Coffee Break 7
This is “The Coffee Break”. A podcast on state of the networking business where we discuss vendors moves and news, analysis on product and positioning, and look at the business of networking. In the time it takes to have coffee break.
The post Coffee Break 7 appeared first on Packet Pushers.
Coffee Break 7
This is “The Coffee Break”. A podcast on state of the networking business where we discuss vendors moves and news, analysis on product and positioning, and look at the business of networking. In the time it takes to have coffee break. Topics Cisco Reveals OpenFlow SDN Killer:OpFlex protocol for ACI offered to IETF, OpenDaylight Researchs […]
Author information
The post Coffee Break 7 appeared first on Packet Pushers Podcast and was written by Greg Ferro.
Blessay: Overlay Networking, BFD And Integration with Physical Network
Lede: In discussions with a stealthy networking startup today, we were discussing how their overlay network technology for the SDN WAN was able to to detect network blackouts and brownouts in the physical network. Their answer was to run Bi-directional Forwarding Detection (BFD) in the overlay tunnels. Now you have effective quality and service detection in the overlay network.
The post Blessay: Overlay Networking, BFD And Integration with Physical Network appeared first on EtherealMind.
Internets of Interest for 24th April 2014
Collection of useful, relevant or just fun places on the Internets for 24th April 2014 and a bit commentary about what I’ve found interesting about them: Why I quit writing internet standards — Tech News and Analysis – Vidya Narayanan writes at GigaOm about the dysfunction and problems of the IETF. I have similar […]
The post Internets of Interest for 24th April 2014 appeared first on EtherealMind.
Thought for My Day: Existing Networks are Self Automated and Policy Driven
Today’s Networks are auto-configuring and self-orchestrating. When you connect a server to network device, the device will identity the MAC address of the server and update it’s database. The server can make a request to a DHCP server and self configure. A network can be intentionally designed so that multiple paths exist through the network. […]
The post Thought for My Day: Existing Networks are Self Automated and Policy Driven appeared first on EtherealMind.
26-bis – VxLAN VTEP GW: Software versus Hardware-based
Just a slight note to clarify some VxLAN deployment for an hybrid network (Intra-DC).
As discussed in the previous post, with the software-based VxLAN, only one single VTEP L2 Gateway can be active for the same VxLAN instance.
This means that all end-systems connected to the VLAN concerned by a mapping with a particular VNID must be confined into the same leaf switch where the VTEP GW is attached. Other end-systems connected to the same VLAN but on different leaf switches isolated by the layer 3 fabric cannot communicate with the VTEP L2 GW. This may be a concern with hybrid network where servers supporting the same application are spread over multiple racks.
To allow bridging between VNID and VLAN, it implies that the L2 network domain is spanned between the active VTEP L2 Gateway and all servers of interest that share the same VLAN ID. Among other improvements, VxLAN is also aiming to contain the layer 2 failure domain to its smallest diameter, leveraging instead layer 3 for the transport, not necessarily both. Although it is certainly a bit antithetical to VxLAN purposes, nonetheless if all leafs are concerned by the same mapping of VNID to VLAN ID, it is Continue reading
Mininet integrated hybrid OpenFlow testbed
 |
| Figure 1: Hybrid Programmable Forwarding Planes |
A number of vendors support sFlow and integrated hybrid OpenFlow today, examples described on this blog include: Alcatel-Lucent, Brocade, and Hewlett-Packard. However, building a physical testbed is expensive and time consuming. This article describes how to build an sFlow and hybrid OpenFlow testbed using free Mininet network emulation software. The testbed emulates ECMP leaf and spine data center fabrics and provides a platform for experimenting with analytics driven feedback control using the sFlow-RT hybrid OpenFlow controller.
First build an Ubuntu 13.04 / 13.10 virtual machine then follow instructions for installing Mininet - Option 3: Installation from Packages.
Next, install an Apache web server:
sudo apt-get install apache2Install the sFlow-RT integrated hybrid OpenFlow controller, either on the Mininet virtual machine, or on a different system (Java 1.6+ is required to run sFlow-RT):
Continue reading
What You Should Know Before Deploying and Designing OTV for Your DCI Strategy
I had a recent oportunity to come in to an OTV project half-way into its deployment cycle. There’s nothing too massive it, project was for a local Enterprise. Before OTV Diagram Overview Two...[[ Summary content only, you can read everything now, just visit the site for full story ]]
OpenStack + Docker + OpenContrail
Docker is a tool that simplifies the process of building container images. One of the issues with OpenStack is that building glance images is an off-line process. It is often difficult to track the contents of the images, how they where created and what software they contain. Docker also does not depend on virtualization; it creates linux container images that can be run directly by the host OS. This provides a much more efficient use of memory as well as better performance. It is a very attractive solution for DC operators that run a private infrastructure that serves in-house developed applications.
In order to run Docker as an openstack “hypervisor” start with devstack on ubuntu 12.04LTS. devstack includes a docker installer that will add a debian repository with the latest version of the docker packages.
After cloning the devstack repository one can issue the command:
tools/docker/install_docker.sh
For OpenContrail there isn’t yet a similar install tool. I built the OpenContrail packages from source and installed them manually, modifying the configuration files in order to have config, control and compute-node components all running locally.
Next, I edited the devstack localrc file to have the following settings:
VIRT_DRIVER=docker disable_service n-net enable_service neutron Continue reading
Blessay: The Internet is a “Cloud” for Networking
Can the Internet be the “Cloud Network” ? If so, when could the transition happen (if it hasn’t started already) ?
Supposition/Hypothesis As a technology, the Internet has strikingly similar properties to sharing Compute and Storage as ‘Cloud’. A large pool of resource that can be used or shared between many parties. The total pool of resource is dynamically allocated. Internet bandwidth is shared between all users and access is determined by bandwidth purchased at the network edge
The post Blessay: The Internet is a “Cloud” for Networking appeared first on EtherealMind.
SSH Fingerprint issue on Mac OS X
If you use an Apple Mac to SSH to a device and the terminal sends an error message saying the SSH fingerprint does not match (following text), the easiest way to get new SSH fingerprints is by doing a ‘ssh-keygen -R IP_Address’.
Last login: Tue Apr 22 10:21:10 on ttys000
doka:~ doka$ ssh -l root 10.100.0.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
81:79:83:12:f3:85:9c:13:f8:d2:01:ac:43:1c2:28:2c.
Please contact your system administrator.
Add correct host key in /Users/doka/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/doka/.ssh/known_hosts:88
RSA host key for 10.100.0.1 has changed and you have requested strict checking.
Host key verification failed.
doka:~ doka$ ssh-keygen -R 10.100.0.1
# Host 10.100.0.1 found: line 88 type RSA
/Users/doka/.ssh/known_hosts updated.
Original contents retained as /Users/doka/.ssh/known_hosts.old
doka:~ doka$ ssh -l root 10.100.0.1
The authenticity Continue reading
Passing Command Line Arguments to Python
The Common Way (I think) There’s a very well know way of grabbing command-line arguments and passing them to a Python program. This is done by importing the sys module and using the argv...[[ Summary content only, you can read everything now, just visit the site for full story ]]
EGP
Today I came across an old Cisco router with original IOS image. Big surprise (at least for me) when I did check what routing protocols are supported on this router: I was out of the game, or better not even yet had discover the networking games, when the EGP was still out there and available […]Trojan.Eclipse — A Bad Moon Rising?
ASERT’s malware collection and processing system has automatic heuristics that bubble up potentially new and interesting DDoS malware samples into a “for human analysis” queue. A recent member of this queue was Trojan.Eclipse and this post is my analysis of the malware and its associated campaigns.
Analysis was performed on the sample with an MD5 of 0cdd10cd3393d3fe916a55b946c10ad6.
The name Eclipse comes from two places: a mutex named “eclipseddos” and a hardcoded Cookie value used in the command and control (C2) phone home. We’ll see in the Campaign section below that this threat is also known as: shadowbot, gbot3, eclipsebot, Rhubot, and Trojan-Spy.Win32.Zbot.qgxi.
Based on the C2 domain names, GeoIP of the C2 IP addresses, and a social media profile of the owner of one of the C2 domains, I suspect this malware to be Russian in origin. In addition, Eclipse is written in Delphi and empirically Russian malware coders have a certain fondness for this language.
Command and Control
The analyzed binary has a hardcoded C2 domain string. This string is protected from modification by running it through a simple hashing algorithm and comparing it against a hardcoded hash at certain points of the code. The Continue reading
Is Netflix’s Arresting Development with Comcast a House of Cards, or Is it The New Black?
Is Netflix's Arresting Development with Comcast a House of Cards, or Is it The New Black?
by Brian Boyko, Technology Contributor - April 22, 2014
Comcast has decided to start charging Netflix extra to connect Netflix's customers on Comcast's network. More or less. It gets complicated, depending on whether Netflix is being charged for data transfer, or interconnectivity.
The headline in the New York Times reads: “Comcast and Netflix Reach Deal On Service.” But Netflix CEO Reed Hastings posted on the official Netflix blog that there was a need for “a strong net neutrality,” calling the Comcast deal an “Internet toll.” That does not sound to me like Hastings came out of the deal happy.
Now, to be clear, what the deal is actually doing, on a technical level, is allowing Netflix to deliver its content directly to Comcast's servers, rather than going through a middleman such as Cogent. It's a type of “paid peering,” instead of “paid prioritization.”
Hastings, however, believes the two are the same thing – charging the content provider to provide the data at the rate that the ISP charges its customers. After all, the only reason Continue reading
Packet Design to sponsor ENOG 7 in Moscow
Packet Design is a silver sponsor of ENOG 7, 26-27 May in Moscow, Russia.
Click here to register for this free event.
On Policy in the Data Center: The policy problem
(This post was written by Tim Hinrichs and Scott Lowe with contributions from Martin Casado, Mike Dvorkin, Peter Balland, Pierre Ettori, and Dennis Moreau.)
Fully automated IT provisioning and management is considered by many to be the ultimate nirvana— people log into a self-service portal, ask for resources (compute, networking, storage, and others), and within minutes those resources are up and running. No longer are the people who use resources waiting on the people who are responsible for allocating and maintaining them. And, according to the accepted definitions of cloud computing (for example, the NIST definition in SP800-145), self-service provisioning is a key tenet of cloud computing.
However, fully automated IT management is a double-edged sword. While having people on the critical path for IT management was time-consuming, it provided an opportunity to ensure that those resources were managed sensibly and in a way that was consistent with how the business said they ought to be managed. In other words, having people on the critical path enabled IT resources to be managed according to business policy. We cannot simply remove those people without also adding a way of ensuring that IT resources obey business policy—without introducing a way Continue reading
How do ACLs handle fragments ?
This post represents the solution and explanation for made a test connection -> client learned the PMTUD = 1476 (1500-24/GRE) then I configured lower MTU 1440 on the GRE tunnels also I disabled PMTUD with command sysctl -w net.inet.tcp.path_mtu_discovery=”0″ so the server cannot learn the new PMTUD value You will say that it was not nice of me to hack it this way, but I’ll say: it worth demonstrate this... [read more]How do ACLs handle fragments ?
This post represents the solution and explanation for quiz-22. It presents how fragmented traffic is handled differently by a simple access list. It is a long read about fragmentation, Path MTU Discovery, MSS and other stuff...