You shouldn’t be using gethostbyname() anyway

Today's GHOST vulnerability is in gethostbyname(), a Sockets API function from the early 1980s. That function has been obsolete for a decade. What you should be using is getaddrinfo() instead, a newer function that can also handle IPv6.

The great thing about getaddrinfo() is the fact that it allows writing code that is agnostic to the IP version. You can see an example of this in my heartleech.c program.

x = getaddrinfo(hostname, port, 0, &addr);
fd = socket(addr->ai_family, SOCK_STREAM, 0);
x = connect(fd, addr->ai_addr, (int)addr->ai_addrlen);

What you see here is your normal call to socket() and connect() just use the address family returned by getaddrinfo(). It doesn't care if that is IPv4, IPv6, or IPv7.

The function actually returns a list of addresses, which may contain a mixture of IPv4 and IPv6 addresses. An example is when you lookup www.google.com:

[ ] resolving "www.google.com"
[+]  74.125.196.105:443
[+]  74.125.196.147:443
[+]  74.125.196.99:443
[+]  74.125.196.104:443
[+]  74.125.196.106:443
[+]  74.125.196.103:443
[+]  [2607:f8b0:4002:801::1014]:443

My sample code just chooses the first one in the list, Continue reading

How to stay ahead of threats to DNS servers

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Gartner predicts more than 30 billion devices will be connected by the Internet of Things (IoT) by 2020, and Domain Name System (DNS) servers are critical to keeping it all running. However, the number, frequency and variety of attacks on DNS servers is rising, putting businesses and initiatives like IoT at enormous risk. The good news is, there are steps you can take to mitigate these attacks.

The DNS system translates easily memorized domain names into the numerical IP addresses needed for locating computer services and devices worldwide. According to the Internet Corporation for Assigned Names and Numbers (ICANN), there are 30 to 50 million DNS servers on the planet. These servers are being hit by four main types of attacks: zero-day, cache poisoning, denial of service (DoS) and distributed denial of service (DDoS).

To read this article in full or to leave a comment, please click here

Noction Intelligent Routing Platform (IRP) – What is it?

I was contacted by some people at Noction and asked if I was interested in writing about their platform, the Intelligent Routing Platform (IRP). Since it’s a product that uses Border Gateway Protocol (BGP), it peaked my interest. First let’s make the following things clear:

  • I am not being paid to write this blog post
  • My opinions can’t be bought
  • I will only write about a product if it’s something that interests me

BGP is the glue of the Internet (with DNS) and what keeps everything running. BGP is a well designed and scalable protocol which has been around for a long time. It has grown from carrying a few hundred routes to half a million routes. However, there will always be use cases where BGP might not fit your business model.

In Noction’s white paper they define the following as the network’s major challenges:

  • Meeting the customer’s demand for 100% uptime
  • Facing the low latency requirement
  • Achieving reliable data transmission
  • Avoiding network congestion and blackouts
  • Achieving consistency of throughput
  • Keeping bandwidth usage below predefined commit levels
  • Reducing the cost and time of network troubleshooting

The product is designed for multihomed networks running BGP. You can’t optimize network flows if Continue reading

How to transition from customer understanding to customer action

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Many companies focus on using cheaper, faster data warehouses to organize their accumulated customer data for business intelligence. But in order to remain competitive, businesses need to be using customer data to build applications that make real-time, data-driven decisions.

If you can interpret each attribute, event and transaction as a hint to help make the best predictions and decisions for your customers, you can transition from just customer understanding to customer action. But acting upon data to optimize customer experiences requires an architecture different from traditional data warehousing and business intelligence applications.

To read this article in full or to leave a comment, please click here

Its a new year!

My apology. I have been very absent here as of late.

I have been doing some different stuff, which is irrelevant here, but rest assured, i got some posts lined up. The next one on Unified MPLS. I think you will like it, so stay tuned!  :)

Happy New Year! :)

 

PCI DSS 3.0 went into effect Jan. 1. Are you in compliance?

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

The new Payment Card Industry Data Security Standard 3.0 (PCI DSS 3.0) that became mandatory January 1 contains significant changes that will require some businesses to do heavier lifting than they did in years past, and many may not realize it.

Certain e-commerce merchants who re-direct their customers to third parties for payment card data collection and third party service providers who remotely manage merchant systems and networks now face a bevy of technical controls that they have never dealt with before.

To read this article in full or to leave a comment, please click here

More Bang For Your Budget With Whitebox

white-box-sdn-nfv

As whitebox switching starts coming to the forefront of the next buying cycle for enterprises, decision makers are naturally wondering about the advantages of buying cheaper hardware. Is a whitebox switch going to provide more value for me than buying something from an established vendor? Where are the real savings? Is whitebox really for me? One of the answers to this puzzle comes not from the savings in whitebox purchases, but the capability inherent in rapid deployment.

Ten Thousand Spoons

When users are looking at the acquisition cost advantages of buying whitebox switches, they typically don’t see what they would like to see. Ridiculously cheap hardware isn’t the norm. Instead, you see a switch that can be bought for a decent discount. That does take into account that most vendors will give substantial one-time discounts to customers to entice them into more lucrative options like advanced support or professional services.

The purchasing advantage of whitebox doesn’t just come from reduced costs. It comes from additional unit purchases. Purchasing budgets don’t typically spell out that you are allowed to buy ten switches and three firewalls. They more often state that you are allowed to spend a certain dollar amount on devices Continue reading

PQ Show 44 – The OPNFV Project with Margaret Chiosi

Margaret Chiosi, president of the OPNFV project hosted at the Linux Foundation, discusses OPNFV in a briefing with Ethan Banks.

Author information

Ethan Banks

Co-host at Packet Pushers

Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 3M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks
TwitterGoogle+LinkedIn

The post PQ Show 44 – The OPNFV Project with Margaret Chiosi appeared first on Packet Pushers Podcast and was written by Ethan Banks.

Video: IPv6 High Availability Components

Last spring I ran an IPv6 High Availability webinar which started (not surprisingly) with a simple question: “which network components affect availability in IPv6 world, and how is a dual-stack or an IPv6-only environment different from what we had in the IPv4 world?

This part of the webinar is now available on ipSpace.net content web site. Enjoy the video, explore other IPv6 resources on ipSpace net, and if you’re from Europe don’t forget to register for the IPv6 Security Summit @ Troppers in mid-March.

Watch the video

VIRL – A slow greatness

I had a migration project from 6500 to ASRs. I have decided to check out VIRL.

My migration setup requires 14 routers and a test server. Reading the system requirements for such a setup made me decide not to install on my laptop.

I went ahead and installed it on a not so small ESX server: A new UCS machine (24 cores, 380G memory, running 4 VMs, including VIRL), ESX 5.1.

I have allocated VIRL 4vCPU, 16GB memory.

The installation was not that short, but not that hard either. After the installation was over, I installed VM Maestro and started building my lab. Working with VM Maestro, which is VIRL's GUI, was really easy. The only annoying thing was my inability to set the interface numbers for the connections between routers.

Here is how my final setup looks like:


The setup is running 12 vIOS, 2 CSR1K, and one Ubuntu server, from where I ran my automated tests.

I pressed on "Start simulation" and then when trouble started. It took about 40 minutes for all the routers to load. Then the CLI felt like 2400 baud. It was crawling!

Notice that each time you start Continue reading

Docker Networking 101 – Mapped Container Mode

image

In this post I want to cover what I’m considering the final docker provided network mode.  We haven’t covered the ‘none’ option but that will come up in future posts when we discuss more advanced deployment options.  That being said, let’s get right into it.

Mapped container network mode is also referred to as ‘container in container’ mode.  Essentially, all you’re doing is placing a new containers network interface inside an existing containers network stack.  This leads to some interesting options in regards to how containers can consume network services.

In this blog I’ll be using two docker images…

web_container_80 – Runs CentOS image with Apache configured to listen on port 80
web_container_8080 – Runs CentOS image with Apache configured to listen on port 8080

These containers aren’t much different from what we had before, save the fact that I made the index pages a little more noticeable.  So let’s download web_container_80 and run it with port 80 on the docker host mapped to port 80 on the container…

docker run -d --name web1 -p 80:80 jonlangemak/docker:web_container_80

Once it’s downloaded let’s take a look and make sure its running…

image
Here we can see that it’s Continue reading

What is Motivation?

Original content from Roger's CCIE Blog Tracking the journey towards getting the ultimate Cisco Certification. The Routing & Switching Lab Exam
What is Motivation? Why do some people pass one CCIE after the other and others never make it to one? The answer is motivation. They know what they want and more importantly they know what they need to do to achieve it. More motivational quotes here Have you ever wondered what makes you decide to... [Read More]

Other pages of interest:

Post taken from CCIE Blog

Original post What is Motivation?

Qemu ASAv Appliance as Personal Firewall on Linux

The article discuss how to run Cisco Adaptive Security Virtual Appliance (ASAv) on KVM hypervisor as your personal firewall. Since ASAv version 9.3.2-200, Cisco supports deploying ASAv using Kernel-based Virtual Machine (KVM). Thanks for the support of KVM hypervisor, ASAv can be deployed  in a very easy manner on Linux and any mysterious hacks is needed anymore.

Unfortunately until a valid license file is installed, ASAv throughput is limited to 100 Kbps. So far I have not found a way how to bypass this limitation as Cisco does not provide any evaluation licence as they offer for their CSR100v IOS-XE router. I also found out that ASAv keeps rebooting when Qemu is started without enabled KVM option. It limits deployment of ASAv Qemu images on Linux/FreeBSD as KVM is available for these operation systems only. Windows users should download and install ASAv edition for VMware hypervisor.

Software Requirements
• Linux x86_64 with installed Qemu and KVM
• Cisco ASAv Virtual Appliance - Qemu image asav932-200.qcow2 or later

HardwareRequirements
• CPU with VT-X or AMD-V hardware virtualization support
• 2GB RAM dedicated for ASAv virtual machine

1. ASAv Installation

Installation does not requires any special skills and takes only one reboot. Start the ASAv virtual machine Continue reading

Dynamically monitor interfaces with Nagios

Network switchesWhen you’re setting up your monitoring configuration for Nagios or compatible software it can be a hassle to decide which interfaces you actually want to monitor. Well rather how to monitor those interfaces. The nm_check_admin_up_oper_down plugin (part of Nelmon) checks the configuration of your network devices and reports a problem if you’ve indicated that the interface should be up.

Continue reading

VRF Race Condition

A while ago I observed an interesting problem due to a routing misconfiguration. An asymmetric route was introduced across two discrete switches/routing instances. The route was then imported in a separate location.

Quick and dirty network diagram

Quick and dirty network diagram

When I began troubleshooting I was under the impression that the importer preferred one route over another because of admin distance or some other metric, or perhaps it was some sort of BGP esoterica you’d only encounter if you were using VRFs and MP-BGP to learn routes. However, the truth was probably something more prosaic.

Both routes were static routes. This meant their learning mechanism across importers was the same. The reason the importer preferred one route over another was probably due to one entering the routing table before the other.


Dynamically monitor interfaces with Nagios

Network switchesWhen you’re setting up your monitoring configuration for Nagios or compatible software it can be a hassle to decide which interfaces you actually want to monitor. Well rather how to monitor those interfaces. The nm_check_admin_up_oper_down plugin (part of Nelmon) checks the configuration of your network devices and reports a problem if you’ve indicated that the interface should be up.
Continue reading

Using Git with GitHub

Building on my earlier non-programmer’s introduction to Git, I wanted to talk a little bit about using Git with GitHub, a very popular service for hosting Git repositories. This post, in conjunction with the earlier introductory post on Git, will serve as the basis for a future post that talks about how to use Git and GitHub to collaborate with others on an open source project hosted on GitHub.

If you aren’t familiar with Git and haven’t yet read the earlier introductory post, I strongly recommend reading that post first.

Recall that Git is a distributed version control system (DVCS), and is designed to operate in such a way that full copies of repositories exist on multiple systems. This means you (as a single user) might have multiple copies of a repository across multiple systems. So how does one keep these repositories in sync? Generally, this would be handled via the use of a “server-side” repository to which the various repository clones are linked via a Git remote. This server-side repository might be hosted on an internal server or on a public server, and you may be connecting to it using the Git protocol, SSH, or HTTP(S). You Continue reading

1 3,656 3,657 3,658 3,659 3,660 3,854