Accidentally stealing the Internet

Just a few days ago we learned  about an incident involving a mis-issued SSL certificate that was used in a Man in the Middle attack to intercept Gmail data. In this blog post we’ll talk about how Man in the Middle (MITM) attacks work and we’ll look at recent BGP MITM event that caused traffic for some major networks such as Microsoft and Facebook to be redirected to an ISP in France.

Certificate authorities and SSL
Just as the DigiNotar storm seemed to have calmed down, Google announced they discovered, yet another Certificate Authority that was involved in a similar incident. TURKTRUST, a certificate authority, mis-issued two intermediate certificates that were later used to intercept SSL traffic to Gmail. In cases like this the attacker is interested in intercepting communication between Gmail users and the Gmail servers. In order to successfully execute such an attack the attacker will need to insert his fake Gmail impersonating webserver between the user and the actual Gmail servers, this is what we call a Man in the Middle Attack, sometimes referred to as MITM.
The challenge here is: how do you get the user to send traffic to your fake server instead of to the Continue reading

IPv6 – SLAAC EUI-64 Address Format

How does the internet work - We know what is networking

Stateless autoconfiguration or SLAAC SLAAC is another method in which the host or router interface is assigned a 64-bit prefix, and then the last 64 bits of its address are derived by the host or router with help of EUI-64 process which is described here. SLAAC uses NDP protocol to work. As the format of the EUI-64 format […]

IPv6 – SLAAC EUI-64 Address Format

phpIPAM installation on debian 6.0.6

I have received a request for help on manual installation of phpIPAM on debian linux, so I decided to write a small how-to if anyone else has problems or is not so familiar with linux distributions and environment. I have used fresh default debian 6.0 as distribution because it is widely used, I believe on ubuntu linux procedure should be very similar, except maybe for locations of some config files.

I have used the following settings for installation:

  • Fresh debian installation
  • MySQL server not yet installed and no root pass configured
  • Apache not installed and configured
  • phpipam will be installed in default directory (no vhosts) under /phpipam/ folder

If you already have MySQL/apache set you can skip point 3.

Installation procedure:

1.) Preparing environment and installing required apps

Update your sources (apt-get update) and install Apache, php and mysql server:

apt-get install apache2 mysql-server php5 php5-gmp php-pear php5-mysql php5-ldap

After all is installed and the apache server is running, you need to decide weather you will be running it under vhost or in subdirectory or root directory. For this guide I will have it in subdirectory http://server/phpipam/, so do the following:

cd /var/www/
wget http://freefr.dl.sourceforge.net/project/phpipam/phpipam-1. Continue reading

vSphere 5.1 Auto Deploy on Cisco UCS C220 M3 Server

I set up Auto Deploy in my home lab using vSphere 5.1 on an existing server, in order to boot a Cisco UCS C220 M3 server whose local hard drives have not arrived yet. I followed Duncan Epping’s walkthrough for Auto Deploy on vSphere 5.0, but this post is about what I had to do differently to get it working. Hopefully I save you some headaches. There might be some improvements to this process, but I was under a deadline and I know that it worked for me - please share any improvements in the comments.

vSphere 5.1 Auto Deploy on Cisco UCS C220 M3 Server

I set up Auto Deploy in my home lab using vSphere 5.1 on an existing server, in order to boot a Cisco UCS C220 M3 server whose local hard drives have not arrived yet. I followed Duncan Epping’s walkthrough for Auto Deploy on vSphere 5.0, but this post is about what I had to do differently to get it working. Hopefully I save you some headaches. There might be some improvements to this process, but I was under a deadline and I know that it worked for me - please share any improvements in the comments.

What about 2013?

Happy new year to you all! I truly hope that all your dreams for 2013 may come true and maybe even more.

For the first time I didn’t really made a to-do list for 2013, but in my head I’m still working on things I want to have accomplished by the end of the year. I wanted to discuss in short a few of those topics.

House

Just at the end of December I bought a house in Utrecht, Netherlands. This is going to fill up a lot of time for me in 2013, where I literally need to buy everything and arrange a lot of things.

Of course the fun part of designing my home network, automating my house as much as possible and designing my little office if already in progress :)

CCIE Data Center

The CCIE Data Center is also taking up a lot of time in 2013. Besides that I’m studying to pursue the title myself. I’m also writing the CCIE Data Center Lab Workbook for IPexpert. This is an amazing opportunity and I really love to work on it. I really hope you like using it when you purchase. Otherwise I’m more than happy to Continue reading

L2TP – Layer 2 Tunneling Protocol

How does the internet work - We know what is networking

L2TP Attributes Summary Projected L2TP standard was made available in the year 1999 by means of RFC 2661. It was originated primarily from two different tunneling protocols, named as: Point-to-Point communication protocol and PPTP (Point to Point Tunneling protocol). In other words, L2TP (Layer 2 Tunnel Protocol) is an up-and-coming IETF (Internet Engineering Task Force) […]

L2TP – Layer 2 Tunneling Protocol

Offline Cable Management

Full disclosure: I got some stuff for free. Details.

In The Old Days
Cisco Catalysts used to be offered with RJ21 (Amphenol) connectors, rather than individual 8P8C jacks. Installations using this type of switch always stayed nice and clean regardless of the port density because the inevitable tangled mess of cable developed in a different rack, far away from failed fan trays, line cards, power supplies, etc...

I'm not sure why, but Cisco stopped offering line cards with RJ21 interfaces. It doesn't seem like this needed to happen: 1000BASE-T requires the same type of cable (Category 5) as 100BASE-TX, and Cisco demonstrated that the port density required for 48 gigabit ports is possible.

I worked in one environment where the tradition of remote patching continued on gigabit gear through the use of 25-pair cables terminated with six individual 8P8C connectors. Whenever a new switch or line card got installed, it was immediately populated with eight of these multi-headed copper cables. They terminated in a very large 110 block patch area. It worked well, but the Plug Pack is better.

Six Pack Rings For Network Cables
Panduit's Plug Pack modules keep your cables nicely collated, especially when a component is removed Continue reading

Installing apcupsd with USB Support on OmniOS

I installed OmniOS on my home filer over the Christmas break. Jumping from a Solaris Nevada build to OmniOS meant figuring out what software packages are available in the OmniOS repositories, what third-party repos are available and what software I would have to compile by hand. Given that this machine is only acting as a filer and isn't running any other services to speak of, the list of software to get up and running is small; however a critical component is apcupsd which talks to the Uninterruptible Power Supply (UPS) and cleanly powers down the filer if the power goes out for an extended time.

The hangup for me is that my UPS connects to the filer via USB, not a serial connection. It took me some hours to figure out how to get apcupsd installed with USB support. Here's how.

2012 in Review, and 2013 Resolutions

2012 has been a crazy year for me. I’d like to briefly summarize my year and publicly post some of my goals for 2013. Accomplishments in 2012 Blogging - Monthly Views to Keeping It Classless increased by over 450% this year, and every single month had consistently more views than the month before. I want to thank each and every one of you for reading my articles - I really only got into this recently and the explosive growth is still hard to believe.

2012 in Review, and 2013 Resolutions

2012 has been a crazy year for me. I’d like to briefly summarize my year and publicly post some of my goals for 2013. Accomplishments in 2012 Blogging - Monthly Views to Keeping It Classless increased by over 450% this year, and every single month had consistently more views than the month before. I want to thank each and every one of you for reading my articles - I really only got into this recently and the explosive growth is still hard to believe.

NDP – Neighbor Discovery Protocol: IPv6 Stateless address autoconfiguration SLAAC

How does the internet work - We know what is networking

IPv6 Neighbor Discovery Protocol It’s the way the IPv6 hosts learn the addresses as well as about the neighbors around himself. That includes learning about other hosts and routers on local network. That is the biggest difference between IPv4 and IPv6. The Neighbor Discovery Protocol is also called ND or NDP, makes this and other […]

NDP – Neighbor Discovery Protocol: IPv6 Stateless address autoconfiguration SLAAC

2012 in review

The WordPress.com stats helper monkeys prepared a 2012 annual report for this blog.

Here’s an excerpt:

The new Boeing 787 Dreamliner can carry about 250 passengers. This blog was viewed about 1,100 times in 2012. If it were a Dreamliner, it would take about 4 trips to carry that many people.

Click here to see the complete report.


Quiz #2 &#8211 OSPF Redistribution between different processes

Redistribution between different or same routing protocols can become a nasty thing when there are 2 or more redistribution points.
In this quiz, redistribution is configured between 2 different OSPF processes on 2 routers. Without a proper configuration, this can lead to routing loops. Read the quiz to see the loop in action and try to solve it.

Upgrading ESXi Hypervisor to 5.1

Ahh the Christmas break. The perfect time for good food, enjoying the company of family and friends and of course…. IT projects at home! My project last year was to immerse myself in the source code for OpenBSD's snmp daemon so that I could integrate my patch-set for Net-SNMP directly into the native OpenBSD daemon. That was time well spent as I was able to integrate my code in the following weeks. This year I have maintenance to do in the home lab. It looks like 2013 is going to be a busy year as far as getting my hands on new stuff so I want the lab ready to rock.

First project: upgrade my VMware ESXi server from 4.1 to 5.1.

PNRP Name Resolution – How it works?

How does the internet work - We know what is networking

PNRP name resolution protocol uses this two steps: Endpoint determination – In this step the peer is determining the IPv6 address of the computer network card on which the PNRP ID service is published. PNRP ID resolution – After locating and testing the reachability of the peer with the PNRP ID with desired PNRP service, […]

PNRP Name Resolution – How it works?

PNRP the New DNS – Peer Name Resolution Protocol

How does the internet work - We know what is networking

PNRP – The Peer Name Resolution Protocol is new protocol made by Microsoft which is one of the first technology that will change the way we think about naming resolution in computer networking and possibly be the next DNS – Domain Name System like technology. PNRP is the new DNS but there are so much […]

PNRP the New DNS – Peer Name Resolution Protocol

Quiz #1 &#8211 MSTP

This is my first quiz and I chose an MSTP misconfiguration scenario that could be easily overlooked on the first encounter.
A fiber got cut revealed some hidden MSTP implementation problems. It was enough for one link to go down and the connectivity got impacted in a network that was supposed to be redundant. Read along and try to spot the problem.

1 3,801 3,802 3,803 3,804 3,805 3,832