standards...

…or who needs them anyway today? there’s an interesting article written by one of Google’s employees that perfectly describes how ineffective today’s standards bodies are, and how they have less and less influence on the market. cisco decided to spearhead new solutions without waiting for multi-year discussions, true to the ‘good description and working code’ motto. if we weren’t doing that, there would be no PVLANs, FabricPath (TRILL) but also protocols like LDP or HSRP/VRRP/GLBP....

May 22, 2014 · Łukasz Bromirski

ASA 9.2(1)

…supports BGP and it’s already out. do you like BGP on your firewalls? i don’t. should we have the tool in hand, just in case? well, sometimes it’s handy. but going back again - do you like BGP on your firewalls? ;)

April 27, 2014 · Łukasz Bromirski

ipv6... once again in bad spotlight

all memory and CPU related features in the IPv6 world are a major challenge even for modern hardware. unfortunately this is made worse by developers not following best practices when writing code. i just noticed there’s a Microsoft Windows problem with IPv6 RA. it seems that the actual problem is not limited to RA, but extends to the whole networking stack when working with link-local addresses. under Microsoft Windows the code allocates memory pretty recklessly....

April 1, 2014 · Łukasz Bromirski

CCDE bootcamp

it will be a unique opportunity in Poland and in this part of Europe. with a group of my dear friends and design masters - Piotr Jabłoński, Sebastian Pasternacki and Piotr Matusiak - i’ll be delivering a bootcamp-type training for CCDE. we’re starting on the 5th of may - and you can find more details here.

February 28, 2014 · Łukasz Bromirski

it's time for GPU in SDN

it seems that GPUs can be reasonably well tasked to handle additional work that x86 CPUs simply can’t. i’m talking about network monitoring and NetFlow processing - good reading when travelling or before sleep.

December 22, 2013 · Łukasz Bromirski

polish assembly hall and security

on the upcoming thursday, 10th of october at 7pm i’ll do a short talk with Maciej Broniarz from Warsaw University about security from a not-so-typical point of view. please register and see you in the Leon Koźmiński Academy hall.

October 6, 2013 · Łukasz Bromirski

and yet it's machines...

…are better at building TCP stacks than we are. i came across an interesting project - RemyCC, providing greater efficiency and at the same time a better division and lower delays (on average). it is worth a look.

July 20, 2013 · Łukasz Bromirski

PRISM, NSA, wiretapping, catharsis and ultimately - dream utopia

for a moment, let’s assume those are the ramblings of a man worn out by pulling a couple of all-nighters in a row. we have to assume that security intelligence services will want to listen to everything and everywhere. that includes the NSA sniffing all traffic at major interconnection points of the largest service providers. and, obviously - we don’t like it. why can’t we get back to the original idea, that all point to point communication should be protected by IPsec (ALL COMMUNICATION)....

June 23, 2013 · Łukasz Bromirski

IP network security

next thursday, april 11th, i’ll be visiting Warsaw University on invitation from Maciej Broniarz to have a chat about security from the service provider point of view. note it will be a mechanism and best practice related talk, not a vendor pitch. i’ll mention blackholing as well ;) i may have some gadgets and freebies to give away - so please prepare good questions and see you there!

April 3, 2013 · Łukasz Bromirski

DDoSes

the last CloudFlare DDoS demonstrated that 300Gbps is no longer some magic barrier for attackers. given such throughput, you can easily drop a country like Poland from the Internet. of course, concepts like ‘critical infrastructure’ and a country’s financial stability immediately come to mind. i’ll be one of the panelists at the RIPE 66 meeting dedicated to BCP 38. it’s one of the things (implementing BCP38!) that you just have to do, to make sure the internet is safer....

March 28, 2013 · Łukasz Bromirski

linux and routing

i’ve just stumbled upon this gem - it’s hard to find such well aggregated and summarized information these days.

February 25, 2013 · Łukasz Bromirski

"i don't understand, but will criticize anyway"...

i’ve stumbled upon an article by Michael Leonard from Juniper. he decided to take a stab at LISP. i usually label such articles with the title of this post, and the article mentioned is all about it. while we’re discussing in open forums with engineers and architects from Juniper, and in most of them we actually do cooperate - including in LISP, which the author doesn’t even seem to know about - it’s sad to look at people who believe attacking the competition is everything they should do in life....

January 13, 2013 · Łukasz Bromirski

ITU and internet

it seems that the EU has made a reasonable choice to oppose the ITU taking control over the internet. the consequences of handing real control over the future of the internet to an entity that’s slowly sliding into oblivion and has hardly any real influence on the development of technology are not hard to imagine.

November 24, 2012 · Łukasz Bromirski

Cisco SECURE - 22/23 november

we’re back with a Cisco security focused conference in the fall. during Cisco SECURE 2012 we’ll try to demonstrate the whole security architecture to you. during two full days of presentations, we’ll try to showcase all the interesting bits and pieces from our portfolio. we already have the agenda up, and i’ll be happy to present, along with Gaweł, our security solutions for cloud and data centers - including CSR 1000v, ASAv and other interesting products....

September 23, 2012 · Łukasz Bromirski

software defined networking or why openflow is not enough

using our new blogging platform, i just published a short piece about the just announced onePK. i’ve been watching live discussions about network control capabilities for over two years now. i was one of those distanced guys when it comes to the OpenFlow “explosion” in popularity. and as time has shown - I was right. today even hardware vendors have suddenly slowed down a bit and distance themselves from new standard versions, and the development tempo is also slowing down....

July 2, 2012 · Łukasz Bromirski

switch matrixes and terabits...

i just made a short post describing a bit of the behavior and characteristics of the new Sup720-10GE switching matrix that can be installed in Catalyst 6500 - for cisco-nsp@ folks: In old Sup720 design, the Supervisor itself is connected to the fabric using one channel. This channel is used by Hyperion ASIC to provide for bus interface, and multicast/SPAN features. Because there’s no other way to connect the uplinks on the Sup itself, the Hyperion has its interface also terminating the uplinks (2xGE) thus limiting effective throughput/etc....

June 13, 2012 · Łukasz Bromirski

spdy

an interesting enhancement to transporting traffic in HTTP sessions proposed by Google is starting to gain popularity and traction. while i don’t use the Chrome browser, in Firefox starting from version 11 you can turn the protocol on (about:config -> network.http.spdy.enabled=true). on the server side you should run mod_spdy if you’re running an Apache server. it also makes sense to install a Firefox extension that signals when SPDY is in use. the end effect? SPDY gets the traffic faster (usually), as multiple sessions are initiated at the same time....

April 9, 2012 · Łukasz Bromirski

15.2(3)T is out, so is IOS-XE 3.6S

…and inside, you’ll find a lot of completely new features overall (MediaTrace 2.0, IPv6 for GETVPN data plane, new IPv6 IP SLA extensions, LISP extensions), or features available for the first time on software routing platforms like ISR G2s (BGP PIC Edge and Core, BGP route-server, Multicast Live-Live). everything can be found here. simultaneously, IOS-XE 3.6S came out, along with a bunch of features that are catching up with traditional IOS releases - things like CGNAT or hardware support for BFD....

April 3, 2012 · Łukasz Bromirski

mbuf, netmap and switching fabrics

i highly recommend reading this good article about moving network stacks forward. it’s a great addendum to the network hardware bible. and yes, let’s stop ACTA - we’re not deploying IPv6 just to have our governments force the adoption of poor technical standards upon us. instead of deploying IPv6 and flying to the stars, we’re drowning in proposals like SOPA, PIPA, ACTA and - generally speaking - attacking each other.

January 21, 2012 · Łukasz Bromirski

FreeBSD 9.0

FreeBSD 9.0 made an unannounced appearance lately. it introduces a bunch of different features, two of which are of great interest to me. firstly, we can select different mechanisms to fight traffic congestion for TCP. to do that, you need to set sysctl net.inet.tcp.cc.algorithm to one of the algorithms listed under net.inet.tcp.cc.available. NewRENO, the default one, works quite OK, but in some specific configurations you can select others and check if they’d behave better....

January 19, 2012 · Łukasz Bromirski

SOPA, PIPA and others...

if you visit Western portals or if you look into the English-language wikipedia from time to time, you have noticed a significant protest happening today against the two legal acts US advocates want to introduce. the way it unfolds leads to a strong belief that controlling everything and everyone (due to - of course - money) is the true goal. it presents an interesting point of view in a discussion on cloud technologies and their real application - take a look here to get some feeling about the scale of the games happening at an international level....

January 18, 2012 · Łukasz Bromirski

books for summer holidays

all interesting and worth reading. as usual during summer holidays i’ve tried to catch up with my reading queue - it’s been an interesting two weeks:

- rework - great book for every company owner and destined for big things - previous version of the book - getting real can be read online
- managing humans - by the author of the Rands in Repose blog; a lot of useful observations and tips for dealing with humans in the IT world; you can however skip being geek - most of the content can be found either in ‘managing humans’ or in the blog;
- Stephen Grey’s Operation Snakebite, Gregory Feifer’s The Great Gamble, Doug Beattie’s Task Force Helmand and finally Bing West’s No True Glory - a bunch of good books about Iraq and Afghanistan; it’s unbelievable how people tend to make the same mistakes even when previous generations documented them very clearly;
- Metro 2033 and Metro 2034 - great reading, each of them took me just one day and night;
- Scott Berkun’s Myths of Innovation - wonderful;
- Born Standing Up - Steve Martin’s biography, tells a compelling story about Steve himself, but also about the world and America;
- Richard Wiseman’s 59 seconds - very practical book worth reading and applying to your daily routines - follow up can be found on the You’re not so smart blog;

well....

August 14, 2011 · Łukasz Bromirski

we, 2001:420:80:1:c:15c0:d06:f00d

“Cisco eats its own dog food” or as you may elite-write-it: c15c0 d06 f00d. we announced participation in ISOC IPv6 day as the first vendor. some parts of our infrastructure serve IPv6 natively, but that’s a great opportunity to test it at scale - including hardware and software for systems that are used for our internal and Customer services. among other things we’re testing AnyConnect 3.0 with native IPv6 support (public version is going to be available in a couple of months), ACE 3....

June 8, 2011 · Łukasz Bromirski

10GE at home

as you can see, the 1GE share in the overall switching market started to rise only recently (mainly thanks to cheap NICs and onboard integrations done by Realtek, Marvell, Broadcom and Intel). on the other hand, hunger for bandwidth grows as well - full HD movies from a NAS need a lot of it, and if you’re planning to do something in addition to that sourced from the same NAS - it’s even worse (it seems everyone nowadays streams video content to different mobile devices around their homes over WLAN)....

April 16, 2011 · Łukasz Bromirski

flexible netflow and CLI - part two

some time ago i wrote a post about displaying live traffic that is going through the router. also, i covered how it can be split based on autonomous system (with some sorting capabilities built in), thanks to Flexible NetFlow. recently, Flexible NetFlow was extended to use NBAR capabilities, and with that we have new options to sort traffic by application. with a slightly modified flow record snippet, we can also collect the application name:...

February 15, 2011 · Łukasz Bromirski

how quick is world-wide BGP?

good people at RIPE did some testing and it turns out it’s pretty quick!

February 14, 2011 · Łukasz Bromirski

pf, altq and benefits of source code access...

…hit me again (in a positive way). i was experimenting in my lab and wanted to define a lot of queues (and i mean a lot of them) in ALTQ. unfortunately, very quickly during parsing of pf.conf pfctl barked out following information:

    pfctl: DIOCADDALTQ: Cannot allocate memory

to overcome the problem, you only need to modify those three files:

    /usr/include/altq/altq_hfsc.h
    /usr/src/sbin/pfctl/missing/altq/altq_hfsc.h
    /usr/src/sys/contrib/altq/altq/altq_hfsc.h

where #define HFSC_MAX_CLASSES 64 is defined - to requested value....

January 23, 2011 · Łukasz Bromirski

opensource & mpls

it seems Google decided to reach out to the wider community and use the freely available network stack for its own MPLS prototyping. the effect is a complete MPLS LSR prototype described during a recent NANOG 50 talk that’s also available as video. of course it’s quite interesting to see Google experimenting with that kind of solutions - maybe it will be connected to OpenFlow as a non-academic exercise? will it become a mainstay of new service provider networks?...

January 19, 2011 · Łukasz Bromirski

to queue or buffer? or not?

for some time now Jim Gettys has been writing a lot on his blog about problems caused by buffers, queues and other congestion avoidance mechanisms. you should really read about them. especially if you’re in the group that believes big buffers solve all of the problems, and dropping traffic is absolute evil. nowadays it should be treated as an absolutely normal thing - in most of the real life cases. on the upcoming, sixth PLNOG we may be able to tackle this problem (if there will be space in the agenda), and have a shot at myths and legends related to network QoS....

January 16, 2011 · Łukasz Bromirski

IPv6 for WOŚP - summary

while the experiment was a success, effects were rather modest :) during the entire 9th, if we dismiss connections from bots connecting from University of Pennsylvania (greetings!) and China (really interesting URL mangling techniques), we’ve had 20 unique users and 1145 sessions. late evening, after the grand finale, an additional 80 users visited us, and the session counter increased to over 4500. i definitely didn’t do a good job of marketing IPv6 availability for WOŚP, or IPv6 geeks were far away from the IPv6-enabled internet that day....

January 11, 2011 · Łukasz Bromirski