January 23, 2019

My Etherealmind
Honest Networker

Keeping Brocade MLXs alive 2019


by ohseuch4aeji4xar at January 23, 2019 11:34 AM

ipSpace.net Blog (Ivan Pepelnjak)

Network Automation Is More than Just Ansible

One of the attendees of my Building Network Automation Solutions online course sent me this suggestion:

Stick to JUST Ansible - no GitHub, Vagrant, Docker or even Python - all of which come with their own significant learning curves.

While I understand how overwhelming the full-blown network automation landscape is to someone who has never touched programming, you have to make a hard choice when you decide to start the learning process: do you want to master a single tool, or understand a whole new technology area and be able to select the best tool for the job on an as-needed basis?

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 23, 2019 10:23 AM

Q-in-Q Support in Multi-Site EVPN

One of my subscribers sent me a question along these lines (heavily abridged):

My customer is running a colocation business, and has to provide L2 connectivity between racks, sometimes even across multiple data centers. They were using Q-in-Q to deliver that in a traditional fabric, and would like to replace that with multi-site EVPN fabric with ~100 ToR switches in each data center. However, Cisco doesn’t support Q-in-Q with multi-site EVPN. Any ideas?

As Lukas Krattiger explained in his part of the Multi-Site Leaf-and-Spine Fabrics section of the Leaf-and-Spine Fabric Architectures webinar, multi-site EVPN (VXLAN-to-VXLAN bridging) is hard. Don’t expect miracles like Q-in-Q over VNI any time soon ;)

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 23, 2019 07:43 AM

January 22, 2019

ipSpace.net Blog (Ivan Pepelnjak)

Network Reliability Engineering on Software Gone Wild

In summer 2018 Juniper started talking about another forward-looking concept: Network Reliability Engineering. We wanted to find out whether that’s another unicorn driving DeLorean with flux capacitors or something more tangible, so we invited Matt Oswalt, the author of Network Reliability Engineer’s Manifesto to talk about it in Episode 97 of Software Gone Wild.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 22, 2019 06:58 AM

January 21, 2019

Potaroo blog

BGP in 2018 - Part2: BGP Churn

The scalability of BGP as the Internet’s routing protocol is not just dependent on the number of prefixes carried in the routing table. Dynamic routing updates are also part of this story. If the update rate of BGP is growing faster than we can deploy processing capability to match it, then the routing system will lose data, and at that point the routing system will head into turgid instability. This second part of the report on BGP across 2018 will look at the profile of BGP updates across 2018 to assess whether the stability of the routing system, as measured by the level of BGP update activity, is changing.

January 21, 2019 11:00 PM

ipSpace.net Blog (Ivan Pepelnjak)

Continuous Integration in Network Automation

In the first part of his interview with Christoph Jaggi, Kristian Larsson talked about the basics of CI testing. Now let’s see how you can use these concepts in network automation (and you’ll learn way more in Kristian’s talk on April 9th… if you register for our network automation course).

How does CI testing fit into an overall testing environment?

Traditionally, in particular in the networking industry, it's been rather common to have proofs of concept (POC) delivered by vendors for various networking technologies, and then people have sat down and manually tested that the POC meets some set of requirements.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 21, 2019 06:44 AM

January 17, 2019

IPEngineer.net

NAE: Some Help Dealing with Brain Block

For years, thanks to the gift of misaligned perception, I’ve been mentally blocked. I’ve avoided things like Machine Learning because my perceived skill with mathematics is weak, avoided programming languages like C# because the perceived uphill hike to get familiar is high and avoided front end web development because of the perceived browser nightmares.

Technology has come a long way since I last touched C# and web development and there are some great ML libraries out there which minimize the requirement for hardcore mathematical skill sets. My perceived problems have remained yet the actual blockers have moved and morphed. I’ve lived on old ideas without re-grouping and forming a refreshed attack. More on my foolish ways later.

For many people and organizations, it pains me to admit that perception of network automation is also misplaced. It spans from “Ansible is the answer, sorry, what were you asking?” to “Python will save the day”, following “The automation is the design!”.

Ivan Pepelnjak, as usual, has written some great content on the topic. Read this post for a rather targeted view on expert beginners. TL;DR: “I got hello-world working for one tool, me now expert”.

Currently I also have a particular bee in my bonnet about terrible design. Severely lacking approaches can be explained through the lens of the psychological manner in which network engineers have traditionally learnt and approached problems. We’ve all been guilty at some point of hacking away at the CLI to get some routing protocol feature working, or to get a dodgy network design stabilized. A new RFC comes out and everyone seems to download a new virtual appliance or operating system patch to introduce it, then hack the thing to death to test. How many of you consume the RFC first, then assess the suitability of your $vendor patch to get the job done? Do you even need it? Network automation is one of those things that is design first and considering tools should be much further down the line once your opportunity is truly understood.

Couple the absolute desire to automate daily, business-as-usual and mundane tasks with the human need to free up activities during unruly anti-social hours, with the demands of your managers and bosses against the ever-shifting landscape of technologies, breathe, and what you get is nothing more than deadlock and real frustration. As the ways of learning networking do not really compare well with learning automation, network engineers are becoming increasingly stuck when it comes to picking up new skills. It’s not that the community cannot do this, but I believe it’s the way they try to do this.

Recently, our household has got a new arrival. That’s right folks, a bouncing baby Beagle puppy!! The hardest thing about having a puppy is constantly comparing the puppy to a human and getting bent out of shape when the puppy doesn’t behave in the manner I expect or desire. Once I remember he’s a Beagle puppy and start thinking Beagle, his behavior and how to control it makes much more sense. Learning network automation is a different kind of puppy to network engineering, although they both share similar traits like distributed-ness.

Another reference story here, but when I want to learn a new programming library, feature or trick, I create mini scratch tests. Things that exercise the $thing and provide me knowledge. I then take that knowledge further and use it in a project after I’ve explored. One of the huge issues today is that exploration is short, and the expectation is, because of the familiarity of language and culture, that network engineers should pick this stuff up quickly. Managers assume that because it has “network” in the title it’s a short step away from network engineering, and needless to say, it is not. It’s a whole new skill that is both laid over and adjacent to network engineering. Add into the recipe the mountain of technology that is glossed with marketing and political-grade misdirection, standards that aren’t quite standards, and moving landscapes like programming language updates and sketchy support, and brains are at an all-time high of locked. As a side note, this Tweet I saw from Frank Schroder was right on point on my train journey whilst writing this!

Automation stacks are composable; they are highly configurable and thus can be fragile. The safety of a static set of network protocols to configure is not present by default, and as such the learning curve is compounded by having to know how to build the stacks and explore the stacks. Knowledge in the industry is gathering, and whilst automation will never be wholly driven by a single vendor, a combination of materials will realize a wide and deep education.

The best way I find to learn a topic is to do it little and often. Read a bit, experiment a bit, reflect and repeat. With automation, it’s no different. NRE Labs is a platform that allows you to explore technology and tools, exercise them in a meaningful way and without the uphill battle of figuring out how to install them. NRE Labs provides this experience in the form of lessons. These lessons bring back some of the joy of experimentation from shortened feedback loops. No dodgy install error messages and frustration from having half built environments all over the place. The team behind NRE Labs did a great job here for the better of our community and I for one will be contributing lessons as soon as possible!!!

The post NAE: Some Help Dealing with Brain Block appeared first on ipengineer.net.

by David Gee at January 17, 2019 09:34 AM

ipSpace.net Blog (Ivan Pepelnjak)

Five Stages of Automation Grief

As I’m doing occasional consulting for large enterprises redesigning their data centers, I encounter a wide range of network automation readiness, from “we don’t need that” to “how could we automate as much as possible”.

Based on the pervasiveness of “we don’t need that” responses it looks like many enterprise network engineers still have to go through the five stages of automation grief.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 17, 2019 07:52 AM

January 16, 2019

Dyn Research (Was Renesys Blog)

Last Month in Internet Intelligence: December 2018

Closing out 2018, in December the Oracle Internet Intelligence team observed Internet disruptions in countries around the world due to power outages, government direction, technical faults, and possible issues relating to satellite connectivity. While these causes have become relatively common, it is interesting to note that other common reasons for Internet disruptions, including severe weather (such as typhoons and hurricanes), concerns over cheating on exams, and denial-of-service attacks did not appear to drive significant Internet disruptions observed in Oracle’s Internet Intelligence Map during the month. And while we tend to focus on Internet disruptions, it is also important to highlight that after several rounds of testing, nationwide mobile Internet access was finally activated across Cuba.

Cuba

In three tranches (based on the first two digits of a subscriber’s mobile phone number) over December 6, 7, and 8, ETECSA, Cuba’s national telecommunications company, enabled nationwide mobile Internet access. The rollout was reportedly stable, in contrast to the congestion experienced during the trials conducted several months prior. The figure below shows the gradual adoption of this newly available connectivity through changes in the DNS Query Rate. As seen in the graph, the query rate was comparatively low in the days ahead of December 6, with peak levels growing gradually each day as the rollout took place, ultimately settling into a fairly consistent rate. (It is unclear what caused the sudden drops evident in the graph late in the day on December 7 and 10.)

However, this new mobile Internet service is based on 3G, delivering slower connection speeds than those experienced in countries that have deployed 4G/LTE-based services. Cuba’s slower mobile connections come at a higher cost as well, with published reports indicating “The new service will cost about 10 cents per megabyte, with packages ranging from 600 megabytes for about $7 to four gigabytes for about $30.”

ETECSA also found itself turning to social media to advise its subscribers in a number of areas related to Internet usage, including data usage, security, and child safety – topics very familiar to users and network providers with better-established connectivity. In one Tweet posted by @ETECSA_Cuba, the provider cautions users that mobile data is charged by volume (as opposed to by connection time, as with local Wi-Fi connections), and that they should be cognizant of things like video format, image resolution, and the applications that they are signed into. In another Tweet, embedded below, ETECSA reminds users that while security is a shared responsibility, it is mainly the responsibility of the users. And in a Facebook post, ETECSA provided recommendations to parents around safe Internet usage for children.

Power Outages

Similar to issues seen in July, August, and October, power issues in Venezuela disrupted Internet connectivity in the country during December. On December 14, Venezuela’s national electric company posted a Tweet noting that “strong fires” under high voltage lines were causing service interruptions in Aragua (a state in the north-central region of the country). The impact of these power outages is visible in the figure below, with two noticeable declines in the Traceroute Completion Ratio graph during the latter half of the day and into the 15th, and the DNS Query Rate graph declining during the same period, without exhibiting the second peak visible during previous days.

The power outage’s impact is also visible in the Traffic Shifts graph for AS21826 (Inter / Corporación Telemic C.A.), a network provider that services customers in Aragua. The figure below also shows two noticeable declines in the number of completed traceroutes to endpoints within the network during the latter half of the 14th and early on the 15th. Interestingly, the combined latency appears to drop concurrent with the power outage, but this is likely due to the lower number of completed traceroutes. (That is, higher latency paths were interrupted by the power outage, so the average combined latency becomes lower.)

Government Directed

On December 20, advocacy group Access Now posted a Tweet regarding reports of an Internet shutdown in Sudan. Multiple responses noted that access to social media platforms had been blocked across several network providers in the country, and several responses claimed that a complete Internet shutdown would occur on the following day. As shown in the figure below, an Internet disruption was observed in Sudan on December 21, with a brief but significant drop measured in the Traceroute Completion Ratio metrics, as well as a more prolonged drop in the number of routed networks. In addition, the DNS Query Rate metric remained largely flat on December 21, after seeing lower peak levels during the previous two days – these lower peaks could have been related to blocked access to social media platforms.

Completed traceroutes to endpoints in Sudatel (Sudan Telecom), a major telecommunications provider in the country, also experienced a brief but significant drop on December 21, as shown in the figure below.

At the end of December, Internet connectivity (and SMS services) were disrupted in the Democratic Republic of the Congo in advance of the announcement of results from the prior weekend’s presidential elections. The figure below shows that the disruption appears to have started around mid-day (GMT) on December 31 and continued into the first week of 2019.

Technical Faults

On December 12, Dauphin Telecom, a telecommunications provider in Saint Martin, posted the update shown above to their Facebook page letting subscribers know of degraded service due to a cable break in Puerto Rico. It is likely that the post was referencing an issue with the Southern Caribbean Fiber system, as it connects a number of island nations where Internet disruptions were observed through Oracle’s Internet Intelligence Map.

The figures below show Country Statistics graphs for Saint Martin and Saint Barthelemy during the period of degraded service. In both countries, the graphs show that the issue disrupted all three measured metrics.

The impact of the cable break is also evident at a network level, as shown in the Traffic Shifts graphs below for AS36511 (Dauphin Telecom Guadeloupe) and AS18895 (Nustream Communications). The Dauphin Telecom graph shows the shift to a higher latency backup route during the latter half of the day on December 12. The shift seen at Nustream Communications, a Puerto Rican network provider, was shorter in duration and less pronounced.

On December 15, a Tweet posted by @InternetIntel referenced a large Internet outage in Kenya that started the prior evening, noting that local provider Wananchi Group was among the affected providers. This observed disruption aligns with Tweets to @ZukuOfficial and @Zuku_WeCare sent by users on or around December 14 complaining about Internet availability – Zuku is a brand name used by Wananchi Group for fiber and satellite TV services in East African countries, including Kenya. The figures below show the impact of the outage for the three measured metrics at a country level for Kenya, as well as on traceroutes to endpoints in AS15399 (Wananchi Group). The Traffic Shifts graphs indicate that the observed outage may have been due to an issue with upstream provider Seacom.

On December 16, a number of responses were posted by @ZukuOfficial that stated that the company was “working to restore internet service after a technical fault.”

Starting late in the day on December 23, Comoros experienced a significant Internet disruption that stretched into the better part of the day on December 24. The Country Statistics figure below illustrates the significant impact seen across all three measured metrics. In line with that, the Traffic Shifts figure below for AS36939 (Comores Telecom) shows that there were no successfully completed traceroutes to endpoints within the network for the period of the disruption, until they failed over to a backup path across West Indian Ocean Cable Company. This backup path was used for several hours until connectivity through BICS (Belgacom ICS) was restored.

Just a couple of days after Christmas, major network services provider CenturyLink posted the following Tweet:

Published reports (CNET, Light Reading) indicate that the disruption, which started several hours before CenturyLink posted that Tweet, impacted customers across multiple U.S. states, including disrupting access to 911 emergency services, and CenturyLink’s status portal reported impacted connectivity to “external network services” for a number of the company’s cloud data centers. Impacted users exchanged information about the disruptions on forums including Reddit and the Outages mailing list. The issue was reportedly caused by “a faulty network management card from a third-party equipment vendor”. The card’s misbehavior ultimately “congested controller card CPUs (central processing units) network-wide, causing functionality issues and rendering many nodes unreachable.”

The figure below shows the Traffic Shifts graph for AS11530 (CenturyLink Communications), one of many autonomous systems associated with CenturyLink, and a significant day-long decline in the number of completed traceroutes to endpoints within the network is clearly evident.

As would be expected, the issue impacted connectivity for networks that have upstream connectivity from CenturyLink. The Traffic Shifts figures below illustrate the impact on three (of many) such networks. In each case, traceroutes failed over to backup paths across other network providers, including (interestingly) Level 3, which is owned by CenturyLink, but was apparently unaffected by the outage.

Possible Satellite Connectivity Issues

Over the last ten days of December, we observed Internet disruptions across the Solomon Islands (December 22), Guyana (December 27), and Kiribati (December 30). The impacts of the disruptions can be seen in the figures below and were visibly more pronounced in the Solomon Islands and Kiribati.

Examining the disruptions at a network level, it appears that they may have been related to problems with upstream connectivity through O3b, a “network communications service provider building and operating a medium Earth orbit (MEO) satellite constellation primarily intended to provide voice and data communications to mobile operators and Internet service providers” that is a wholly owned subsidiary of SES S.A. The Traffic Shifts figures below for networks in the three impacted countries show that O3b is the primary upstream provider across all three, and the disruptions evident in these graphs align with the Country Statistics graphs above.

Conclusion

The Oracle Internet Intelligence Map provides insight into the impact of Internet disruptions around the world, both at a national and network level. Although the disruptions have varied in severity and duration, there have been a number of common root causes – some natural (typhoons, hurricanes), some technical (cable cuts, power outages), and some intentional (exams, elections). Going forward into 2019, the Oracle Internet Intelligence team will continue to track Internet disruptions and their associated causes – given the activity seen during the first week of January, things (unfortunately) show no sign of slowing down.

by David Belson at January 16, 2019 02:53 PM

My Etherealmind

Tech Notes: DNS Flag Day – February 1, 2019

Your DNS might stop in February. Are your DNS & IPAMs updated?

The post Tech Notes: DNS Flag Day – February 1, 2019 appeared first on EtherealMind.

by Greg Ferro at January 16, 2019 11:38 AM

ipSpace.net Blog (Ivan Pepelnjak)

To Centralize or not to Centralize, That’s the Question

One of the attendees of the Building Next-Generation Data Center online course solved the “build a small data center fabric” challenge with Virtual Chassis Fabric (VCF). I pointed out that I would prefer not to use VCF, as it uses a centralized control plane and is thus a single failure domain.

In case you’re interested in data center fabric architecture options, check out this section in the Data Center Fabric Architectures webinar.

Here are his arguments for using VCF:

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 16, 2019 07:33 AM

Moving Packets

Cisco SP Nails It at NFDx

The Networking Field Day Exclusive one-day event with Cisco’s Service Provider business unit definitely exceeded my expectations, and I believe showcased a different approach to technology and their customers than we might have seen from the Cisco Systems of four or five years ago.

Segment Routing

The topic-du-jour was definitely Segment Routing, and Cisco delivered great presentations on both SR-TE (Segment Routing – Tunnel Engineering) with SR Flexible Algorithm, and SRv6 (Segment Routing for IPv6).

SR FlexAlgo

SR FlexAlgo effectively allows a network to calculate metric- and constraint-based primary and backup paths on demand and in a distributed fashion. For example, a policy might be that traffic to a given prefix should follow the lowest latency path using only MACSEC encrypted links, or perhaps the lowest cost path while staying within a particular geographical region. Cool stuff, and while it won’t fix every problem, conceptually I can see this as a relatively accessible way into Segment Routing, and one which could deliver tunnel engineering in a way that would be highly complex or impossible using RSVP-TE and a constraint-based IGP calculation.

SRv6

I had not looked at SRv6 before, and it’s a fascinatingly different beast to regular IPv4-based Segment Routing, finally putting the extensible IPv6 header to good use. SRv6 offers some very interesting use cases including using the internet (or any other third party network) as a segment, even though it is unaware that it’s a segment and doesn’t run Segment Routing. Additionally, SRv6 opened up an option to enable service chaining, and the demonstration of this in real time was pretty impressive.

EVPN

EVPN was also highlighted as a solution which can offer a fairly broad range of applications including, ultimately, replacing vPC, VSS, and HSRP/VRRP in the network. This is a protocol with much more to it than the standard context of VXLAN + BGP EVPN as a fabric, and one which deserves more attention.

Zero Touch Provisioning

I am a big fan of ZTP, and it’s good to see it in IOS XR as well. I’ve written about my positive experience with NXOS ZTP, and the IOS XR ZTP follows a very similar mechanism. Now, however, the on-box capabilities have been expanded to support multiple scripting languages, as well as to take advantage of the root access given on the devices to permit container creation and other script/executable functions. A more recent addition is the Golden ISO concept, where the software image downloaded to the device already has key elements like RPM installation and a base configuration completed, minimizing the number of steps that have to be taken during the ZTP boot process.

Trusted Platforms

One of the questions that ZTP raises is who and what you can trust when booting a newly-installed device, and Cisco’s Dan Backman led us down Paranoia Lane from the network operating system all the way down to the CPU and BIOS in order to try and figure out whether we trusted the people who made each component, and the impact that penetration of a low-level component can have. This concept sounded familiar to me as I had previously written about Skyport Systems, a company whose aim was to provide a trusted compute platform. Guess who Cisco bought last year, and where Mr Backman was working at that time? The relevance to Cisco is the Hardware-Anchored Secure Boot architecture which attempts to protect Cisco hardware from low-level compromise.

gNMI/gRPC/OpenConfig

Just as I thought OpenConfig was going totally dark (perhaps the 3-year-out-of-date website is partly to blame for that opinion), Cisco presented all the fun stuff that can be done on the IOS XR platform using gRPC. I discussed OpenConfig on this site about three years ago, and had great hopes for it as a means of configuration, monitoring and telemetry. It seems that it is beginning to do exactly that, using gNMI (gRPC Network Management Interface) as a means to monitor and subscribe to telemetry streaming on IOS XR devices. I am super-excited to see this is getting traction, and looking forward to hearing about more in this area.

Fabrics, Fabrics, Fabrics

Everybody loves a good network fabric, and Cisco’s Phil Bedard looked at three kinds: metro fabric, core fabric and peering fabric, all guided by the concept of simplifying the network, making it scalable, secure and automatable. For a relatively simple topic, this presentation covered a lot of ground and will be worth another watch when the video is posted.

Thoughts

The theme I got from this event was of consistent support for the ideas of making things easier, making them more accessible, and of support where possible for open standards. Cisco is even providing some support for IOS XR on whitebox (for a limited few customers, currently), which may lead to good things for a wider audience in the future. Automation, visibility, openness and operational simplicity came up time and time again throughout the presentations.

I had expected good things from NFDx with Cisco’s Service Provider BU, but they really did deliver more than I had expected, and I think on the whole the presenters did an outstanding job. I have a lot to think about, and I will be posting more in the coming weeks, and will provide links to the videos when they have been posted.

This was really a very good one-day event and I’m delighted that I could be here to take part.

If you liked this post, please do click through to the source at Cisco SP Nails It at NFDx and give me a share/like. Thank you!

by John Herbert at January 16, 2019 01:50 AM

January 15, 2019

About Networks

Multicast lab 5: Source-Specific Multicast (SSM)

After giving a two-day training to a customer on multicast technology, I took the opportunity to get my lab and the configurations ready to share with you a suite of five different multicast configuration examples, and how to run some tests and troubleshooting. These examples are based on the labs I used to practice for the CCIE R&S practical exam.

Content of the posts:

- Any-source multicast (ASM) with static RP
- Any-source multicast (ASM) with auto-RP
- Any-source multicast (ASM) with anycast RP
- Any-source multicast (ASM) with bootstrap router (aka PIMv2)
- Source-specific multicast (SSM)…

The post Multicast lab 5: Source-Specific Multicast (SSM) appeared first on AboutNetworks.net.

by Jerome Tissieres at January 15, 2019 04:34 PM

Multicast lab 4: Any-Source Multicast with Bootstrap Router (BSR)

The post Multicast lab 4: Any-Source Multicast with Bootstrap Router (BSR) appeared first on AboutNetworks.net.

by Jerome Tissieres at January 15, 2019 04:34 PM

Multicast lab 3: Any-Source Multicast with anycast RP

The post Multicast lab 3: Any-Source Multicast with anycast RP appeared first on AboutNetworks.net.

by Jerome Tissieres at January 15, 2019 04:33 PM

Multicast lab 2: Any-Source Multicast with auto RP

The post Multicast lab 2: Any-Source Multicast with auto RP appeared first on AboutNetworks.net.

by Jerome Tissieres at January 15, 2019 04:33 PM

Multicast lab 1: Any-Source Multicast with static RP


The post Multicast lab 1: Any-Source Multicast with static RP appeared first on AboutNetworks.net.

by Jerome Tissieres at January 15, 2019 04:33 PM

ipSpace.net Blog (Ivan Pepelnjak)

BGP as High Availability Protocol

Every now and then someone tells me I should write more about the basic networking concepts like I did years ago when I started blogging. I’m probably too old (and too grumpy) for that, but fortunately I’m no longer on my own.

Over the years ipSpace.net slowly grew into a small community of networking experts, and we got to a point where you’ll see regular blog posts from other community members, starting with Using BGP as High-Availability protocol written by Nicola Modena, member of ExpertExpress team.

by Ivan Pepelnjak (noreply@blogger.com) at January 15, 2019 08:54 AM

The Networking Nerd

iPhone 11 Plus Wi-Fi 6 Equals Undefined?

I read a curious story this weekend based on a supposed leak about the next iPhone, currently dubbed the iPhone 11[1]. There’s a report that the next iPhone will have support for the forthcoming 802.11ax standard. The article refers to 802.11ax as Wi-Fi 6, which is a catchy branding exercise that absolutely no one in the tech community is going to adhere to.

In case you aren’t familiar with 802.11ax, it’s essentially an upgrade of the existing wireless protocols to support better client performance and management across both 2.4GHz and 5GHz. Unlike 802.11ac, which was rebranded to be called Wi-Fi 5, or 802.11n, which curiously wasn’t rebranded as Wi-Fi 4, 802.11ax works in both bands. There are a lot of great things on the drawing board for 11ax coming soon.

Why did I say soon? Because, as of this writing, 11ax isn’t a ratified standard. According to this FAQ from Aerohive, the standard isn’t set to be voted on for final ratification until Q3 of 2019. And if anyone wants to see the standard pushed along faster it would be Aerohive. They were one of, if not the, first company to bring an 802.11ax access point to the market. So they want to see a standard piece of equipment for sure.

Making pre-standard access points isn’t anything new to the market. Manufacturers have been trying to get ahead of the trends for a while now. I can distinctly remember being involved in IT when 802.11n was still in the pre-standard days. One of our employees brought in a Belkin Pre-N AP and client card and wanted us to get it working because, in his words, “It will cover my whole house with Wi-Fi!”

Sadly, we ended up having to ditch this device once the 802.11n standard was finalized. Why? Because Belkin had rushed it to the market and tried to capitalize on the fervor of people wanting fast connection speeds. The AP only worked with the PCMCIA client card sold by Belkin. Once you started to see ratified 802.11n devices they were incompatible with the Belkin AP and fell back to 802.11g speeds.

Belkin wasn’t the only manufacturer that was trying to get ahead of the curve. Cisco also pushed out the Aironet 1250, which had detachable lobes that could be pulled off and replaced. Why? Because they were shipping a draft 802.11n piece of hardware. They claimed that anyone purchasing the draft spec hardware could send in the lobes and get an upgrade to ratified hardware as soon as it was finalized. Except, as a rushed product the 1250 also consumed lots of power, ran hot, and generally had very low performance compared to the APs that came out after the ratification process was completed.

We’re seeing the same rush again with 802.11ax. Everyone wants to have something new when the next refresh cycle comes up. Instead of pushing people toward the stable performance of 802.11ac Wave 2 with proper design they are going out on a limb. Manufacturers are betting on the fact that their designs are going to be software-upgradable in the end. Which assumes there won’t be any major changes during the ratification process.

Cupertino Doesn’t Guess

One of the major criticism points of 802.11ax is that there is not any widespread adoption of clients out there to push us to need 802.11ax APs. The client vs. infrastructure argument is always a tough one. Do you make the client adapter and hope that someone will eventually come out with hardware to support it? Or do you choose to instead wait for the infrastructure to jump up in speed and then buy a client adapter to support it?

I’m usually one revision behind in most cases. My home hardware is running 802.11ac Wave 2 currently, but my devices were 11ac capable long before I installed any Meraki or Ubiquiti equipment. So my infrastructure was playing catchup with my clients. But not everyone runs the same gear that I do.

One of the areas where this is more apparent is not in the Wi-Fi realm but instead in the carrier space. We’re starting to hear that carriers like AT&T are deploying 5G in many cities even though there aren’t many 5G capable handsets. And, even when the first 5G handsets start hitting the market, the smart money says to avoid the first generation. Because the first generation is almost always hot, power hungry, and low performing. Sound familiar?

You want to know who doesn’t bet on non-standard technology? Apple. Time and again, Apple has chosen to take a very conservative approach to introducing new chipsets into their devices. And while their Wi-Fi chipsets often see upgrades long before their cellular modems do, you can guarantee that they aren’t going to make a bet on non-standard technology that could potentially hamper adoption of their flagship mobile device.

A Logical Approach

Let’s look at it logically for a moment. Let’s assume that the standards bodies get off their laurels and kick into high gear to get 802.11ax ratified at the end of Q2. That’s just after Apple’s WWDC. Do you think Apple is going to wait until post-WWDC to decide what chipsets are going to be in the new iPhone? You bet your sweet bandwidth they aren’t!

The chipset decisions for the iPhone 11 are being made right now in Q1. They want to know they can get sufficient quantities of SoCs and modems by the time manufacturing has to ramp up to have them ready for stores in October. That means you can’t guess whether or not a standard is going to be approved in time for launch. Q3 2019 is during the iPhone announcement season. Apple is the most conservative manufacturer out there. They aren’t going to stake their connectivity on an unproven standard.

So, let’s just state it emphatically for the search engines: The iPhone 11 will not have 802.11ax, or Wi-Fi 6, support. And anyone trying to tell you differently is trying to sell you a load of marketing.

The Future of Connectivity

So, what about the iPhone XII or whatever we call it? That’s a more interesting discussion. And it hinges on something I heard in a recent episode of a new wireless podcast. The Contention Window was started by my friends Tauni Odia and Scott Lester. In Episode 1, they have their big 2019 predictions. Tauni predicted that 802.11ax won’t be ratified in 2019. I agree with her assessment. Despite the optimism of the working group these things tend to take longer than expected. Which means Q4 2019 or perhaps even Q1 2020.

If 802.11ax ratification slips into 2020 you’ll see Apple taking the same conservative approach to adoption. This is especially true if the majority of deployed infrastructure APs are still pre-standard. Apple would rather take an extra year to get things right and know they won’t have any bugs than to rush something to the market in the hopes of selling a few corner-case techies on something that doesn’t have much of an impact on speeds in the long run.

However, if the standards bodies prove us all wrong and push 11ax ratification through we should see it in the iPhone X+2. A mature technology with proper support should be seen as a winner. But you should see that move telegraphed far in advance with adoption of the 11ax radios in the MacBook Pro first. Once the bigger flagship computing devices get support it will trickle down. This is just an economic concern. The MacBook has more room in the case for a first-gen 11ax chip. Looser thermal tolerances and space considerations mean more room to make mistakes.

In short: Don’t expect an 11ax (or Wi-Fi 6) chip before 2020. And if you’re betting the farm on the iPhone, you may be waiting a long time.


Tom’s Take

I like the predictions of professionals with knowledge over leaks with dubious marketing value. The Contention Window has lots of good information about why 802.11ax won’t be ratified any time soon. A report about a leaked report that may or may not be accurate holds a lot less value. Don’t listen to the hype. Listen to the people who know what they’re talking about, like Scott and Tauni for example. And don’t stress about having the newest, fastest wireless devices in your house. Odds are way better that you’re going to have to buy a new AP for Christmas this year than the hope of your next iPhone supporting 802.11ax. But the one thing we can all agree on: Wi-Fi 6 is a terrible branding decision!


  1. Or I suppose the XI if you’re into Roman numerals.

by networkingnerd at January 15, 2019 07:10 AM

Potaroo blog

BGP in 2018 - Part1: The BGP Table

It has become either a tradition, or a habit, each January for me to report on the experience with the inter-domain routing system over the past year, looking in some detail at some metrics from the routing system that can show the essential shape and behaviour of the underlying interconnection fabric of the Internet.

January 15, 2019 05:00 AM

January 14, 2019

Ethan Banks on Technology

Automating Logistics To Improve Productivity

Getting work done is hindered by logistics. Logistics is work about work. It’s the work you do so that you can get something else done.

For example, there’s a workflow I use to create a podcast. Most of that work is logistical: creating a collaborative script document from a template, inviting guests to a recording channel, scheduling the recording, coordinating sponsor content, updating the production calendar, editing the episode, writing a blog post about the episode, and promoting the episode on social media.

Relatively little of the workflow is what I consider the meat of podcast creation: researching the topic and guests, writing interview questions, and recording the actual show.

I draw the line between logistics and meat by considering what I can delegate vs. what I need to do uniquely myself. Most tasks can be divided along this line.

Solving The Logistics Problem With Delegation

One way to boost productivity is to delegate logistics. Delegation frees up your time to focus on the remaining tasks requiring your unique skills.

Delegation comes in at least three forms.

  1. Humans.
  2. Software.
  3. Automation.

Some tasks can be delegated to other humans. In my case, I delegate many tasks in my business to consultants, contractors, employees, and my personal assistant. I still have to manage those relationships, and I have to compensate people for their time. Delegation doesn’t absolve me of task responsibility.

Delegating to other humans is challenging, creating process and interpersonal debt. You might welcome such a difficulty, but find that you aren’t in a position to delegate to other humans. You still have delegation options.

In the digital age, delegating to software is self-explanatory–we all do this. As an aside, while I believe in delegating to software, I also believe in delegating software infrastructure. In my business, there is no advantage to be gained by hosting software myself. I delegate software hosting to a mix of SaaS and IaaS infrastructure providers.

Automation steps in where humans shouldn’t and software can’t. Tedious, repetitive tasks are best done by carefully programmed robots.

Software can’t predict all business workflows–businesses are unique, meaning software has limited task granularity out of the box. Software designers can’t create an overly specific product and still retain mass appeal. This is where automation steps in. Automation is the workflow layer on top of software that performs repetitive tasks quickly and predictably.

Delegating To Automation

In my own workflows, I’ve identified automation as the weak link. I’ve passed off as many tasks to other humans as appropriate. I continually review and revise my software tools. However, I don’t automate.

For instance, to prepare for a podcast recording, some of the steps are to create a Google document from a template, build a Slack channel, and invite the guests to both. Accomplishing this is a lot of predictable clicking and typing.

Google Drive has an API. Slack has an API. Why am I interfacing with Google Drive and Slack using the clicky-clicky GUI? Because it’s what I know. It’s easy. It’s time-consuming and error prone, but it gets the job done.

Automating these tasks seems too painful, because I don’t know how to write the code off the top of my head. I’ll have to read documentation, write some code, experiment, and fuss.

Will automating those document and channel creation tasks be worth it? The answer to that question comes in the form of time saved. How long does it take me to clicky-clicky and get these tasks done? Let’s say it’s twenty minutes. I don’t know exactly how long the actual clicking takes, and the reason is that there’s more time to account for than the click time.

There is also distraction time.

When I go into the standard Google Drive UI to create a document, I see a myriad of other folders and documents related to projects I’m working on. I’m reminded of other tasks I need to complete. The temptation to move orthogonally into another task is significant when my to-do list is long.

The same distraction exists when looking at Slack. Even though I squelch almost all notifications, opening the Slack interface to work on channel creation and invitations can take me far afield.

Because of distractions, twenty minutes becomes thirty or forty. Distractions eat the day away. Distractions cut into productivity. Therefore, automation isn’t simply about making clicks go faster. Automation is also about retaining focus by reducing distractions.

A script that gathers a bit of information from me can handle Google doc and Slack channel creation with a single command, instead of me performing a bunch of distractable clicking. Creating the script will be hard, but the result will be time saved and focus retained.

What about IFTTT or Zapier Instead Of Code?

What if I don’t want to read API documentation and write code? Might trigger-based tools like IFTTT or Zapier help? I believe the answer is “yes,” but there’s homework to do to know how much.

Historically, I’ve used both IFTTT and Zapier to automate straightforward tasks like posting to social media based on an RSS feed trigger. However, I’ve found both Zapier and IFTTT, powerful though they are, to be constrained. I can only execute the actions that they support, and the entirety of a platform’s API is unlikely to be exposed to an IFTTT recipe or Zapier zap.

Therefore, I’m leaning toward Python as a programming tool with comparatively infinite flexibility. With learning time invested in APIs, I can write Python scripts to do any action I need.

Writing my own code offers another interesting possibility: chatbots. That is, I can log a chatbot into Slack and issue automation commands to the chatbot from the Slack interface. This is desirable from a business workflow perspective, because it means actions are logged in an observable Slack channel, keeping the other humans I work with in the loop as to what automated work is being done.
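The document-plus-channel workflow described above, with the audit trail the chatbot idea calls for, as an added example (not Ethan’s code, and not the real Google Drive or Slack client libraries): the script talks to two small client interfaces that are assumed here, `DocStore` and `Chat`, so a thin wrapper around the real APIs can be swapped in later, and the in-memory fakes below are constructed stand-ins. Every action is also posted to an audit channel, so the people you work with can see what the automation did.

```python
"""Podcast-prep automation with an audit trail. Added example; the client
interfaces and the fake backends are assumptions, not any vendor's API."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Protocol


class DocStore(Protocol):  # assumed interface for a document service
    def copy(self, template_id: str, title: str) -> str: ...
    def share(self, doc_id: str, email: str) -> None: ...


class Chat(Protocol):  # assumed interface for a chat service
    def create_channel(self, name: str) -> str: ...
    def invite(self, channel_id: str, email: str) -> None: ...
    def post(self, channel_id: str, text: str) -> None: ...


@dataclass
class FakeDocs:
    """Constructed in-memory stand-in for the document API."""
    docs: Dict[str, dict] = field(default_factory=dict)

    def copy(self, template_id: str, title: str) -> str:
        doc_id = f"doc-{len(self.docs) + 1}"
        self.docs[doc_id] = {"from": template_id, "title": title, "shared": []}
        return doc_id

    def share(self, doc_id: str, email: str) -> None:
        self.docs[doc_id]["shared"].append(email)


@dataclass
class FakeChat:
    """Constructed in-memory stand-in for the chat API; channel names are unique."""
    channels: Dict[str, dict] = field(default_factory=dict)

    def create_channel(self, name: str) -> str:
        if any(c["name"] == name for c in self.channels.values()):
            raise ValueError(f"channel {name!r} already exists")
        chan_id = f"C{len(self.channels) + 1}"
        self.channels[chan_id] = {"name": name, "members": [], "messages": []}
        return chan_id

    def invite(self, channel_id: str, email: str) -> None:
        self.channels[channel_id]["members"].append(email)

    def post(self, channel_id: str, text: str) -> None:
        self.channels[channel_id]["messages"].append(text)


def slug(title: str) -> str:
    """Chat-style channel name: lowercase, dashes, capped at 21 chars (assumed limit)."""
    return re.sub(r"[^a-z0-9]+", "-", title.lower()).strip("-")[:21]


def prepare_episode(docs: DocStore, chat: Chat, title: str, guests: List[str],
                    template_id: str, audit_channel_id: str) -> dict:
    """Create the script doc and channel, invite guests, and log every step."""
    actions: List[str] = []

    def log(msg: str) -> None:
        actions.append(msg)
        chat.post(audit_channel_id, f"[prep-bot] {msg}")  # visible to the whole team

    doc_id = docs.copy(template_id, f"Script: {title}")
    log(f"created script doc {doc_id} from template {template_id}")
    chan_id = chat.create_channel(slug(title))
    log(f"created channel {chan_id}")
    for guest in guests:
        docs.share(doc_id, guest)
        chat.invite(chan_id, guest)
        log(f"invited {guest} to {doc_id} and {chan_id}")
    return {"doc": doc_id, "channel": chan_id, "actions": actions}


if __name__ == "__main__":
    docs, chat = FakeDocs(), FakeChat()
    audit = chat.create_channel("automation-log")
    result = prepare_episode(docs, chat, "Episode 42: BGP Basics",
                             ["guest1@example.com", "guest2@example.com"], "tmpl-1", audit)
    print("\n".join(result["actions"]))
```

Because the workflow only depends on the two interfaces, it can be exercised end to end against the fakes before any real credentials are involved, and the audit channel gives the rest of the team the observable record the chatbot approach is meant to provide.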

by Ethan Banks at January 14, 2019 07:12 PM

Moving Packets

Orange Matter: Silo-Busting and Dream-Dashing


I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. I love automation, but it seems that dreams of a smooth customer experience can be destroyed by the persistence of engineering silos in many organizations.

This post appeared on Orange Matter as “Silo-Busting and Dream-Dashing; More Fun With Automation“, but I’m also linking to the version posted on Thwack, mainly because that format allowed me to use more images and be slightly more irreverent. Actually, quite a lot more irreverent in this particular case…


I’d love it if you were to take a moment to visit and read, and maybe even comment!

If you liked this post, please do click through to the source at Orange Matter: Silo-Busting and Dream-Dashing and give me a share/like. Thank you!

by John Herbert at January 14, 2019 03:57 PM

My Etherealmind

Tools: Dropping and Shaping Packets with iptables and tc on Linux

You can drop packets using iptables on a Linux host with some level of randomness:

iptables -A INPUT -m statistic --mode random --probability 0.8 -s example.com -p icmp -j DROP

I also did not know that Linux has a traffic control tool for packet shaping, ‘tc’:

tc qdisc change dev eth0 root netem loss 5%

[…]

The post Tools: Dropping and Shaping Packets with iptables and tc on Linux appeared first on EtherealMind.

by Greg Ferro at January 14, 2019 12:42 PM

ipSpace.net Blog (Ivan Pepelnjak)

What Is Continuous Integration?

In spring 2019 Building Network Automation Solutions course we’ll have Kristian Larsson diving into continuous integration and his virtual networking lab product (you might want to listen to the Software Gone Wild episode we did with him to get a taste of what he’ll be talking about). Christoph Jaggi did a short interview with him starting with the obvious question:

What is CI testing and how does it differ from other testing methods?

CI is short for Continuous Integration and refers to a way of developing software where changes written by individual developers are frequently (or "continuously") integrated together into a master branch/trunk, thus continuous integration.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 14, 2019 07:34 AM


January 13, 2019

My Etherealmind

QNA: Breakouts Cables Are Not Splitters

Question on Reddit Ok, this is a weird question and I’ll probably get some flak for this, but is there any real proof that an SFP (1000BASE) transceiver cannot be at the end of a QSFP+ breakout? Afaik QSA type adapters are just splitters but leave the other 3 out as evidenced by how they […]

The post QNA: Breakouts Cables Are Not Splitters appeared first on EtherealMind.

by Greg Ferro at January 13, 2019 04:30 PM

January 11, 2019

My Etherealmind

Why Would Cisco Buy Luxtera ?

Cisco announced it is buying Luxtera for $660M.  Luxtera make SFP modules for Ethernet switches including the critical laser components.  Interesting Things Just before the Christmas break when fewer people are watching. Background of US/China trade problems Cisco get control of part of the supply chain Silicon photonics is about using existing silicon manufacturing processes […]

The post Why Would Cisco Buy Luxtera ? appeared first on EtherealMind.

by Greg Ferro at January 11, 2019 04:02 PM

Moving Packets

Orange Matter: Automation Paralysis


I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. This post examines how it’s easy to get so focused on automating the small stuff we have difficulty turning that into the more cohesive automation solution that we’d like to have.

This post appeared on Orange Matter as “Automation Paralysis: Why We Get Stuck Automating The Small Stuff“, but I’m also linking to the version posted on Thwack, mainly because that format allowed me to use more images and be slightly more irreverent. Irreverent? Moi? Of course.


I’d love it if you were to take a moment to visit and read, and maybe even comment!

If you liked this post, please do click through to the source at Orange Matter: Automation Paralysis and give me a share/like. Thank you!

by John Herbert at January 11, 2019 03:41 PM

ipSpace.net Blog (Ivan Pepelnjak)

Firewall Ruleset Automation with CI Pipeline

One of my readers sent me a description of their automation system that manages firewall rulesets on Fortigate firewalls using NAPALM to manage device configurations.

In his own words:

We are now managing thousands of address objects, services and firewall policies using David Barroso’s FortiOS Napalm module. This works very well and with a few caveats (such as finding a way to enforce the ordering of firewall policies) we are able to manage all the configuration of our firewalls from a single Ansible playbook.

They did the right thing and implemented an abstracted data model using GitOps to manage it:

Read more ...
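One thing an abstracted data model makes possible, and the caveat the reader raises about policy ordering, as an added example (not the reader’s system and not the FortiOS NAPALM module): a pre-push check over the model that rejects dangling object references, duplicate names or sequence numbers, and rules shadowed by an earlier, wider rule, and that renders the push order from an explicit `seq` field so device order never depends on how the file happens to be written. The schema (`addresses`, `services`, `policies` with `seq`/`src`/`dst`/`svc`/`action`) and the sample model are constructed for the example.

```python
"""Sanity checks for an abstracted firewall-ruleset model before it is rendered
and pushed. Added example; the schema is assumed, not any vendor's or module's."""
from typing import List

WILDCARD = "any"  # assumed keyword meaning "match everything"

# Constructed sample model with three deliberate defects (see validate()).
MODEL = {
    "addresses": {"corp-lan": "10.10.0.0/16", "dmz-web": "192.0.2.10/32"},
    "services": {"https": "tcp/443", "ssh": "tcp/22", "dns": "udp/53"},
    "policies": [
        {"name": "allow-web", "seq": 10, "src": "any", "dst": "dmz-web", "svc": "https", "action": "accept"},
        {"name": "mgmt-ssh", "seq": 20, "src": "corp-lan", "dst": "dmz-web", "svc": "ssh", "action": "accept"},
        {"name": "allow-web-dup", "seq": 30, "src": "any", "dst": "dmz-web", "svc": "https", "action": "accept"},
        {"name": "deny-all", "seq": 40, "src": "any", "dst": "any", "svc": "any", "action": "deny"},
        {"name": "typo-ref", "seq": 50, "src": "corp-lam", "dst": "any", "svc": "dns", "action": "accept"},
    ],
}


def _covers(earlier: dict, later: dict) -> bool:
    """True when each match field of `earlier` equals `later`'s or is the wildcard."""
    return all(earlier[f] in (WILDCARD, later[f]) for f in ("src", "dst", "svc"))


def validate(model: dict) -> List[dict]:
    """Return {'rule', 'kind', 'detail'} problems in seq order; empty means safe to render."""
    problems: List[dict] = []
    addrs, svcs = model["addresses"], model["services"]
    seen_names, seen_seqs = set(), set()
    earlier: List[dict] = []
    for pol in sorted(model["policies"], key=lambda p: p["seq"]):
        name = pol["name"]
        if name in seen_names:
            problems.append({"rule": name, "kind": "dup-name", "detail": name})
        if pol["seq"] in seen_seqs:
            problems.append({"rule": name, "kind": "dup-seq", "detail": str(pol["seq"])})
        seen_names.add(name)
        seen_seqs.add(pol["seq"])
        # Every referenced object must exist in the model before we render.
        for fld, table in (("src", addrs), ("dst", addrs), ("svc", svcs)):
            ref = pol[fld]
            if ref != WILDCARD and ref not in table:
                problems.append({"rule": name, "kind": "dangling", "detail": f"{fld}={ref}"})
        # A rule fully covered by an earlier rule can never match: flag it.
        for prev in earlier:
            if _covers(prev, pol):
                problems.append({"rule": name, "kind": "shadowed", "detail": prev["name"]})
                break
        earlier.append(pol)
    return problems


def render_order(model: dict) -> List[str]:
    """Deterministic push order derived from the explicit seq field."""
    return [p["name"] for p in sorted(model["policies"], key=lambda p: p["seq"])]


if __name__ == "__main__":
    for prob in validate(MODEL):
        print(f"{prob['kind']:9} {prob['rule']}: {prob['detail']}")
    print("push order:", render_order(MODEL))
```

Run against the sample model this reports `allow-web-dup` as shadowed by `allow-web`, `typo-ref` as referencing an unknown address and as shadowed by `deny-all`; a CI job would fail the pipeline on a non-empty result, so the playbook only ever pushes a model that rendered cleanly.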

by Ivan Pepelnjak (noreply@blogger.com) at January 11, 2019 07:38 AM


January 10, 2019

My Etherealmind

Geo IP Databases are Highly Inaccurate

Lots of network monitoring platforms use GeoIP databases to track/monitor sources. These databases are, perhaps, 75% accurate (for some definition of accurate). This is your regular reminder to have a sense of caution about location based on public IP address. John S. and his mother Ann live in the house, which is in Pretoria, the […]

The post Geo IP Databases are Highly Inaccurate appeared first on EtherealMind.

by Greg Ferro at January 10, 2019 03:36 PM

Honest Networker

nanog-l these days

1yixe4n – imgur

by ohseuch4aeji4xar at January 10, 2019 12:50 PM

ipSpace.net Blog (Ivan Pepelnjak)

Webinars Plans for 2019

You might have noticed that our Winter 2019 webinar schedule got crazily busy with seven live sessions in the first two months of the year (another first)… but that’s not all, there are two more live sessions that we haven’t announced yet as we always schedule a single live session of a particular webinar.

Wondering what’s coming during the rest of 2019? Starting with committed ideas:

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at January 10, 2019 07:29 AM

January 09, 2019

Moving Packets

Orange Matter: Where is Your Configuration Source of Truth?


I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. The post linked here looks at where we define our source of truth for device configurations; is it the device itself? Should it be? This is a key question when looking at automation, and one we should all be asking ourselves.

This post appeared on Orange Matter as “Where Is Your Config Source of Truth?“, but I’m also linking to the version posted on Thwack, mainly because that format allowed me to use more images and be slightly more irreverent, which is perhaps a bit more in character.


I’d love it if you were to take a moment to visit and read, and maybe even comment!

If you liked this post, please do click through to the source at Orange Matter: Where is Your Configuration Source of Truth? and give me a share/like. Thank you!

by John Herbert at January 09, 2019 03:17 PM

ipSpace.net Blog (Ivan Pepelnjak)

SD-WAN Reality Gap

Here’s some feedback I got from a subscriber who got pulled into an SD-WAN project:

I realized (thanks to you) that it’s really important to understand the basics of how things work. It helped me for example at my work when my boss came with the idea “we’ll start selling SD-WAN and this is the customer wish list”. Looked like business-as-usual until I realized I’ve never seen so big a difference between reality, customer wishes and what was promised to customer by sales guys I never met. And the networking engineers are supposed to save the day afterwards…

How did your first SD-WAN deployment go? Please write a comment!

by Ivan Pepelnjak (noreply@blogger.com) at January 09, 2019 07:35 AM

The Networking Nerd

What Makes IoT A Security Risk?

IoT security is a pretty hot topic in today’s world. That’s because the increasing number of smart devices is causing issues with security professionals everywhere. Consumer IoT devices are expected to top 20 billion by 2020. And each of these smart devices represents an attack surface. Or does it?

Hello, Dave

Adding intelligence to a device increases the number of ways that it can be compromised. Take a simple thermostat, for example. The most basic thermostat is about as dumb as you can get. It uses the expansion properties of metal to trigger switches inside of the housing. You set a dial or a switch and it takes care of the rest. Once you start adding things like programmability or cloud connection, you increase the number of ways that you can access the device. Maybe it’s a webpage or an app. Maybe you can access it via wireless or Bluetooth. No matter how you do it, it’s more available than the simple version of the thermostat.

What about industrial IoT devices? The same rule applies. In this case, we’re often adding remote access to Supervisory Control And Data Acquisition (SCADA) systems. There’s a big market from enterprise IT providers to create secured equipment that allows access to existing industrial equipment from centralized control dashboards. It makes these devices “smart” and allows you to make them easier to manage.

Industrial IoT has the same kind of issues that consumer devices do. We’re increasing the number of access avenues to these devices. But does that mean they’re a security risk? The question could be as simple as asking if the devices are any easier to hack than their dumb counterparts. If that is our only yardstick, then the answer is most assuredly yes: they are a security risk. My fridge does not have the ability for me to access it over the internet. By installing an operating system and connecting it to the wireless network in my house I’m increasing the attack surface.

Another good example of this increasing attack surface is in home devices that aren’t consumer focused. Let’s take a look at the electrical grid. Our homes are slowly being upgraded with so-called “smart” electrical meters that allow us to have more control over power usage in our homes. It also allows the electric companies to monitor the devices more closely and read the electric meters remotely instead of needing to dispatch humans to read those meters. These smart meters often operate on Wi-Fi networks for ease-of-access. If all we do is add the meters to a wireless network, are we really creating security issues?

Bigfoot-Sized Footprints

No matter how intelligent the device, increasing access avenues to the device creates security access issues. A good example of this is the “hidden” diagnostic port on the original Apple Watch. Even though the port had no real use beyond internal diagnostics at Apple, it was a tempting target for people to try and get access to the system. Sometimes these hidden ports can dump hidden data or give low-level access to areas of the system that aren’t normally available. While the Apple Watch port didn’t have this kind of access, other devices can offer it.

Giving access to any device allows someone to attack it in a way that can get them into data they’re not supposed to have. Sure, a smart speaker is a very simple device. But what if someone found a way to remotely access the data and capture the data stream? Or the recording buffer? Most smart speakers are monitoring audio data listening for their trigger word to take commands. Normally this data stream is dumped. But what if someone found a way to reconstruct it? Do you think that could qualify as a hack? All it takes is an enterprising person to figure out how to get low-level access. And before you say it’s impossible, remember that we allow access to these devices in other ways. It’s only a matter of time before someone finds a hole.

As for industrial machines, these are even more tempting. By gaining access to the master control systems, you can cause some pretty credible havoc with their programming. You can shut down all manner of industrial devices. Stuxnet was a great example of writing a very specific piece of malware that was designed to cause problems for a specific kind of industrial equipment. Because of the nature of the program it was very difficult to figure out exactly what was causing the issues. All it took was access to the systems, which was reportedly caused by hiding the program on USB drives and seeding them in parking lots where they would be picked up and installed in the target facilities.

IoT devices, whether consumer or enterprise, represent potential threat vectors. You can’t simply assume that a simple device is safe because there isn’t much to hack. The Mirai botnet exploited bad password hygiene in devices to allow them to be easily hacked. It wasn’t a complicated silicon-level hack or a coordinated nation state effort. It was the result of someone cracking a hard-coded password and exploiting that for their own needs. Smart devices can be made to make dumb decisions when used improperly.


Tom’s Take

IoT security is both simple and hard at the same time. Securing these devices is a priority for your organization. You may never have them compromised, but you have to treat them just like you would any other device that could potentially be hacked and turned against you. Zero-trust security models are a great way to account for this, but you need to make sure you’re not overlooking IoT when you build that model. Because the invisible devices helping us get our daily work done could quickly become the vector for hacking attacks that bring our day to a grinding halt.

by networkingnerd at January 09, 2019 04:42 AM


January 08, 2019

Dyn Research (Was Renesys Blog)

Cuba’s New 3G Service, Six Years After ALBA-1

Last month, ETECSA (Cuba’s state telecom) activated national 3G mobile service. For the first time in the nation’s history, a very modest level of internet service is now available to anyone on the island with a 3G-capable device and the funds to pay for it (i.e., 45 CUC per month, or almost twice the monthly salary of a Cuban state worker).

The development was announced in a tweet from Cuba’s new president Miguel Díaz-Canel and came almost six years since the activation of the ALBA-1 submarine cable connecting Cuba to the global internet via Venezuela.

The activation of Cuba’s mobile internet service appeared in our Internet Intelligence Map as a dramatic increase in the number of authoritative DNS queries handled by Dyn’s servers, as we tweeted at the time.

When we zoom out to the first half of December, we can see two phases of increase in DNS queries (pictured below) as the new mobile service was rolled out in stages.  A small increase can be observed beginning on 3 December (the day before President Díaz-Canel’s tweet), and then a larger and more sustained increase beginning on 6 December.

Unlike our other metrics (available BGP routes and completing traceroutes), DNS query volume follows a diurnal pattern due to the fact that DNS lookups are primarily a by-product of human interaction with the internet.  In this context, it is safe to conclude that the material increase in DNS query volume is due to more Cubans accessing and using the internet than ever before.
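The reasoning above (a 24-hour cycle marks human-driven traffic, and a multi-day level shift marks sustained new usage) can be turned into two checks. This is an added example and not part of the Dyn Research post; the two hourly series it builds are constructed for illustration, not measurements from Cuba, and the thresholds are assumptions.

```python
import math

HOURS_PER_DAY = 24


def constructed_dns_series(days=14, baseline=1000.0, step_day=7, step_factor=2.0):
    """Constructed hourly query counts: a day/night cycle plus a permanent
    level shift from `step_day` onwards, mimicking a staged rollout."""
    series = []
    for h in range(days * HOURS_PER_DAY):
        level = baseline * (step_factor if h // HOURS_PER_DAY >= step_day else 1.0)
        # peak in the afternoon, trough in the early hours
        cycle = 1.0 + 0.6 * math.sin(2 * math.pi * (h % HOURS_PER_DAY - 6) / HOURS_PER_DAY)
        series.append(level * cycle)
    return series


def constructed_bgp_series(days=14, prefixes=50.0):
    """Constructed hourly count of announced prefixes: flat apart from the odd blip."""
    return [prefixes + (1.0 if h % 37 == 0 else 0.0) for h in range(days * HOURS_PER_DAY)]


def autocorrelation(xs, lag):
    """Normalised autocorrelation of xs at `lag` samples. Near 1.0 means the
    series repeats with that period; near 0 means it does not."""
    n = len(xs)
    mean = sum(xs) / n
    var = sum((x - mean) ** 2 for x in xs)
    if var == 0.0:
        return 0.0
    cov = sum((xs[i] - mean) * (xs[i + lag] - mean) for i in range(n - lag))
    return cov / var


def is_diurnal(xs, threshold=0.5):
    """True when an hourly series has a strong 24-hour cycle (threshold is an assumption)."""
    return autocorrelation(xs, HOURS_PER_DAY) >= threshold


def daily_totals(xs):
    return [sum(xs[d:d + HOURS_PER_DAY]) for d in range(0, len(xs), HOURS_PER_DAY)]


def level_shift(xs, baseline_days=5, recent_days=5):
    """Median recent daily total over median baseline daily total. Comparing
    whole days removes the diurnal swing, so a value well above 1.0 is a
    sustained increase rather than one busy afternoon."""
    totals = daily_totals(xs)
    base = sorted(totals[:baseline_days])
    recent = sorted(totals[-recent_days:])
    return recent[len(recent) // 2] / base[len(base) // 2]


if __name__ == "__main__":
    dns, bgp = constructed_dns_series(), constructed_bgp_series()
    print("DNS diurnal:", is_diurnal(dns), "shift:", round(level_shift(dns), 2))
    print("BGP diurnal:", is_diurnal(bgp), "shift:", round(level_shift(bgp), 2))
```

Working on daily totals for the level-shift check is what lets the two signals be separated: the cycle tells you humans are behind the queries, and the shift in whole-day volume tells you how many more of them there are.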

Before permanently launching their 3G service last month, ETECSA ran tests of the service in August and September, which we reported on here and here; those tests also appeared as temporary surges in the DNS queries from Cuba.

Years of incremental steps for the Cuban internet

It was six years ago this month that we broke the news of the activation of the ALBA-1 submarine cable, the first fiber optic cable connecting Cuba to the global Internet. The discovery received widespread media attention, and the Cuban government even confirmed our report in the local communist party newspaper.

In an interview with PRI’s The World in 2014, I suggested that the fastest way to extend service to the local population would be to allow international telecoms to bid for mobile licenses, as we saw in Myanmar, and bring the internet to the Cuban people via wireless technology.

While Cuba decided against leveraging private enterprise to build their national telecommunications infrastructure, its move to make mobile internet service nationally available is the biggest change to date to improve the levels of internet access in the country.

by Doug Madory at January 08, 2019 02:18 PM

IPEngineer.net

NAE: Automation and Time

Time is the enemy of everything in the field of IT. It doesn’t matter whether you are a designer or operator. Time is your sworn enemy.

In all the training and certifications I’ve ever done, all that is missing is a knighting ceremony in which a sword is laid on your shoulders and you’re sworn in as an enemy of the phenomenon.

Time

Time is a speculative investment, time is relative, highly subjective and makes us emotional. It offers us unsolvable yet predictable challenges. We only ever hear "we need more time". Managers demand it and engineers beg for it. Everything costs time and nothing will give us time back. Given that last statement, high return time investments are key.

In software, we’ve moved to agile, which lets us split software releases up into super tiny chunks. Instead of a huge development cycle followed by a huge deployment and troubleshooting window, we’ve moved to a tiny slice model, in which we do a tiny amount of design, a tiny amount of coding and a tiny amount of deployment and troubleshooting. This move allows us to target the highest priorities more quickly and more accurately, which makes us appear more responsive to business needs. Blobs of time for each phase are still consumed, but because we consume them in smaller doses, it doesn’t feel so bad, does it? We might have saved a bit of time, but the real gain here is agility and the ability to react to changing needs. Not all requirements will ever be met, and items are rapidly pushed onto and off the list.

The point I’m trying to make here is that good design and a sound approach, while they take time, can smooth out and reduce either the big-blob or the tiny-slice allocations of time. It’s an investment that returns positive results and cannot be swept to one side in the name of Agile or DevOps.

Moving along to automation in the networking space and kaboom. Maturity is still low, design is immature to non-existent and the idea of allocating time to do experiments so we can gain experience is abrasive. Let 2019 be the year of sensible actions and an awakening to the fact that engineering takes design, experimentation and solid recording of outcomes and results. Once the methodologies are known and the design style and parlance is adopted, then we can ask for a reduction in task time. If you’re not prepared to invest to accumulate, then you’re asking for miracles and encouraging guess work.

Close

Engineering in any field is both scientific and an art. It takes creativity, calculations, analysis and retrospectives. Time is an element in all of these and investing it wisely can reduce the quantity of it spent elsewhere.

Good luck and good fortune for 2019!

The post NAE: Automation and Time appeared first on ipengineer.net.

by David Gee at January 08, 2019 10:58 AM

January 07, 2019

My Etherealmind

Percentage of HTTPS (TLS) Encrypted Traffic on the Internet ?

Reviewing a threat report from Fortinet suggests that 73% of internet traffic is now encrypted. That’s a substantial change in five years for a network protocol. More than I expected, but good news that the status quo CAN be changed. I wonder what happened to telcos that were selling data extracted from capturing HTTP […]
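A figure like "73% encrypted" depends heavily on how you count. Counting bytes sent to port 443 misses TLS on other ports and counts plaintext HTTP that happens to use 443, so the added example below (not from the EtherealMind post or the Fortinet report) classifies each flow by its first client payload bytes and reports both numbers side by side. The flow records are constructed; the only thing taken from the wire format is the shape of a TLS record header and an HTTP request line.

```python
# TLS record header: content type 0x16 (handshake), version 0x03 0x0N, then a
# 2-byte length, then a handshake header whose first byte is the message type;
# 0x01 is ClientHello. TLS 1.3 still puts 0x0301 or 0x0303 in the record header.
def looks_like_tls_client_hello(payload: bytes) -> bool:
    return (
        len(payload) >= 6
        and payload[0] == 0x16
        and payload[1] == 0x03
        and payload[2] <= 0x04
        and payload[5] == 0x01
    )


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


def looks_like_plain_http(payload: bytes) -> bool:
    return payload.startswith(HTTP_METHODS)


def classify(first_payload: bytes) -> str:
    """'tls', 'http' or 'other', judged from what the client sent first."""
    if looks_like_tls_client_hello(first_payload):
        return "tls"
    if looks_like_plain_http(first_payload):
        return "http"
    return "other"


# Constructed flows: (destination port, bytes transferred, first client payload).
SAMPLE_FLOWS = [
    (443, 120_000, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),   # TLS on 443
    (80, 30_000, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),           # plain HTTP
    (8443, 50_000, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),   # TLS, non-standard port
    (443, 20_000, b"POST /api HTTP/1.1\r\nHost: example.com\r\n"),      # plaintext on 443
    (53, 5_000, b"\x12\x34\x01\x00\x00\x01\x00\x00"),                   # DNS, neither
    (443, 75_000, b"\x16\x03\x03\x00\x7a\x01\x00\x00\x76\x03\x03"),    # TLS 1.2/1.3 hello
]


def encrypted_share(flows):
    """Byte-weighted TLS share by payload inspection and by the port-443
    heuristic, returned together so the two can be compared."""
    total = sum(size for _, size, _ in flows)
    tls_bytes = sum(size for _, size, p in flows if classify(p) == "tls")
    port443_bytes = sum(size for port, size, _ in flows if port == 443)
    return {
        "total_bytes": total,
        "tls_bytes": tls_bytes,
        "tls_share": tls_bytes / total,
        "port443_bytes": port443_bytes,
        "port443_share": port443_bytes / total,
    }


if __name__ == "__main__":
    for k, v in encrypted_share(SAMPLE_FLOWS).items():
        print(f"{k}: {v}")
```

On the constructed flows the two methods disagree by ten percentage points, which is the same order as the year-on-year changes such reports describe; any vendor figure is only comparable with another if both counted the same way.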

The post Percentage of HTTPS (TLS) Encrypted Traffic on the Internet ? appeared first on EtherealMind.

by Greg Ferro at January 07, 2019 08:41 PM

Moving Packets

New Year, New Post, NFDx!

You may be thinking “Wait, he hasn’t posted in ages… how lazy is he?” but thankfully I haven’t been entirely slothful for the last seven months. Most recently I authored a series of six posts related to SDN and automation on the Solarwinds Orange Matter blog. I can’t republish that content here, but I will be sharing links to the posts in the coming days and I hope you’ll find them interesting and thought-provoking.

Cisco SP – Networking Field Day Exclusive!

More immediately, I’m preparing to start the new year with a quick trip to see Cisco’s Service Provider group at a Networking Field Day Exclusive event. I’ve seen the proposed agenda, and it looks like it’s going to be an intense day filled with the kind of topics that I know my readers will appreciate. As always, I’ll be posting about some of the topics covered (maybe even all of them…who knows?), but it’s even better if you can take part too.

The event takes place on Tuesday, January 15th, 2019. If you can, I recommend hopping on the live stream on Tech Field Day and then using the #TFDx hashtag on Twitter to join in the conversation and ask questions (the delegates keep an eye out for questions we can ask the presenters on your behalf).

With a start like this, I think it’s going to be a good one. Stay tuned, and I hope you have a great 2019!

If you liked this post, please do click through to the source at New Year, New Post, NFDx! and give me a share/like. Thank you!

by John Herbert at January 07, 2019 06:36 PM

My Etherealmind

Windstream sells EarthLink consumer internet business

Another nail in the “telco cannot provide customised services” folder. Windstream sells its consumer business: “This transaction enables us to divest a non-core segment and focus exclusively on our two largest business units. In addition, it improves our credit profile and metrics in 2019 and beyond,” said Tony Thomas, president and CEO of Windstream. As […]

The post Windstream sells EarthLink consumer internet business appeared first on EtherealMind.

by Greg Ferro at January 07, 2019 06:00 PM