Networks

…or who needs them anyway today? there’s interesting article written down by one of Google employees, that perfectly describes how ineffective today standard bodies are, and how less and less influence they have on the market. cisco decided to spearhead new solutions without waiting for multi-year discussions, true to the ‘good description and working code’ motto. if we wouldn’t be doing that, there would be no PVLANs, FabricPath (TRILL) but also protocols like LDP or HSRP/VRRP/GLBP. ...

…supports BGP and it’s already out. do you like BGP on your firewalls? i don’t. should we have the tool in hand, just in case? well, sometimes it’s handy. but going back again - do you like BGP on your firewalls? ;)

all memory and CPU related features in IPv6 world is major challenge even for modern hardware. unfortunately this is emphasized with lack of best practices followed by developers writing code. i just noticed there’s Microsoft Windows problem with IPv6 RA. it seems that actual problem is not limited only to RA, but actually - to the whole networking stack when working with link-local addresses. under Microsoft Windows code is allocating memory pretty recklessly. ...

it will be unique opportunity in Poland and in this part of Europe. with group of my dear friends and design masters - Piotr Jabłoński, Sebastian Pasternacki and Piotr Matusiak i’ll be delivering bootcamp-type of training for CCDE. we’re starting on 5th of may - and you can find more details here.

it seems that GPUs can be reasonably well tasked to handle additional work that x86 CPUs simply can’t. i’m talking about network monitoring and NetFlow processing - good reading when travelling or before sleep.

on the upcoming thursday, 10th of october at 7pm i’ll do a short talk with Maciej Broniarz from Warsaw University about security from not-so-typical point of view. please register and see you in Leon Koźmiński Academy hall.

…are better at building TCP stacks than we are. i came across the track of an interesting project - RemyCC, providing greater efficiency and at the same time a better division and lower delays (on average). it is worth to look.

for a moment, let’s assume those are rumblings of man worn out by pulling couple of all-nighters in one row. we have to assume that security intelligence services will want to listen to everything and everywhere. that includes NSA sniffing all traffic in major interconnection points at largest service providers. and, obviously - we don’t like it. why we can’t get back to original idea, that all point to point communication should be protected by IPsec (ALL COMMUNICATION). widely deployed IPv6 with devices that will support it makes this possible. the fact that nowadays even small devices can encrypt traffic at very high speeds helps. one of the less known IPsec discussions before standarization, was idea that nodes using IPsec should constantly generate traffic - but not exceeding available link bandwidth (to avoid buffer bloat). service providers generally removed data caps (apart from mobile operators - which may change after migration to LTE). our sniffers can’t record all of this traffic, and decrypting IPsec traffic is unfeasible to say the least. you can’t also selectively record, as all is encrypted. will intelligence agencies have money and power to break AES? well, not now, but let’s say it will be possible in near future. but your idle device is anyway generating gigabytes of random connections to fill up the link (of course there’s question of how analytics and statistical traffic monitoring can help select only interesting pairs, but given programmers invention i bet it’s doable with some level of effort). ...

next thursday, april 11th, i’ll be visiting Warsaw University on invitation from Maciej Broniarz to have a chat about security from service provider point of view. note it will be mechnism and best practice related talk, not vendor pitch. i’ll mention blackholing as well ;) i may have some gadgets and freebies to give away - so please prepare good questions and see you there!

last CloudFlare DDoS demonstrated, that 300Gbps is no longer some magic barrier for attackers. given such throughput, you can easily drop country like Poland from Internet. of course, immediately such concepts like ‘critical infrastructure’, country financial stability come to mind. i’ll be one of the panelists of RIPE 66 meeting dedicated to BCP 38. it’s one of the things (implementing BCP38!) that you just have to do, to make sure internet is safer. of course closing open resolvers is another one. take care of your network hygiene! and big FIBs! and 100GE interfaces! ...