Mar. 5, 2020
Today more than ever, networking has fundamental similarities. The days of routing IPX/SPX, AppleTalk, Banyan Vines or provisioning ATM and Frame Relay links are moving into the past. Most networks are now based on Ethernet*. Most run at least IPv4 as a routed protocol. They leverage similar connectivity techniques such as an interior gateway protocol, a layer 2 mechanism such as VLANs or VPLS, and an identifiable border (e.g. an autonomous system).
Jan. 27, 2020
I was originally going to be inflammatory and title this “Details don’t matter”, but at the last minute I walked it back. This topic is consistently a pile of hot garbage. Why? Many reasons. Because technical people are, in general, extremely detail focused, and often binary minded (right/wrong, black/white, yes/no, 1⁄0). Because of this, a great many times we as technical people can hyper-focus on the details, especially when change is on the table.
Jun. 29, 2019
BGP. It’s that magical protocol that runs the internet. For as much as BGP is a fundamental, critical, irreplaceable part of the core functioning of the internet, it is a protocol that has not aged well as far as security is concerned. See, BGP was born when the internet was really still an academic experiment. Handshakes and loose agreements were totally fine for connecting a new site.
Then came the awakening.
Mar. 31, 2019
Over the last few days there has been a huge amount of FUD and panic surrounding two as-yet-to-be-published CVEs (found here and here) related to Mikrotik’s IPv6 implementation. It is my opinion that this entire process has been poorly handled, and that the community involved tends to be fairly sensitive to issues such as this, and the cloak and dagger nature of the two issues has only exacerbated it. Mikrotik, as a company, is well known for being terse in their responses and tight lipped with their internal workings and dealings with these kinds of issues.
Nov. 5, 2018
Remember OpenFlow? It was the media and marketing darling for the better part of 5 years as “the machine” conflated OpenFlow with SDN and SDN with - almost literally - everything. “Still Does Nothing” was a common phrase uttered around those of us that had run large scale, complex networks for a long time. Quietly, and mostly, out of the fickle media and blogosphere eye, a scrappy little SDN project called faucet has been diligently plugging away– making easy to use, production quality, well documented, and very stable code that runs OpenFlow networks quite happily in production and at scale.
Nov. 1, 2018
As an often-security-engineer and an individual that has been working on large networks for quite a while, dealing with DDoS, or the threat of DDoS is a well traveled path. Recently I was invited to discuss some of the basics of DDoS mitigation on the Network Collective Podcast. This was a really fun and insightful chat with a wealth of great information for engineers and operators of any skill level. Ep38 - DDoS Mitigation from Network Collective on Vimeo.
Oct. 18, 2018
Recently, the venerable Ivan Pepelnjak published a very insightful article about automation becoming such a popular topic, spawned by an email from one of his readers. I found this article to be spot on, and wanted to add a bit of my own opinion into the automation pie, as I have been spending a lot of time on automation as it relates to existing networks as well as to SDN based environments.
Dec. 7, 2017
I have my +100 hat of irreverence on today so it’s time for a soapbox post. Having recently read several posts and articles on what seems to be the never-ending cavalcade of assertions that “networking people will be out of jobs and you’d better learn to be a programmer” - or more succinctly put: the “dramatic changes in IT networking”. To this I respond simply: The scorched earth, “there’s a hole in the boat, we’re all going to die!
Oct. 3, 2017
Configuration management is a critical part of successfully and efficiently running any network. From the early days of networking there have been options for doing configuration backup. Several projects have been around for literally decades, enabling the backup of a myriad of critical network devices and providing historical archives. Many of these projects and platforms require a reasonable amount of unix experience and perhaps some development skills. I’m going to give a quick synopsis of my three favorites; these are all very different in execution but provide the same types of services - configuration backup, diff, and archive (and not much else).
Mar. 25, 2017
Taking politics and putting them aside, what the new administration has been attempting to change with regard to internet privacy is something we should all be informed about. Whether you have a tin foil hat or don’t care, “knowing is half the battle”. The other half is doing - which I will also lend some brief insight to (sorta). What’s changing? Nothing yet (as of the time of this writing). What will likely change?
Jan. 18, 2016
I'm way overdue for a soapbox session -- I found this one in my drafts and thought it was something I needed to put out there. It's already dated in terminology but that actually helps make the point - it's hard to keep up. Let's throw this out there: social media can be exhausting. Do not misunderstand me, it’s a great tool for communication, obtaining and disseminating information as well as standard goofing around.
Nov. 5, 2015
A few years ago I wrote some text on interdomain SDN. Years later, work is being done, smart people are thinking about it and building ways to make it a reality. Not being one to give up on an idea, I gave this presentation in May at ChiNOG on my take on what that architecture should be. I (we) propose that the use of existing protocols such as BGP FlowSpec will make this realistically deployable and maintainable given some simple, pluggable middleware.
Mar. 28, 2015
Since Network Field Day 9, I have spent more and more time mentally grinding on what Brocade is doing. I have been a pretty vocal critic of the Foundry hardware and software platform since my first experience with it years and years ago. I found it to be lacking in completed features, Layer 3 functionality and general stability.
This is one reason that anyone reading this should take pause and think about the background this post is sourcing from and how much of a shift it is.
Mar. 19, 2015
For those that run BGP networks, BGPmon is often a tool they turn to for some really unique and hard to find information. Remember back in February 2008 when Pakistan Telecom "blocked" YouTube? That one was a really, really public example of something that BGPmon caught. BGPmon has been around for a long, long time. Quietly watching prefixes. Silently noting changes and reporting them to the ones lucky enough to know of its existence.
Sep. 8, 2014
I admit that the title was meant to be inflammatory. However, there are use cases that aren’t terribly uncommon where an in-line security appliance is just not the correct tool for the job. Someone once told me “a firewall protects a network like a fuse protects an electrical circuit”, and it’s mostly a correct statement. Firewall vendors will probably argue this and enterprise folks may discount this as heresy and call for burning me at the stake.
Aug. 12, 2014
I’ve blathered on about BGP forever. Say what you will about the venerable protocol, it runs the interwebs, is reliable, extendable and well documented. I’ve also espoused ad nauseam about IPv6, so none of this [admitted] rant should really be a surprise coming from me. As of 8/12/2014, according to the CIDR report (and many mailing lists), the default-free global IPv4 routing table has reached 512k routes. This is a milestone from many perspectives, but more importantly, it solidifies the fact that there is a great deal of equipment at critical points in the internet that is out of date and cannot perform as intended in its current configuration or function.
Jun. 23, 2014
With the recent announcement of Cisco Systems' intent to purchase tail-f, proponents of a multi-vendor environment are waiting with bated breath to see how the networking giant will deal with support of competitor hardware and CLIs. YANG is here to stay, there is no doubt about that. As is NETCONF. Both of these are good things for the industry as a whole; having a standard way to communicate with network hardware [that isn’t OpenFlow] is necessary and immeasurably useful.
May. 17, 2014
Many regular internet users are extremely upset about the recent proposed changes the FCC has opened for comments about the delivery and provisioning of internet services. Watch this video if you’re unaware of the high emotions it has evoked: While these are proposed rules and are not in any way finalized, there is real concern that they may become law. Where this is problematic is that it opens up the possibility of some real misuse, abuse or simple misunderstanding of needs and services.
Jan. 4, 2014
The buzz as of late around the security and networking communities has been about the NSA and their catalog or spy toolkit. I’ve spent time in my career thinking about and doing infosec and I did a brief stint working for the FBI in a project called NCDIR. I like to think that I can provide at least a peripherally competent commentary about it [take it with a grain of salt].
Dec. 7, 2013
About a year ago I did a brief review of the “new Sonicwall”, specifically a smaller branch office device that was said to have all of the features of the larger devices. I proposed that it had some significant limitations (much to the disagreement of a great deal of folks). However, I stand by my statements. If you ignore the fact that firewalls often cause more problems than they solve, that NAT is a nightmarish kludge (and not a security mechanism) and will likely be phased out for better options eventually, the SonicOS I tested was pretty limited as far as what I believe should be features.
Nov. 9, 2013
My personal background in computing (specifically networking) is atypical. I have a bachelors in visual arts and only took a handful of computing classes in my relatively long tenure in college. However, I did learn one valuable lesson that has served me pretty well over the 15 or so years I have been doing networking and I’d bet money any good network engineer that has more than 10 years of experience will nod their head at this and agree.
Sep. 21, 2013
Let me be clear, when I say “single vendor” I’m talking about being “single vendor” in what you work on, not necessarily what you install (although one basically forces the other) and what I really mean is multilingual. I’ll explain after a brief history of why I am the way I am. I’m idealistic but I’m also realistic. I generally propose solutions that I think are best even if it is non-standard or out of current comfort level along with an alternative or two.
Aug. 5, 2013
I have been learning and using IPv6 for quite a while, even before I worked in research and education, back in the ISP days. I thought I should learn it because, frankly, I figured we’d all be converted to it by now, already whole hog using it like it was the layer 3 addressing mechanism that it is. Flashback: My first IPv6 access was via a tunnel to HE a long, long time ago and before that I was reading what I could about it.