Address + Port = “Stall Tactics”

I recently listened to Packet Pushers Show 72 on “How we are killing the internet” and want to voice my thoughts on the topics discussed. The majority of the conversation circled around IPv6 adoption, and the state of the internet in light of the existence of tunneling mechanisms being used. Ivan mentioned that we are destroying the internet with all the tunnels (PPPoE, PPPoA, 6to4, 4to6, 6rd, etc) and translation points.

Address + Port = “Stall Tactics”

I recently listened to Packet Pushers Show 72 on “How we are killing the internet” and want to voice my thoughts on the topics discussed. The majority of the conversation circled around IPv6 adoption, and the state of the internet in light of the existence of tunneling mechanisms being used. Ivan mentioned that we are destroying the internet with all the tunnels (PPPoE, PPPoA, 6to4, 4to6, 6rd, etc) and translation points.

This New “Cloudshark” Thing

I had heard of CloudShark a while back but was reminded of it by a recent Packet Pushers article. For those that haven’t, CloudShark is a new product that basically claims to be a cloud-based capture file (such as from Wireshark) archiving solution. Viewing the main CloudShark website, you’ll be unable to miss what is obviously their big pull - CLOUDSHARK BRINGS YOUR CAPTURE FILES TO THE CLOUD OMGZ!!! (Did the fact that those words are at the top of each page on their site not give away their enthusiasm?

This New “Cloudshark” Thing

I had heard of CloudShark a while back but was reminded of it by a recent Packet Pushers article. For those that haven’t, CloudShark is a new product that basically claims to be a cloud-based capture file (such as from Wireshark) archiving solution. Viewing the main CloudShark website, you’ll be unable to miss what is obviously their big pull - CLOUDSHARK BRINGS YOUR CAPTURE FILES TO THE CLOUD OMGZ!!! (Did the fact that those words are at the top of each page on their site not give away their enthusiasm?

junos vrf-import funnies

Consider this configuration:

> show configuration routing-instances VRF1 instance-type vrf; route-distinguisher 42:1; vrf-import [ VRF1-IMPORT VRF-DEFAULT-IMPORT ]; vrf-export [ VRF1-EXPORT VRF-DEFAULT-EXPORT ]; vrf-table-label; > show configuration policy-options policy-statement VRF1-IMPORT from community [ VRF1 VRF2 ]; > show configuration policy-options policy-statement VRF-DEFAULT-IMPORT term cust_routes { from protocol bgp; then default-action accept; } > show configuration policy-options community VRF1 members target:42:1; > show configuration policy-options community VRF2 members target:42:2;

If you configure this on any router on your network, it'll work, VRF will import correct and only correct routes. This will give you assumption, that VRF import in JunOS works like this:

  1. start with empty array of routes to evaluate policy against
  2. when you hit 'match community' push matching routes from bgp.l3vpn.0 to the list
  3. evaluate rules normally against the list

If you create multiple of these to single router, and you only have single 'from community [ X ]' in each, it also works perfectly. However, if you have more than one community in 'from community' AND you have more than one VRF using the 'VRF-DEFAULT-IMPORT' things go wrong. If we have three routes:

  1. 10.10.1.0/24 RT:42:1
  2. 10.10.2.0/24 RT:42:1 RT:42:2 RT:42:3
  3. 10.10.3. Continue reading

no usage scenario for ssh-agent forwarding

Many people, especially those in consulting business have need to access multiple different organization 'jump boxes' from which they can ssh towards the organization servers. And due to security it makes sense to have different ssh key being allowed for different organization servers. For convenience people often allow ssh-agent towards the 'jump boxes'.

Problem with ssh-agent is, that it has no idea who is requesting the key signing, it could very well be organization1 evil admin asking for organization2 key, when sshing into organization2 jump-box, and your agent would simply allow this.

One solution to the problem could be that when ever signing is requested, user gets prompt 'localhost < organization2-jump < organization2 requests sign of organization1 identity, allow yes/no, [ ] always'. Now you'd have idea if sign request is legit or not. However this would require protocol changes to ssh, as ssh-agent has no idea who is requesting signing much less of the full path, which would be absolutely needed to make this feature work.

So I asked openssh dev mailing list, how this problem should be solved. Turns out there is recently added feature in openssh, which could potentially remove need for agent forwarding completely, to access organization1-server through organization1-jump you'd do ssh -oProxyCommand='ssh -W %h:%p organization1-jump' organization1-server, now obviously this is inconvenient, especially if there are more than 1 box through which you need to jump. .ssh/config can help somewhat:

# cat >> ~/.ssh/config Host org1-ultimate ProxyCommand ssh -W %h:%p org1-secondjump Host org1-secondjump ProxyCommand ssh -W %h:%p org1-firstjump ^d

Now you'd ssh 'ssh Continue reading

OpenBSD 5.0 SNMP MIBs

The OpenBSD SNMP MIBs are now updated to compile under OpenBSD 5.0. Full details of how to install and use the MIBs are on the SNMP MIBs page. There is no functional change in this release. Download: obsd-mibs50.tar As usual, if you find OpenBSD valuable, please make a donation to the project as they are dependent upon donations to cover many of their costs.

OpenFlow Symposium 2011 – Morning Session

I was able to watch a good chunk of the morning session of the OpenFlow Symposium in San Jose. The stream was having issues at the beginning of the afternoon session, plus I was pulled away for other issues, so I was only able to watch the morning session. I’d like to provide a bit of a write-up from what I was able to catch, and point out some of the highlights that I took interest in from the day’s speakers.

OpenFlow Symposium 2011 – Morning Session

I was able to watch a good chunk of the morning session of the OpenFlow Symposium in San Jose. The stream was having issues at the beginning of the afternoon session, plus I was pulled away for other issues, so I was only able to watch the morning session. I’d like to provide a bit of a write-up from what I was able to catch, and point out some of the highlights that I took interest in from the day’s speakers.

OpenFlow Symposium 2011 – Morning Session

I was able to watch a good chunk of the morning session of the OpenFlow Symposium in San Jose. The stream was having issues at the beginning of the afternoon session, plus I was pulled away for other issues, so I was only able to watch the morning session. I’d like to provide a bit of a write-up from what I was able to catch, and point out some of the highlights that I took interest in from the day’s speakers.

Link-State vs. Distance Vector – The Lowdown

I’ve been trying to get more into networking message boards like Networking Forum and TechExams.net lately. It’s a great way to get in touch with fellow packet lovers and gain some interesting perspectives along the way. In fact, it’s great for anyone in networking, whether you’re a hardened veteran or a newbie - there’s usually a place for you in at least one of these sites. As a result, I’ve seen quite a few posts asking about fundamental concepts, which is great because it shows that new networkers are getting out there and learning new things proactively.

Link-State vs. Distance Vector – The Lowdown

I’ve been trying to get more into networking message boards like Networking Forum and TechExams.net lately. It’s a great way to get in touch with fellow packet lovers and gain some interesting perspectives along the way. In fact, it’s great for anyone in networking, whether you’re a hardened veteran or a newbie - there’s usually a place for you in at least one of these sites. As a result, I’ve seen quite a few posts asking about fundamental concepts, which is great because it shows that new networkers are getting out there and learning new things proactively.

Link-State vs. Distance Vector – The Lowdown

I’ve been trying to get more into networking message boards like Networking Forum and TechExams.net lately. It’s a great way to get in touch with fellow packet lovers and gain some interesting perspectives along the way. In fact, it’s great for anyone in networking, whether you’re a hardened veteran or a newbie - there’s usually a place for you in at least one of these sites. As a result, I’ve seen quite a few posts asking about fundamental concepts, which is great because it shows that new networkers are getting out there and learning new things proactively.

Network Humor: Partial Mesh

Partial Mesh [pahr-shuhl mesh] noun A type of networking where each node must not only capture and disseminate its own data, but also serve as a _relay_ for other nodes, that is, it must collaborate to propagate the data in the network. What happens to your screen doors when you get cats Image and definition credit: Wikipedia

Network Humor: Partial Mesh

Partial Mesh [pahr-shuhl mesh] noun A type of networking where each node must not only capture and disseminate its own data, but also serve as a _relay_ for other nodes, that is, it must collaborate to propagate the data in the network. What happens to your screen doors when you get cats Image and definition credit: Wikipedia