How To Blackhole (Null Route) An IPv6 Block On Linux Using ‘ip -6 route’

If there’s an IPv6 netblock you’d like your host to stop responding to, one tactic is to blackhole the traffic. That is, send any traffic from your host destined to the troublesome IPv6 netblock into a blackhole. Blackholes are also called null routes.

A Simple Example

Let’s say I’m getting repeated SQL injection attacks from various hosts in IPv6 block 2a09:8700:1::/48. Just a totally random example with no basis in reality whatsoever, whoever you are in Belize. There are various ways I can defend against this, but one (sorta ugly) option (I don’t actually recommend, read to the bottom to see my logic) is to create a blackhole aka a null route.

On many flavors of Linux, including Ubuntu 18.04, 20.04, and 22.04, I can accomplish this task with the ip route utility. Let’s take a look at our existing host routing table.

user@host:~$ ip route
default via 123.94.146.1 dev enp1s0 proto dhcp src 123.94.146.227 metric 100
169.254.169.254 via 123.94.146.1 dev enp1s0 proto dhcp src 123.94.146.227 metric 100
123.94.146.0/23 dev enp1s0 proto kernel scope link src 123.94.146. Continue reading

The Case for Fixed Wireless Access

Fixed wireless access traffic is projected to grow seven times by 2026 when it will represent more than 20% of worldwide mobile network data traffic.

Virtual networks need a rethink to meet hybrid-, multi-cloud demands

Everyone in tech likely thinks they know what “cloud computing” and “networking” mean, but they’re probably wrong, and their misconceptions about the first topic color their view of the second. Yes, the cloud is dominating computing, but most stuff isn’t “moving to the cloud”. This subtle point is already changing how we think about networking.I’ve worked with the cloud from the first, and while there was a bit of “move this to the cloud” going on for server consolidation reasons, the overwhelming majority of stuff enterprises run in the cloud today isn’t an entire application at all. It’s the presentation layer of legacy data-center apps.Corporate transaction processing, data storage and retrieval, and analytics are all things that demand security and reliability. From the first, enterprise executives have been telling me that these activities aren’t going to move to the cloud because they believe that their requirements can’t be met, and the cost would be greater rather than lower. My work with them proves out that view. Despite all the hype about the economy of scale of the cloud providers, the fact is that most enterprises achieve economies close enough to those of the cloud that the difference wouldn’t Continue reading

Virtual networks need a rethink to meet hybrid-, multi-cloud demands

Growth of hybrid and multi-cloud demands new thinking about virtual networks.

Repost: LISP Is a False Economy

Minh Ha left this comment on the Packet Forwarding 101 blog post. As is usually the case, it’s fun reading and it would be a shame not to repost it as a standalone blog post (even though I don’t necessarily agree with all his conclusions).

I always enjoy Bela’s great insights, esp. on hardware and transport networks, but this time I beg to differ. LISP, is a false economy. It was twisted from the start, unscalable right from the get-go. In Networking and OS, to name (ID) something is to locate it, and vice versa. So the name LISP itself reflects a false distinction. Due to this misconception, LISP proponents are unable to establish the right boundary conditions, leading to the size of xTRs’ RIB diverging (going unbounded). In a word, it has come full circle back to BGP, an exemplary manifestation of RFC 1925 rule 6.

Repost: LISP Is a False Economy

I always enjoy Bela’s great insights, esp. on hardware and transport networks, but this time I beg to differ. LISP, is a false economy. It was twisted from the start, unscalable right from the get-go. In Networking and OS, to name (ID) something is to locate it, and vice versa. So the name LISP itself reflects a false distinction. Due to this misconception, LISP proponents are unable to establish the right boundary conditions, leading to the size of xTRs' RIB diverging (going unbounded). In a word, it has come full circle back to BGP, an exemplary manifestation of RFC 1925 rule 6.

Technology Short Take 152

Welcome to Technology Short Take #152! Normally I’d publish a Technology Short Take in the morning on a Friday, but I really wanted to get this one out so I’m making it live late in the day on a Monday. Here’s hoping I’ve included some content below that you find useful!

Networking

I was (and am) familiar with RFC 1918 and the concept of non-routable address spaces. However, I was not familiar with the term “bogons” to refer to such prefixes that should not be publicly routed. Thanks to this article, that oversight is now corrected. Oh, and the article shares a handy Python script to help implement bogon filtering in NSX-T.
Koyeb describes, at a high level, the global networking stack for their serverless platform. Components involved include the open source Kuma service mesh (in turn leveraging Envoy), anycast BGP, and mutual TLS (mTLS).
Ivan Pepelnjak does a great job of describing all the things you really shouldn’t do (or don’t really need to do) when trying to deal with migrating container hosts in a data center fabric. In truth, the answer is exactly as Ivan says at the top of the article: when it comes to Continue reading

MWC: Microsoft expands 5G, edge-network offerings through Azure

Microsoft announced a range of new carrier infrastructure offerings through Azure, including services for private 5G enterpise networks, at this week’s Mobile World Congress, in a move designed to bolster the company’s position as a partner to the telecom industry as 5G and edge computing deployments progess.To read this article in full, please click here

MWC: Microsoft expands 5G, edge-network offerings through Azure

Cloud Engineering For The Network Pro: Part 3 – VPCs And Virtual Networks (Video)

The next installment of Michael Levan’s series on networking in public clouds walks through how to set up a VPC (Virtual Private Cloud) in AWS and a VNet (Virtual Network) in Microsoft Azure. You can subscribe to the Packet Pushers’ YouTube channel for more videos as they are published. It’s a diverse a mix of […]

The post Cloud Engineering For The Network Pro: Part 3 – VPCs And Virtual Networks (Video) appeared first on Packet Pushers.

Tech Bytes: How Fortinet’s FortiGuard Labs Turns Billions Of Security Events Into Intelligence (Sponsored)

Today’s Tech Bytes podcast explores threat intelligence with sponsor Fortinet and its FortiGuard Labs. FortiGuard Labs analyzes billions of global security events daily and distills them into actionable information for network and security teams. Fortinet also uses those events to inform security updates to its products.

Tech Bytes: How Fortinet’s FortiGuard Labs Turns Billions Of Security Events Into Intelligence (Sponsored)

The post Tech Bytes: How Fortinet’s FortiGuard Labs Turns Billions Of Security Events Into Intelligence (Sponsored) appeared first on Packet Pushers.

Aurora In A Socket: What Intel’s “Falcon Shores” XPU Might Do

We are still chewing through some of the announcements that came out of Intel Investor Day and the ISSCC 2022 chip conference, and one of the things we want to circle back on is the “Falcon Shores” hybrid CPU-GPU that Intel is working on for future servers. …

Aurora In A Socket: What Intel’s “Falcon Shores” XPU Might Do was written by Timothy Prickett Morgan at The Next Platform.

VMware And NVIDIA Focus On The Far Edge To Host Network Services On SmartNICs

This post originally appeared on the Packet Pushers’ Ignition site on October 19, 2020. The network edge is desirable new territory for software and hardware vendors. The objective is to get compute, networking, storage, and security features as close as possible to data sources and data-hungry applications. VMware and NVIDIA have launched new initiatives to […]

The post VMware And NVIDIA Focus On The Far Edge To Host Network Services On SmartNICs appeared first on Packet Pushers.

Network Break 371: Arista Turns Campus Switch Into NDR Sensor; Mikrotik Puts A Router On A PCIe Card

Take a Network Break! This week we examine how Arista is turning a campus switch into a sensor for network detection and response, a new PCIe card from Mikrotik running router software, a Dell/Marvell partnership on hardware for Open RAN gear, Cisco and Dell financial results, potential equipment danger from solar flares, and more.

Topology aware fabric analytics

Real-time telemetry from a 5 stage Clos fabric describes how to emulate and monitor the topology shown above using Containerlab and sFlow-RT. This article extends the example to demonstrate how topology awareness enhances analytics.

docker run --rm -it --privileged --network host --pid="host" \
  -v /var/run/docker.sock:/var/run/docker.sock -v /run/netns:/run/netns \
  -v ~/clab:/home/clab -w /home/clab \
  ghcr.io/srl-labs/clab bash

Start Containerlab.

curl -O https://raw.githubusercontent.com/sflow-rt/containerlab/master/clos5.yml

Download the Containerlab topology file.

sed -i "s/prometheus/topology/g" clos5.yml

Change the sFlow-RT image from sflow/prometheus to sflow/topology in the Containerlab topology. The sflow/topology image packages sFlow-RT with useful applications that combine topology awareness with analytics.

containerlab deploy -t clos5.yml

Deploy the topology.

curl -O https://raw.githubusercontent.com/sflow-rt/containerlab/master/clos5.json

Download the sFlow-RT topology file.

curl -X PUT -H "Content-Type: application/json" -d @clos5.json \
http://localhost:8008/topology/json

Post the topology to sFlow-RT.

Connect to the sFlow-RT Topology application, http://localhost:8008/app/topology/html/. The dashboard confirms that all the links and nodes in the topology are streaming telemetry. There is currently no traffic on the network, so none of the nodes in the topology are sending flow data.

docker exec -it clab-clos5-h1 iperf3 -c 172.16.4.2

Generate traffic. You should see the Nodes No Flows number drop Continue reading

Performance Improvements in Automation Controller 4.1

Red Hat Ansible Automation Platform 2 is the next generation automation platform from Red Hat’s trusted enterprise technology experts. With the release of Ansible Automation Platform 2.1, users now have access to the latest control plane – automation controller 4.1.

Automation controller helps standardize how automation is deployed, initiated, delegated, and audited, allowing enterprises to automate with confidence while reducing sprawl and variance. Users can manage inventory, launch and schedule workflows, track changes, and integrate into reporting, all from a centralized user interface and RESTful API.

Automation controller 4.1 provides significant performance improvements when compared to its predecessor Ansible Tower 3.8. To put this into context, we used Ansible Tower 3.8 to run jobs, capture various metrics while jobs were running/finished, and compare that with automation controller 4.1. This post highlights the significant performance improvements in automation controller 4.1.

Benchmark framework

In order to deep dive into the prospective performance enhancements with the latest automation controller, we at the performance engineering team at Red Hat created a benchmarking framework consisting of the following workflow:

Installation of RHEL 8.3 virtual machines with 4 CPU and 16 GB RAM deployed within the IBM Cloud
Continue reading

How 6 top SD-WAN and SASE vendors are evolving

As the COVID-19 pandemic drags on and continues to impact the way people work, SD-WAN vendors are responding by investing heavily in new capabilities that extend the enterprise edge to wherever workers happen to be—branches, campuses, home offices, co-working spaces, mobile, etc.The main thrust of this evolution in SD-WAN technology is the merger of networking and security functions into a single platform, which most vendors now call Secure Access Service Edge (SASE).Who’s selling SASE, and what do you get? SASE, a term coined by Gartner in 2019, converges SD-WAN with basic security offerings, including encryption, anti-malware, and firewalls, while adding advanced services, such as Next-Generation Firewall (NGFW), Firewall-as-a-Service (FWaaS), Data Leak Prevention (DLP), Secure Internet Gateway (SIG), and Zero Trust Network Access (ZTNA).To read this article in full, please click here

Running a Ubuntu VM on a Mac M1

If you’re brand-new to Python and Ansible, you might be a bit reluctant to install a bunch of packages and Ansible collections on your production laptop to start building your automation skills. The usual recommendation I make to get past that hurdle is to create a Ubuntu virtual machine that can be destroyed every time to mess it up.

Creating a virtual machine is trivial on Linux and MacOS with Intel CPU (install VirtualBox and Vagrant). The same toolset no longer works on newer Macs with M1 CPU (VMware Fusion is in tech preview, so we’re getting there), but there’s an amazingly simple alternative: Multipass by Canonical.