Network Access Broker Conceptual Demo

The Network Access Broker Conceptual Demo

by Kris Olander, Sr. Technical Marketing Engineer - December 16, 2014

Talk is cheap when it comes to SDN, but at Packet Design we’ve created a working SDN analytics and orchestration prototype that will enable network engineers to effectively manage hybrid networks. In this new demo, we outline how our Network Access Broker (NAB) – based on our core Route Explorer™ System – analyzes application requests for network resources, assesses their impact on services, and provisions them optimally using a combination of the following (if you’re already familiar with SDN and its management challenges, you can skip the intro and head straight to the demo at the 2:47 mark): 

  1. A layer 3 network topology model maintained in real time (IGP, BGP, and SDN controller-provided topologies like OpenFlow),
  2. A traffic demand matrix,
  3. Predicted network loads from historical baselines, and
  4. Analytics algorithms that compute efficient paths based on link utilizations/end-to-end delays, model new demand, and predict the impact of link/node failures on routing and traffic. Once the optimal paths have been computed, the NAB configures the network to provision them using the SDN controller (OpenDaylight in this example).

In the NAB demo, we use Continue reading

Notes on the CIA light-torture report

I'm reading through the Senate report on the CIA's light-torture program, and I came across this giggly bit:

#10: The CIA coordinated the release of classified information to the media, including inaccurate information concerning the effectiveness of the CIA's enhanced interrogation techniques. The CIA's Office of Public Affairs and senior CIA officials coordinated to share classified information on the CIA's Detention and Interrogation Program to select members of the media to counter public criticism, shape public opinion
Of course they did, but then so did the Senate committee itself. They've been selectively leaking bits of the report for over a year. Their description of the "CIA hacking" scandal was completely inaccurate.

Moreover, this Executive Summary wasn't simply published, but given to select people in the media beforehand in order to shape the message.

There's no doubt that the CIA's brutal treatment of prisoners is evil, a stain on the nation's honor, and something that should be prosecuted. But Senator Feinstein and her colleagues are as guilty of this as anybody else. This report is political garbage designed to shield Feinstein from the blame she shares.



IPv6

Recently, I’ve heard several people suggest that the advent of IPv6 changes the requirements for data-center virtual network solutions. For instance, making the claim that network overlays are no longer necessary. The assumption made is that once an instance has a globally unique IP address that all requirements are met.

In my view, this analysis fails in two dimensions:

  • In the assumption that it is desirable to give instances direct internet access (via a globally routed address);
  • In the assumption that overlay solutions are deployed to solve address translation related problems;

Neither of these assumptions hold when examined in detail.

While there are IaaS use cases of users that just want to be able to fire up a single virtual-machine and use it as a personal server, the most interesting use case for IaaS or PaaS platforms is to deploy applications.

These applications, serve content for a specific virtual IP address registered in the DNS and/or global load-balancers; that doesn’t mean that this virtual IP should be associated with any specific instance. There is layer of load-balancing that maps the virtual IP into the specific instance(s) service the content. Typically this is done with a load-balancer in proxy mode.

As an aside, enabling IPv6 in the load-balancer Continue reading

Stop thief!

The Host-sFlow project recently added added CPU steal to the set of CPU metrics exported.
steal (since Linux 2.6.11)
       (8) Stolen time, which is the time spent in other operating systems
       when running in a virtualized environment
Keeping close track of the stolen time metric is particularly import when running managing virtual machines in a public cloud. For example, Netflix and Stolen Time includes the discussion:
So how does Netflix handle this problem when using Amazon’s Cloud? Adrian admits that they tracked this statistic so closely that when an instance crossed a stolen time threshold the standard operating procedure at Netflix was to kill the VM and start it up on a different hypervisor. What Netflix realized over time was that once a VM was performing poorly because another VM was crashing the party, usually due to a poorly written or compute intensive application hogging the machine, it never really got any better and their best learned approach was to get off that machine.
The following articles describe how to monitor public cloud instances using Host sFlow agents:
The CPU steal metric is particularly relevant to Network Function Virtualization (NFV). Virtual Continue reading

All malware defeats 90% of defenses

When the FBI speaks, you can tell they don't know anything about hacking. An example of this quote by Joseph Demarest, the assistant director of the FBI’s cyberdivision:

"The malware that was used would have slipped, probably would have gotten past 90% of the net defenses that are out there today in private industry, and I would challenge to even say government”

He's trying to show how sophisticated, organized, and unprecedented the hackers were.

This is nonsense. All malware defeats 90% of defenses. Hackers need do nothing terribly sophisticated in order to do what they did to Sony.

Take, for example, a pentest we did of a Fortune 500 financial firm. We had some USB drives made with the logo of the corporation we were pen-testing. We grabbed a flash game off the Internet, changed the graphics so that they were punching the logo of their main competitor, and put text in the Final Score screen suggesting "email this to your friends and see what they get". We then added some malware components to it. We then dropped the USB drives in the parking lot.

This gave us everything in the company as people passed the game around. The CEO and Continue reading

Using bird to pull global BGP route counts

For an electronics project I’m working on I wanted a way to check the current global routing table every five minutes for both IPv4 and IPv6. I did not want to log into anyone else’s router or looking glass as checking every 5 minutes may be considered abuse. So I thought to spin up a […]

The Tale of the Mysterious PIM Prune

Christmas is lurking around the corner and in the spirit of Denise “Fish” Fishburne, I give you the “The Tale of the Mysterious PIM Prune”.

I have been working a lot with multicast lately which is also why I’ve blogged about it. To start off this story, let’s begin with a network topology.

Topology1

The multicast source is located in AS 65000 and contains two routers that are connected to the multicast source. The routers run BFD, OSPF, iBGP, PIM internally and the RP is located on C1. There is a local receiver in AS 65000 and a remote one in AS 64512. The networks 10.0.1.0/24 and 10.0.21.0/24 come off the same physical interface. If you want to replicate this lab, all the configs are provided here.

This network requires fast convergence and I have been troubleshooting a scenario where the active multicast router (R1) has its LAN interface go down, meaning that the traffic from the source must come in on R2. In this scenario I have seen convergence in up to 60 seconds which is not acceptable. The BGP design is for R2 to still exit out via R1 if the link is Continue reading

Network Break 24

It’s time for the Network Break! Sit back, grab a coffee, and join us for an analysis of the latest IT news, vendor moves and new product announcements. We’ll separate the signal from the noise--or at least make some noise of our own.

Author information

Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.

TwitterFacebookGoogle+LinkedIn

The post Network Break 24 appeared first on Packet Pushers Podcast and was written by Greg Ferro.

When and when not to multithread

At the end of my last post on Python multithreading, I said my example was not the best. Let me expand some more on this. While testing code in the previous post, I noticed that certain code was slower when multiple threads were running. Also these threads are not tied to a CPU. If we […]

Why Your Presentation Stinks (Part 1)

Powerpoint doesn’t stink. Our presentation skills do. So how do we fix it?

First, you must decide: what do I want this presentation to be? We’ve all seen the brilliant TED talks about new ideas. We’ve all seen the really cool sample presentations from those online presentation sites about someone’s trip around the world. When you’re looking at those talks, though, remember this: they are selected out of millions of talks for their content, and their content fits their format. I’ve seen folks do fairly standard slideshows with Prezy. It doesn’t work. I’ve also seen people do “let me tell you about my trip” presentations with Powerpoint. Again, it doesn’t work.

So, just like network engineering, pick the right tool for the job. Since most of an engineer’s presentations aren’t going to feature exciting trips down the River of Doubt, or even up Doubtin’ Mountain, we’re probably pretty safe to stick with a fairly standard presentation package — slides, warts, and all.

Yes, it’s important to get the flow right. I once stood in for a presenter who’d lost his voice — the material was router architecture (hardware and software), so it’s a topic I know well, so I wasn’t Continue reading

Dial-Peer Digit Manipulation

In the CCIE Collaboration lab, understanding dial-peers is extremely important. Lack of knowledge in this area can yield devastating results in your lab score report since they can be found in so many different sections of the exam. We must be thoroughly prepared to tackle every aspect of this technology should we be presented with it at some point.

I recently got a great question in our forums about digit manipulation within POTS dial-peers and how they interact with translation rules and profiles. I figured that since this is such an important topic, my answer to his question bears repeating so it can reach a wider audience.

Let’s begin with the simple example of dialing the number “123” from a CUCME phone. Of course, the POTS dial-peer must be created to support the desired behavior.

dmdm-001

When this pattern is selected, all digits will be stripped automatically since they are explicitly defined. This is due to the “automatic POTS dial-peer digit strip” feature in IOS. See below for the ISDN Q.931 debug output (no Called Party Number).

dmdm-002

Since we are not currently sending a Called Party Number, we’ll need some way to add the digits back to the string to Continue reading

Enterprises Have Many Unprofitable Applications, Public Clouds Do Not

Enterprise IT supports many unprofitable applications. Microsoft Exchange, legacy databases, obsolete accounting systems, end-of-life desktop operating systems and much more. Public clouds can, and do, cancel unprofitable products. This is a brutal truth in cloud planning. Takeaways: Enterprise IT supports many applications that are unprofitable to own and maintain Executives and managers are commonly unprepared […]


The post Enterprises Have Many Unprofitable Applications, Public Clouds Do Not appeared first on EtherealMind.

BGPSEC: Protections Offered

In my last post on the subject of BGPSEC, I explained the basic operation of the modifications to BGP itself. In this post, I’ll begin looking at some of the properties — both good and bad — of these extensions to BGP. To being, we’ll look at the simple network illustrated here, and see what […]

Author information

Russ White

Principal Engineer at Ericsson

Russ White is a Network Architect who's scribbled a basket of books, penned a plethora of patents, written a raft of RFCs, taught a trencher of classes, and done a lot of other stuff you either already know about — or don't really care about. You can find Russ at 'net Work, the Internet Protocol Journal, and his author page on Amazon.
TwitterGoogle+LinkedIn

The post BGPSEC: Protections Offered appeared first on Packet Pushers Podcast and was written by Russ White.

Sorting Bookmarks in Safari for Mac OS X

If you’re anything like me, then you may just be a bit OCD or ANAL when it comes to some things. One of those things is, I like my bookmarks/favorites in alphabetical order with folders sorted...

[[ Summary content only, you can read everything now, just visit the site for full story ]]
1 3,664 3,665 3,666 3,667 3,668 3,843