Keyless SSL: The Nitty Gritty Technical Details

We announced Keyless SSL yesterday to an overwhelmingly positive response. We read through the comments on this blog, Reddit, Hacker News, and people seem interested in knowing more and getting deeper into the technical details. In this blog post we go into extraordinary detail to answer questions about how Keyless SSL was designed, how it works, and why it’s secure. Before we do so, we need some background about how encryption works on the Internet. If you’re already familiar, feel free to skip ahead.

TLS

Transport Layer Security (TLS) is the workhorse of web security. It lets websites prove their identity to web browsers, and protects all information exchanged from prying eyes using encryption. The TLS protocol has been around for years, but it’s still mysterious to even hardcore tech enthusiasts. Understanding the fundamentals of TLS is the key to understanding Keyless SSL.

Dual goals

TLS has two main goals: confidentiality and authentication. Both are critically important to securely communicating on the Internet.

Communication is considered confidential when two parties are confident that nobody else can understand their conversation. Confidentiality can be achieved using symmetric encryption: use a key known only to the two parties involved to encrypt Continue reading

Virtual Networking in CloudStack

If you mention open-source cloud orchestration tools these days, everyone immediately thinks about OpenStack (including the people who spent months or years trying to make it ready for production use). In the meantime, there are at least two other comparable open-source products (CloudStack and Eucalyptus) that nobody talks about. Obviously having a working product is not as sexy as having 50+ vendors and analysts producing press releases.

Some New Old Books

Colour calibration in Linux

#!/bin/sh
NAME=$1
COLOR=$2
DESC="Some random machine"
QUALITY=h   # or l for low, m for medium
set -e

dispcal -m -H -q $QUALITY -y l -F -t $COLOR -g 2.2 $NAME
targen -v -d 3 -G -e 4 -s 5 -g 17 -f 64 $NAME
dispread -v -H -N -y l -F -k $NAME.cal $NAME
colprof -v -D $DESC -q m -a G -Z p -n c $NAME
dispwin -I $NAME.icc

Using AppShape++ to change a request’s URL

Lab goal

Setup

I'll use my Loadbalancer Lab Setup.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

/c/slb/real 1
        ena
        ipver v4
        rip 10.136.85.1
/c/slb/real 2
        ena
        ipver v4
        rip 10.136.85.2
/c/slb/real 3
        ena
        ipver v4
        rip 10.136.85.3
/c/slb/group 10
        ipver v4
        add 1
        add 2
        add 3

Alteon configuration

1
2
3
4
5

 /c/slb/virt 6_13
        ena
        vip 10.136.6.13
 /c/slb/virt 6_13/service 80 http
        group 10

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

attach group  Continue reading

Why Far-Flung Parts of the Internet Broke Today

VolumeDrive is a Pennsylvania-based hosting company that uses Cogent and (since late May of this year) Atrato for Internet transit. A routing leak this morning by VolumeDrive was passed on to the global Internet by Atrato causing disruptions to traffic in places as far-flung from the USA as Pakistan and Bulgaria.

Background

The way Internet transit is supposed to work in BGP is that a provider announces the global routing table to its customers (i.e., a large number of routes). Then, in turn, the customers announce local routes to their respective providers (generally a small number of routes). Each customer selects the routes it prefers from the options it receives. When a transit customer accidentally announces the global routing table to back one of its providers, things get messy. This is what happened earlier today and it had far-reaching consequences.

At 06:49 UTC this morning (18-September), VolumeDrive (AS46664) began announcing to Atrato (AS5580) nearly all the BGP routes it learned from Cogent (AS174). The resulting AS paths were of the following format:

    … 5580 46664 174 …

Normally, VolumeDrive announces 39 prefixes (networks) to Atrato: 27 it originates itself and 12 it transits for two of its downstream Continue reading

ThousandEyes Network Monitoring Use Cases

CCIE SP — Experience

I have passed the CCIE SP Lab . I will share my experience here. I will only share things pertaining to the SP lab.

>Dont forget to take the config backup before starting the LAB
>Notepad is your  best friend in lab. Many configurations are repetitive. You will save time and reduce the chance of making a mistake by using it.
>Read the LAB end to end carefully before starting.
>Speed and Accuracy is imp ingrediant to pass the LAB.
>Proctator wont help you much after providing intial instruction.You need to listen carefully to protector.
>I lost access to all the device while labbing.I asked protector to help but he advised to check myself.I cleared power cycle and got the access back.
>IMP : Don’t forget to create the BGP_PASS RPL to allow eBGP routes to pass.

Questions are welcome.I would try my best to help you .

Smiles
Crazyrouter

Let’s Talk About NewPosThings

by Dennis Schwarz and Dave Loftus

NewPosThings is a point of sale (PoS) malware family that ASERT has been tracking for a few weeks. It operates similarly to other PoS malware by memory scraping processes looking for credit card track data and then exfiltrating the spoils to a command and control (C2) server. Based on compilation times, it has been in active development since at least October 20, 2013—with the latest timestamp being August 12, 2014. Since we haven’t come across any public details of this family, we’re releasing our malware analysis for posterity and to get ahead of the threat.

The analyzed sample has an MD5 of 4196c67648003a18f61573a77b6d3be6.

Naming

Its name comes from an embedded PDB pathname string from the analyzed sample:

C:UsersTomdocumentsvisual studio 2012ProjectsNewPosThingsReleaseNewPosThings.pdb

Initialization

The malware initializes itself as follows:

• Sets some insecure file flags in the Registry:
  • “LowRiskFileTypes” in “HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesAssociations”
  • “1806” in “HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones”
• Copies itself to “%APPDATA%JavaJavaUpdate.exe”
• Checks whether it is running as 64-bit and if so, exits with a MessageBox of “Use 64bit version.”
• Kills any existing “JavaUpdate.exe” processes
• Sets up Registry Run persistence (HKCUSoftwareMicrosoftWindowsCurrentVersionRun) under “Java Update Manager”
• Executes copied executable passing the original executable’s pathname and “RM” as Continue reading

Response: CloudFlare Keyless SSL Means The End of Big Pipes and Load Balancers in The Data Centre

This blog post from Cloudflare should mean the end of big Internet pipes in Enterprise Data Centre with massive reductions in load balancers, IDS units and web servers.

The post Response: CloudFlare Keyless SSL Means The End of Big Pipes and Load Balancers in The Data Centre appeared first on EtherealMind.

So what if the tables wobble a little?

When I first met Cumulus, they were working out of a borderline-sketchy kind of warehouse space they had outgrown long before I showed up.

My job was to “make things better.” Initially, this had a lot to do with boxes and taking out garbage. I threw out a pile of flattened boxes about three feet high early on. The boxes had been stacked and tossed and shoved into a massive pile that consumed the small loft that hovered over the space. These people have no idea how dangerously close they came to becoming an episode of Hoarders.

Despite the mess, they are very good people. I’d been there only a short time when, one day, the bottom fell out of a box of stuff I was moving. Instantly I was surrounded by people who had everything picked up before I’d even registered what happened. One of them was on the phone the entire time and never missed a beat, I think he even made a sale. They were halfway back to their desks before I managed to say “thank you.”

I am not an engineer, but I am married to one, which is almost the same thing. (That Continue reading

Trying out IPv6 Prefix Delegation

In this post i will show how and why to use a feature called IPv6 Prefix Delegation (PD).

IPv6 prefix delegation is a feature that provides the capability to delegate or hand out IPv6 prefixes to other routers without the need to hardcode these prefixes into the routers.

Why would you want to do this? – Well, for one is the administration overhead associated with manual configuration. If the end-customer only cares about the amount of prefixes he or she receives, then it might as well be handed out automatically from a preconfigure pool. Just like DHCP works today on end-user systems.

On top of that, by configuring a redistribution into BGP just once, you will automatically have reachability to the prefixes that has been handed out, from the rest of your SP network.

So how do you go about configuring this? – Well, lets take a look at the topology we’ll be using to demonstrate IPv6 Prefix Delegation.

First off, we have the SP core network which consists of R1, R2 and R3. They are running in AS 64512 with R1 being a BGP route-reflector for the IPv6 unicast address-family. As an IGP we are running OSPFv3 to provide Continue reading

Announcing Keyless SSL™: All the Benefits of CloudFlare Without Having to Turn Over Your Private SSL Keys

CloudFlare is an engineering-driven company. This is a story we're proud of because it embodies the essence of who we are: when faced with a problem, we found a novel solution. Technical details to follow but, until then, welcome to the no hardware world.

Fall in San Francisco

The story begins on a Saturday morning, in the Fall of 2012, almost exactly two years ago. I got a call on my cell phone that woke me. It was a man who introduced himself as the Chief Information Security Officer (CISO) at one of the world's largest banks.

"I got your number from a reporter," he said. "We have an incident. Could you and some of your team be in New York Monday morning? We'd value your advice." We were a small startup. Of course we were going to drop everything and fly across the country to see if we could help.

I called John Roberts and Sri Rao, two members of CloudFlare's team. John had an air of calm about him and owned more khaki pants than any of the rest of us. Sri was a senior member of our technical operations team and could, already at that point, Continue reading

Resiliency in Controller based Network Architectures

Last week Ivan Pepelnjak wrote an article about the failure domains of controller based network architectures. At the core of SDN solutions is the concept of a controller, which in most cases lives outside the network devices themselves. A controller as a central entity controlling the network (hence its name) provides very significant values and capabilities to the network. We have talked about these in this blog many times.

Centralized Control

When introducing a centralized entity into any inherently distributed system, the architecture of such a system needs to carefully consider failure domains and scenarios. Networks have been distributed entities, with each device more or less independent and a huge suite of protocols defined to manage the distributed state between all of them. When you think about it, it’s actually quite impressive to think about the extend of distribution we have created in networks. We have created an extremely large distributed system with local decision making and control. I am not sure there are too many other examples of complex distributed systems that truly run without some form of central authority.

It is exactly that last point that we networking folks tend to forget or ignore. Many control systems in Continue reading

Dynamic FCoE – Sparse-Mode FCoE Strikes Again

A while ago Cisco added dynamic FCoE support to Nexus 5000 switches. It sounded interesting and I wanted to talk about it in my Data Center Fabrics update session, but I couldn’t find any documentation at that time.

In the meantime, the Configuring Dynamic FCoE Using FabricPath configuration guide appeared on Cisco’s web site and J Metz wrote a lengthly blog post explaining how it all works, triggering a severe attack of déjà vu.

BASICS- ICMP REDIRECTS

Redirect, ICMP type 5, is used by routers to notify hosts of another router on the data link that should be used for a particular destination.

TOPOLOGY

——————–

———-                                   ROUTER R3——|
| Internet |                                  /                 |——PC2 10.10.10.1
———                                         /
|                                               /
ROUTER R1                            ROUTER R2
172.16.10.40|                                | 172.16.10.5

|                                 |
—————-LAN——————————–
|
|
PC1
172.16.10.1
Gateway 172.16.10.40

—————————————-
Consider above topology,where PC1 has default gatway config as 172.16.10.40 .PC1 send packet to router R1 to reach remote destination  10.10.10.1.Router R1  checks its routing table and find that next-hop to reach 10.10.10.1 is Router R2.SO now the ROuter R1 has to fwd  packet througth the same interface on which it was received.Router R1 fwd packet to Router R2 and also send ICMP redirect message to PC1.This informs about the best path to reach destination 10.10.10.1 is through Continue reading

BASICS – PROXY ARP

Its very important for routing and is enabled default in IOS.

Its method by which router made himself available to the host.How ?

|——-ROuter——|
|                            |
PC1                       PC2
IP 10.10.20.1/24      10.10.40.1/24

Consider that HostA(10.10.20.1/24) want to send traffic to HostB of diff subnet (10.10.40.1/24).
Host A neither have any default gateway configured nor it knows how to reach router.It will send arp request for 10.10.40.1,local router
when receives the request and also know how to reach subnet 10.10.40.0,will reply arp with its own hardware address.
Host A will see this reply, cache it, and send future IP packets for host B to the gateway.  The gateway will forward such packets to
host B by the usual IP routing mechanisms.  The gateway is acting as an agent for host B, which is why this technique is called “Proxy ARP”; we will refer to this as a transparent subnet gateway or ARP subnet gateway.

ARP cache entries generally shows multiple ip address are mapped to single hardware addresss ,It that case proxy arp is used and single hardware addresss is of router interface and multiple ip address is of hosts.

BASICS – ARP

How the ARP works ? Basic question but very imp to know it.

ARP is address resolution protocol,used to resolve logical IP address to physical hardware address.

ROUTER

|
|
———LAN——-
|                          |
|                          |
PC1                   PC2
10.10.10.1          10.10.10.14

Consider that PC1 want to communicate with PC2.What is the actual process to communicate b/w them ?

PC want to sent traffic to PC2 ,it has got layer 3 address for source(10.10.10.1) and also destination (10.10.10.14).
It will move from upper layer down to lower layer 2 i.e data link layer.Layer 2 need to have source and destination MAC
address information to process further.PC1 has layer 3 information for source and destination but no layer 2 information for destination .
Here comes the saviour known as ARP .PC1 will send broadcast into the LAN asking that whoever owns IP 10.10.10.14 respond with its mac address.

The broadcast packet will have following info.
Source Ip             : 10.10.10.1
Destination IP      : 10.10.10.14
Source MAC        : MAC Continue reading

On Policy in the Data Center: Comparing OpenStack policy efforts

(This post was written by Tim Hinrichs and Scott Lowe, with contributions from Pierre Ettori, Aaron Rosen, and Peter Balland.)

In the first two parts of this blog series we discussed the problem of policy in the data center and the features that differentiate solutions to that problem. In this post, we give a high-level overview of several policy efforts within OpenStack.

Remember that a policy is a description of how (some part of) the data center ought to behave, a service is any component in the data center that has an API, and a policy system is designed to manage some combination of past, present, and future policy violations (auditing, monitoring, and enforcement, respectively).

The overview of OpenStack policy efforts talks about the features we identified in part 2 of this blog series. To recap, those features are:

• Policy language: how expressive is the language, is the language restricted to certain domains, what features (e.g. exceptions) does it support?
• Policy sources: what are the sources of policy, how do different sources of policy interact, how are conflicts dealt with?
• Services: which other data center services can be leveraged and how?
• Actions: what does the system do once Continue reading

Making better use of libvirt hooks

• changing network policy
• instantiating named routing tables
• creating ramdisks for use by containers 
• pre-loading data before container startup
• archiving interesting data at container shutdown 
• purging data at container destruction

 /etc/libvirt/hooks/lxc MyAwesomeContainer prepare begin -  
 /etc/libvirt/hooks/lxc MyAwesomeContainer start begin -  
 /etc/libvirt/hooks/lxc MyAwesomeContainer started begin -  
 /etc/libvirt/hooks/lxc MyAwesomeContainer stopped end -  
 /etc/libvirt/hooks/lxc MyAwesomeContainer release end -