October 06, 2015

Potaroo blog

DNS OARC Fall 2015 Workshop Report

The DNS Operations, Analysis and Research Centre holds a two-day workshop twice a year. These are my impressions of the Fall 2015 workshop, held at the start of October in Montreal.

October 06, 2015 12:00 PM

October 05, 2015


A Few Points About VMware EVO SDDC Networking

A Packet Pushers listener who heard us chatting about VMware's EVO SDDC solution raised a few concerns about the networking functionality in the current version of EVO SDDC. I was able to talk briefly with Krish Sivakumar, Director of Product Marketing, EVO SDDC & Ven Immani, Senior Technical Marketing Engineer, EVO SDDC at VMware to help clarify some of the issues.

by Ethan Banks at October 05, 2015 09:35 PM

Interop 2016: Introducing The Future of Networking Track @interop

For the last several North American Interop conferences, I have been the Infrastructure track chair or co-chair. For Interop Las Vegas 2016, I will be doing something else. Greg Ferro and I are working together to create a new premium track titled The Future of Networking.

by Ethan Banks at October 05, 2015 07:53 PM

Networking Now (Juniper Blog)

Network Security: It’s a Zero-Sum Game

Make sure you win it with Juniper’s new network security solutions.


Cybercriminals. They’re inside your network perimeter. Already.


Read about Juniper's security innovations within the newly announced Juniper Unite architecture.

by rajoon at October 05, 2015 06:30 PM

Network Design and Architecture

Network Design Best Practices – Simplicity

Network design should be simple. Simplicity is the first of the network design best practices which I want you to remember. If you have been in the field for long enough, you have probably heard of the KISS principle. If you are a good follower of my blog, you may have heard of the SUCK principle as well. KISS stands for…

The post Network Design Best Practices – Simplicity appeared first on Network Design and Architecture.

by orhanergun at October 05, 2015 05:13 PM

Networking Now (Juniper Blog)

IPv6 Dominance Will Come on a Weekend

Are you ready?

If you are not doing IPv6 today, you're probably negatively impacting your users.

by bshelton at October 05, 2015 02:19 PM

Potaroo blog

Some Thoughts on the Open Internet

I’m sure we’ve all heard about "the Open Internet." The expression builds upon a rich pedigree of the term "open" in various contexts. We seem to have developed this connotation that "open" is some positive attribute, and when we use the expression of the "Open Internet" it seems that we are lauding it in some way. But in what way? So let’s ask the question: What does the "Open Internet" mean?

October 05, 2015 01:00 PM

October 01, 2015

Networking Now (Juniper Blog)

Eight Ways to Heighten Cybersecurity

As our world has become ever more connected, we’ve all learned common online safety tips. It’s now second nature to use strong passwords and antivirus software; take care when connecting to public Wi-Fi; and remain alert to social engineering scams (e.g., phishing).

by bworrall at October 01, 2015 01:00 PM

In Search of Tech

In Pursuit of the CCIE

Just a short post to let you know this blog is not dead. I have not written anything in several months. While I have several posts that are partially complete, I have not been able to finish them… yet.

For the past several months, I have been busy studying for the CCIE Wireless lab exam. Prior to that, I was sort of working towards the CCIE Route/Switch written and lab exam. I wasn’t fully committed, so my studying was sporadic at best. My heart just wasn’t in forcing myself to learn more about IPv6, multicast, MPLS, and some of the other blueprint items.

Somewhere along the line it changed. Maybe it was having another co-worker who was serious in his pursuit of the CCIE Wireless. Maybe it was that my job working for a reseller had me doing more and more Cisco wireless work. Maybe I just liked the fact that wireless was hard. I’m not really sure. I just know that at some point, a switch flipped inside my head and I just decided to go all in on my studies. Honestly, I should have done this years ago, but the timing just didn’t seem right.

I’ve been studying most nights every week for a few months. I don’t sleep a whole lot these days. A lot of times, I fall asleep in my chair up in my office and don’t wake up until my wife comes up to check on me. On those nights when I do make it to my bed, I think about the lab blueprint until my brain finally shuts down and I drift off to dream. I have dreams about odd things like wireless authentication. My thoughts are always on the lab. Whether I am in a meeting with a client, sitting in church, or just driving down the road, it consumes me.

I’m constantly fighting off the voices in the back of my mind telling me to stop and go back to life as it was before the study urges took over. I have a wife and two kids. I have a job that demands a decent level of performance mentally. I travel a fair amount for work. I work odd hours. I am fairly active in my local church. I also make a decent living, so passing the lab doesn’t mean a massive pay raise for me. There are so many reasons I shouldn’t do this, and they almost overshadow the reasons that I should.

On the positive side, I am convinced there are doors that will not open career-wise without the CCIE. Will I make more money after passing the lab? Probably. Will I have more recruiters and HR folks pinging me on LinkedIn? Yes. Will I have interesting career choices cross my path? Probably. I’m not planning on doing anything different work-wise after I pass, but as any of you who have CCIE digits know, you have more options.

Those are all well and good, but if there is one reason I want to pass the lab, it is related to a quote attributed to John F. Kennedy from a speech he gave in 1962 regarding the USA’s attempts to land on the moon:

“We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard.”

That’s it in a nutshell. I need to know if I can push myself to finish something that, on the surface, seems impossible. When I was 15 years old, I ran a mile (1600 meters) in 4 minutes and 56 seconds on a dirt track in Hawaii. I had been trying to break 5 minutes for a while at that point. I remember that race vividly. I had a great running coach that trained me well. I put in a lot of miles on hills and roads leading up to that point, and I only mentioned the locale (Hawaii) to give you an idea of what kind of “hills” I was referring to. It was the end of our track season and I was in peak shape. Had it been a rubber track, I could have probably run it 5 or 6 seconds faster. It doesn’t matter though. I broke 5 minutes. For some, that is not a big deal. For a kid who had asthma at a younger age, that was huge. It will always be one of my favorite moments in my life, taking a back seat to only the birth of my children and the marriage to my wife.

I am always telling my kids that they can be anything they want to be as long as they are willing to work hard for it. I can tell them all day long. It’s better if I show them through example. I’ll find out in 18 days when I sit the lab for the first time. I may go back several more times before I pass it, but I am prepared to do that.

Nobody ever talks to me about my sub-5 minute mile I ran. In fact, my father was the only one in my family who witnessed it. When, and it is a “when”, I pass the CCIE Wireless lab, most of the people in my day to day life, outside of work, will not even know what that is. I am perfectly fine with that. I’m not doing this for accolades or pats on the back. I’m doing this for me, and also to secure a potentially greater ability to provide for my family.

When it is over, I will take a break from studying. I’ll stop reading technical books for a few months, and not think about this stuff too much outside of my work hours. I have several hundred books I have put off reading for several years. I also have 60 years of National Geographic magazines that a friend gave me that are sitting in my office closet begging to be read. After a few months and a few dozen books and magazines, I will get back on the study “horse” and push towards the Aruba ACMX.

While I would have loved to create a bunch of blog posts documenting the technical aspects of my studies, I made the decision to devote that time to studying. Anyone who has written even one technical post knows how much time those things take. I am very grateful for people like Rasika who took the time to document all of their studies. If you are studying for the CCIE Wireless as well, you are probably already familiar with his excellent site. Much of that content applies to the version 3 lab blueprint.

Just wanted to put something up here to let you know I have not abandoned this site. I’m still around. I’m just busy studying.


by Matthew Norwood at October 01, 2015 06:52 AM

September 30, 2015

Potaroo blog

Measuring the Root KSK Keyroll

A little over five years ago the root zone of the DNS was signed with DNSSEC for the first time. At the time the Root Zone operators promised to execute a change of key in five years' time. It's now that time and we are contemplating a roll of the root key of the DNS. The problem is that we believe that there are a number of resolvers that are not going to follow the implicit signalling of a new key value. So for some users, for some domain names, things will go dark when this key is rolled. Is there any way to predict in advance how big a problem this will be?

September 30, 2015 06:30 AM

September 29, 2015

The Networking Nerd

Premise vs. Premises


If you’ve listened to a technology presentation in the past two years that included discussion of cloud computing, you’ve probably become embroiled in the ongoing war of the usage of the word premises or the shift of people using the word premise in its stead. This battle has raged for many months now, with the premises side of the argument refusing to give ground and watch a word be totally redefined. So where is this all coming from?

The Premise of Your Premises

The etymology of these two words is actually linked, as you might expect. Premise is the first to appear in the late 14th century. It traces from the Old French premisse which is derived from the Medieval Latin premissa, which are both defined as “a previous proposition from which another follows”.

The appearance of premises comes from the use of premise in legal documents in the 15th century. In those documents, a premise was a “matter previously stated”. More often than not, that referred to some kind of property like a house or a building. Over time, that came to be known as a premises.

Where the breakdown starts happening is recently in technology. We live in a world where brevity is important. The more information we can convey in a brief period the better we can be understood by our peers. Just look at the walking briefing scenes from The West Wing to get an idea of how we must compress and rapidly deliver ideas today. In an effort to save precious syllables during a presentation, I’m sure some CTO or Senior Engineer compressed premises into premise. And as we often do in technology, this presentation style and wording was copied ad infinitum by imitators and competitors alike.

Now, we stand on the verge of premise being redefined. This has a precedent in recent linguistics. The word literally has recently been changed from the standard definition of “in a literal sense” or describing something as it actually happened into an informal usage of “emphasizing strong feeling while not being literally true”. This change has grammar nerds and linguistics people at odds. Some argue that language evolves over time to include new meanings. Others claim that changing a word to be defined as the exact opposite meaning is a perversion and is wrong.

The Site of Your Ideas

Perhaps the real solution to this problem is to get rid of the $2 words when a $.50 word will do just fine. Instead of talking about on-premises cloud deployments, how about referring to them as on-site? Instead of talking about the premise behind creating a hybrid cloud, why not refer to the idea behind it (especially when you consider that the strict definition of premise doesn’t really mean idea).

By excising these words from your vocabulary now, you lose the risk of using them improperly. You even get to save a syllable here and there. If word economy is truly the goal, the aim should be to use the most precise word with the least amount of effort. If you are parroting a presentation from Amazon or Google and keep referring to on-premise computing you are doing a disservice to people that are listening to you and will carry your message forward to new groups of listeners.

Tom’s Take

If you’re going to insist on using premises and premise, please make sure you get them right. It takes less than a second to add the missing “s” to the end of that idea and make it a real place. Otherwise you’re going to come off sounding like you don’t know what you’re talking about. Kind of like this (definitely not safe for work):

Instead, let’s move past using these terms and get back to something more simple and straightforward. Sites can never be confused for ideas. It may be more direct and less flashy to say on-site but you never have to worry about using the wrong term or getting the grammarians on your bad side. And that’s a premise worth believing in.


by networkingnerd at September 29, 2015 04:50 AM

September 28, 2015

My Etherealmind

Teaching AND Training Are Education

Training isn't enough. You need some teaching too.

The post Teaching AND Training Are Education appeared first on EtherealMind.

by Greg Ferro at September 28, 2015 05:44 PM

Renesys Blog

Iran: Latest Nation to Host Critical Global Internet Infrastructure


As crippling economic sanctions are poised to be lifted by the United States, Iran is starting to emerge from its isolation as a regional and, in a very limited sense, global Internet player.  Iran continues to methodically build out its Internet infrastructure, working on its domestic connectivity (including IPv6), providing service to neighboring countries (such as Iraq and Afghanistan), stockpiling limited IPv4 address space, and providing a strategic terrestrial alternative to vulnerable submarine cables.

Recently, Iran began hosting a root DNS server, thereby potentially providing this critical service to the rest of the world.  In this blog, we’ll explore some of these latest developments and their challenges.  In November, European Internet registrar RIPE will hold its regional operator meeting (MENOG) in Tehran, where attendees from around the world will learn firsthand about recent developments in the fast-growing Iranian Internet.

K-root Debuts in Iran

As most readers of this blog will know, when you access any resource on the Internet by name (e.g., www.cnn.com), your computer must first convert this name into an IP address, which it then uses to gain access to the resource you’ve requested. The process of converting names to IP addresses relies on a distributed hierarchy of servers, each responsible for only a subset of names, with the root name servers at the top of this heap. The root servers tell you how to reach the top-level domains, like .com, .gov, or .uk, and from there you can work your way down the hierarchy to find what you want. This is why the root name servers are so important. They are the starting point for navigating the Internet. There are 13 root server IP addresses — each of which is known by a single letter (A through M) — and there are hundreds of instances of these servers, distributed throughout the world.

A few weeks ago, we noticed an instance of the K-root appearing in Iran, filling in an important geographic gap in root server coverage, as shown below.


The route to the K-root in Iran makes its way into the global routing table via the Telecommunications Infrastructure Company, TIC (formerly, DCI), the country’s incumbent telecommunications provider.  Although TIC attempts to limit propagation of this route (via prepending its AS four times in the corresponding BGP announcement), it is accepted by Omantel, one of TIC’s international providers, and from there propagates out to the rest of the Internet.  A routing-level map of Iran’s Internet is shown below, highlighting the importance of TIC (AS48159 and AS12880, red ovals) to the country’s connectivity.


Once Iran’s K-root route makes it outside the country, it is free to be picked up (or not) by any service provider anywhere in the world — exactly as intended.  We’re seeing routes to Iran from major economies as diverse as India and the United States.  In fact, two of India’s major providers, Bharti Airtel (AS9498) and Tata Communications (AS4755), carry this route. The next two graphics illustrate the move from India and Russia to Tehran for K-root service from providers in Mumbai and Delhi, India, along with a considerable decrease in performance.

[Figures: Mumbai-K-root-Iran; Delhi-K-root-Iran]

Unfortunately, along with the decrease in performance to the K-root in Iran, we’re also observing an extremely high rate of failure to answer DNS queries, presumably due to congested international links or, perhaps, overloaded DNS root servers.  We’re not the first to observe DNS traffic leaving India for Iran, despite the existence of quite a few root nameservers in India, including the K root.  That’s just how Internet routing works sometimes — there should be no expectation of geographic locality for your Internet traffic.  (In particular, there is considerable uncertainty around anycast routing.  See our presentation here for more details.)


Staying with India as an example, we next consider Dyn’s servers in Bangalore, Chennai, Delhi and Mumbai.  Some of these servers are routed to the K-root in Iran, while others are routed to K-root servers in other locations.  (We’ll call the latter set our control group.)  From both of these two sets of servers, we ran numerous queries to all of the 13 root servers over the course of a day and recorded the answers and the failures.  While all of the root servers showed some very low levels of failure from India, only the K-root instance in Iran consistently failed to respond.  Failure rates for this Iranian server can consistently hover around 50%, which is terrible by any standard.


On the bright side, unlike the case when Chinese root nameservers were globally reachable, we see no evidence of Iranian censorship via poisoned DNS responses.  When the K-root in Iran does respond, it faithfully provides the correct answers.

Western Connectivity into Iran

In perhaps the most surprising recent development, on 10 June 2015, we observed McLean, Virginia-based GTT Communications (GTT) initiating service into Iran via the Gulf Bridge International (GBI) cable.  As shown below, GBI runs a submarine cable system linking up the Gulf region to Europe and Asia, and maintains a cable landing in the port city of Bushehr, Iran.  In addition, GBI has publicly announced their partnership with GTT.

[Figures: GBI-International; GBI-Regional]


The next graphic illustrates the transit percentages for Iran’s TIC (AS48159) over time, as computed by Dyn’s IP Transit Intelligence product.  The percentage of routes carried by GTT (AS3257) grows quickly after its introduction, at the expense of a number of its competitors.  (This plot includes a normalized (upper) and absolute (lower) representation of the amount of routed address space announced through TIC’s various international carriers over recent months.)


The following example trace illustrates the path from GTT into Iran via the GBI gateway. Routers on Iran’s border are often unresponsive to trace probes and are indicated here at hops 14 — 18 with *’s.


Iran Buying and Selling IPv4 Address Space

As we’ve noted previously, Iran has been an active participant in the IPv4 transfer market, recently acquiring nearly two million addresses of this increasingly scarce commodity.  (Iran has acquired nearly 800,000 IPv4 addresses since we first broke this story in April and it was covered by the Washington Post.)  Iran is also an exporter, having transferred some of their address space to Syria, as shown on RIPE’s IPv4 transfer page, a snippet of which is reproduced below.


None of this space was routed before being acquired by the Syrians, but is now originated by STE, Syrian Telecommunications Establishment (AS29256).  Regardless of the penetration of IPv6 (still low by any objective standard), when most of the world’s content and users remain exclusively on IPv4 and its very limited pool of available addresses, IPv4-rich nations will continue to have a decided advantage over those who are IPv4-poor.


While Iran is making all of the right strategic moves, it still has a long way to go to become much of a global or even regional player on the Internet.  Despite being in an ideal central geographic location in the Middle East, Iran has few customers outside the country.  And, as our K-root example illustrates, performance into the country remains quite poor, undoubtedly inhibiting the growth of Iran’s Internet economy.  Were it not for economic sanctions against the country, it would certainly be better-connected to the regional and global Internet.


But there is no magic to discovering Internet connectivity and performance issues and then fixing them.  With a globally diversified sensor network, good tools and detailed analysis, anyone can explore the pathways and problems that Internet traffic encounters as it flows from place to place.  Dyn’s Internet Intelligence family of products puts sophisticated Internet infrastructure mapping, measurement, and monitoring technology in the hands of IT professionals.  Try it for yourself!

A translation of this blog is available in Farsi courtesy of ASL19:

Please see follow-up analysis by Anurag Bharti and RIPE Labs:

The post Iran: Latest Nation to Host Critical Global Internet Infrastructure appeared first on Dyn Research.

by Earl Zmijewski at September 28, 2015 03:25 PM
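
The comparison described in the post above (the same root queries sent from vantage points routed to the K-root instance in Iran and from a control group, then failure rates and answer checks) can be sketched as follows. This is an added example, not code from the original post or from Dyn; the probe records, vantage names, instance labels and NS names are all constructed, and the flagging thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed reference answer for the probed TLD (not real name servers).
REFERENCE_NS = frozenset({"ns1.tld.example.", "ns2.tld.example."})


def make_probes():
    """Build constructed probe records: (vantage, root_letter, instance, answer).

    answer is None for a timeout, otherwise the set of NS names returned.
    """
    # Hypothetical routing: two vantage points reach the instance under test,
    # two reach a different K-root instance (the control group).
    routing = {"vp-1": "k-test", "vp-2": "k-test",
               "vp-3": "k-control", "vp-4": "k-control"}
    probes = []
    for vp, k_instance in routing.items():
        for i in range(100):
            if k_instance == "k-test":
                k_answer = REFERENCE_NS if i % 2 else None  # every other query lost
            else:
                k_answer = REFERENCE_NS if i != 0 else None  # 1 in 100 lost
            probes.append((vp, "K", k_instance, k_answer))
            # A second root letter seen from every vantage point, as a baseline.
            probes.append((vp, "F", "f-any", REFERENCE_NS if i != 50 else None))
    return probes


def failure_rates(probes):
    """Fraction of unanswered queries per (root_letter, instance)."""
    sent, lost = defaultdict(int), defaultdict(int)
    for _vp, letter, instance, answer in probes:
        sent[(letter, instance)] += 1
        if answer is None:
            lost[(letter, instance)] += 1
    return {key: lost[key] / sent[key] for key in sent}


def flag_instances(rates, factor=10.0, floor=0.05):
    """Instances whose loss exceeds an absolute floor and factor x the median."""
    median = statistics.median(rates.values())
    return sorted(k for k, r in rates.items() if r >= floor and r > factor * median)


def mismatched_answers(probes, reference):
    """Probes that did answer, but with data differing from the reference.

    Timeouts are a reachability problem; a differing answer is what a
    poisoned or censoring responder would produce, so keep the two apart.
    """
    return [(vp, letter, inst) for vp, letter, inst, ans in probes
            if ans is not None and ans != reference]


if __name__ == "__main__":
    probes = make_probes()
    rates = failure_rates(probes)
    for key, rate in sorted(rates.items()):
        print(key, f"{rate:.0%}")
    print("flagged:", flag_instances(rates))
    print("answer mismatches:", mismatched_answers(probes, REFERENCE_NS))
```

Keeping timeouts and wrong answers in separate checks mirrors the post's two findings: high loss from the Iranian instance, but correct data whenever it responds.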
