NetworkingNexus.net

Packet Actions – Python and Scapy

Hello and welcome to the “Packet Actions” series of blog posts. I’d like to spend a few posts talking through how you can programmatically integrate with a network dataplane. I had thrown around the idea of calling this series “Doing things with packets” but that seemed a bit long and also could mean just about anything. So what does Packet Actions mean? Well – its the shortest way I could come up with to say “Looking at packets on the wire and doing things based on what you see in the packet”. To discuss this further I’d like to talk about the often made analogy of network engineers being plumbers – an analogy that makes fairly good sense in most cases. For instance, network engineers create the paths for data to flow – plumbers make paths for water to flow. Additionally both need to make sure that there are no blockages or issues with handling the amount of data or water that needs to flow through the pipes. Going a step further – plumbers might use a diagnostic tool like a scope to physically look inside the pipes if theres a blockage or issue so they can see what’s going Continue reading

Open-source: Get SLAs to protect network apps with open-source components

The continuous influx of open-source software (OSS) into enterprise IT departments is, in many ways, an enormous boon to both vendors and users. For the former, the ability to use open source components means getting rid of a great deal of duplicative effort—rather than having to design every part of, say, an IoT sensor and monitoring product from scratch, a vendor can adopt a well-understood, well-supported open source library for its networking stack, and focus more of its attention on the sensing and data analysis features that will set the product apart from its competitors.For end-users, one of the chief advantages is—at least in theory—the improved security that’s part of the usual sales pitch for open source software. The idea here is that the open nature of a piece of software—and the fact that anyone can look at it to discover and correct security flaws—means that it’s generally going to be more secure than a proprietary equivalent.To read this article in full, please click here

Open-source: Get SLAs to protect network apps with open-source components

Single-Metric Unequal-Cost Multipathing Is Hard

A while ago, we discussed whether unequal-cost multipathing (UCMP) makes sense (TL&DR: rarely), and whether we could implement it in link-state routing protocols (TL&DR: yes). Even though we could modify OSPF or IS-IS to support UCMP, and Cisco IOS XR even implemented those changes (they are not exactly widely used), the results are… suboptimal.

Imagine a simple network with four nodes, three equal-bandwidth links, and a link that has half the bandwidth of the other three:

Single-Metric Unequal-Cost Multipathing Is Hard

A while ago we discussed whether unequal-cost multipathing (UCMP) makes sense (TL&DR: rarely), and whether we could implement it in link-state routing protocols (TL&DR: yes). Even though we could modify OSPF or IS-IS to support UCMP, and Cisco IOS XR even implemented those changes (they are not exactly widely used), the results are… suboptimal.

Imagine a simple network with four nodes, three equal-bandwidth links, and a link that has half the bandwidth of the other three:

The Week in Internet News: Russia Hackers Target Human Rights Groups

Targeted attacks: A Russian hacking group is targeting international aid and human rights organizations, according to Microsoft, Al Jazeera reports. The recent attacks, from the Nobelium group, targeted about 3,000 email accounts of more than 150 organizations spanning 24 countries. Nobelium is blamed for the recent SolarWinds attacks as well. The group gained access to […]

The post The Week in Internet News: Russia Hackers Target Human Rights Groups appeared first on Internet Society.

Illusory Correlation and Security

Fear sells. Fear of missing out, fear of being an imposter, fear of crime, fear of injury, fear of sickness … we can all think of times when people we know (or worse, a people in the throes of madness of crowds) have made really bad decisions because they were afraid of something. Bruce Schneier has documented this a number of times. For instance: “it’s smart politics to exaggerate terrorist threats” and “fear makes people deferential, docile, and distrustful, and both politicians and marketers have learned to take advantage of this.” Here is a paper comparing the risk of death in a bathtub to death because of a terrorist attack—bathtubs win.

But while fear sells, the desire to appear unafraid also sells—and it conditions people’s behavior much more than we might think. For instance, we often say of surveillance “if you have done nothing wrong, you have nothing to hide”—a bit of meaningless bravado. What does this latter attitude—“I don’t have anything to worry about”—cause in terms of security?

Several attempts at researching this phenomenon have come to the same conclusion: average users will often intentionally not use things they see someone they perceive as paranoid using. Continue reading

Troubleshooting your bash scripts

If you run into problems building, testing or running complex bash scripts, don't lose heart. There are many ways you can help ensure that your scripts will work flawlessly. In this post, we'll examine some ways you can lessen the likelihood of errors and how to go about doing some simple but very effective troubleshooting.Through a combination of robust logic that tests for possible problems and some troubleshooting to help detect errors, your scripts are likely to be ready for showtime very quickly.Summarizing your command-line usage on Linux Building the outer edges first One way to avoid syntactical errors in scripts is to start your for and while loops, case statements and if/then commands using the outer logic first. If you start your script logic using a syntactical "skeleton", you won't forget to end it properly.To read this article in full, please click here

Make sure your laptop backups can handle ransomware

With increasingly mobile workforces, it’s important to effectively backup corporate data that resides on laptops, which requires a unique set of features not found in traditional backup systems used for desktops attached to corporate LANs.Laptops have all the functionality of desktops, but are readily lost or stolen, have limited bandwidth for connectivity to corporate resources, and can spend unpredictable spans of time disconnected or turned off. So it’s important to find backup options that meet these challenges, which can also include ransomware attacks.Backup lessons from a cloud-storage disaster Backing up laptops properly also makes upgrading them much easier, especially in the world of remote work. A good backup system can restore a user’s profile and data, and makes replacing a laptop much simpler for both the IT department and the person whose laptop is being replaced. With the right system in place, all you have to do is ship them a new laptop. They can restore their own profile and data without IT intervention, saving time, effort, and a lot of money.To read this article in full, please click here

Make sure your laptop backups can handle ransomware

Troubleshooting your bash scripts

netsim-tools release 0.7: Cumulus VX, EIGRP, and BGP IPv6 AF

netsim-tools release 0.7 is published, bringing you the following goodies (including stuff published a week ago as release 0.6.3):

Cumulus VX support on libvirt and virtualbox.
EIGRP configuration module
BGP IPv6 address family
Controlled BGP community propagation

Other changes include:

netsim-tools release 0.7: Cumulus VX, EIGRP, and BGP IPv6 AF

netsim-tools release 0.7 is published, bringing you the following goodies (including stuff published a week ago as release 0.6.3):

Cumulus VX support on libvirt and virtualbox.
EIGRP configuration module
BGP IPv6 address family
Controlled BGP community propagation

Other changes include:

VyControl Installation on Standalone VyOS Router

So far, we have discussed both the manual and Docker methods of installing VyControl. The manual method consists of cloning the VyOS git repository and installing Python dependencies in a virtual environment. The Docker method is based on downloding VyControl Docker image from Docker hub and launching the container. In both cases, VyOS controller is […]
Continue reading...

Worth Reading: Azure Datacenter Switch Failures

Microsoft engineers published an analysis of switch failures in 130 Azure regions (review of the article, The Next Platform summary):

A data center switch has a 2% chance of failing in 3 months (= less than 10% per year);
~60% of the failures are caused by hardware faults or power failures, another 17% are software bugs;
50% of failures lasted less than 6 minutes (obviously crashes or power glitches followed by a reboot).
Switches running SONiC had lower failure rate than switches running vendor NOS on the same hardware. Looks like bloatware results in more bugs, and taking months to fix bugs results in more crashes. Who would have thought…

Worth Reading: Azure Datacenter Switch Failures

Microsoft engineers published an analysis of switch failures in 130 Azure regions (review of the article, The Next Platform summary):

A data center switch has a 2% chance of failing in 3 months (= less than 10% per year);
~60% of the failures are caused by hardware faults or power failures, another 17% are software bugs;
50% of failures lasted less than 6 minutes (obviously crashes or power glitches followed by a reboot).
Switches running SONiC had lower failure rate than switches running vendor NOS on the same hardware. Looks like bloatware results in more bugs, and taking months to fix bugs results in more crashes. Who would have thought…

Tools 7. Show me your packets … with TCP dump

Hello my friend,

When something goes wrong with the distributed application, where the network is involved (e.g., between client and web service, or between frontend and backend of services), the network is a first thing to be blamed. After the troubleshooting, it is often turned out that the network is innocent, but we need first need to prove it.


1
2
3
4
5
No part of this blogpost could be reproduced, stored in a 

retrieval system, or transmitted in any form or by any 

means, electronic, mechanical or photocopying, recording, 

or otherwise, for commercial purposes without the 

prior permission of the author.

Automated troubleshooting for automated networks?

The truth is that automation helped me so many times to figure out the root cause of the network outages or malfunctions that I even stopped counting that. I may say that automaton solutions work perfect, if you create them to solve your issues and tailor to your environment.

That’s what our Live Network Automation Training (10 weeks) and Automation with Nornir (2 weeks) are all about: to show you real automation in a real environment with multiple vendors together. No matter what those vendors are, the automation principles, tools Continue reading

Worth Reading: Running BGP in Large-Scale Data Centers

Here’s one of the major differences between Facebook and Google: one of them publishes research papers with helpful and actionable information, the other uses publications as recruitment drive full of we’re so awesome but you have to trust us – we’re not sharing the crucial details.

Recent data point: Facebook published an interesting paper describing their data center BGP design. Absolutely worth reading.

Just in case you haven’t realized: Petr Lapukhov of the RFC 7938 fame moved from Microsoft to Facebook a few years ago. Coincidence? I think not.

Worth Reading: Running BGP in Large-Scale Data Centers

Recent data point: Facebook published an interesting paper describing their data center BGP design. Absolutely worth reading.

Just in case you haven’t realized: Petr Lapukhov of the RFC 7938 fame moved from Microsoft to Facebook a few years ago. Coincidence? I think not.

QUIC Version 1 is live on Cloudflare

On May 27 2021, the Internet Engineering Task Force published RFC 9000 - the standardarized version of the QUIC transport protocol. The QUIC Working Group declared themselves done by issuing a Last Call 7 months ago. The i's have been dotted and the t's crossed, RFC 8999 - RFC 9002 are a suite of documents that capture years of engineering design and testing of QUIC. This marks a big occasion.

And today, one day later, we’ve made the standardized version of QUIC available to Cloudflare customers.

Transport protocols have a history of being hard to deploy on the Internet. QUIC overcomes this challenge by basing itself on top of UDP. Compared to TCP, QUIC has security by default, protecting almost all bytes from prying eyes or "helpful" middleboxes that can end up making things worse. It has designed-in features that speed up connection handshakes and mitigate the performance perils that can strike on networks that suffer loss or delays. It is pluggable, providing clear standardised extensions point that will allow smooth, iterative development and deployment of new features or performance enhancements for years to come.

The killer feature of QUIC, however, is that it is deployable in reality. We are Continue reading

« Previous 1 … 734 735 736 737 738 … 3,856 Next »