, Amazon, Facebook, and Google) continue to grab share from media companies, brands, and retailers. Scott Galloway, Professor of Marketing at the NYU Stern School of Business and Founder of L2, will showcase how the traditional rules of business don’t apply to the Big Four and identify ways that brands and companies can fight back. —Scott Galloway @ YouTube

The post Worth Watching: The big four appeared first on rule 11 reader.

SHA 2017 – bringing 100 gigabit to the tent

Every 4 years since its start back in 1989, a hacker/security conference takes place in the Netherlands. This summer, the eighth version of this conference, called Still Hacking Anyway 2017 (sha2017.org), will run between the 4th and 8th of August. The conference is not-for-profit and run by volunteers, and this year we’re expecting about 4000 visitors.

For an event like SHA, all the visitors need to connect to a network to access the Internet. A large part of the network is built on Cumulus Linux. In this article, we’ll dive into what the event is and how the network, with equipment sponsored by Cumulus, is being built.

What makes SHA 2017 especially exciting is that it is an outdoor event. All the talks are held in large tents, and they can be watched online through live streams. At the event site, visitors will organize “villages” (a group of tents) where they will work on several projects ranging from security research to developing electronics and building 3D printers.

Attendees will camp on a 40 acre field, but they won’t be off the grid, as wired and wireless networks will keep them connected. The network is designed Continue reading

Women Share Knowledge and Experience in Network Operator Groups in Africa

The Internet Society African Regional Bureau has worked with Network Operator Groups (NOGs) in Africa, providing financial and technical support to organize trainings and events at the local level. We recently shared many of their stories. There are also a number of NOGs that seek to attract women engineers to share knowledge and experience as well as to encourage young women to take up technology-related fields – which are largely perceived in the African region as “men only.” Here are their stories.

AfCHIX

Betel Hailu
Kevin Chege
1 1,959 1,960 1,961 1,962 1,963 3,844