RIPE 71 Meeting Report

The RIPE 71 meeting took place in Bucharest, Romania in November. Here are my impressions from a number of the sessions I attended that I thought were of interest. It was a relatively packed meeting held over 5 days so this is by no means all that was presented through the week.

IWAN: Why EIGRP or BGP Over the DMVPN Tunnel?

IWAN (Intelligent Wide Area Network) and Why EIGRP or BGP over the DMVPN Tunnel.

In this YouTube “playing in the lab” IWAN fun we are going to drill down between 2 sites – Branch 3 and the Hub site.   Branch 3 will be in “hybrid” mode (1 MPLS link and 1 Internet Link) – in the past using the MPLS link as a primary and the internet link as backup only.  Now, however, taking advantage of IWAN’s Intelligent Path Control.

We will design the implementation such that should we need to fall back from Intelligent Path Control to normal routing…  we fallback to what is (for many customers’) today’s norm in this situation – MPLS as the Primary and Internet as the backup.  For this to happen….there will only be 1 entry in the RIB (via the MPLS)  How, then you ask, would you ever send any traffic at all out of the Internet link (tunnel 20) if that path is not in the routing table?  :)

PfRv3 can read the EIGRP topo table and the BGP table…. we can still do intelligent decision making at the WAN edge and only send out the Internet path Continue reading

Bootstrapping Cloud Instances into Ansible

A while ago, I wrote an article about bootstrapping servers into Ansible—in other words, how to prepare servers to be managed via Ansible. In order for a server to be managed via Ansible, you usually must first create a user account for Ansible, populate the appropriate SSH keys, and grant the new Ansible user sudo permissions. The process I described in my earlier blog post works great for manually-built servers (physical or virtual), but I recently needed to revisit this process for cloud instances. Was it possible to use the process I’d found to bootstrap cloud instances into Ansible?

Cloud instances are a slightly different beast than manually-built servers primarily because password authentication isn’t an option—generally speaking, you’re required to use SSH keys when working with cloud instances. Ansible is SSH-based, as you probably already know, so this shouldn’t be an issue, but it was still something I hadn’t tested or verified. After a bit of testing, I found the bootstrap process I described in my earlier post can be easily adapted for cloud instances.

For reference, here’s the command I use when bootstrapping manually-built servers into Ansible:

ansible-playbook bootstrap.yml -k -K --extra-vars 
"hosts=newhost.domain.com user=admin"

Continue reading

IPv6 Performance

Every so often I hear the claim that some service or other does not support IPv6 not because of some technical issue, or some cost or business issue, but simply because the service operator is of the view that IPv6 offers an inferior level service as compared to IPv4, and by offering the service over IPv6 they would be exposing their clients to an inferior level of performance of the service. But is this really the case? Is IPv6 an inferior cousin of IPv4 in terms of service performance? In this article I'll report on the results of a large scale measurement of IPv4 and IPv6 performance, looking at the relativities of IPv6 and IPv4 performance.

Many embedded devices ship without adequate security tests, analysis shows

An analysis of hundreds of publicly available firmware images for routers, DSL modems, VoIP phones, IP cameras and other embedded devices uncovered high-risk vulnerabilities in a significant number of them, pointing to poor security testing by manufactuers.The study was performed by researchers from the Eurecom research center in France and Ruhr-University Bochum in Germany, who built an automated platform capable of unpacking firmware images, running them in an emulated environment and starting the embedded Web servers that host their management interfaces.The researchers started out with a collection of 1,925 Linux-based firmware images for embedded devices from 54 manufacturers, but they only managed to start the Web server on 246 of them. They believe that with additional work and tweaks to their platform that number could increase.To read this article in full or to leave a comment, please click here

FlexVPN configuration

In this post we’ll have a look at the process of configuring a FlexVPN network (unofficially known as DMVPN phase 4). I’ll show what components are involved in configuration and how they all tie together. For most patient readers there’s a bonus at the end of this post. FlexVPN network topology The network we’ll be looking at is […]

The post FlexVPN configuration appeared first on Packet Pushers.

OVN service injection demonstration

Enabling extensibility in OVN, by Gal Sagie, Huawei and Liran Schour, IBM, Open vSwitch 2015 Fall Conference describes a method for composing actions from an external application with actions installed by the Open Network Virtualization (OVN) controller.


An API allows services to be attached to logical topology elements in the OVN logical topology, resulting in a table in the OVN logical flow table that is under the controller of the external service. Changes to the logical table are then automatically instantiated as concrete flows in the Open vSwitch instances responsible for handling the packets in the flow.

The demo presented involves detecting large "Elephant" flows using sFlow instrumentation embedded in Open vSwitch. Once a large flow is detected, logical flows are instantiated in the OVN controller to mark the packets. The concrete marking rules are inserted in the Open vSwitch packet processing pipelines handling the logical flow's packets. In the demo, the marked packets are then diverted by the physical network to a dedicated optical circuit.

There are a number of interesting traffic control use cases described on this blog that could leverage the capabilities of Open vSwitch using this approach:

The ‘need’ to control encryption and The Big Lie

Within hours of the recent Paris terrorist attacks, various politicians and current- and ex-government officials used it as an opportunity to push ther agendas. For example, in multiple interviews James Woolsey, former Director of the CIA, blamed Edward Snowden, the National Security Agency whistleblower: I think the blood of a lot of these French young people is on his hands ... I would give him the death sentence, and I would prefer to see him hanged by the neck until he’s dead, rather than merely electrocuted. He even went so far as to claim that the Obama administration’s changes to government surveillance policies were responsible for the inability of the US and French intelligence services to prevent the Paris attacks. Talk about a partisan viewpoint.To read this article in full or to leave a comment, please click here

Using an SSH Bastion Host

Secure Shell, or SSH, is something of a “Swiss Army knife” when it comes to administering and managing Linux (and other UNIX-like) workloads. In this post, I’m going to explore a very specific use of SSH: the SSH bastion host. In this sort of arrangement, SSH traffic to servers that are not directly accessible via SSH is instead directed through a bastion host, which proxies the connection between the SSH client and the remote servers.

At first, it may sound like the use of an SSH bastion host is a pretty specialized use case. In reality, though, I believe this is a design pattern that can actually be useful in a variety of situations. I plan to explore the use cases for an SSH bastion host in a future blog post.

This diagram illustrates the concept of using an SSH bastion host to provide access to Linux instances running inside some sort of cloud network (like an OpenStack Neutron tenant network or an AWS VPC):

SSH bastion host diagram

Let’s take a closer look at the nuts and bolts of actually setting up an SSH bastion host.

First, you’ll want to ensure you have public key authentication properly configured, both on the bastion host Continue reading

Open vSwitch 2015 Fall Conference

Open vSwitch is an open source software virtual switch that is popular in cloud environments such as OpenStack. Open vSwitch is a standard Linux component that forms the basis of a number of commercial and open source solutions for network virtualization, tenant isolation, and network function virtualization (NFV) - implementing distributed virtual firewalls and routers.

The recent Open vSwitch 2015 Fall Conference agenda included a wide variety speakers addressing a range of topics, including: Open Network Virtualization (OVN), containers, service chaining,  and network function virtualization (NFV).

The video above is a recording of the following sFlow related talk from the conference:
New OVS instrumentation features aimed at real-time monitoring of virtual networks (Peter Phaal, InMon)
The talk will describe the recently added packet-sampling mechanism that returns the full list of OVS actions from the kernel. A demonstration will show how the OVS sFlow agent uses this mechanism to provide real-time tunnel visibility. The motivation for this visibility will be discussed, using examples such as end-to-end troubleshooting across physical and virtual networks, and tuning network packet paths by influencing workload placement in a VM/Container environment.
This talk is a follow up to an Open vSwitch 2014 Fall Conference talk on the Continue reading

NASA: Crayons and cereal help test set baseline for jet engine tests

One of the most destructive and dangerous materials a commercial or military jet engine can ingest is volcanic ash and one of the least would be crayons and cereal.But those two substances were a key part of testing NASA has been conducting on smart engine sensors that could detect and help pilots avoid a volcanic plume. The new sensors are expected to detect the degradation caused by the volcanic ash, quantify the significance of the event, and aid in identifying which components might require maintenance, NASA stated. NASA The ash plume (the brown streak) from the big 2010 volcanic eruption of Eyjafjallajökull in Iceland contributed to airline disruptions in Europe for almost a week.To read this article in full or to leave a comment, please click here

1 3,190 3,191 3,192 3,193 3,194 3,793