OpenSSH under windows 7

working remotely on Windows via Remote Desktop if you’re hanging off GPRS or 3G connectivity somewhere in the mountains (for example) isn’t optimal, and I had to access some such servers remotely. you can find cygwin useful (there’s also VanDyke V-Shell, a bit pricey and for non-commercial use). the cygwin package installs a UNIX environment, and that - yes - may include OpenSSH plus some tools (like scp for example). you just need to download it, and then run the installation, selecting cygrunsrv and openssh....

January 8, 2011 · Łukasz Bromirski

ipv6 will play with Big Orchestra

traditionally, for the last couple of years the engineering team at Cisco Poland has been taking care of securing infrastructure for Wielka Orkiestra Świątecznej Pomocy. this year i decided to launch experimental support for IPv6 - while we were not allowed to move all infrastructure to IPv6, it should be possible next year. everyone that has IPv6 access can point a browser to ipv6.wosp.org.pl. everything works based on reverse-proxy provided by Apache, FreeBSD and Cisco MCS server :)...

January 7, 2011 · Łukasz Bromirski

bgp in the lab

a long, long time ago, playing with BGP was reserved for a secret group of people who, somewhat like Lem’s Trurl and Klapaucjusz, were laughing at mere mortals but didn’t share the knowledge. then, a lot of things changed: trainings and certifications appeared, and then bootcamps and finally massive, open-for-all intro courses. and now, BGP is everywhere and is configured by anyone - you’ll find typical housewives running it as well, as without it they couldn’t upload a new contact via bluetooth, it seems....

November 21, 2010 · Łukasz Bromirski

lisp@plnog#5

i was stubborn - and while from the very first moment we’ve had a lot of challenges with the hotel infrastructure, i was able to run xTR routers during last PLNOG for LISP. no, it’s not about programming Cisco routers with LISP, but about the new concept of Location/ID Split, which enables you to treat traffic engineering in the internet differently. in short - we still serve traffic like we always did (backward compatibility), but by assigning users and companies IPv4 and IPv6 addressing from special pools, we can treat this traffic in a different manner....

October 24, 2010 · Łukasz Bromirski

flexible netflow in service of statistics

if you’re peering with somebody else using one of the available IXPs, prediction of traffic flow changes and optimization of paid services is crucial for proper traffic engineering. one of the more popular and easier tools that is able to visualize traffic exchanged between ASes is AS-Stats. to do its work properly, AS-Stats needs a proper link definition in the knownlinks file. NetFlow probes exported to collector will contain only the id and AS-Stats needs to match it....

September 19, 2010 · Łukasz Bromirski

pf_ring, 32 thousand rules and Intel X520

it seems that more and more things are landing in our homes. a couple of people that created the nTop project, in cooperation with Intel, built a device driver for Linux that can forward traffic using Intel X520 directly with 32 thousand rules applied. 32 thousand is quite a number to serve real-life aggregation or core router, but at the same time it’s more than needed to serve as home firewall. similar things were done in the past in NVidia nForce chipset....

September 4, 2010 · Łukasz Bromirski

gigabits per second thanks to GPU

I wrote about such ideas over two years ago. it seems the concept of offloading packet forwarding from CPU to GPU may have some merits, and if you’re interested in that - take a look at packetshader. however, the hardware config needed to achieve that kind of performance feat is still quite expensive. it demonstrates, however, that GPU, next to FPGA experiments, can also be a viable way of doing high-performance packet forwarding/routing based on PCs....

August 23, 2010 · Łukasz Bromirski

ipv6 - baby steps

everybody talks about IPv6 and still too few of us take it seriously. on the Polish mailing list dedicated to implementing IPv6 we get a steady series of IPv6 prefix announcements, but the number of real services available over this protocol is low. as a proof of concept for upcoming PLNOG, I just launched full network stack (Cisco 7200VXR with NPE-G1, ASA 5500-X, Catalyst 3750) and service (FreeBSD) for dual stack operation. IPv6 should be preferred, and while there are still some things to tune down (like for example, DNS resolver in Windows XP), it should work....

August 21, 2010 · Łukasz Bromirski

1941w and its configuration...

…doesn’t have to be totally banal. it’s much more performant (300kpps, around the NPE300 performance from 7200!), so i upgraded my home 1803w to 1941w. as there are no readily available examples for complete config of the router (wired + WLAN), I decided to take matters into my own hands and produce some examples. you may find them here.

June 29, 2010 · Łukasz Bromirski

after plnog #4

plnog, plnog and… gone. it looks like we have actually grown into the most serious and largest independent conference dedicated to people working on service provider networks in Poland - though I’m not going to fight anyone on the number of participants, this additional 100 people on each subsequent edition of PLNOG (we counted 395 participants this time!) speaks for itself. to the point that I’ve met many people for the first time in my life :)...

March 6, 2010 · Łukasz Bromirski

interesting...

…tool for documenting and mapping networks. also, a short piece on deconfliction. Google to enlist NSA to help in the cyberdefence, and a short brief on efficient meetings from a great blog (read it!). winter break… aaand it’s gone.

February 6, 2010 · Łukasz Bromirski

ipv6 for christmas

there’s really almost nothing simpler than starting to use IPv6. first of all, all major OSes support IPv6 today. most of them are running it out of the box. second of all, tunnel brokers are available everywhere, so while i haven’t had luck with sixxs (they didn’t respond after weeks of waiting), using Hurricane Electric was easy and took like seconds. a friendly “wizard” will walk you through and then even show an example of configuration for your device....

December 24, 2009 · Łukasz Bromirski

openbsd network stack...

…as described by Claudio Jeker during last AsiaBSDCon can be found here and here for whitepaper. Henning Brauer, on the other hand, gave a very good session on packet filtering and the OpenBSD network stack in general during DC BSDCon 2009. video can be found here and slides here.

April 19, 2009 · Łukasz Bromirski

ccie service provider

i came back yesterday from Brussels and today at 5:30am the verdict came in - definitely “PASS” :) so… let me share some advice and tips for those of you preparing to take CCIE SP practical exam (without breaking NDA of course). first of all - if you have that luxury of training on any software version - please try to check with the current Cisco page and align. software is quite “specific”, and you may be hit with interesting behavior that may be a little bit different from mainline versions....

February 10, 2009 · Łukasz Bromirski

10Gbps... and so on

on the network throughput front, we’re fighting (albeit in distributed manner) for getting throughput from commodity PC hardware on par with dedicated, hardware routing platforms, with OSes like Linux and BSD. to that end, a recent document published after the last Linux Congress in Hamburg shows that while it’s important to select proper multi-core CPU and motherboard to do fast traffic forwarding, we’re still hitting a bottleneck at around 1Mpps. curiously enough, on one of the slides you can spot information that large FIB in Linux doesn’t impact performance too much....

December 17, 2008 · Łukasz Bromirski

BGP Blackholing PL

for all those of you concerned with the vanishing of the BGP blackholing PL project page - please calm down. we’re moving. current page is here. in other news, i’ll host a discussion panel at the upcoming PLNOG 2009. we’ll touch on blackholing and other best practices to increase security of internet infrastructure. i’ll be joined by Konrad Plich from TP SA and Polish CERT representatives.

December 13, 2008 · Łukasz Bromirski

plnog.pl

in a month from now, we’ll be launching the first edition of PLNOG conference. we’re working to deliver a lot of interesting sessions. apart from many presenters from abroad, we’ll also host our own, Polish specialists. you’ll have a chance to meet Wojtek Apel (3S), Tomasz Paszkowski (nasza-klasa.pl) and Marcin Mazurek (Allegro.pl). somewhere in the agenda there’s also my session about MPLS Traffic Engineering. before that, on Saturday and Sunday, I’ll deliver hands-on workshops on BGP and MPLS....

August 20, 2008 · Łukasz Bromirski

conferences, conferences...

summer holidays are in full swing - starting from 26th of July i’ll be running Cisco Academy courses at PROIDEA for CCNP. everyone who’s eager to have a good time learning and discussing technologies (way outside of official curriculum) should immediately contact academy reception. independently of that, we have two large conferences coming. at Cisco Expo 2008 i will deliver sessions on network architecture that minimizes the chances of becoming a victim of a DDoS attack and becoming part of botnet....

July 25, 2008 · Łukasz Bromirski

DDoS attacks

my article on defending networks from DDoS attacks was just published in online version of NetWorld magazine.

April 26, 2008 · Łukasz Bromirski

CONFidence 2008

during upcoming CONFidence 2008 conference, i’ll be delivering hands-on workshop about Cisco router security. of course you’re more than welcome :) video recording from SecureCON 2007 was published here.

April 12, 2008 · Łukasz Bromirski

Cisco Expo 2007

we just finished Cisco Expo, and there’s a lot of feedback and comments all around the internet - on ccie.pl or for example at barni.LOG. next week i should be able to present at SecureCON (well, if this time i’ll be able to get there in the first place :) ). i’ll be delivering a session about attacking and defending computer networks.

October 11, 2007 · Łukasz Bromirski

conferences, conferences

i’ll be presenting soon at the following events: Noc Linuksozerców in Kraków, 25-26 February; FreeCON 2006 in Wrocław, 22-23 April; CONFidence 2006 in Kraków, 13-14 May. if you’d like to hear something specific during the sessions with regards to routing or security, please send me an email.

January 28, 2006 · Łukasz Bromirski

VoIP telephony

for all of those that are starting to make first steps with VoIP, or believe they know everything - i’d like to highly recommend my father’s book that was just published via BTC publishing house. it covers both H.323 and SIP protocols, along with all auxiliary topics - like integration, and signaling over middleboxes like packet filters and stateful firewalls: Telefonia VoIP. Multimedialne sieci IP, Marek Bromirski, ISBN: 83-60233-07-1

January 20, 2006 · Łukasz Bromirski

83.0.0.0/11 TPNET AS5617

IANA announced on 3rd of November that it passed control of 80/8, 81/8, 82/8, 83/8 and 84/8 over to RIPE. that’s nice, but the problem is that lazy network and security admins obviously didn’t yet update their ACLs and firewall rules, which means new Neostrada+ TP S.A. users have problems reaching anything in the internet from 83.0.0.0/11 address space. do your job, admins! missing such an announcement for over 90 days doesn’t look good!...

December 17, 2003 · Łukasz Bromirski