openssh and keys - secure ones

somewhere around 2013 (and precisely - for ‘small’ Santa Claus, so 6th of December), OpenSSH was extended to provide a new way of storing keys. it’s important because the old format - MD5 hash - can be cracked veeeeery quickly. developers decided to use a modification of bcrypt, that will slow down GPU-assisted cracking attempts in hashcat from gigahashes per second to at most kilohashes. what do you need to do to upgrade your defenses? first of all, take care of the keys themselves. i’m using 2048 bit long RSA keys, and because some of the older equipment can’t handle more, i have to stay with that. my private key looks like this today: ...

January 8, 2017 · Łukasz Bromirski

flexible netflow and CLI - part two

some time ago i wrote a post about displaying live traffic that is going through the router. i also covered how it can be split based on autonomous system (with some sorting capabilities built in), thanks to Flexible NetFlow. recently, Flexible NetFlow was extended to use NBAR capabilities, and with that we have new options to sort traffic by application. with a slightly modified flow record snippet, we can also collect the application name: ...

February 15, 2011 · Łukasz Bromirski

flexible netflow in service of statistics

if you’re peering with somebody else using one of the available IXPs, prediction of traffic flow changes and optimization of paid services is crucial for proper traffic engineering. one of the more popular and easier tools that is able to visualize traffic exchanged between ASes is AS-Stats. to do its work properly, AS-Stats needs a proper link definition in the knownlinks file. NetFlow probes exported to the collector will contain only the id and AS-Stats needs to match it. the example file itself for my installation is simple: ...

September 19, 2010 · Łukasz Bromirski

4B ASNs, RIPE and IOS

during the previous PLNOG we had a broad discussion about the apocalyptic vision of depleting IPv4 and 2-byte space. some time ago Cisco IOS 12.4(24)T was released, and it brings the 4-byte ASN feature for ISR (1800/2800/3800) and 7200 routers. so if you’re using Cisco gear, you can request a 4-byte ASN using the RIPE form, and then advertise it properly (starting from 1st of January, 2009 RIPE will by default hand out 4-byte ASNs). i’m taking a peek into the global routing tables from time to time, while preparing for the CONFidence presentation. ...

March 13, 2009 · Łukasz Bromirski