Broadcom Tomahawk 101

Juniper recently launched their Tomahawk-based switch (QFX5200) and included a lot of information on the switching hardware in one of their public presentations (similar to what Cisco did with Nexus 9300), so I got a non-NDA glimpse into the latest Broadcom chipset.

You’ll get more information on QFX5200 as well as other Tomahawk-based switches in the Data Center Fabrics Update webinar in spring 2016.

Here’s what I understood the presentation said:

Read more ...

How to not present to the Swiss

Being English and being constantly exposed to bad language practice (not the curse word type), during a recent trip to Switzerland, I totally failed in keeping my English plain and vanilla. Their English was better than my own and in this sense I totally failed. Here is my top five of innocently said statements that just do not translate. If nothing else, it might help you to not make the same mistake when presenting to others not of your own tongue.

1) Shooting fish in a barrel
2) Stuck under a rock
3) Lots of ways to skin a cat, including with a machine gun
4) Everything including the kitchen sink
5) More features than you can shake a stick at

Speaking English is really hard to do when you’re English!!!

The post How to not present to the Swiss appeared first on ipengineer.net.

No, you can’t shut down parts of the Internet

In tonight's Republican debate, Donald Trump claimed we should shutdown parts of the Internet in order to disable ISIS. This would not work. I thought I'd create some quick notes why.

This post claims it would be easy, just forge a BGP announcement. Doing so would then redirect all Syrian traffic to the United States instead of Syria. This is too simplistic of a view.

Technically, the BGP attack described in the above post wouldn't even work. BGP announcements in the United States would only disrupt traffic to/from the United States. Traffic between Turkey and ISIS would remain unaffected. The Internet is based on trust -- abusing trust this way could only work temporarily, before everyone else would untrust the United States. Legally, this couldn't work, as the United States has no sufficient legal authority to cause such an action. Congress would have to pass a law, which it wouldn't do.

But "routing" is just a logical layer built on top of telecommunications links. Since Syria and Iraq own their respective IP address space, I'm not even sure ISIS is allowed to use it. Instead, ISIS has to pay for telecommunications links to route traffic through other countries. This causes Continue reading

DNS Terminology

The DNS is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has sometimes changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. I saw this RFC

Risky Business #394 — Matthew Green talks “crypto bans”

On this week's show we're chatting with Johns Hopkins University cryptographer Matthew Green about rumblings emanating out of DC with regard to "stopping encryption", whatever the hell that means.

In this week's sponsor interview we're chatting with Oliver Fay from Context about a paper they did in conjunction with UK's CERT about exploit kits. How much do they cost? Are there any that stick out as being particularly good? Or bad, depending on your point of view...

Links to everything are in this week's show notes.

read more

       

Three men arrested in alleged wide-ranging spam operation

Three men have been charged over a hacking scheme that allegedly collected tens of millions of personal records for use in spam campaigns.U.S. prosecutors say the trio broke into the networks of three companies and improperly accessed the network of a fourth one where one of the men was employed.Their primary goals revolved around obtaining email addresses for consumers in order to advertise insurance companies or online sites that sold narcotics without prescriptions, according to a news release.They also used used the email systems of some hacked companies to send spam in an attempt to avoid antispam security filters.To read this article in full or to leave a comment, please click here

Modifying OpenStack Security Groups with Terraform

In this post I’d like to discuss a potential (minor) issue with modifying OpenStack security groups with Terraform. I call this a “potential minor” issue because there is an easy workaround, which I’ll detail in this post. I wanted to bring it to my readers’ attention, though, because as of this blog post this matter had not yet been documented.

As you probably already know if you read my recent introduction to Terraform blog post, Terraform is a way to create configurations that automate the creation or configuration of infrastructure components, possibly across a number of different providers and/or platforms. In the introductory blog post, I showed you how to write a Terraform configuration that would create an OpenStack logical network and subnet, create a logical router and attach it to the logical network, and then create an OpenStack instance and associate a floating IP. In that example, I used a key part of Terraform, known as interpolation.

Broadly speaking, interpolation allows Terraform to reference variables or attributes of other objects created by Terraform. For example, how does one refer to a network that he or she has just created? Here’s an example taken from the introductory blog post:

 Continue reading

Google researchers find remote execution bug in FireEye appliances

Google researchers found a software flaw in several models of FireEye's security appliances that they say could give a cyberattacker full access to a company's network.It's not unheard of to find security flaws in security software, but the latest discovery highlights once again how no technology is immune to such problems.FireEye issued a statement on Tuesday saying it had issued a patch for the flaw, which affects its NX, EX, FX and AX Series appliances. The appliances passively monitor network traffic and pluck out suspicious files for study away from the live network.To read this article in full or to leave a comment, please click here

Quick tips and reference on tcpdump tool



Linux bridges are powerful virtual switches that come with the networking stack of core Linux. Bridging is loaded as part of the bridge kernel module. Linux bridges amongst others have made it possible to network virtual machines and containers on a KVM based linux node.

Very so often I have had to go in and figure out where the packets either egressing the VM or ingress traffic to the VM magically vanishes and tcpdump has been one of the most valuable tools for me. Debugging in the networking world pretty much has a standard algorithm to it: Start from the source and check for packets along the route to the destination at every hop. Once you figure out where the packet disappears, where the black hole is, it is half the problem solved.

To do exactly this we have a variety of debugging tools ranging from Wireshark that captures packets to tcpdump and sniffers. All of these have one thing in common - they are user processes that hook onto specific kernel parameters to capture the packets. For example, although you do not explicitly set an interface in promiscuous mode this interface is moved to promiscuous mode when the packet Continue reading

ProPublica shines harsh light on AT&T-ization of American Red Cross

Former AT&T executive Gail McGovern gets credit for longevity at the American Red Cross -- she walked into a messy situation in 2008 and has served as CEO since -- but she and her pack of AT&T cronies mainly get taken to task throughout a thorough new ProPublica article on the charity's struggles. Not only has McGovern failed to turn around the financial fortunes of Red Cross, but her management organization's style has hurt morale and limited the charity's effectiveness in aiding Americans, according to the report.(ProPublica, if you don't know, is a nonprofit investigative journalism newsroom, and has been examining the travails of Red Cross over the past couple of years in conjunction with NPR.)To read this article in full or to leave a comment, please click here

Running devstack older than Kilo release

The famous network topology diagram as seen in Juno - Openstack (My preference over the one in Kilo/Liberty)
With the Liberty release already out, Openstack has EOL'ed other older releases. The only supported releases now are - Kilo, Liberty and the upcoming Mitaka. By supported I mean active branches with patches going into them.

Juno and older code is now represented as tags and may or may not be supported by the individual project teams. However thanks to subversioning and git, you can check out code of juno or older releases by using tags now.

 #git tag -l  --> Lists the tags present in the repository.  
 #git checkout tags/ -b    --> Checkout code from a tag.

All stable older releases have now been named following the convention "-eol" in all of the openstack projects on github. With these changes, if you'd like to run an older component of any of openstack projects especially on devstack you now have to make some changes. Now you might ask as to why would anyone run something old. I personally like the stick diagram representation of neutron network topology over the newer elastic movable/flash cloud diagram and so preferred to runt the Continue reading

Why the FAA’s new drone rules fall short

The Federal Aviation Administration (FAA) released rules governing the registration of drones yesterday that left me slack-jawed – first with disbelief, then with fear. The rules show that the FAA is oblivious to either the risks of drones or the technological measures that could mitigate the risks, or both.The rules are simple and apply to drones that weigh between 0.55 pounds (250 grams) and less than 56 pounds (approximately 25 kilograms) including payloads. Beginning on December 21, drone owners must voluntarily register their drones with the FAA and pay a $5 fee, which will be waived for the first 30 days. Drone owners who fail to register face stiff penalties: a fine of up to $27,500 for civil violations, and a fine of up to $250,000 and up to three years in prison for a criminal violation.To read this article in full or to leave a comment, please click here

What security research shows for 2015

The year in security researchImage by CSOSecurity researchers were busy in 2015 — almost as busy as the criminals whose work they studied.Among the notable numbers this year: Low tech 'visual hacking' proves to be successful nine times out of ten, most websites had at least one serious vulnerability for 150 or more days, click fraud costs businesses $6.3 billion a year in wasted ad money, and oh so much more!To read this article in full or to leave a comment, please click here

1 3,126 3,127 3,128 3,129 3,130 3,755