PRISM, NSA, wiretapping, catharsis and ultimately - dream utopia

for a moment, let’s assume those are rumblings of a man worn out by pulling a couple of all-nighters in a row. we have to assume that security intelligence services will want to listen to everything and everywhere. that includes NSA sniffing all traffic in major interconnection points at largest service providers. and, obviously - we don’t like it. why can’t we get back to original idea, that all point to point communication should be protected by IPsec (ALL COMMUNICATION)....

June 23, 2013 · Łukasz Bromirski

Aegis at UW

Maciej Broniarz invited us to take part in a new security-focused conference. Aegis (just like Aegis - American integrated naval weapons system) will take place on 2nd and 3rd July at University of Warsaw. i hope that most of you will decide to take part in it, as judging from agenda. together with Maciej we’d like to also have a panel on DDoS attacks, and then we’ll deliver session together - ‘security by duct tape’....

June 19, 2013 · Łukasz Bromirski

red eagles...

…a book by Steve Davies is a very interesting coverage of USA pilots testing Russian Soviet-era MiG 15s, 17s, 19s, 21s and 23s at Tonopah range. the same that was used to test Lockheed F-117 and launch to simulated sorties with F-4, F-14, F-15, F-16 and F-18s coming in from Nellis AFB as part of Top Gun training. there’s next book on the same topic waiting for me in stack. recently, i was digging through a lot of air combat material, mainly because of getting hold of Osprey Combat Aircraft series....

June 2, 2013 · Łukasz Bromirski

things tiger dreams are made of

you could meet me sometimes during late night hours on Call of Duty Modern Warfare 2 multiplayer servers. now, i decided to change environment a bit and return to love of my life - flight simulators. i dusted off CD with Microprose Falcon 4.0 and i’m downloading BMS patches while reading about Allied Force (CD is already on my way from one of the Amazon warehouses). i’m still using Saitek Fly 5 but if i’ll be able to find more time to fly - there are couple of better sticks out there....

April 30, 2013 · Łukasz Bromirski

when GUI export fails...

…you have to get back to good old CLI. i’m trying to export VM from very remote VMware vSphere 5.1 to OVA. unfortunately, packing 40GB is apparently not easy, as the whole process fails at different stages with error called by VMware simply timeout (yeah, kudos for brevity). so you have to enable SSH and then copy whole directory with SCP. for optimal transfer from remote location it makes sense to use additional parameters: -C and -o CompressionLevel=9 to get locally fully functional and packed OVA:

    scp -C -o CompressionLevel=9 xyz@zdalne_IP:/vmfs/volumes/very-long-uuid-string/vm_name/\* ....

April 6, 2013 · Łukasz Bromirski

IP network security

next thursday, april 11th, i’ll be visiting Warsaw University on invitation from Maciej Broniarz to have a chat about security from service provider point of view. note it will be mechanism and best practice related talk, not vendor pitch. i’ll mention blackholing as well ;) i may have some gadgets and freebies to give away - so please prepare good questions and see you there!

April 3, 2013 · Łukasz Bromirski

DDoSes

last CloudFlare DDoS demonstrated, that 300Gbps is no longer some magic barrier for attackers. given such throughput, you can easily drop country like Poland from Internet. of course, immediately such concepts like ‘critical infrastructure’, country financial stability come to mind. i’ll be one of the panelists of RIPE 66 meeting dedicated to BCP 38. it’s one of the things (implementing BCP38!) that you just have to do, to make sure internet is safer....

March 28, 2013 · Łukasz Bromirski

linux and routing

i’ve just stumbled upon this gem - it’s hard to find these days such well aggregated and summarized information.

February 25, 2013 · Łukasz Bromirski

PLNOG #10

as you probably know already, next, jubilee edition of PLNOG is just around the corner. apart from stand and presentations, we’ll be there with extended team to discuss our new products and solutions. and traditionally, we’ll also conduct couple of workshops for people interested in Cisco solutions:

- Advanced BGP workshops
- Deploying IPv6
- MPLS basics

one novelty we’ll offer is first of a kind offering in Poland - service provider design workshop....

January 18, 2013 · Łukasz Bromirski

"i don't understant, but will critize anyway"...

i’ve stumbled upon an article of Michael Leonard from Juniper. he decided to take a stab at LISP. i usually call such articles with the title of this post, and the article mentioned is all about it. while we’re discussing in open forums with engineers and architects from Juniper, and in most of them we actually do cooperate - including in LISP, which author doesn’t seem to even know about - it’s sad to look at people who believe attacking competition is everything they should do in life....

January 13, 2013 · Łukasz Bromirski

ITU and internet

it seems that EU has made a reasonable choice to oppose ITU’s taking control over internet. consequences of handing over real control over future of internet to entity that’s slowly sliding into oblivion and has hardly any real influence on the development of technology are not hard to imagine.

November 24, 2012 · Łukasz Bromirski

curiosity@mars

amazing sweet photo. you can watch this until you drop dead, looking for all details. and this landscape in the background…

November 3, 2012 · Łukasz Bromirski

IOS shell

if you haven’t noticed by now, in the IOS 15M line we introduced IOS shell. firing it up is just as easy as doing:

    C2#conf t
    C2(config)#shell processing full

now you have new, UNIX-like commands and options to chain them, including nested grep.

    C2#sh running-config | wc -l
    163
    C2#sh running-config | grep ip | grep 2001
    ipv6 address 2001:DB8:10::10:254/64
    ipv6 route ::/0 2001:DB8:10::10:1

if you by now are a fan of such capabilities, having been working with IOS XR - it’s a nice touch :)

October 29, 2012 · Łukasz Bromirski

Cisco SECURE - 22/23 november

we’re back with Cisco security focused conference in the fall. during Cisco SECURE 2012 we’ll try to demonstrate you the whole security architecture. during two full days of presentations, we’ll try to showcase you all interesting bits and pieces from our portfolio. we already have agenda up, and i’ll be happy to present along Gaweł our security solutions for cloud and data centers - including CSR 1000v, ASAv and other interesting products....

September 23, 2012 · Łukasz Bromirski

hardware and software integration...

…how tightly coupled should it be? i can’t help to think about it. i’m writing this post on construction that was defended to his last days by Steve Jobs. according to his belief, only software tightly integrated with software can be effective and predictable. independently of what Steve believed, there are other examples of such thinking in the world. let’s take for an example company i work for - Cisco. most of our solutions are based on software integrated with hardware without ability to add questionable “apps” to the mix....

September 10, 2012 · Łukasz Bromirski

losing all hope was freedom

very interesting experiment (it’s worth looking at others from the series!). it basically shows how people react to very tricky move while walking freely on the street. i bet in Poland the behavior observed would be different… or maybe i’m wrong? will you try? :) (by the way, can you point to movie from which title of this post comes from without looking at google?)

July 28, 2012 · Łukasz Bromirski

network neutrality?

i highly recommend this article from Wired. while we have to live with situation where such wealthy people like Kaspersky himself can influence ITU decisions, we still can stand up and work to make internet free and independent. it’s kind of naive of course, but consequences of having too much money and power - frighten me again every day.

July 23, 2012 · Łukasz Bromirski

software defined networking or why openflow is not enough

using our new blogging platform, i just published short piece about just announced onePK. i’m watching live discussions for over two years now about network control capabilities. i was one of those distanced guys when it comes to OpenFlow “explosion” in popularity. and as time did show - I was right. today even hardware vendors suddenly slowed down a bit and distance themselves from new standard versions, and development tempo also falls down....

July 2, 2012 · Łukasz Bromirski

"...or die tryin'" or how failures help us grow

there’s a lot of wisdom in books, presentations and trainings covering “how to achieve success” (however we choose to define it). this can be applied to working with people, managing them - or companies. one of great books helps reader achieve the success by simply structuring it in a simple, three-step program:

1. decide what you want to achieve
2. prepare plan, that will help you achieving what you want
3. execute the plan

simple, isn’t it?...

June 30, 2012 · Łukasz Bromirski

switch matrixes and terabits...

i just made a short post describing a bit behavior and characteristics of new Sup720-10GE switching matrix that can be installed in Catalyst 6500 - for cisco-nsp@ folks: In old Sup720 design, the Supervisor itself is connected to the fabric using one channel. This channel is used by Hyperion ASIC to provide for bus interface, and multicast/SPAN features. Because there’s no other way to connect the uplinks on the Sup itself, the Hyperion has its interface also terminating the uplinks (2xGE) thus limiting effective throughput/etc....

June 13, 2012 · Łukasz Bromirski

spdy

interesting enhancement to transport traffic in HTTP sessions proposed by Google is starting to gain popularity and traction. while i don’t use Chrome browser, in Firefox starting from version 11 you can turn the protocol on (about:config -> network.http.spdy.enable=true). on the server side you should run mod_spdy if you’re running Apache server. it also makes sense to install Firefox extension signalling SPDY work. the end effect? SPDY gets the traffic faster (usually), as multiple sessions are initiated at the same time....

April 9, 2012 · Łukasz Bromirski

15.2(3)T is out, so is IOS-XE 3.6S

…and inside, you’ll find a lot of completely new features overall (MediaTrace 2.0, IPv6 for GETVPN data plane, new IPv6 IP SLA extensions, LISP extensions), or for the first time available on software routing platforms like ISR G2s (BGP PIC Edge and Core, BGP route-server, Multicast Live-Live). everything can be found here. simultaneously, IOS-XE 3.6S came out, along with bunch of features that are catching up with traditional IOS releases - things like CGNAT or hardware support for BFD....

April 3, 2012 · Łukasz Bromirski

ccde the way it should be :)

i’ve had an opportunity today to take the CCDE exam in London again. accompanied by two fellow SEs and one of the engineers working for Cisco Partner in Poland, we took our chances. and it’s definitely better - feedback works. out of 6 scenarios you work only with 4, split statically by 2 for before and after the lunch. questions are more to the point, and there’s less of text to look for information from....

March 29, 2012 · Łukasz Bromirski

mbuf, netmap and switching fabrics

i highly recommend reading this good article about moving network stacks forward. it’s great addendum to network hardware bible. and yes, let’s stop ACTA - we’re not deploying IPv6 just to make our governments to force upon us adoption of poor technical standards. instead of deploying IPv6, fly to stars - we’re drowning in proposals like SOPA, PIPA, ACTA and - generally speaking - attacking each other.

January 21, 2012 · Łukasz Bromirski

FreeBSD 9.0

FreeBSD 9.0 made an unannounced appearance lately. it introduces a bunch of different features, two of which are of great interest to me. firstly, we can select different mechanisms to fight traffic congestion for TCP. to do that, you need to change sysctl net.inet.tcp.cc.algorithm from the list available under net.inet.tcp.cc.available. NewRENO, the default one, works quite OK, but in some specific configurations you can select others and check if they’d behave better....

January 19, 2012 · Łukasz Bromirski

SOPA, PIPA and others...

if you visit Western portals or if you look into English-language wikipedia from time to time, you have noticed a significant protest happening today against the two legal acts US advocates want to introduce. the way it unfolds, leads to strong belief controlling everything and everything (due to - of course - money) is true goal. it presents interesting point of view in a discussion on cloud technologies and their real application - take a look here to get some feeling about scale of the games happening at an international level....

January 18, 2012 · Łukasz Bromirski

world IPv6 day...

a year ago, the idea was to test the wide range of different IPv6 implementations and solutions. this year, we’re gathering together to turn on IPv6 - in the devices, on the portals - and let it be on forever. the idea is World IPv6 launch - worth reading about and obviously joining yourself. cisco is part of the initiative and again the first vendor to join it.

January 17, 2012 · Łukasz Bromirski

simon singh

I just finished reading two books of the author mentioned in the title of the post.

- Fermat’s Last Theorem
- Code Book

highly recommend reading both of them during break from work :)

December 18, 2011 · Łukasz Bromirski

net neutrality

there’s a lot of discussions around the net neutrality, as obviously the subject is currently still pretty hot. from the one side we have enormous amount of money from advertising business, spent in interesting, devious and - tempting way. from the other side, we have the ideal information society, in which all information is free from filtering, and available for all willing to read. we point to China, Iran or Saudi Arabia as bad examples, filtering all that their citizens can view using the Internet - but we all use google....

December 13, 2011 · Łukasz Bromirski

ccde #2

I took a CCDE practical earlier today, and for the second time I’m pretty clueless how it went, however I have a strong feeling that it was similar to my first take: no go. this time I’ve spent 7 hours, not 5, to do the test, however most of the time I was trying to answer questions based on the small set of information provided. again I’m under strong feeling, that the set of information was not enough to judge on some of the questions, not to mention the effect Russ White describes as “you’d be confused for the whole time”....

October 21, 2011 · Łukasz Bromirski