May. 4, 2020
One of the most common questions I hear from small and even medium sized ISPs is “why should I run my own DNS resolver(s)?” The perception that DNS is hard, complicated, or even unnecessary is often cited as a reason to just farm it out to one of the “free” anycast resolver services available across the internet. Now, there are many reasons to be wary of DNS, both from the professional and the consumer side - it is a huge treasure trove of personal information about behavior, and is easily monetized by entities large enough to consume and process it.
Jan. 17, 2020
VPNs are a critically useful tool for gaining access to resources that cannot be exposed to the public internet, for policy or technical reasons. VPNs can, however, be painful to install, difficult to troubleshoot, and in many cases (e.g. one time triage, single use instances) complete overkill. Providing encrypted access to this gooey center has never been easier, though, thanks to the ease of sshuttle. sshuttle has some very usable capabilities.
Apr. 29, 2019
There is no shortage of network telemetry data that can be collected, recorded, graphed, and stored for cross reference and triage. Not to be underestimated, latency data can be incredibly powerful when leveraged for baselining and deviation notification. As I have alluded to in the past, there are many tools in this space. I have written about a few of them in detail and touched on others in passing. Regardless of the tool, the data is powerful and the instrumentation they provide will only serve to make your network more robust and easier to work on.
Dec. 10, 2018
In recent years, the nature of privacy on the internet has become a very important topic amongst those concerned with the loss of net neutrality. The de-facto mechanism for dealing with privacy has been to "SSL all the things", which I am very much in favor of. What many do not realize, though, is that simply using SSL for the traffic that transits a given ISP still leaves a wealth of thick, rich, delicious personal data easily available to your ISP to harvest, sell, and do with as they please.
Mar. 20, 2017
In the last few years I have moved all of my virtualization to Proxmox and Docker. Seeing as I like to look at packets because I am a closet security guy, and being as I have been working off-and-on on a security project in recent times, I wanted to be able to span a port not only from a hardware switch, but also within my software switches. I had been using Linux bridge, which I am not a fan of, so when I started down this path I did not look hard for a way to do so under that platform.
Feb. 27, 2016
The sixth [and arguably very overdue] installment of my NIX4NetEng series, this began as an overly complex diatribe about DNS. As it evolved, I realized that DNS is so complex and far reaching that it could never be contained in one meager post. DNS is a powerful tool. It has existed for so long that many who have never had the responsibility of running an authoritative or recursive resolver may take for granted the extensive reach of a tool so ingrained in the fabric of the internet that it is frequently overlooked, much like a utility such as electricity or running water.
Jan. 19, 2015
VMware is a powerful tool, and monitoring is a critical service. How does one monitor such an integral piece of infrastructure, and what do they monitor it with? There are powerful commercial ways of monitoring VMware; however, for those with existing SNMP based systems in place, specifically Cacti, there are options. To that end, I'll set aside my strong distaste for SNMP [yet again], because that is for a larger, less useful series of posts.
Dec. 21, 2014
Sometimes in networking and security it becomes necessary to do lookups of location data on IP addresses and prefixes. On my Mac I use Homebrew to manage packages, but most of these tools are available with the typical apt, yum and port package management systems. For this post, I’m going to shift gears and show the install on my Mac: sliver:~ buraglio$ brew install geoip ==> Downloading https://downloads.sf.net/project/machomebrew/Bottles/geoip-1.6.3.mavericks.bottle.tar.gz ######################################################################## 100.0% ==> Pouring geoip-1.
Oct. 15, 2014
With the recent release of the POODLE SSLv3 vulnerability, folks are scrambling around trying to figure out what runs what and where. Running a handful of things that do SSL, I was obligated, both personally and professionally, to figure out an easy way to drill down and figure out what does what and then fix the vulnerable services. When there are a lot of devices, this can seem like a daunting task, and it is if you’re trying to do it manually.
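The two posts above, the one on SSL and ISP visibility (Dec. 10, 2018) and this one on hunting SSLv3 services after POODLE, both come down to the TLS ClientHello. The block below is an added example, not code from either post: build_client_hello() constructs a bare SSLv3 (or TLS 1.2) ClientHello so a host list can be probed for SSLv3 by hand, since no current TLS library will negotiate it; classify_response() decides what the server answered; and extract_sni() reads the server name back out of a ClientHello, which is one plaintext field an ISP still sees on an "SSL everything" connection. The host names, ports and sample records are constructed for illustration.

```python
"""Added example (not from the original posts): build a TLS/SSL ClientHello
and read one back. build_client_hello() is for probing a host list for SSLv3
by hand (modern libraries refuse to speak it); extract_sni() pulls the
server name out of any ClientHello, a plaintext field an ISP still sees.
Hosts, ports and sample records below are constructed for illustration."""
import os
import socket
import struct
from typing import Optional

SSLV3, TLS12 = b"\x03\x00", b"\x03\x03"
# A handful of RSA/ECDHE suites; enough for a server to pick from.
CIPHER_SUITES = [0x000a, 0x002f, 0x0035, 0xc02f, 0xc030]


def build_client_hello(version: bytes = SSLV3, server_name: Optional[str] = None) -> bytes:
    """ClientHello record (type 22 / handshake 1); SNI appended only if a name is given."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (version + os.urandom(32) + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                 # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry              # server_name_list
        ext = b"\x00\x00" + struct.pack("!H", len(sni)) + sni    # extension type 0 = SNI
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body       # 3-byte handshake length
    return b"\x16" + version + struct.pack("!H", len(hs)) + hs


def classify_response(data: bytes) -> str:
    """What a server answered to an SSLv3 ClientHello."""
    if not data:
        return "closed"                                    # hung up without a record
    if len(data) >= 6 and data[0] == 0x16 and data[1:3] == SSLV3 and data[5] == 0x02:
        return "sslv3-accepted"                            # ServerHello at version 3.0
    if data[0] == 0x15:
        return "rejected-alert"                            # e.g. handshake_failure (40)
    return "other"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify the first bytes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello(SSLV3))
            return classify_response(s.recv(4096))
    except OSError:
        return "closed"


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if len(hs) < 39 or hs[0] != 0x01:
            return None
        off = 4 + 2 + 32                                   # hs header, version, random
        off += 1 + hs[off]                                 # session id
        off += 2 + struct.unpack("!H", hs[off:off + 2])[0]     # cipher suites
        off += 1 + hs[off]                                 # compression methods
        if off + 2 > len(hs):
            return None                                    # no extensions at all
        end = min(off + 2 + struct.unpack("!H", hs[off:off + 2])[0], len(hs))
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[off:off + 4])
            off += 4
            if etype == 0:
                names, p = hs[off:off + elen], 2           # skip server_name_list length
                while p + 3 <= len(names):
                    ntype = names[p]
                    nlen = struct.unpack("!H", names[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:
                        return names[p:p + nlen].decode("ascii", "replace")
                    p += nlen
                return None
            off += elen
    except (IndexError, struct.error):
        return None                                        # malformed record
    return None


if __name__ == "__main__":
    # Constructed inventory; in practice feed it from your device list.
    for target in ["www.example.com:443", "mail.example.com:993"]:
        h, p = target.rsplit(":", 1)
        print(target, probe_sslv3(h, int(p)))
```

A server that still speaks SSLv3 answers the bare ClientHello with a version 3.0 ServerHello; a patched one sends an alert or simply closes the socket, and both of those are a pass. Note that classify_response() only reports what the server offered for this one ClientHello; a host that accepts SSLv3 on 443 may still reject it on another port, so probe every service you inventory.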
Sep. 15, 2014
I know, I know, I’m always saying that you don’t need a firewall. That’s mostly to get your attention and push my agenda of sane security architecture; I do actually believe that firewalls are appropriate in a great many use cases and I’ve managed them big and small, ranging from Juniper SRX 5800 clusters to tiny purpose built BSD distros on custom hardware. I even managed Check Point and Gauntlet firewalls back in the 1990s.
Jul. 26, 2014
IP addressing and subnetting is a common interview subject. I assert that memorizing these things is useful for learning the concepts but ultimately futile, in that it is time consuming and an inefficient use of engineering time when tools can be utilized to accomplish the same goals in less time with fewer errors. Honestly, I gave up doing this kind of work manually around 10 years ago and have never regretted it, and in actuality, I’d probably struggle to do it at this point because it’s a repetitive process better suited to code.
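As an added example of the "let a tool do it" point above (not code from the original post), the block below does the usual interview arithmetic with nothing but the standard library ipaddress module: network/mask/broadcast and usable host count, carving a block into equal subnets, summarizing a list of prefixes into the minimal covering CIDRs, and a containment check. The prefixes used are constructed from the documentation ranges.

```python
"""Added example (not from the original post): subnetting arithmetic with the
standard-library ipaddress module. Prefixes below are constructed
documentation ranges (RFC 5737 / RFC 3849)."""
import ipaddress
from typing import List, Optional


def describe(prefix: str) -> dict:
    """Network, mask, broadcast and usable host count for a CIDR prefix."""
    net = ipaddress.ip_network(prefix, strict=False)   # strict=False tolerates host bits
    usable = net.num_addresses
    # IPv4 subnets shorter than /31 lose the network and broadcast addresses.
    if net.version == 4 and net.prefixlen < 31:
        usable -= 2
    broadcast: Optional[str] = str(net.broadcast_address) if net.version == 4 else None
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": broadcast,
        "prefixlen": net.prefixlen,
        "usable_hosts": usable,
    }


def split(prefix: str, new_prefixlen: int) -> List[str]:
    """Carve a prefix into equal subnets of the given length."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefixlen)]


def summarize(prefixes: List[str]) -> List[str]:
    """Collapse a list of same-family prefixes into the minimal covering CIDRs."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def contains(prefix: str, address: str) -> bool:
    """True if address falls inside prefix (and is the same address family)."""
    net = ipaddress.ip_network(prefix, strict=False)
    addr = ipaddress.ip_address(address)
    return addr.version == net.version and addr in net


if __name__ == "__main__":
    print(describe("192.0.2.130/26"))
    print(split("192.0.2.0/24", 26))
    print(summarize(["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"]))
    print(contains("2001:db8::/32", "2001:db8:1::1"))
```

The strict=False argument is deliberate: interview-style questions hand you a host address with a mask, and the module will otherwise raise on host bits being set. summarize() is the one most worth keeping around; it is the same operation you want before pushing an ACL or a route filter, and it refuses to mix address families rather than silently producing nonsense.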
Jun. 7, 2014
I don’t care what your vendor alignment of choice is, Cisco, Juniper, Brocade, Alcatel….it doesn’t matter. At one point or another you’re going to need to bird dog an address to see where it’s coming from, who owns it, what its DNS name is or what path you’re taking to get to it. We’ve already talked about BGP tools; they’re a great choice for checking routes across the internet. Hunting down addresses is an interesting one, though, as address management and lookups can bleed into other aspects of networking like path selection, latency, jitter and many other things.
Apr. 30, 2014
Many network engineers are also tasked with maintaining systems that provide network services, those things that make the network easier to use such as DNS and DHCP or management systems that perform useful things like monitor the network, collect flow data or bestow access to the equipment by acting as bastion or jump hosts. In many instances, robust and high availability services run on UNIX, Linux or BSD systems for stability and reliability, so those that manage these systems need to be well versed system admins as well as whatever their other job functions are.
Apr. 20, 2014
I firmly believe that blending disciplines is the way of the future in IT. I’ve rambled about it here at other venues and I’m vocal (some would probably say brash) about it on the twitters. Be it Networking and System, Systems and Security, Programming and Networking, most of us that have been around any length of time already do it but now it’s happening out in the open and “DevOps”, a form of the hybrid IT worker, has seemingly become the BOTD (Buzzword of the day).
Mar. 10, 2014
I recently had the displeasure of dealing with a series of failed disks in my newly created ZFS based NAS. I had cobbled together roughly 12TB of disk space and jammed them into an old PC, stretching the limits of the platform when I decided to go with ZFS. I broke all of the rules: underpowered, single core PC, only a handful of gigabytes of non-ECC RAM, etc. I’m sure storage guys are having a coronary after reading that, but it works for me and has minimal issues, since I just need relatively redundant bulk storage and it doesn’t need to be fast (the ethernet connection is only 100M).
Jan. 11, 2014
I am an absolutely huge fan of statistical and instrumentation data, especially when it comes to traffic analysis, visualization and baselining. I’ve rambled on about the importance of it at every opportunity. As a result of that, I have been doing work with netflow and netflow-like data for a fairly long time. My first collector was the OSU Flow tools based stuff back around 13 years ago. From there I played with all kinds of netflow tools, both commercial and open source, finally settling most of my focus on nfdump and nfsen.
Aug. 7, 2013
Working on some MX series routers recently I encountered a problem I’d never seen before, essentially preventing the configuration from being committed: buraglio@rtr# commit check re0: error: could not open configuration database (juniper.data+) This is a very annoying problem and is terribly inconvenient, as you can probably imagine. So, my first instinct was to drop down to the shell and start hacking at it UNIX style. buraglio@rtr>start shell From there I wanted to see the file system and check out the stats of what it thinks we have.
Jul. 5, 2013
I had the need to build a FlowVisor instance under CentOS. Since nearly all of the docs I could find were for Debian, I threw this together. I utilized this GENI doc and the GitHub docs as a simple reference. This is the quick and dirty method I used: Install the prerequisites: sudo yum -y install ant eclipse java-1.6.0-openjdk.x86_64 git sudo yum -y groupinstall “Development Tools” Create my standard directories: mkdir /services cd /services git clone git://github.
Jun. 30, 2013
One of my biggest complaints about VMware is that it is an enterprise application. It has historically catered to the masses, which I completely understand, but those of us that aren’t a fortune 500 company are figuratively and operationally shoved into a corner and forced to find hackish ways of doing things to work around the enterprise nature. One really, really good example of this is OS dependency. I hated architecture dependencies back in the old days (x86, SPARC, PPC) and I absolutely despise things that are OS platform dependent now.
Jun. 22, 2013
As much as I like to think I automate everything, I’m pretty bad at writing code to make my life easier, since it tends to take me longer to write the code and it tends to make me a bit grumpy (this is something I’m fixing by learning as much code dev as I can during my limited spare time). However, I like to think I can be fairly smart about working around my limited programming skills (think Boba Fett rather than Jedi) by using the tools available to common folk.
May. 3, 2013
Jon Langemak has a great write up on building the OpenDaylight controller under CentOS. Since I’ll have to do this a bunch of times, I thought I’d take what he so generously put online and build a very rudimentary script for deploying ODC under CentOS. The prerequisites are that you already have an account and ssh key at the OpenDaylight Git repo and that you disable SELinux. Here is the script: #!
Apr. 25, 2013
I had been working, off and on, on a how-to for building the OpenDaylight OpenFlow controller under CentOS. Most OpenFlow docs and dev are done under Ubuntu or Debian, and while those are both fantastic alternatives, there are a huge number of folks that will want or need to use RHEL or CentOS. So, seeing as that is the case, having someone be mindful of that is important. When I saw the write up by Jon Langemak, I scrapped my attempt at a how-to since his was so much better.
Mar. 1, 2013
I am a network engineer by profession, but with the proliferation of SDN and OpenFlow, I have had to spend a lot of time re-learning a lot of system admin skills that I’d shelved years ago. Now, I’ve been a virtualization user forever. From VMware (Fusion, ESX) and VirtualBox to Parallels, I’ve used them at least in testing if not in production environments. I’d not really spent any mentionable amount of time with Xen, QEMU or KVM, but some projects I was working on suggested it for the virtualization mechanism, so I figured I’d try to pick it up.
Feb. 15, 2013
It’s no secret that I’m a fan of the model Arista Networks is using to make gear and provide innovative services and products. In my opinion, they’re changing the landscape of campus and data center networking gear. I’m always a fan of the little guy trying to change the world and this falls under that category. For those that don’t know, Arista Networks is a “hardware” networking company that is using merchant silicon wrapped in their custom linux based operating system (which is very much like IOS).
Feb. 4, 2013
A bit of back history: I came from BSD land. I was a FreeBSD user from way back in the 1990s. BSD land is a land of secure boxes and very high uptimes. It’s also a land of arguably clunky package support, a lot of compiling by hand and these days, not nearly as encompassing package and network tuning support. I decided to move to Linux a while ago, reluctantly, and chose Debian as my flavor of choice.
Jan. 31, 2013
Starting from a base CentOS system with nothing configured, and referencing the CentOS wiki, here is how I like to set up a headless VirtualBox environment: Disable SELinux. It’s overly cumbersome and is enabled by default in CentOS. I like to permanently disable it even though the default is permissive. I ride the edge, I know. vi /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled Then reboot. Using the methodology I originally found here, I like to install the EPEL repo using this method: cat <<EOM >/etc/yum.
Jan. 24, 2013
If you are running a network and aren’t using RANCID, you should give it a serious look. RANCID is a cross platform configuration management toolkit for backing up router configurations and certain environmental and hardware information into version control. It’s been around for as long as I can remember and supports nearly every platform I can think of, including a few modules that I cobbled together myself. There are a few nice web based front ends for CVS and SVN; I prefer to use ViewVC because I have a lot of experience with it. However, there may be cases where a web server isn’t a good option, is unavailable or is just too much work.
Jan. 4, 2013
It’s always annoying to me, being a convert from *BSD to Linux, that tools like dig and host aren’t in the minimal base install. I realise that this makes me somewhat of a hypocrite, as I prefer an additive system rather than a subtractive base OS. Nevertheless, I’m continually surprised that “host” isn’t available after installing a minimal CentOS system without adding an additional package. So, since I always forget, here is a quick blog post to remind me and any other converts how to install those tools: yum -y install bind-utils That’s it.
Dec. 15, 2012
Securing SSH is a form of art. It’s often debated, much like blocking all ICMP packets (which I normally disagree with). If you need good proof, read these posts by Bob Plankers. There is a camp that likes to promote moving to a non-standard port. There is a faction that likes to block it completely except from a handful of hosts. Then there are those that like to leave it open altogether.
Dec. 2, 2012
For a long time I ran a blog called tech.buraglio.com that was a self hosted wordpress site. After having kids and getting a bit busier at work, I decided to move everything that I had been hosting (images, scripts, hacks, blogs and DNS) to “the cloud”. I managed to do this for everything but my primary DNS resolver, which I had always intended to keep, and one wordpress blog that I hosted for someone else.
Nov. 24, 2012
Recently, there was a thread over at Packet Pushers about what folks use for their daily workflow. I quickly realized that my setup is pretty simple (as I like it) and relies on a large number of terminal based tools, which makes sense since I have been a UNIX (or UNIX based) OS user since my migration from the original MacOS back in the 1990s. Anyway, since I wrote most of this up already, I thought I’d post it here:
Oct. 27, 2012
I’m an awful sysadmin. Running services permanently isn’t really my forte, I tend to lean more on the “I’ll get this proof of concept all working, prove that it works or doesn’t, then roll it on for polishing by someone else” kinda guy. That final 15% is something I’m constantly working to refine and better myself at accomplishing. I’m decent at debugging network services, and can be handy in a “oh crap, it’s down!
Nov. 6, 2011
I’ve been looking at iMessage from time to time as my schedule permits, for some reason that I can’t really explain I’m fixated on it. So, just like I did with FaceTime, I started doing network sniffing to see just what it’s doing. The results were not terribly unexpected.
iPhone.buraglio.com.53140 > st11p01st-courier143-bz.push.apple.com.5223: Flags [R], cksum 0x5ec8 (correct), seq 4109691913, win 0, length 0
14:07:51.665485 IP (tos 0x20, ttl 49, id 11699, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->8fc7)!
Oct. 4, 2011
I have recently enabled Duo Security for many of my personal services, and I can’t recommend them enough. Personal two factor authentication is very useful and really powerful. It works on my iPhone and I have yet to run into any real issues….except for one. I can’t use automation to scp or sftp anything anymore and keep my two factor auth working in a way I’m comfortable with. Enter FTPS. FTP is a terrible, yet immensely useful protocol.
Oct. 4, 2011
It’s no secret or ground breaking area to do black hole routing. ISPs and NSPs have been doing it forever as a very low cost, very scriptable and very effective way to wholesale block a layer 3 address. However, it can seem like a bit of a black box to anyone who has never done it. I recently did some work spinning this up in a good sized network where it didn’t already exist, and remembered how monumentally useful (and simple) it actually is.
Sep. 7, 2011
Google has introduced a very powerful set of Python based command line (CLI) tools called GoogleCL. This post was made using GoogleCL from my Mac. I highly recommend checking it out if you like to automate or script stuff.
Aug. 6, 2011
I've recently decided that even though I love the BSD style MacPorts system, it can be too clunky to maintain and doesn't handle dependencies as well as I'd like (much like the actual BSD ports collection). So, in doing a little looking I found that Fink is still out of date, but Homebrew is very simple and also really elegant comparatively speaking. Since Homebrew doesn't work well with other package systems installed, and I'd like to know what I had installed since this system has been in use for 2+ years, I do a list and send it to a txt file: touch ~/Documents/installed.
Jul. 30, 2011
I’m not a fan of IPv6 privacy addressing. I understand the logic behind it, I really do: obfuscate the LLADDR (MAC address) of the host in question, but I really don’t see the realistic purpose. If someone wanted to use my MAC address, what good would that really get them, unless they’re on the same layer 2 segment? More importantly, if they’re on the same layer 2 segment, they have my MAC address anyway.
Jul. 26, 2011
It looks like MacOS 10.7 (Lion) has fully functioning DHCPv6. It’s about time.
Before:
After:
pfSense setup:
Using Internet Systems Consortium DHCP Server 4.2.1-P1 as the server (on my pfSense box) I am able to get not only a privacy address (via stateless autoconfiguration) but also a normal EUI-64 address as well as an IPv6 address via DHCPv6.
I didn’t do anything except use the “Automatic” setting in the network control panel, so out of the box OSX 10.
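The two IPv6 posts above (Jul. 30 on privacy addressing, and this one on the EUI-64 versus privacy addresses the Lion box picked up) both turn on the same thing: the modified EUI-64 interface identifier is derived from the MAC, so the MAC can be read straight back out of the address. The block below is an added example, not code from either post; it derives the identifier, builds the SLAAC address for a /64, and recognises and reverses an EUI-64 identifier in any IPv6 address (a privacy address has no ff:fe marker and yields nothing). The prefix and MAC are constructed.

```python
"""Added example (not from the original posts): the MAC <-> modified EUI-64
linkage that IPv6 privacy addresses (RFC 4941) exist to hide. The /64 prefix
and MAC address used here are constructed."""
import ipaddress
from typing import Optional


def mac_to_iid(mac: str) -> bytes:
    """Modified EUI-64: split the MAC, insert ff:fe, flip the U/L bit (bit 1 of octet 0)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_address(prefix: str, mac: str) -> str:
    """The SLAAC address a host with this MAC forms in the given /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(address: str) -> Optional[str]:
    """Recover the MAC if the address carries a modified EUI-64 IID, else None."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None                      # privacy/temporary, DHCPv6 or manual IID
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    addr = eui64_address("2001:db8:1::/64", "00:1c:42:00:12:34")
    print(addr, "->", mac_from_address(addr))
    print(mac_from_address("2001:db8:1:0:1d4b:9a3e:7c21:58f0"))   # a privacy-style IID
```

The ff:fe marker is what makes an EUI-64 address recognisable from anywhere on the internet, not just on the local segment; that, rather than the MAC itself being secret, is the tracking concern privacy addresses answer. mac_from_address() on a temporary address returns None because the identifier is random and carries no marker.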
Jun. 30, 2011
I did some minor tweaking to the Alcatel-Lucent RANCID scripts and some modifications to make RANCID work under my pfSense environment (originally m0n0rancid code from John Skopis). Since I don’t really do much dev work and am not interested in maintaining a box to be an SVN server for the public, I threw it up onto Google Code. I’ll be adding a brief how-to on making RANCID work with pfSense as soon as I get some time.
Jun. 20, 2011
I’ve been a *BSD user since around 1997, when I installed NetBSD on a Mac SE/30 that I got for free. I was always intrigued with alternative operating systems like BeOS, *BSD, Plan 9 and Linux, so it made sense that I’d poke around with different systems. I’d gone back and forth from OpenBSD to FreeBSD but eventually settled on FreeBSD as my OS of choice. I ran it as a desktop before MacOS X came out and was generally happy with it.
Feb. 18, 2011
I have huge iPhoto and iTunes catalogs. This can present a problem for both loading the applications and for backup. I have learned to deal with the Application load times, but backups are very important to me.
I'd gone through the iPhoto backup process and restore more than once, and I didn't like the fact that I didn't have an offsite backup, so I paid for a flickr pro account ($24/yr, supports iPhoto export and RAW format).
Dec. 6, 2010
At the 2010 Supercomputing conference this year, one of my tasks was to get RANCID working on the Alcatel-Lucent 77xx series. For some this may have been a simple task, but for me, a self taught and inefficient programmer, it was something that took some time. The Alcatel-Lucent boxes were good performers, but their CLI is pretty awful. The prompt changes based on having unsaved configuration items, and can contain things like an asterisk.
Oct. 13, 2010
Cross posted from my personal blog since it’s a technical subject
That is the million dollar question on many phone geeks minds. The iPhone is really a love it or hate it kind of device, much like Apple stuff in general. Android, on the other hand, is still new enough that some folks are still ignoring it. Well, I wanted to know which worked better for me, and so I set out to test them both.
Sep. 6, 2010
I know this is documented elsewhere, but this was a pain for me, so I wanted to take some notes. I have several Snow Leopard (MacOS 10.6) Macs and a Netgear DNS-323. I want to mount the drive using NFS, as any good UNIX admin would. Unlike older versions of the Mac OS, NFS mounts are now handled under the Disk Utility application (which seems odd to me, but whatever). So, to make this work right I had to do the following:
Sep. 3, 2010
I knew a tool like this had to exist, but I had never needed to look in the past. While debugging an RA problem, I came upon the need to view IPv6 router advertisements. How can one do this? tcpdump? Yeah, I guess that could work. It’s almost like using a bulldozer when a wheelbarrow is all you need, though. I could use ndpmon, I suppose, but that, too, seems like overkill.
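For the wheelbarrow-sized version of the job, here is an added example (not code from the original post) that decodes a Router Advertisement (ICMPv6 type 134, RFC 4861) into the fields you actually argue about when debugging RA: hop limit, the M and O flags, router lifetime, and the prefix information, source link-layer, MTU and RDNSS options. The sample RA is constructed by hand; the listen() function at the bottom is assumed to run on Linux with CAP_NET_RAW and a raw ICMPv6 socket, which delivers the ICMPv6 message without the IPv6 header.

```python
"""Added example (not from the original post): a small IPv6 Router
Advertisement decoder. sample_ra() is a constructed message; listen() assumes
Linux, a raw ICMPv6 socket and CAP_NET_RAW."""
import ipaddress
import socket
import struct
from typing import Any, Dict


def parse_ra(msg: bytes) -> Dict[str, Any]:
    """Decode an ICMPv6 RA message (msg starts at the ICMPv6 type byte)."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", msg[4:16])
    ra: Dict[str, Any] = {
        "cur_hop_limit": hop_limit,
        "managed": bool(flags & 0x80),          # M: get addresses from DHCPv6
        "other": bool(flags & 0x40),            # O: get other config (DNS etc.) from DHCPv6
        "router_lifetime": lifetime,            # 0 means "not a default router"
        "reachable_time": reachable,
        "retrans_timer": retrans,
        "prefixes": [],
        "source_mac": None,
        "mtu": None,
        "rdnss": [],
    }
    off = 16
    while off + 2 <= len(msg):                  # options are TLVs in units of 8 bytes
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861: discard the packet
        opt = msg[off:off + olen * 8]
        if len(opt) < olen * 8:
            raise ValueError("truncated option")
        if otype == 1 and olen == 1:            # Source Link-Layer Address
            ra["source_mac"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif otype == 3 and olen == 4:          # Prefix Information
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(opt[16:32])}/{plen}",
                "on_link": bool(pflags & 0x80),      # L flag
                "autonomous": bool(pflags & 0x40),   # A flag: SLAAC permitted
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        elif otype == 5 and olen == 1:          # MTU
            ra["mtu"] = struct.unpack("!I", opt[4:8])[0]
        elif otype == 25 and olen >= 3:         # RDNSS (RFC 8106): addresses from byte 8
            for i in range(8, olen * 8, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(opt[i:i + 16])))
        off += olen * 8
    return ra


def sample_ra() -> bytes:
    """Constructed RA: hop limit 64, M=0 O=1, lifetime 1800, one /64, a MAC and an MTU."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x40, 1800, 0, 0)
    src_ll = bytes([1, 1]) + bytes.fromhex("001c4200aabb")
    pfx = (struct.pack("!BBBBII", 3, 4, 64, 0xC0, 2592000, 604800)
           + b"\x00" * 4 + ipaddress.IPv6Address("2001:db8:1::").packed)
    mtu = struct.pack("!BBHI", 5, 1, 0, 1500)
    return hdr + src_ll + pfx + mtu


def listen(iface: str) -> None:
    """Print RAs as they arrive on iface (Linux, needs CAP_NET_RAW)."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, iface.encode())
    while True:
        msg, (src, *_) = s.recvfrom(2048)
        if msg and msg[0] == 134:
            print(src, parse_ra(msg))


if __name__ == "__main__":
    print(parse_ra(sample_ra()))
```

Two things worth watching in the output: a router_lifetime of 0 with a prefix present is a router that hands out a prefix but declines to be a default gateway, and a prefix with on_link set but autonomous clear is the usual signature of a network that expects DHCPv6 rather than SLAAC. Both are easy to misread in a raw tcpdump line and obvious in the decoded dictionary.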