Operational Annoyances: SSL Certificates and Keys

SSL Key

You’re asked to update the SSL certificate for movingpackets.net on a load balancer. The requestor (me, in this case) gives you the certificate file. I don’t need to give you the intermediate certificate bundle because you’re going to use the checkcert tool to sort that out. I also tell you to use the same private key as for the last certificate. How do you know that the old private key works with the new public certificate?

Checking SSL Certificates and Keys

My good friend OpenSSL can help us match a certificate and key. The basic premise is that the modulus of both the key and the cert file should be the same. The openssl commands to do this are:

# openssl x509 -noout -modulus -in microsoft.com.crt
Modulus=B788D872FFB6C827EF5656A0535CC1E36343D6A29F1824564238793737BB2C17EAB7FF6A2032AB95174FDA4A24AFF438DFB23B85746E7B37D657F5EB3E3580291218CA66AC8CF872C2A62FD1A7F1DB85C554E4DE803E3F9397D251C8A283FA0EF4314210BFF88AE0AF656C5953A71A8D6A4C2A4476B6AD1EADE1920D1CEEEB8E0C16583698CC735861FA98D63DA3EB5632968751D099AAB7D22321920AE962B065100FFEA7BC5EF7E3DC1398935F3C6F8C43DC689BC290DAACEEDD487ECD81795BC7CA702B20369029CE6F7527D0E16CD9CC603671B05940433D49590EB15C6768DF0A326AEE7AE77084BCCC4707D1AE2694E6E0477C038598F5552B46D04C95

# openssl rsa -noout -modulus -in microsoft.com.key
Modulus=B788D872FFB6C827EF5656A0535CC1E36343D6A29F1824564238793737BB2C17EAB7FF6A2032AB95174FDA4A24AFF438DFB23B85746E7B37D657F5EB3E3580291218CA66AC8CF872C2A62FD1A7F1DB85C554E4DE803E3F9397D251C8A283FA0EF4314210BFF88AE0AF656C5953A71A8D6A4C2A4476B6AD1EADE1920D1CEEEB8E0C16583698CC735861FA98D63DA3EB5632968751D099AAB7D22321920AE962B065100FFEA7BC5EF7E3DC1398935F3C6F8C43DC689BC290DAACEEDD487ECD81795BC7CA702B20369029CE6F7527D0E16CD9CC603671B05940433D49590EB15C6768DF0A326AEE7AE77084BCCC4707D1AE2694E6E0477C038598F5552B46D04C95

Are they the same? Did you check every byte? The lazy way to do this, then, is to take an md5 hash of the output and compare those instead; it’s little easier and while there’s a remote chance that two non-equal moduli could have the same md5 hash, it’s pretty unlikely. And so:

# openssl x509 -noout -modulus -in microsoft. Continue reading

Understanding the real problems for Network Design

Designers should be trained to understand the real problems. An excellent solution to the wrong problem is worse than no solution. As a designer, you shouldn’t start by trying to solve the problem given to you. You shouldn’t try to find a best design for the given problem.You should try to understand the real issues.… Read More »

The post Understanding the real problems for Network Design appeared first on Network Design and Architecture.

IT/IT: Network scale is more than size

yoda“Judge me by my size, do you?”

I’ve had several discussions with people over the years about the concept of scale in the world of network engineering. Most often, when network engineers think of a “large scale network,” they used to mention large service providers. Now they tend to think of some large cloud provider. But is scale really about size? I’m not much into the backflipping Yoda of the later Star Wars movies, but I would argue scale is much more about backflips than it is about being big.

So what is scale about? In the networking world, scale can be given the shorthand services x size. Standing in a huge data center with rows and rows of racks and blinking lights, it’s easy to forget about the services part of that equation.

A useful way to understand this is consider the services offered by a pair of networks, one large, and one small. The typical cloud provider’s network might contain thousands of nodes in a single data center — something more than 1000x10g (or 10,000x1g) ports on the edge is moderately sized in this world. What services does such a network — within the network itself — Continue reading

The IPv6 Revolution Will Not Be Broadcast

IPv6Revolution

There are days when IPv6 proponents have to feel like Chicken Little. Ever since the final allocation of the last /8s to the RIRs over four years ago, we’ve been saying that the switch to IPv6 needs to happen soon before we run out of IPv4 addresses to allocate to end users.

As of yesterday, ARIN (@TeamARIN) has 0.07 /8s left to allocate to end users. What does that mean? Realistically, according to this ARIN page that means there are 3 /21s left in the pool. There are around 450 /24s. The availability of those addresses is even in doubt, as there are quite a few requests in the pipeline. I’m sure ARIN is now more worried that they have recieved a request that they can’t fulfill and it’s already in their queue.

The sky has indeed fallen for IPv4 addresses. I’m not going to sit here and wax alarmist. My stance on IPv6 and the need to transition is well known. What I find very interesting is that the transition is not only well underway, but it may have found the driver needed to see it through to the end.

Mobility For The Masses

I’ve Continue reading

Do you really need Quality of Service ?

Quality of service (QoS) is the overall performance of a telephony or computer network, particularly the performance seen by the users of the network. Above is the Quality of Service definition from the Wikipedia. Performance metrics can be bandwidth, delay, jitter, pocket loss and so on. Two Quality Of Service approaches have been defined by… Read More »

The post Do you really need Quality of Service ? appeared first on Network Design and Architecture.

The Upload: Your tech news briefing for Wednesday, June 24

Ford drives into car-sharing spaceAs car-sharing and ride-hailing apps make it ever easier for people, especially the urban young, to shrug off the expense of actually owning a car, at least one automaker wants to get in the driver’s seat and steer the trend in a more favorable direction. Ford is launching a pilot car-sharing program in six U.S. cities and London, CNBC reports, and will let customers who use the carmaker’s financing program rent out their vehicle via the Getaround sharing app.U.S. government is falling behind on application securityU.S. government organizations are struggling when it comes to securing the software they use, according to a report by application security firm Veracode that puts government in dead last place among all sectors. Problems include use of old scripting and programming languages, failure to self-regulate and failure to impose security requirements on software suppliers.To read this article in full or to leave a comment, please click here

Webinars in 1H2015, and a Look Forward

The first half of 2015 was extremely productive – seven brand new webinars (or 22 hours of new content) were added to the ipSpace.net webinar library.

Most of the development focus was on SDN and network automation: OpenFlow, NETCONF and YANG, Ansible, Jinja and YAML, and Monitoring SDN networks. There was also the traditional Data Center Fabrics Update session in May, IPv6 Microsegmentation webinar in March, and (finally!) vSphere 6 Networking Deep Dive in April.

Do I have to mention that you get all of them (and dozens of other webinars) with the ipSpace.net subscription?

Read more ...

Is Container Networking Holding On To The Past?

There has been a plethora of docker-related info on the internet this week, thanks in no small part to DockerCon, and I was motivated to finish this blog post about container networking.

In short, it seems like most if not all container networking projects are going out of their way to give devs the feeling of a “flat” network. My question is - who cares?

For this post, I am not talking about IaaS (which is arguably a declining use case). I am talking about an application cloud provider (i.e. SaaS, and maybe PaaS) where all IP addresses are assigned by the provider and under their control, within the context of the data center.

The way that most of these projects are being marketed to developers is that they provide one big flat network upon which to communicate. Why this choice of terminology? Why does “cloud-native” application design not by default include things like IPv6, or application nodes that are agnostic of what broadcast domain they are participating in?

I have Continue reading

Is Container Networking Holding On To The Past?

There has been a plethora of docker-related info on the internet this week, thanks in no small part to DockerCon, and I was motivated to finish this blog post about container networking.

In short, it seems like most if not all container networking projects are going out of their way to give devs the feeling of a “flat” network. My question is - who cares?

For this post, I am not talking about IaaS (which is arguably a declining use case). I am talking about an application cloud provider (i.e. SaaS, and maybe PaaS) where all IP addresses are assigned by the provider and under their control, within the context of the data center.

The way that most of these projects are being marketed to developers is that they provide one big flat network upon which to communicate. Why this choice of terminology? Why does “cloud-native” application design not by default include things like IPv6, or application nodes that are agnostic of what broadcast domain they are participating in?

I have Continue reading

Qualcomm partners with large Chinese foundry on chips

China’s largest chip foundry is entering into a joint venture with Qualcomm to develop chips, at a time when the country is looking for technology to emerge as a semiconductor producing powerhouse.The foundry, Semiconductor Manufacturing International Corporation (SMIC), has partnered with Qualcomm, Huawei Technologies and Belgian firm Imec to establish the joint venture, the companies said Tuesday.In terms of chip technology, SMIC is still two generations behind its rivals including Intel, Samsung and Taiwan Semiconductor Manufacturing Company (TSMC). But the new joint venture hopes to help the Chinese foundry streamline its research operations.To read this article in full or to leave a comment, please click here

More Leaky Routes

Most of the time, mostly everywhere, most of the Internet appears to work just fine. Indeed, it seems to work just fine enough to the point that that when it goes wrong in a significant way then it seems to be fodder for headlines in the industry press. But there are some valuable lessons to be learned from these route leaks about approaches to routing security.

Announcing DockerCon 2015 Europe

Today at DockerCon 2015, we are very happy to announce DockerCon Europe 2015, the second official Docker conference in Europe organized by both Docker, Inc. and members of the community. The conference will take place in Barcelona, at CCIB on November 16th and 17th. … Continued

Swedish man sentenced for powerful Blackshades malware

The creator of a tool that was used to steal data from a half-million computers will go to prison for close to five years, the U.S. Department of Justice said Tuesday.Alex Yucel, 25, of Sweden, pleaded guilty in February in a New York federal court to one count of distributing malicious software. He was sentenced to four and three-quarter years in prison and must forfeit $200,000, according to a news release.To read this article in full or to leave a comment, please click here

Is Container Networking Holding On To The Past?

There has been a plethora of docker-related info on the internet this week, thanks in no small part to DockerCon, and I was motivated to finish this blog post about container networking. In short, it seems like most if not all container networking projects are going out of their way to give devs the feeling of a “flat” network. My question is - who cares? Seems to me that "cloud-native" applications should be okay if two of the cattle are not on the same broadcast domain.

Is Container Networking Holding On To The Past?

There has been a plethora of docker-related info on the internet this week, thanks in no small part to DockerCon, and I was motivated to finish this blog post about container networking. In short, it seems like most if not all container networking projects are going out of their way to give devs the feeling of a “flat” network. My question is - who cares? Seems to me that "cloud-native" applications should be okay if two of the cattle are not on the same broadcast domain.

The Cloud Is Now A Thing

In the networking world, we’re starting to see the term “cloud” more and more. When I teach classes, if I so much as mention the word cloud, I start to see some eyes roll. That’s completely understandable, as the term cloud was such an overused buzzword, only having been recently supplanted only by “software defined”.

Here’s real-life supervillain (dude owns an MiG 29 and an island with a volcano on it… seriously) Larry Ellison freaking out about the term cloud.

“It’s not water vapor! All it is, is a computer attached to a network!”

But here’s the thing, it’s actually a thing now. Rather than a catch-all buzzword, it’s being used more and more to define a particular type of operational model. And it’s defined by NIST, the National Institute of Standards and Technology, part of the US Department of Commerce. With the term cloud, we now get a higher degree of specificity.

The NIST definition of cloud is as follows:

  • On-demand self service
  • Broad network access
  • Resource pooling (multi-tenant)
  • Rapid Elasticity
  • Measured service

That first item on the list, the on-demand self service, is a huge change in how we will be doing networking. Right now network Continue reading

Liveblog: Scaling New Services

This is a liveblog for the DockerCon 2015 session titled “Scaling New Services: From Container Creation to Automated Deployments”. This session is being led by the Disney Systems Engineering team and will feature a discussion/demo involving Docker, Mesos, Chef, Consul, and HAProxy.

The session starts with an introduction by Alex Williams, founder of The New Stack, who quickly turns it over to the Disney staff—Brian Scott and Patrick O’Connor. Brian starts with an overview of all the various companies within Disney, and the challenges that breadth creates. He then discusses the role of Disney’s Systems Engineering team, and the responsibilities of the team. That includes managing infrastructure, both on-premises as well as cloud-based infrastructure.

So, why Docker? To improve the guest experience, Disney needs to be able to move fast. They want to get away from managing VMs and cattle to managing containers and micro-bots. Brian talks about issues with onboarding developers, battling configuration drifts, and similar challenges. Disney started on their Docker journey 6-10 months ago, and lots of teams are still exploring the use cases for Docker. Some teams are already using it in the CI pipeline, and other teams are evaluating production use cases. CI is a Continue reading

1 3,435 3,436 3,437 3,438 3,439 3,855