0

About Promotion

There is no such thing as career path.

I wrote this several years ago. And I believe it's still true. For those who don't understand why I wrote such thing, please spend few minutes to read that blog post before leaving nasty comment. (This means: you still can leave nasty comment after reading that post :))

Allow me to share my secret: patience is not my virtue.

Every time I want to change to new position, or to new job title, I move to new company. Some of my previous employers offered me promotion the moment I gave them my resignation letter. Some of them simply didn't care and just let me go. For those who offered me promotion, I never accepted the offer. I thought they should have offered that while I was still with them, not at my last moment in the company when I usually had decided to leave.

There was a time I even worked as independent contractor. Had to deal with the customer directly, defined the scope by myself, set the performance index, and delivered end-to-end solution to customer. No job title. No career. Hmm, good old days. Even it was only for several months Continue reading

0

Hadoop for network engineers part 2 – adding more nodes

In the first article here, I walked through importing netflow data into a single Hadoop instance (pseudonode) and mentioned a progression of the project to add multiple nodes. The ability to do distributed storage and distributed processing of data is ultimately the benefit of using Hadoop/HDFS. So, let’s expand on the project and add one or […]

Author information

The post Hadoop for network engineers part 2 – adding more nodes appeared first on Packet Pushers Podcast and was written by JR Mayberry.

0

Show 170 – The Spanning Tree Story and More SDN Analysis

This week it’s Greg was configuring spanning tree in the data centre and had a problem with a switch cluster that didn’t work proper. How much networking do you need in a data centre ? Lets say you purchases 2 x 32 port 40GbE switches (common Trident2 configuration) for USD$30K and you use QSFP breakouts […]

Author information

The post Show 170 – The Spanning Tree Story and More SDN Analysis appeared first on Packet Pushers Podcast and was written by Greg Ferro.

0

Troubleshooting EIGRP Neighbor Relationships

How does the internet work - We know what is networking

EIGRP internals and getting hands dirty in debugging routing adjacency and solving EIGRP neighboring issues. What is sequence TLV and Conditional Receive CR-mode and CR flag Couple of days ago I got a strange network behavior in my CCIE lab. Something was wrong between a router and L3 switch connection and there was EIGRP neighbor […]

Troubleshooting EIGRP Neighbor Relationships

0

Five Functional Facts about VXLAN

It seems appropriate to write a FFF post about Virtual Extensible LAN (VXLAN) now since VXLAN is the new hotness in the data center these days. With VMware’s NSX using VLXAN (among other overlays) as a core part of its overall solution and the recent announcement of Cisco’s Application Centric Infrastructure (ACI) and the accompanying Nexus 9000 switch, both of which leverage VXLAN for delivering a network fabric, it seems inevitable that network engineers will have to use and understand VXLAN in the not too distant future.

As usual, this post is not meant to be an introduction to the technology; I assume you have at least a passing familiarity with VXLAN. Instead, I will jump right into 5 operational/technical/functional aspects of the protocol.

For more information on VXLAN, check out the draft at the IETF.

1 – VXLAN Use Cases

Despite the apparent ubiquity and fervent hype around VXLAN, it’s actually been designed to solve specific problems. It has not been designed to be “everything to everyone”.

The first, and most often cited, use case is for data center operators that require more than ~4000 logical partitions in the network. These 4000 partitions equate to the maximum number of Continue reading

0

Five Functional Facts about VXLAN

It seems appropriate to write a FFF post about Virtual Extensible LAN (VXLAN) now since VXLAN is the new hotness in the data center these days. With VMware's NSX using VLXAN (among other overlays) as a core part of its overall solution and the recent announcement of Cisco's Application Centric Infrastructure (ACI) and the accompanying Nexus 9000 switch, both of which leverage VXLAN for delivering a network fabric, it seems inevitable that network engineers will have to use and understand VXLAN in the not too distant future.

As usual, this post is not meant to be an introduction to the technology; I assume you have at least a passing familiarity with VXLAN. Instead, I will jump right into 5 operational/technical/functional aspects of the protocol.

For more information on VXLAN, check out the draft at the IETF.

0

New GNS3 – Redesign changing networking again

GNS3 has been a crucial tool used by many network engineers to emulate computer networks.  It has proven to be fundamental  studying for all network certification levels such as CCNA, CCNP and CCIE. It has been crucial for network design validations within many companies.  With the news of Cisco’s VIRL, many said that GNS3 will disappear, but that doesn’t seem to be the case. GNS3 is going through a major redesign and needs the help of all the engineers that it helped over the years.

Recently, Stephen Guppy from GNS3.net contacted me about some of the changes coming to GNS3. He was very excited to share with me the new direction they are heading and the croudfounding campaign going on. These new software improvements incorporate:

• Switching
• On Demand Cloud Processing
• Automation of Configuration
• Lab Deployment and Training Programs
• Integration of Other Vendors

Switching

Switching has been a major feature preventing network engineer from exclusively using GNS3 for their certification study. The difficulty in supporting switching platforms is that most of their ASCIs were build on proprietary hardware and can’t be easily ported. With the new GNS3, switching will be supported using L2IOU. Some features are not supported Continue reading

0

How TPM-protected SSH keys work

In my last blog post I described how to set up SSH with TPM-protected keys. This time I'll try to explain how it works.

SRK

The SRK is a public key pair that is the main secret inside the TPM chip. It is always generated by the chip, and the private key cannot be read or migrated.

In order to use the SRK key with any operation, the SRK password must be supplied. The SRK password is just an access password. It's not related to the key itself. The SRK password is usually set to the Well Known Secret (20 null characters), or sometimes the empty string, or something silly like "12345678".

There is not much point in having a good SRK password, since you probably have to store it on disk somewhere anyway, to allow TPM operations by daemons.

If you want a password then you probably want to set that per key, not chip-wide like the SRK password is.

Key generation

The stpm-keygen binary asks the TPM to generate a key, and the TPM hands back the public portion of the key, and a "blob" that has no meaning to anyone except the TPM. The blob is encrypted Continue reading

0

How TPM-protected SSH keys work

In my last blog post I described how to set up SSH with TPM-protected keys. This time I'll try to explain how it works.

SRK

The SRK is a public key pair that is the main secret inside the TPM chip. It is always generated by the chip, and the private key cannot be read or migrated.

In order to use the SRK key with any operation, the SRK password must be supplied. The SRK password is just an access password. It's not related to the key itself. The SRK password is usually set to the Well Known Secret (20 null characters), or sometimes the empty string, or something silly like "12345678".

There is not much point in having a good SRK password, since you probably have to store it on disk somewhere anyway, to allow TPM operations by daemons.

If you want a password then you probably want to set that per key, not chip-wide like the SRK password is.

Key generation

The stpm-keygen binary asks the TPM to generate a key, and the TPM hands back the public portion of the key, and a "blob" that has no meaning to anyone except the TPM. The blob is encrypted Continue reading

0

On Python, Networks and the py-junos-eznc library

One of my recent forays into Increasing the Awesome has involved learning about NETCONF and the Python programming language. I was lucky enough to spend some time with Jeremy Schulman during my trip to Sunnyvale for the Juniper Ambassadors Summit, and he introduced me to the new py-junos-eznc Python library he has been working on. I had spent a little bit of time earlier in the year looking at the original Ruby library, and I was amazed at how much thought had been put into this new library – obviously Jeremy’s learned a lot on the way!

 An Impatient Start

Let me make a couple of things clear right from the outset:

1. I am not a programmer! Yes I have written the odd script here and there in the deep dark past, but I am by no means a programmer. All of my scripts have been about automating some task I had to do. As long as it worked, I didn’t care how efficient or pretty it was – it did what I needed.
2. I have no intention of becoming a full time programmer! I like being a network architect and I like building and playing with Continue reading

0

Quiz #21 &#8211 EIGRP as CE-PE

You have just received a nice job at a big enterprise that has multiple sites connected over their own managed MPLS Core. Each site runs EIGRP as the CE - PE routing protocol. You get the task to route some traffic in a particular way, but you cannot make it. What is missing ?

0

A Bit of Irony…

There’s something terribly wrong about this… RUSH hour in Nairobi can be a nightmare. “Most motorists don’t follow traffic rules and small inconveniences like a minor traffic accident or even a sudden downpour can cause delays of up to an hour,” says John Kimani, a small business owner in the Kenyan capital. A text message […]

Author information

0

Your Weak and Broken Heart

I can make you happy, I can give you everything you dreamed of. You already know that right? I’ve tried to make you understand this again and again; I’ll fall at your feet at a moments notice, but somehow I’m always here in the background,  a shadow. No matter your heart, somehow I’m always put […]

Author information

The post Your Weak and Broken Heart appeared first on Packet Pushers Podcast and was written by Steven Iveson.

0

ASA-CX – 15 Minutes to Configure ASA-CX in a PoC

Just finished building/validating a ASA-CX PoC script. Ran 27K web sites through it using a script on BT5R3. 15min and I was up and running.

Sceenshot of PRSM and Backtrack5 running the script
























In the future I may posts the steps required to get this up and running.

0

Show 169 – Cisco FabricPath Deep Dive Part 1

Cisco FabricPath is a TRILL-based layer 2 forwarding technology that can take the place of spanning-tree. Allowing a fully-meshed layer 2 network to forward traffic across all links, FabricPath helps customers to make the most of their expensive 10GbE and 40GbE interconnects. In this show, Jamie Caesar, Colby Glass, and Ed Diaz discuss real-world FabricPath […]

Author information

The post Show 169 – Cisco FabricPath Deep Dive Part 1 appeared first on Packet Pushers Podcast and was written by Ethan Banks.

0

TPM chip protecting SSH keys – properly

Not long after getting my TPM chip to protect SSH keys in a recent blog post, it started to become obvious that OpenCryptoKi was not the best solution. It's large, complicated, and, frankly, insecure. I dug in to see if I could fix it, but there was too much I wanted to fix, and too many features I didn't need.

So I wrote my own. It's smaller, simpler, and more secure. This post is about this new solution.

Why not Opencryptoki?

• It generates at least some keys in software. As I've explained earlier, I want to generate the keys in hardware.
• It generates migratable keys. This is hardcoded, and some people obviously want migratable keys (for backup purposes). So a fix would have to involve supporting both.
• Opencryptoki has no way to send such parameters from the command line key generator to the PKCS11 library. So not only would I have to implement the setting, but the whole settings subsystem.
• The code is big, because it supports a lot of features. Features I don't need or want. They get in the way of me as a user, and of me fixing the other issues.
• The code is of Continue reading

0

Installing OpenStack ML2 Neutron Plugin with DevStack on Fedora

OpenStack networking is tricky. This is primarily because programmable distributed systems are relatively new beyond the rigid L2/L3 control protocols we have used for the past 20 years. What I am consistently impressed with about OpenStack networking is the innovative network services that systems programmers are developing using APIs and virtual switching. Of course most vendors have a plugin for ...

...

0

Freddie Mercury

Is it just me or does it look like Freddie Mercury now works for Juniper?

0

Should I generate my keys in software or hardware?

A Hardware Security Module (HSM) is any hardware that you can use for crypto operations without revealing the crypto keys. Specifically I'm referring to the Yubikey NEO and TPM chips, but it should apply to other kinds of special hardware that does crypto operations. I'll refer to this hardware as the "device" as the general term, below.

Some background

When describing the Yubikey NEO I'm specifically referring to its public key crypto features that I've previously blogged about, that enable using Yubikey NEO for GPG and SSH, not its OTP generating features.

To generate keys for these devices you have two options. Either you tell the device to generate a key using a built in random number generator, or generate the key yourself and "import" it to the device. In either case you end up with some handle to the key, so that you command the device to do a crypto operation using the key with a given handle.

This "handle" is often the key itself, but encrypted with a key that has never existed outside the device, and never will. For TPMs they are encrypted (wrapped) with the SRK key. The SRK is always generated inside Continue reading

0

Introduction to Segment Routing

When I read the latest posts about Fast ReRoute from Russ White and as I had an introduction from a coworker contributing to some drafts, I thought it was the right time to write my first article on PacketPushers. And here it is the Introduction to Segment Routing! What is it? It is a new […]

Author information

The post Introduction to Segment Routing appeared first on Packet Pushers Podcast and was written by Youssef El Fathi.