0

Chinese Routing Errors Redirect Russian Traffic

In recent weeks, Russian President Vladimir Putin announced a plan to enact measures to protect the Internet of Russia. In a speech to the Russian National Security Council he said, “we need to greatly improve the security of domestic communications networks and information resources.” Perhaps he should add Internet routing security to his list because, on a number of occasions in the past year, Russian Internet traffic (including domestic traffic) was re-routed out of the country due to routing errors by China Telecom. When international partners carry a country’s domestic traffic out of the country, only to ultimately return it, there are inevitable  security and performance implications.

Last year, Russian mobile provider Vimpelcom and China Telecom signed a network sharing agreement and established a BGP peering relationship. However, as can often happen with these relationships, one party can leak the routes received from the other and effectively insert itself into the path of the other party’s Internet communications. This happened over a dozen times in the past year between these two providers. This is a general phenomenon that occurs with some regularity but isn’t often discussed in BGP security literature. In this blog post, we’ll explore the issue Continue reading

0

Improving performance and security with a visibility plane in virtual network infrastructures

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Software-defined networking (SDN) and network functions virtualization (NFV) promise numerous benefits, but adding layers of network abstraction come at a cost: visibility into the traffic traversing the links at the physical layer.

The migration to ever-faster networks is compounding this challenge because virtually no network monitoring, management or security tool today is capable of operating at 40Gbps or 100Gbps. Network packet brokers (NPBs), also known as network visibility controllers, address this challenge by capturing, filtering, aggregating and optimizing traffic. This enables 1Gbps and 10Gbps performance management and security systems to operate in 40/100Gbps networks.

To read this article in full or to leave a comment, please click here

0

Node and Link Protection

Node and link protection is a mechanism for protecting LSPs from (you guessed it) the failure of nodes and links.   It differs from fast re-route in that you have to specify node and link protection on the interfaces of all the downstream routers as well as on the LSP at its source.

My network looks like this at the moment, with an LSP running from R5 to R1 using the shortest path determined by the IGP:

So on R5, I configure node-link-protection on the LSP:

root@R5> show configuration protocols mpls
no-propagate-ttl;
label-switched-path R5-to-R1 {
    to 10.0.6.1;
    node-link-protection;
}
interface ge-0/0/0.0;
interface ge-0/0/1.0;

This has the effect of signalling to the downstream routers that link and node protection is desired, as you can see here:

root@R5> show mpls lsp name R5-to-R1 detail
Ingress LSP: 6 sessions

10.0.6.1
  From: 10.0.3.5, State: Up, ActiveRoute: 0, LSPname: R5-to-R1
  ActivePath:  (primary)
  Node/Link protection desired                        <===== Node Link Protection 
  LSPtype: Static Configured, Penultimate hop popping
  LoadBalance: Random
  Encoding type: Packet, Switching type: Packet, GPID: IPv4
 *Primary                    State: Up
    Priorities: 7 0
 Continue reading

0

Setting up the Tools for Contributing to OpenStack Documentation

For non-programmers, making a meaningful contribution to an open source project can be difficult; this is as true for OpenStack as for other open source projects. Documentation is a way to contribute, but in the case of OpenStack there is a non-trivial setup required in order to be able to contribute to the OpenStack documentation. In this post, I’m going to share how to set up the tools to contribute to OpenStack documentation in the hopes that it will help others get past the “barrier to entry” that currently exists.

I’ve long wanted to be more involved in supporting the OpenStack community, beyond my unofficial support via advocacy and blogging about OpenStack. I felt that documentation might be a way to achieve that goal. After all, I’ve written books and have been blogging for 9 years, so I should be able to add some value via documentation contributions. However, the toolchain that the OpenStack documentation uses requires a certain level of familiarity with development-focused tools, and the “how to” guides were less than ideal because of assumptions made regarding the knowledge level of new contributors. For these reasons, I felt that sharing how I (a non-programmer) set up the tools Continue reading

0

Monitoring OTV – Overlay Transport Virtualization

If there is anything I find more enjoyable then doing some type of network design or writing on whiteboard, it’s thinking about  network management and creating some new alert or poller that let’s me know when something changes that shouldn’t. It would seem over the last few years Data Center technologies have really become popular: […]

0

The Quanta LB4M – Cheap White Box Switching?

“Hey,” said my friend, “are you interested in buying an Ethernet switch? 48 1Gbps copper ports and two 10Gbps fiber uplinks. Very cheap. Layer 2 only, though.” A few minutes later, we were doing business out of the trunk of … Continue reading →

If you liked this post, please do click through to the source at The Quanta LB4M – Cheap White Box Switching? and give me a share/like. Thank you!

0

The Philosophy of Network-as-a-Service

In the world of Anything-as-a-Service (I will leave the acronym to your imagination), Network-as-a-Service is not a new term. In fact, it even has its own wikipedia page which will tell you it has been used for many years now, well before the current set of service related terms in IT have become popular.

Like most high tech industries, we get somewhat carried away when we have some new terminology and quickly overuse and overload them, watering them down to be meaningless or at least highly confusing. But when you cut through the clutter a bit, the as-a-Service terminology most certainly articulates a shift in thought process and behaviors on how we provide and consume IT resources.

The IT organization has always been a service organization, there is nothing much new there. From the days of mainframes and supercomputers, their job was to provide access to these expensive resources and maintain them. They provided environments that allowed the users to conveniently consume these abilities, and the business applications that ran on top of them, whether those were financial systems, email, uucp news (remember those days) or the basic ability to run user created jobs.

With the distribution of compute and Continue reading

0

Setting up the Tools for Contributing to OpenStack Documentation

For non-programmers, making a meaningful contribution to an open source project can be difficult; this is as true for OpenStack as for other open source projects. Documentation is a way to contribute, but in the case of OpenStack there is a non-trivial setup required in order to be able to contribute to the OpenStack documentation. In this post, I’m going to share how to set up the tools to contribute to OpenStack documentation in the hopes that it will help others get past the “barrier to entry” that currently exists.

I’ve long wanted to be more involved in supporting the OpenStack community, beyond my unofficial support via advocacy and blogging about OpenStack. I felt that documentation might be a way to achieve that goal. After all, I’ve written books and have been blogging for 9 years, so I should be able to add some value via documentation contributions. However, the toolchain that the OpenStack documentation uses requires a certain level of familiarity with development-focused tools, and the “how to” guides were less than ideal because of assumptions made regarding the knowledge level of new contributors. For these reasons, I felt that sharing how I (a non-programmer) set up the tools Continue reading

0

So You’re an Open Source Shop? Really?

I carried out an interesting quiz during one of my Interop workshop:

• How many use Linux-based servers? Almost everyone raised their hands;
• How many use Apache or Tomcat web servers? Yet again, almost everyone.
• How many run applications written in PHP, Python, Ruby…? Same crowd (probably even a bit more).
• How many use Nginx, Squid or HAProxy for load balancing? Very few.

Is there a rational explanation for this seemingly nonsensical result?

Read more ...

0

Musing: On Using Cisco ACI and VMware NSX in the same network

So, sure, you COULD run NSX and ACI in the same network. No, you WOULD NOT run NSX and ACI in the same network.

The post Musing: On Using Cisco ACI and VMware NSX in the same network appeared first on EtherealMind.

0

Show 212 – HP Networking in the Data Centre – Sponsored

In today's sponsored podcast, HP Networking looks to educate network engineers about HP’s data center portfolio and technologies that make it a formidable choice for architecting today’s data center networks. Tune in to learn how HP is helping customers develop Data Center solutions that deal with today and tomorrow’s challenges.

Author information

The post Show 212 – HP Networking in the Data Centre – Sponsored appeared first on Packet Pushers Podcast and was written by Greg Ferro.

0

The Importance of Knowing Baselines

When observing network utilization (whether that’s bandwidth or some other element you monitor), you have to know your baseline. The big idea is to understand what’s normal for your network, as every network is a little different. Only when you know your network’s baseline does it become possible to detect anomalies. For example, when […]

0

Increased MTTR is Good?

In Episode 167 of The Cloudcast – “Bringing Advanced Analytics to DevOps”, Dave Hayes brings up an interesting point about Mean Time to Resolution (MTTR). At about 8:30 in, he states:

“In a counter-intuitive sense, you actually want this to be going up…If you’re removing false alerts, and you’re getting better about the quantity of alerts, you’re going to be solving far fewer, more difficult problems, so you should see a slight trend upwards in Mean Time to Resolution”

This is a really interesting way of looking at things. Obviously you don’t want to set your goal as “Increase our MTTR,” but this could be a positive side-effect of improved processes.

I recommend listening to the whole episode. PagerDuty is a very cool product in itself, but this is a broader discussion about operations, analytics, and best practices.

Subscribe to the podcast while you’re there too. Lots of interesting technology discussed there.

0

Using ssldump to Decode/Decrypt SSL/TLS Packets

Who needs the Wireshark GUI right; let’s do this at the command line and be grown up about things. This is a straight copy of my popular Using Wireshark to Decode/Decrypt SSL/TLS Packets post, only using ssldump to decode/decrypt SSL/TLS packets at the CLI instead of Wireshark. Aside from the obvious advantages, immediacy and efficiency of a CLI tool, ssldump also […]

Author information

The post Using ssldump to Decode/Decrypt SSL/TLS Packets appeared first on Packet Pushers Podcast and was written by Steven Iveson.

0

The Quick Way to get f5 Viprion Serials

Ever been asked to list the serial numbers on an f5 Viprion? No? Well stay with me anyway – this is a quick one, and you never know when it will be helpful! Once upon a time, much of the … Continue reading →

If you liked this post, please do click through to the source at The Quick Way to get f5 Viprion Serials and give me a share/like. Thank you!

0

DNSSEC: Complexities and Considerations

This blog post is a follow-up to our previous introduction to DNSSEC. Read that first if you are not familiar with DNSSEC.

DNSSEC is an extension to DNS: it provides a system of trust for DNS records. It’s a major change to one of the core components of the Internet. In this post we examine some of the complications of DNSSEC, and what CloudFlare plans to do to reduce any negative impact they might have. The main issues are zone content exposure, key management, and the impact on DNS reflection/amplification attacks.

Zone content exposure

DNS is split into smaller pieces called zones. A zone typically starts at a domain name, and contains all records pertaining to the subdomains. Each zone is managed by a single manager. For example, cloudflare.com is a zone containing all DNS records for cloudflare.com and its subdomains (e.g. www.cloudflare.com, api.cloudflare.com).

There is no directory service for subdomains in DNS so if you want to know if api.cloudflare.com exists, you have to ask a DNS server and that DNS server will end up asking cloudflare.com whether api.cloudflare.com exists. This is not true with DNSSEC. In Continue reading

0

SDN Job Numbers – 3QCY14

How many SDN jobs are out there so far? If you missed the previous post, well, I’ve been counting them for about five months. Today’s post looks at the numbers for 3QCY14. Check out the previous post for all the picky details about how we gathered the data. This post focuses on the numbers!

 

 

 

SDN in the Job Title, 3QCY14

I’m theorizing that for a term to be in the title of the job posting, that term must be a pretty important part of the job. So, we searched for “SDN” in the title, at Dice.com and Monster.com, did some averaging to keep a week or two spike or drop from skewing the perception, and we’ve created some graphs.

Figure 1 shows the first graph:

• Searches for SDN in the job title
• The data is about new job listings per week
• We use a couple of rolling averages to reduce the bumps in the graph
• The graph shows both Dice and Monster combined, but with the raw numbers as well

 

Figure 1: SDN in the Job Title, Per-Week New Job Listings, 3QCY14

 

 

SDN in the Job Description

When we find “SDN” Continue reading

0

Mass Customization

I’ve mentioned in past articles about my belief that networking – both as a discipline and a technology – needs to be more consumable to other disciplines. But what does this mean? I was reminded of a few great examples today that I think are relevant to this idea, and might help explain my point a little more clearly.

Mass Production Meets Customization

The assembly line revolutionized the auto industry. Prior to this, vehicle production was very slow, and extremely costly. The introduction of the assembly line for creating automobiles allowed cars to be created in a predictable, repeatable way. However, Ford famously required all Model T’s to be painted black. Even before the introduction of the assembly line, the Model T was available in other colors, but with the move to mass production, this option was taken away.

The term “mass customization” is essentially the idea that mass production can co-habitate with customization, resulting in a customer experience that is personal and custom-built, but that also gets to experience the low unit cost that comes with mass production.

A great example of mass customization is the Moto X phone, whose commercials famously offer all kinds of customization options Continue reading

0

Response: Black Energy 2 Malware Router Abuse – Kaspersky

Kaspersky published a research note on Black Energy malware that uses backdoors and exploits on Cisco routers to install a TCL file, perform surveillance or destruction of the device configuration.   And, they revealed that their Cisco routers with different IOS versions were hacked. They weren’t able to connect to the routers any more by […]

The post Response: Black Energy 2 Malware Router Abuse – Kaspersky appeared first on EtherealMind.

0

Musing: VMware Sells More Services Than Licenses

In their Q3-2014 VMware results, the revenue from "services" is 30% larger than licensing revenue. What does this mean for customers ?

The post Musing: VMware Sells More Services Than Licenses appeared first on EtherealMind.