Help us test our DNSSEC implementation

For an introduction to DNSSEC, see our previous post

Today is a big day for CloudFlare! We are publishing our first two DNSSEC signed zones for the community to analyze and give feedback on:

www.cloudflare-dnssec-auth.com - a fully signed zone managed by CloudFlare
www.cloudflare-dnssec-cname.com - an external zone linking to a signed record with a CNAME

We've been testing our implementation internally for some time with great results, so we now want to know from outside users how it’s working!

Here’s an example of what you should see if you pull the records of, for example, www.cloudflare-dnssec-auth.com.

$ dig www.cloudflare-dnssec-auth.com A +dnssec

; <<>> DiG 9.10.1-P1 <<>> www.cloudflare-dnssec-auth.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29654
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cloudflare-dnssec-auth.com.    IN  A

;; ANSWER SECTION:
www.cloudflare-dnssec-auth.com.    300 IN  A   104.28.29.67  
www.cloudflare-dnssec-auth.com.    300 IN  A   104.28.28.67  
www.cloudflare-dnssec-auth.com.    300 IN  RRSIG   A  Continue reading

The Vast World of Fraudulent Routing

As network security engineers have attempted to categorize blocks of IP addresses associated with spam or malware for subsequent filtering at their firewalls, the bad guys have had to evolve to continue to target their victims. Since routing on the global Internet is based entirely on trust, it’s relatively easy to commandeer IP address space that belongs to someone else. In other words, if the bad guys’ IP space is blocked, well then they can just steal someone else’s and continue on as before.

In an attempt to cover their tracks, these criminals will sometimes originate routes using autonomous system numbers (ASNs) that they don’t own either. In one of the cases described below, perpetrators hijacked the victim’s ASN to originate IP address space that could have plausibly been originated by the victim. However, in this case, the traffic was misdirected to the bad guy and an unsophisticated routing analysis would have probably shown nothing amiss.

The weakness of all spoofing techniques is that, at some point, the routes cross over from the fabricated to the legitimate Internet — and, when they do, they appear quite anomalous when compared against historical data and derived business Continue reading

Case Study: Combine Physical and Virtual Appliances in a Private Cloud

Cloud builders are often using my ExpertExpress service to validate their designs. Tenant onboarding into a multi-tenant (private or public) cloud infrastructure is a common problem, and tenants frequently want to retain the existing network services appliances (firewalls and load balancers).

The Combine Physical and Virtual Appliances in a Private Cloud case study describes a typical solution that combines per-tenant virtual appliances with frontend physical appliances.

IOS server load balancing with mininet server farm

The idea is to play with IOS load balancing mechanism using large number of “real” servers (50 servers), and observe the difference in behavior between different load balancing algorithms. Due to resource scarcity in the lab environment, I use mininet to emulate “real” servers. I will stick to the general definition for load balancing: A load balancer is a device […]

IOS server load balancing with mininet server farm

Create a free virtual private server on Amazon Web Services

As an incentive to use their service, Amazon Web Services offers new users a “free tier” of service that provides a VPS “micro-instance” at no cost for one year.

The free tier of service is fairly flexible. Amazon AWS provides enough free hours to run the micro-instance twenty-four hours a day for a year. But if a user needs more services, he or she may create multiple micro instances and run them concurrently, which multiplies the rate the user consumes hours.

In this post, we’ll show how to set up the free server, and how to connect to it using SSH.

Create an AWS account

The first step is to create a user account on AWS. Go to the AWS Free Tier web page and click on “Sign up for AWS Account”

Then, click on “Create a free Account”.

Click on the “Free Account” button

Follow the directions provided on the AWS web site to set up a user account. You need to have a mobile phone for identity verification.

If you already have an account on amazon.com, you can use your already existing account to log into AWS services.

Create a free instance

Amazon AWS provides excellent Continue reading

Nobody thought BlackPhone was secure — just securer

An exploitable bug was found in BlackPhone, a "secure" Android phone. This is wildly misinterpreted. BlackPhone isn't a totally secure phone, such a thing is impossible. Instead, it's a simply a more secure phone. I mention this because journalists can't tell the difference.

BlackPhone is simply a stock version of Android with the best settings and with secure apps installed. It's really nothing different than what you can do with your own phone. If you have the appropriate skill/knowledge, you can configure your own Android phone to be just like BlackPhone. It also comes with subscriptions to SilentCircle, a VPN service, and a cloud storage service, which may be cheaper as a bundle with installed separately on the phone.

BlackPhone does fork Android with their "PrivateOS", but such a fork is of limited utility. Google innovates faster than a company like BlackPhone can keep up, including security innovations. A true fork would quickly become out of date with Google's own patches, and hence be insecure. BlackPhone is still new, so I don't know how they plan on dealing with this. Continually forking the latest version of Android seems the most logical plan, if not convincing Android to accept their changes.

The Continue reading

Some notes on GHOST

I haven't seen anybody compile a list of key points about the GHOST bug, so I thought I'd write up some things. I get this from reading the code, but mostly from the advisory.

Most things aren't vulnerable. Modern software uses getaddrinfo() instead. Software that uses gethostbyname() often does so in a way that can't be exploited, such as checking inet_addr() first. Therefore, even though software uses the vulnerable function doesn't mean it's actually vulnerable.

Most vulnerable things aren't exploitable. This bug is hard to exploit, only overwriting a few bytes. Most of the time, hackers will only be able to crash a program, not gain code execution.

Many exploits are local-only. It needs a domain-name of a thousand zeroes. The advisory identified many SUID programs (which give root when exploited) that accept such names on the command-line. However, it's really hard to generate such names remotely, especially for servers.

Is this another Heartbleed? Maybe, but even Heartbleed wasn't a Heartbleed. This class of bugs (Heartbleed, Shellshock, Ghost) are hard to exploit. The reason we care is because they are pervasive, in old software often going back for more than a decade, in components used by other software, and Continue reading

Why Comments Aren’t Available Yet

A number of readers have asked—via e-mail, of course, given the subject of this post—why comments aren’t available yet on the new site. I’d like to take a quick moment to explain the current situation.

First and foremost, it’s not because I don’t want feedback from readers. I would love to continue to have the outstanding feedback from readers that I’ve had over the last 9 years of this site. It’s also not because it’s too much trouble (too much comment spam, too much time to moderate, etc.). It’s not because enabling comments is too difficult, either.

If not these reasons, then why? With a static site generator like Jekyll, I’m left with very few options for handling comments. The most common way is to use a service like Disqus, but there are a number of privacy and security concerns around Disqus (see here for just one example). As a result, I’m hesitant to put my readers in the situation where the privacy of their information is outside my hands. At least with WordPress, readers’ personal information was under my control alone. Not so with a service like Disqus (or any of the hosted alternative solutions).

I’ve tried Continue reading

Zero Touch Provisioning can help the network world catch up to server advances

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

While the term Zero Touch Provisioning (ZTP) might be increasingly more common to networking, the concept of automation has existed for years in IT. At its core, ZTP is an automation solution that’s designed to reduce errors and save time when IT needs to bring new infrastructure online.

This is particularly useful for data center servers, where scale and configuration similarities across systems make automation a necessity. In the server world, for example, Linux has revolutionized on boarding and provisioning. Rather than using command-line interfaces (CLI) to configure systems one at a time, administrators can use automation tools to roll out the operating system software, patches and packages on new servers with a single command, or the click of a mouse.

To read this article in full or to leave a comment, please click here

SDN’s First Use Case Is the WAN, But Wither Management?

SDN's First Use Case Is the WAN, But Wither Management?

by Steve Harriman, VP of Marketing - January 28, 2015

Considering how long Packet Design has been talking about the promise of SDN in the WAN, it was encouraging to see a Q&A in Network World last week on the subject. Editor John Dix interviewed Michael Elmore, IT Senior Director of the Enterprise Network Engineering Infrastructure Group at Cigna. Michael is also on the board of Open Network Users Group (ONUG).

Dix began the interview by asking why ONUG’s membership has voted the WAN as the top use case for SDN twice in a row now. In the context of the enterprise, Elmore replied that software defined WANs (SD-WANs) can reduce both capital and operational costs. He also said that they are easier to deploy than in the data center.

Elmore went on to discuss the limitations of today’s WANs (mainly the MPLS-based layer 3 VPN service offerings used by the Fortune 500) in terms of cost, scale, service quality, security, visibility, and agility/flexibility. He then outlined the benefits of SD-WANs in all those areas, saying that enterprises will be able to “take back control from service Continue reading

Open Networking is the New Normal

The data center is in a constant state of transition. What was once home for rows upon rows of propriety and often siloed equipment based on closed-architecture designs, the modern day data center is now filled with white box solutions serving various functions but working in a harmonious or converged manner.

Several key factors are driving the change to white box or open hardware – ROI, flexibility and customizability of design, ease of implementation, and the avoidance of vendor lock-in along with the high price-tag it can bring. The rise of white box hardware started with servers and storage, and now a movement towards the adoption of open networking has gained quite a bit of traction. The

Open Compute Project (OCP) movement is driving creation of bare metal switches, such as Open Switches, that are designed to be open and disaggregated. This white box model for switching enables users to deploy, monitor, and manage networking alongside servers and storage at a much lower price-point than a traditional network switch.

Scaled Networking Simplified

With a white box switch, the OS layer is decoupled from the hardware itself which allows users to independently select the best-of-breed components and networking software stack Continue reading

Big Switch Is Getting Bigger. Much Bigger.

Cool news today from BigSwitch who have taken some big steps forward with their rather awesome Big Cloud Fabric (BCF) solution.

Building on the existing features of BCF 2.0 that was announced last July (see my post on the BCF launch for more details), version 2.5 adds some pretty good new features and a surprise partner.

BCF 2.5 New Features

VMWare vCenter Support

BCF now supports VMWare vCenter. BigSwitch sees an Ethernet fabric as a complementary technology to VMWare’s NSX, not a competitor; very wisely they would like to be the underlay while NSX provides the overlay. The BCF controller integrates right into vCenter so that network configuration can be automated with the virtual environment, and the controller provides a single interface to the entire fabric.

CloudStack / OpenStack

The original BCF supported OpenStack. BCF 2.5 now has more elements of OpenStack (Juno) support and adds CloudStack support. With this and the vCenter integration, BCF has positioned itself quite nicely for full server and switch automation.

Brite Box Switching?

My first question when I heard about this was “What on earth is Brite Box switching?” It turns out that somebody somewhere coined the phrase Continue reading

Cisco Live 2015 – Time to get ready!

It is just about time to get ready for Cisco Live US this year and, harking back to 2012, we are again in San Diego, CA for the June 7-11th event. I just wanted to take a few moments and share some information that I have put together. Oh, if you have not registered yet – […]

The post Cisco Live 2015 – Time to get ready! appeared first on Fryguy's Blog.

Big Switch updates SDN controller options

Big Switch Networks this week rolled out a new release of its cloud fabric software, which includes support for VMware vSphere environments and Dell switches, among other features.Big Cloud Fabric was released in the third quarter of 2014. It is an SDN fabric designed for bare metal switches.To read this article in full or to leave a comment, please click here

News Analysis: Big Cloud Fabric 2.5 Released

Big Switch Networks has released version 2.5 of their Big Cloud Fabric SDN offering. Read the full press release here. What’s Big Cloud Fabric? BCF is an SDN-based IP fabric where you manage all of the individual switches as one “big switch.” In other words, you manage the fabric as a whole, and not individual switches. Big […]

MPLS TE Design -Part 3

This is a continuation from Part 2 Fast Reroute Why Fast Reroute? Many NSP’s like ACME have traffic with tight SLAs. For instance below is an ITU delay recommendation for Voice. One Way Delay Characterization of Quality 0-150ms Acceptable for most applications 150-400ms May impact some applications Above 400ms Unacceptable ITU G.114 delay recommendations Having […]

Author information

Diptanshu Singh

Diptanshu Singh,(3xCCIE,CCDE) is a Sr. Engineer mostly focused on service providers , data center and security. He is a network enthusiast passionate about network technologies so not only is it his profession, but something of a hobby as well.

The post MPLS TE Design -Part 3 appeared first on Packet Pushers Podcast and was written by Diptanshu Singh.

MPLS TE Design -Part 2

This is a continuation from Part 1 Case for LDPoRSVP As we mentioned at the very beginning that ACME provides L3VPN and L2VPN services, which requires end to end LSP between the PEs. But due to scaling reasons, ACME decided not to extend RSVP to the edge routers. This creates a problem as there is […]

Author information

Diptanshu Singh

The post MPLS TE Design -Part 2 appeared first on Packet Pushers Podcast and was written by Diptanshu Singh.

MPLS TE Design -Part 1

In this post we will be exploring different aspects of Traffic Engineering (RSVP-TE) from a design perspective using fictional ISP as a reference. The intent of the post is to not necessarily recommend a particular solution, but to bring up different aspects involved in the design. I am assuming that the reader already has somewhat […]

Author information

Diptanshu Singh

The post MPLS TE Design -Part 1 appeared first on Packet Pushers Podcast and was written by Diptanshu Singh.

Is Controller-Based Networking More Reliable than Traditional Networking?

Listening to some SDN pundits one gets an impression that SDN brings peace to Earth, solves all networking problems and makes networking engineers obsolete.

Cynical jokes aside, and ignoring inevitable bugs, is controller-based networking really more reliable than what we do today?