BGP Security Vulnerabilities a Growing Concern

BGP Security Vulnerabilities a Growing Concern

Border Gateway Protocol (BGP), the protocol that connects different networks together, was not designed with security in mind. It is easy to take down portions of the Internet by announcing illegitimate routes to those parts (referred to as route hijacking). A classic example of this attack is a widely popularized incident a few years ago by a Pakistani service provider. The Pakistan government wanted to block YouTube internally. The service providers there injected a BGP route for YouTube and directed YouTube traffic to nowhere. This route somehow leaked outside of Pakistan, and was carried by many service providers across the Internet. This resulted, in effect, in YouTube’s removal from the Internet. 

These incidents, many not as high-profile as the YouTube incident, are routine and go back as far as I can remember. The first incident I am aware of is a dial-up Internet provider in Florida taking down the MIT network in the pre-1994, non-commercial era Internet. Early on, these incidents were results of honest configuration mistakes or fat fingering of wrong BGP configuration knobs. 

As we all know, the days of Internet innocence Continue reading

Network ping with delay, jitter and MOS

Understanding IPv6: A Sniffer Full Of 3s

Screen Scraping: Still Sucks

I’ve written before about “Why Screen Scraping Sucks.” Well, I can report that nothing has changed. It still sucks. This time I got caught out by the changed behaviour of the “logging host” command.

Compliance Checks

At a customer site I use HP IMC to perform compliance checks across HP and Cisco networking gear. This has a set of rules that get run against the latest device backups. I have various rules that look for specific patterns – making sure they do, or don’t exist, as required.

My systems should all have two log servers defined. The configs should look something like this:

Rack1SW1#sh run | inc ^logg
logging 1.1.1.1
logging 2.2.2.2

So I defined an IMC compliance rule that looked for the existence of “logging 1.1.1.1″ and “logging 2.2.2.2″. I’m using the Advanced mode, which uses regex matching, so I need to escape the “.”.

This worked well. It alerted on systems that had the incorrect (or no) destinations defined.

Wait a minute…I thought you said “logging host”?

Turns out that “logging X.X.X.X” was the original form of this command. At 12.3(14)T, Cisco changed Continue reading

CloudFlare Now Supports WebSockets

CC BY 2.0 from Brian Snelson

I'm pleased to announce that CloudFlare now supports WebSockets. The ability to protect and accelerate WebSockets has been one of our most requested features. As of today, CloudFlare is rolling out WebSocket support for any Enterprise customer, and a limited set of CloudFlare Business customers. Over the coming months, we expect to extend support to all Business and Pro customers.

We're rolling out WebSockets slowly because it presents a new set of challenges. The story below chronicles the challenges of supporting WebSockets, and what we’ve done to overcome them.

The Web Before WebSockets

Before diving into WebSockets, it's important to understand HTTP—the traditional protocol of the web. HTTP supports a number of different methods by which a request can be sent to a server. When you click on a traditional link you are sending a GET request to a web server. The web server receives the request, then sends a response.

When you submit a web form (such as when you're giving your username and password when logging into an account) you use another HTTP method called POST, but the interaction is functionally the same. Your browser (called the ‘client’) sends data to Continue reading

A Full Year of Commercially Available Cumulus Linux Brings Us to Version 2.2

It’s been about one year since we released Cumulus Linux commercially to the market.

Cumulus Linux proved itself quickly as a powerful alternative to traditional networking approaches — not only for the choice it provided with a disaggregated model (choice of both networking hardware and networking OS) or the new business model it provided (a software-only solution with a transparent pricing model) — but also because for the first time, the operating system was a true Linux OS, one that is managed just like Linux on servers, thereby solving many customer challenges around IT automation with tools such as Puppet, Chef, Ansible, Salt, Graphite, and Ganglia readily available on networking platforms. Soon, cloud providers adopted Cumulus Linux and took advantage of various tools to automate rack provisioning, orchestrate switches like servers, and integrate networking with existing workflows.

Cumulus Linux 2.0 brought support for the latest industry-standard hardware platforms with Trident II-based switches and the latest technologies with hardware accelerated VXLANs and Layer 2 gateway integration with network virtualization providers such as VMware NSX. Since then, Cumulus Networks has added many platforms to the HCL, with major partners such as Dell on board, and has had broad coverage for modern Continue reading

ifupdown2, a New Network Interface Manager for Cumulus Linux

VMware NSX Use Case – Simplifying Disaster Recovery (Part 2)

Nicolas Vermandé (VCDX#055) is practice lead for Private Cloud & Infrastructure  at Kelway, a VMware partner. Nicolas covers the Software-Defined Data Center on his blog www.my-sddc.om,

This is Part 2 in a series of posts the describes a specific use case for VMware NSX in the context of Disaster Recovery. Here’s part 1,

++++++++++++++++++++++++++++++++++

Deploying the environment

Now let’s see have a closer look at how to create this environment. The following picture represents the vSphere logical architecture and the associated IP scheme…

… and the networks mapping:

First of all you have to create three vSphere clusters: one Management Cluster and two Compute Clusters, as well as  two distinct VDS, within the same vCenter. Each Compute cluster will be connected to the same VDS. One cluster will represent DC1, and the other one will represent DC2. The second VDS will connect to the Management and vMotion networks. Also, you have to create a couple of VLANs: one VLAN for VTEPs, used as the outer dot1q tag to transport VXLAN frames, two external transit VLANs to allow the ESGs to peer with your IP core and VLANs for traditional vSphere functions, such as Management, vMotion and IP storage if Continue reading

IPv6 and the VCR

IPv6 isn’t a fad.  It’s not a passing trend that will be gone tomorrow.  When Vint Cerf is on a nationally televised non-technical program talking about IPv6 that’s about as real as it’s going to get.  Add in the final depletion of IPv4 address space from the RIRs and you will see that IPv6 is a necessity.  Yet there are still people in tech that deny the increasing need for IPv6 awareness.  Those same people that say it’s not ready or that it costs too much.  It reminds me of a different argument.

IPvcr4

My house is full of technology.  Especially when it comes to movie watching.  I have DVRs for watching television, a Roku for other services, and apps on my tablet so the kids can watch media on demand.  I have a DVD player in almost every room of the house.  I also have a VCR.  It serves one purpose – to watch two movies that are only available on a video tape.  Those two movies are my wedding and the birth of my oldest son.

At first, the VCR stated connected to our television all the time.  We had some movies that we Continue reading

Juniper EX – Private vlans

DDoS and Geopolitics – Attack analysis in the context of the Israeli-Hamas conflict

Since its inception, the ASERT team has been looking into politically motivated DDoS events [1] and continues to do so as the relationship between geopolitics and the threat landscape evolves [2]. In 2013, ASERT published three situational threat briefs related to unrest in Syria [3] and Thailand [4] and threat activity associated with the G20 summit [5].  Recently, other security research teams, security vendors and news agencies have posited connections between “cyber” and geopolitical conflicts in Iraq [6], Iran [7], and Ukraine [8] [9].

Given the increasing connections being made between security incidents and geopolitical events, I checked Arbor’s ATLAS data to look at DDoS activity in the context of the current conflict between Israel and Hamas. Arbor’s ATLAS initiative receives anonymized traffic and DDoS attack data from over 290 ISPs that have deployed Arbor’s Peakflow SP product around the globe. Currently monitoring a peak of about 90 Tbps of IPv4 traffic, ATLAS see’s a significant portion of Internet traffic, and we can use that to look at reported DDoS attacks sourced from or targeted at various countries.

Israel as a Target of DDoS Attacks

Frequency

Figure 1 depicts the number of reported DDoS attacks initiated against Israel per Continue reading

“What Might Have Been?” Is The Wrong Question

Show 199 – Vectra Networks and “The Mushy Middle” – Sponsored

Security tools for the data centre need big analytics and powerful visibility to make sense of the volume of data. Vectra Networks talks about how they can secure the "mushy middle" of the Data Centre LAN.

Author information

Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.

TwitterFacebookGoogle+

The post Show 199 – Vectra Networks and “The Mushy Middle” – Sponsored appeared first on Packet Pushers Podcast and was written by Greg Ferro.

Permission and Proof in Private Clouds

I’m often told that the enterprise customer will take years to implement Private Clouds because the enterprise is slow to adopt new technologies. Yet the private cloud is happening faster than seems practical and there has to be a reason that is driving adoption so quickly. It's simple, point to the success of others and use that as proof of success and use that to generate permission to implement change.

The post Permission and Proof in Private Clouds appeared first on EtherealMind.

Juniper EX Virtual-Chassis notes

802.11ac Adjacent Channel Interference (ACI)

4G and 4G+ networks employ a type of waveform called orthogonal frequency division multiplexing (OFDM) as the fundamental element in the physical layer (PHY).  In fact, almost all modern communication networks are built on OFDM because OFDM improved data rates and network reliability significantly by taking advantage of multi-path a common artifact of wireless transmissions.  However as time and demands progress, OFDM technology suffers from out-of-band spectrum regrowth resulting in high side lobes that limit spectral efficiency.  In other words, network operators cannot efficiently use their available spectrum because two users on adjacent channels would interfere with one another.  OFDM also suffers from high peak-to-average ratio of the power amplifier, resulting in lower battery life of the mobile device.  To address OFDM deficiencies, researchers are investigating alternative methods including generalized frequency division multiplexing, filter bank multi-carrier, and universal filter multi-carrier.  Researchers speculate that using one of these approaches over OFDM may improve network capacity by 30 percent Continue reading

Dealing with Schema Changes

It’s not often I get to write about concepts rooted in database technology, but I’d like to illuminate a situation that software developers deal with quite often, and one that those entering this space from the network infrastructure side may want to consider.

Software will often communicate with other software using APIs – an interface built so that otherwise independent software processes can send and receive data between each other, or with other systems. We’re finding that this is a pretty hyped-up buzzword in the networking industry right now, since network infrastructure historically has had only one effective method of access, and that is the CLI; not exactly ideal for anything but human beings.

These APIs will typically use some kind of transport protocol like TCP (many also ride on top of HTTP), in order to get from point A to point B. The data contained within will likely be some kind of JSON or XML structure. As an example, here’s the output from a Nexus 9000 routing table:

<?xml version="1.0"?>
<ins_api>
    <type>cli_show</type>
    <version>0.1</version>
    <sid>eoc</sid>
    <outputs>
        <output>
            <body>
                <TABLE_vrf>
                    <ROW_vrf>
                        <vrf-name-out>default</vrf-name-out>
                        <TABLE_addrf>
                            <ROW_addrf>
                                <addrf>ipv4</addrf>
                                <TABLE_prefix>
                                    <ROW_prefix>
                                        <ipprefix>172.16.41.1/32</ipprefix>
                                        <ucast-nhops>1</ucast-nhops>
                                        <mcast-nhops>0</mcast-nhops>
                                        <attached>FALSE</attached>
                                        <TABLE_path>
                                            <ROW_path>
                                                <ipnexthop>172. Continue reading

Run desktop environment on guest VM in cloonix network simulator

The Cloonix open-source network simulator uses the Spice remote desktop system to provide a virtual desktop connection to quest virtual machines that run a graphical user interface, such as Microsoft Windows or a Linux desktop environment.

To use a graphical desktop user interface on a guest VM, we access the VM using the Spice desktop console.

Guest VM requirements

We must be running a guest VM that has a desktop environment installed and the Spice server installed.

We already upgraded a root filesystem with the XFCE desktop in a previous post. So, in this example, we will use that filesystem, which is named jessie-networking-xfce.qcow2 and is saved in the cloonix bulk directory.

Start the guest VM

Start the cloonix graph interface (see instructions for starting cloonix). Configure the VM object to load the jessie-networking-xfce.qcow2 filesystem.

Configure VM to use filesystem with desktop already installed

Then drag the VM object onto the graph interface so it starts up.

A Cloonix guest VM is now running

Use Spice to connect to the guest VM

Right-click on the VM and select the Open Spice desktop menu command.

Open the Spice desktop console on the guest VM

The Spice console will Continue reading

Server Bootstrap & Prep with Ansible

Dealing with Schema Changes