This week Andrew & Greg are joined Howard Marks whose abundance of commentary leads to a surfeit of opinions on the lack of anything happening at Mobile World Congress. Show Notes MWC - Wearable computing on the rise? Netflix and Comcast: Is this the first Network Neutrality domino to fall? Frontier customer complaints drop nearly 70 percent - Business - Charleston Daily Mail - West Virginia News and Sports Nearly four years after taking over Verizon’s West Virginia landline operations, Frontier Communications has expanded broadband access to roughly 176,000 households and seen consumer complaints drop by nearly 70 percent. Cars and Smartphones are not a good mix - Why your next Ford car may run on BlackBerry, not Microsoft, software

According to a report from the Bipartisan Policy Center (a Washington nonprofit group comprised of leading energy security experts), our national power grid is most definitely vulnerable to cyber attacks. Juniper’s own Nawaf Bitar, senior VP and general manager of the Security Business Unit, echoed this fact in his keynote at last week’s RSA conference in San Francisco.

 

 

In the first article of this series I mentioned from Inter AS VPN Option A only. This article will be about Option B , C and Carrier Supporting Carrier VPNs. I assume from the readers basic knowledge of these VPNs.Only design points will be highlighted here since my intended audiences are the network designers and […]

Author information

New to the OpenFlow/SDN discussions? Interested in the reality behind the ever-growing hype? Check out the OpenFlow 101 video recorded during the SDN, NFV and OpenFlow for Skeptics webinar.

  Collection of useful, relevant or just fun places on the Internets for 7th March 2014 and a bit commentary about what I’ve found interesting about them: The Definitive Guide to NSX Gateway Uses Cases – J-Net Community – I missed this earlier but it’s a good summary on NSX use cases from the launch. […]

The post Internets of Interest for 7th March 2014 appeared first on EtherealMind.

This press release from Huawei really grabbed my attention because it's an MPLS enabled router that is finger sized and built for carrier networks.

The post Response: Huawei Unveils the World’s Tiniest Atom Router appeared first on EtherealMind.

It’s always interesting to connect with enterprise security experts and IT peers alike. Last week was no exception at RSA 2014 when I was invited to join a panel discussion hosted by Trusted Computing Group and moderated by security expert Victor Wheatman. 

If you’re like me and work in high tech, explaining what you do to your non-high-tech friends and family can be a daunting task. And if you happen to work in IT or, say, for a networking and security company, the task can sometimes feel like mission impossible.

 

For months, I’ve tried to explain to my kids what I do for a living. Not only am I a hard-to-define marketing professional in the security industry, but I’m also competing against their friends’ parents whose professions are the less vague variety—like police officer, firefighter, teacher. Try as I might to describe the important role I play in their ever connected lives, I can’t seem to win against the Apple parents who arrive home with new iPads or iPhones. No, really. I live in Silicon Valley and we really do have those Apple parents in our schools!

 

So, you may be wondering, what changed on Monday, February 24?

 

The long and short of it: everything.

A common complaint about vendor certifications is that they don't prepare you for the real world. Well of course not. Neither did high school or college. And thinking about it, my University education wasn't much better.

The post Rant: Certification and Training Does Prepare You for the Real World appeared first on EtherealMind.

Dual 100G interface and 24 MILLION flow table entries for Open vSwitch ? And flow setup rates to match.

The post Response: Netronome 100GE Cards Target SDN | EE Times appeared first on EtherealMind.

Scary thought isn’t it? But it is a real danger facing the UK and its citizens and it’s taken as seriously by government agencies as conventional terrorism.

If you plan to attend the Troopers 2014 conference in two weeks, don’t forget to include my full-day SDN workshop on Tuesday in your agenda (the Troopers conference is sold out, but you can still register for the workshop). The topics of the workshop will include:

• Why do we need SDN and what is it?
• OpenFlow, its advantages, drawbacks and scalability challenges;
• Typical OpenFlow and SDN deployment considerations;
• Real-life SDN use cases, both OpenFlow- and non-OpenFlow ones;
• Network function virtualization;
• Software-defined data centers.

For more details, check out the workshop description; for other SDN-related materials visit my SDN Resources page.

(With the usual caveats that I am just a hick from Colorado, I don't know what I'm talking about, etc.)

I just read Pete Welcher's superb series on NSX, DFA, ACI, and other SDN stuff on the Chesapeake Netcraftsmen blog, and it helped me think more clearly about a problem that's been bothering me for a long time: how do we do realistically scalable packet capture in networks that make extensive use of ECMP and/or tunnels? Here's a sample network that Pete used:






Conventionally, we place packet capture devices at choke points in the network. But in medium-to-large data center designs, one of the main goals is to eliminate choke points: if we assume this is a relatively small standard ECMP leaf-spine design, each of the leaf switches has four equal-cost routed paths through the spine switches, and each spine switch has at least as many downlinks as there are leaf switches. The hypervisors each have two physical paths to the leaf switches, and in a high-density virtualization design we probably don't have a very good idea of what VM resides on what hypervisor at any point in time.

Now, add to that the tunneling features present in hypervisor-centric network virtualization schemes: traffic between two VMs attached to different hypervisors is tunneled inside VXLAN, GRE, or STT packets, depending on how you have things set up. The source and destination IP addresses of the "outer" hypervisor-to-hypervisor packet are not the sample as the "inner" VM-to-VM addresses, and presumably it's the latter that interest us. Thus, it's hard to even figure out which packets to capture. If we capture all of them (hard at any kind of scale; good 10G line-rate capture is still expensive and troublesome), we still have to filter for the inner tunnel headers to figure out what we're looking at.

What can we do? I see a few options:

1. Put a huge mirror/tap switch between the leaf and spine. Gigamon makes some big ones, with up to 64 x 40GE ports or 256 x 10GE ports. When you max those out, start putting them at the end of each row. They advertise the ability to pop all kinds of different tunnel headers in hardware, along with lots of cool filtering and load-balancing capabilities.
2. Buy or roll-your-own rack-mount packet capture appliances on commodity hardware, and run ad hoc SPAN sessions to them from the leaf switches.
3. Install hypervisor-based packet capture VMs on all your hypervisors and capture from promiscuous mode vSwitches. There are lots of commercial solutions here, or you could roll your own.
4. Make sure Wireshark, tshark, or tcpdump is installed on every VM.
5. Give up on intra-DC capture and focus only at the ingress/egress points.

Option 1 is the only one that really confronts both the network diversity and tunnel encapsulation head-on. Those boxes and their administrative overhead don't come cheap, but today this is probably the most fiddle-free option. The other options require a lot of customization and manual intervention that may or may not interfere with change-control procedures, and don't provide obvious solutions for de-obfuscating the tunneled traffic. Option 2 also suffers from serious scalability problems in ECMP designs. Option 5 just avoids the problem, but might work for some people.

However, the whole point of these designs is "SDN". What I *hope* is going to happen as SDN controllers start to become available is that the controller will be sufficiently aware of VM location that it can instruct the appropriate vSwitch OR leaf-switch OR spine switch to copy packets that meet a certain set of criteria to a particular destination port. Call it super-SPAN (can you tell I'm not headed for a new career in product naming?). It would be nice to be able to define the copied packets in different ways:

• Conventional L3/L4 5-tuple. This would be nice because it could be informed by NetFlow/IPFIX data, without the need for DPI on the flow-exporter.
• VM DNS name, port profile, or parent hypervisor.
• QoS class.
• "Application profile" -- it remains to be seen exactly what this means, but this is one of those SDN holy-grail things that allows more granular definition of traffic types.

Finally, it would be nice if the controller was smart enough to be able to load-balance the copied packets when necessary, so that the same capture target sees both sides of a given flow.

Again, I know nothing about plans for this stuff from any vendor. But I hope the powers-that-be in the SDN/etc world are thinking about at least some of these kinds of capabilities.

And... about the time they get that all figured out, we'll have to be dealing with a bunch of that traffic being encrypted between VMs or hypervisors...

As someone who knows that Amazon AWS is a really expensive method of buying compute & storage, I was much amused by the following slides from a presentation by Terry Wise, Director, Worldwide Partner Ecosystem during a recent conference. You might enjoy a good laugh too.

The post High Margin Business appeared first on EtherealMind.

The status quo approach to Networking is the biggest barrier to realizing the full potential of Virtualization and the private, public, or hybrid cloud.  We must re-think how Networking *Services* are delivered, in a way that comports with automation, decoupling, pooling, and abstractions.  I would argue, the solution is a more software-centric approach — Network […]

An increase in credit and debit card theft via Point of Sale (PoS) malware campaigns over the late 2013 holiday season has resulted in significant media attention and has likely emboldened threat actors as the success of past campaigns comes to light. Media attention has decreased since news of the Target breach and associated fallout, however threat actors targeting PoS systems are still engaged in active attacks.

Point of Sale Malware Overview

Certain malware, such as Dexter, Project Hook, Alina, ChewBacca, JackPoS and VSkimmer have been written specifically to compromise Point of Sale machines. Other malware not designed specifically for PoS attack, such as ever-popular Citadel, has the capability to exfiltrate data from the target organization. In short, any system that contains credit/debit card data in any clear-text form in memory or on disk or sends clear-text card data over the network is potentially at risk regardless of whether that machine is a PoS terminal or not.

In addition to Alina, Chewbacca, JackPoS and other Point of Sale malware, ASERT continues to track the Dexter and Project Hook PoS campaings we originally reported on in December of 2013.  Indicators  suggest that Dexter Revelation may have been in existence as early as April 2013. A new ASERT threat intelligence brief sited at the end of this post provides a significant amount of updated material about Dexter and Project Hook including:

• Additional actor insight
• Reverse Engineering information
• Potentially vulnerable Point of Sale solutions
• An extensive list of file and network indicators
• An analysis of possible attack vectors
• An updated infection map
• Mitigation suggestions

This information should prove valuable for incident responders and those responsible for protecting cardholder data environments. Additionally, since many of the network and file indicators have not been previously released, these indicators may be useful for identifying environments that are already compromised. The brief also provides scripts for decoding dump files that may help incident responders determine the scope of a compromise.

The following map shows Dexter and Project Hook infections as of January 24, 2014:

Continued PoS campaign activity suggests that organizations still need to be vigilant. This new ASERT intelligence brief will help. The full document is available here.

*Author credits: Curt Wilson, Dave Loftus, and Dennis Schwarz

The Cisco Product Security Incident Response Team (PSIRT) has published five important vulnerability advisories: Cisco Prime Infrastructure Command Execution Vulnerability Unauthorized Access Vulnerability in Cisco Unified SIP Phone 3905 Multiple Vulnerabilities in Cisco IPS Software  Cisco Firewall Services Module Cut-Through Proxy Denial of Service Vulnerability Cisco UCS Director Default Credentials Vulnerability Cisco Prime Infrastructure Command Execution Vulnerability A vulnerability in Cisco Prime Infrastructure could allow an authenticated, remote attacker to execute arbitrary commands with root-level privileges. Vulnerable Products Cisco Prime Infrastructure software versions 1.2, 1.3, 1.4, and 2.0 are affected by this vulnerability. Details A vulnerability in Cisco Prime Infrastructure […]

Draco made a valid comment to my Keep Your Failure Domain Small post:

What could a small ISP do to limit failure domains? Metro Ethernet and MPLS Virtual Private LAN service are all the rage, and offers customers the promise of being able to connect all their branch offices together, and use the same set of VLANs with free Layer 2 connectivity between their sites. It's either: extend the failure domains, or lose out in selling the service, b/c the customer will buy from another ISP.

Well, your customer’s failure domain doesn’t have to be yours.

Read more ...

In short, connectivity is now commodity and it is services that are hard. Understanding this point is key to understanding the SDN market. I take the view that SDN assumes that connectivity is a cheap, low cost and low value business function.

The post Understanding SDN: Connectivity Is Commodity, Services Are Valuable appeared first on EtherealMind.

  Collection of useful, relevant or just fun places on the Internets for 4th March 2014 and a bit commentary about what I’ve found interesting about them: Meetup HQ Blog • No doubt, this has been a tough weekend for… – Meetup.com talks about their handling of a DDOS shakedown with some very good points. […]

The post Internets of Interest for 4th March 2014 appeared first on EtherealMind.

On the very same day that I published the CLI is Not the Problem post I stumbled upon an interesting discussion on the v6ops mailing list. It all started with a crazy idea to modify BGP to use 128-bit router ID to help operators that think they can manually configure large IPv6-only networks without any centralized configuration/management authority that would assign 32 bit identifiers to their routers.

The discussion quickly deteriorated into you really need a provisioning system and in one of the responses Jared Mauch provided a link to a NANOG presentation by Shawn Morris from NTT.

Read more ...

Ever wonder how Juniper SecTeam decides what signatures to write?  

 

For the signatures they do write, why do they "Recommend" some but not others?  

 

And how do they determine the severity of those signatures, anyway?

 

Find all those questions answered and more...

When you mention Google+ to people, you tend to get a very pointed reaction. Outside of a select few influencers, I have yet to hear anyone say good things about it. This opinion isn’t helped by the recent moves by Google to make Google+ the backend authentication mechanism for their services. What’s Google’s aim here?

Google+ draws immediate comparisons to Facebook. Most people will tell you that Google+ is a poor implementation of the world’s most popular social media site. I would tend to agree for a few reasons. I find it hard to filter things in Google+. The lack of a real API means that I can’t interact with it via my preferred clients. I don’t want to log into a separate web interface simply to ingest endless streams of animated GIFs with the occasional nugget of information that was likely posted somewhere else in the first place.

It’s the Apps

One thing the Google of old was very good at doing was creating applications that people needed. GMail and Google Apps are things I use daily. Youtube gets visits all the time. I still use Google Maps to look things up when I’m away from my phone. Each of these apps represent a separate development train and unique way of looking at things. They were more integrated than some of the attempts I’ve seen to tie together applications at other vendors. They were missing one thing as far as Google was concerned: you.

Google+ isn’t a social network. It’s a database. It’s an identity store that Google uses to nail down exactly who you are. Every +1 tells them something about you. However, that’s not good enough. Google can only prosper if they can refine their algorithms.  Each discrete piece of information they gather needs to be augmented by more information.  In order to do that, they need to increase their database.  That means they need to drive adoption of their social network.  But they can’t force people to use Google+, right?

That’s where the plan to integrate Google+ as the backend authentication system makes nefarious sense. They’ve already gotten you hooked on their apps. You comment on Youtube or use Maps to figure out where the nearest Starbucks already. Google wants to know that. They want to figure out how to structure AdWords to show you more ads for local coffee shops or categorize your comments on music videos to sell you Google Play music subscriptions. Above all else, they can use that information as a product to advertisers.

Build It Before They Come

It’s devilishly simple. It’s also going to be more effective than Facebook’s approach. Ask yourself this: when’s the last time you used Facebook Mail? Facebook started out with the lofty goal of gathering all the information that it could about people. Then they realized the same thing that Google did: You have to collect information on what people are using to get the whole picture. Facebook couldn’t introduce a new system, so they had to start making apps.

Except people generally look at those apps and push them to the side. Mail is a perfect example. Even when Facebook tried to force people to use it as their primary communication method their users rebelled against the idea. Now, Facebook is being railroaded into using their data store as a backend authentication mechanism for third party sites. I know you’ve seen the “log In With Facebook” buttons already. I’ve even written about it recently. You probably figured out this is going to be less successful for a singular reason: control.

Unlike Google+ and the integration will all Google apps, third parties that utilize Facebook logins can choose to restrict the information that is shared with Facebook. Given the climate of privacy in the world today, it stands to reason that people are going to start being very selective about the information that is shared with these kinds of data sinks. Thanks to the Facebook login API, a significant portion of the collected information never has to be shared back to Facebook. On the other hand, Google+ is just making a simple backend authorization. Given that they’ve turned on Google+ identities for Youtube commenting without a second though, it does make you wonder what other data their collecting without really thinking about it.

---

Tom’s Take

I don’t use Google+. I post things there via API hacks. I do it because Google as a search engine is too valuable to ignore. However, I don’t actively choose to use Google+ or any of the apps that are now integrated into it. I won’t comment on Youtube. I doubt I’ll use the Google Maps functions that are integrated into Google+. I don’t like having a half-baked social media network forced on me. I like it even less when it’s a ham-handed attempt to gather even more data on me to sell to someone willing to pay to market to me. Rather than trying to be the anti-Facebook, Google should stand up for the rights of their product…uh, I mean customers.

When Apple launched the new release of iOS last autumn, networking gurus realized the new iOS uses MP-TCP, a recent development that allows a single TCP socket (as presented to the higher layers of the application stack) to use multiple parallel TCP sessions. Does that mean we’re getting closer to fixing the TCP/IP stack?

TL&DR summary: Unfortunately not.

Read more ...

100% utilisation means that you are a traffic jam in the workflow. Don't overcommit yourself.

The post 100 Percent Utilisation and Overcommitting Yourself appeared first on EtherealMind.

Thanks to God !! Finally all the effort to be Design Expert is paid off!
I really appreciate to Himawan for his knowledge and passion about CCDE mindset, insight and learning strategy to help my CCDE journey.
They are really enlightening and accelerating.
“Learn from the best to be the best” really works for me.
Thanks Him, great to have you as my mentor!!
All the best, brother :)
(Hinwoto – CCDE #2014::4 / CCIE #15026 RS & SP)

Thanks, Hinwoto, for the kind words.
And congratulations once again for your CCDE.

I can't make anyone to pass CCDE. And I don't think anyone can give promise that he or she can make you pass CCDE exam. The only person who can make you become CCDE is yourself. I, and all other CCDE study groups, training vendors, or individuals who spend time to help others to pass CCDE, can only help with knowledge and tips to prepare for the exam. You are the one who has to push yourself to continue learning. You have to gain experience and real design skills. You are the one who will make decision to get certified or not.

I can only show you the door, Neo. You're the one that has to walk through it.

And as much as I like to see people who can pass CCDE after taking my advices or attending DEW, I would like to see more real Design Expert Warriors like Hinwoto.
Not only more certified people.

Are you ready to take the red pill?

Software Defined Everything, NFV, OpenFlow, SDDC and Orchestrators are buzz words of DC networking. An interesting point would be to check whether these proposed solutions change our understanding of DC Networks? A good analogy to start with is chassis based switches (e.g Cisco’s Cat6500, Juniper’s EX8200). Regardless of how convoluted it may seem, any networking […]

Author information

At the 2014 SC Awards, Juniper was selected as a Reader Trust award winner in the Best Cloud Computing Security Solution (Firefly Host), Best Network Access Control Solution (Unified Access Control), and Best Unified Threat Management Security Solution (SRX Series Services Gateway for the Branch) categories.

Another pretty-down-to-Earth OpenFlow use case: service insertion. “Slightly” easier than playing with VLANs or PBR (can you tell how tired I am based on the enormous length of this intro?).

The first question I tried to answer (and probably failed to) in the SDN 101 webinar was: What exactly is SDN? Is it an architecture with physically separate centralized control plane, or is it more? Does separate control plane make sense, or is it better to program distributed devices? Watch the video recorded during the live webinar session and tell me whether you agree with my answers.

Traditionally, routing protocols running on a router will perform calculations to determine the best forwarding path. The RIB with be then populated with next-hop information. Ultimately, that information will be populated into the FIB (forwarding information base), the FIB taking the guesswork of how to get to the next hop and easing CPU utilization on routers in the case of recursive lookups. But what if there's some unusual forwarding requirement you have on your network? What if you want to do influence traffic direction beyond the normal scope of your routing protocols' computations? There are a number of ways to skirt routing protocol behavior - policy based routing, for instance. But how well do these workarounds scale? And in what ways can they be automated, or react to changing circumstances on the network? There is no scalable, ready solution in this space, and this is where I2RS comes in. I2RS is an IETF draft that stands for "Interface to the Routing System." The general idea is to provide a interface that shims in between routing protocols such BGP & OSPF and the RIB (routing information base) on a router, influencing the routing table in a programmatic way. Joel Halpern, Distinguished Engineer at Ericsson and Russ White, CiscoPress author and Principal Engineer also at Ericsson have been closely tied to the development of I2RS, and join hosts Ethan Banks & Greg Ferro in this discussion about I2RS. We explore just what I2RS hopes to accomplish, the drivers for I2RS, and some potential use cases. Links I2RS Problem Statement I2RS Traceability: Framework & Model Information I2RS Protocol Independent Use Cases I2RS Topology API Use Cases RIBs & FIBs (Ivan Pepelnjak)

The “Is CLI In My Way … or a Symptom of a Bigger Problem” post generated some interesting discussions on Twitter, including this one:

One would hope that we wouldn’t have to bring up this point in 2014 … but unfortunately some $vendors still don’t get it.

Read more ...

Once I decided for the CCDE exam I was thinking it is a hard challenge but surprisingly I will say it is not as much as you think.This is good news and you started to smile ? Hope once you finished the article you continue to it     Yes it is not since I […]

Author information

We live in interesting times, as security concerns take center stage.

 

Juniper Networks' keynote, "The Next World War Will be Fought in Silicon Valley," also took center stage at the RSA conference on Tuesday morning.

 

Nawaf Bitar, SVP and GM of Juniper's Security Business Unit, drew upon emotions and history to seek inspiration and solutions to privacy and cyber threat concerns. Calling upon the security community, he hopes creativity and innovation will be the industry's form of protest.

 

Watch the keynote replay.

Jeff Behl, Chief Network Architect with LogicMonitor, is our guest author for this post. Jeff has been in the IT industry for over 20 years.  He has an extensive background on architecting enterprise networks and data centers and brings real world knowledge around network operations from start-ups to enterprise companies. These companies range from UC […]

Author information

Renesys is headed to RightsCon next week, to bring some data to the discussions around evolving Internet localization, the economics of infrastructure diversification, and the role of the private sector in strengthening and stabilizing Internet service delivery worldwide.

When we talk to our customers about Internet instability (international service providers, multinational enterprises, cloud and content providers), we hear things that suggest that the interests of digital citizens and global enterprises are (in this case, at least) strongly aligned. Outside of a few special interests, nobody profits from unstable, unreliable Internet that’s subject to arbitrary political control, throttling, and shutdowns. Disruptions in Internet service make it more expensive for our customers to reliably deliver their global services to hundreds of millions of consumers worldwide.

How resilient the Internet actually is, of course, depends on where you look. Just within the last week, bloody crises in Syria, Ukraine, and Venezuela have all created conditions under which one might expect to see Internet outages emerge — and yet, the outcomes have been very different. Syria suffered another in its sequence of near-total national outages, while Venezuela’s outages were much more limited, consisting largely of slowdowns rather than outright cutoffs. Ukraine’s Internet managed to stay almost completely intact, delivering realtime video of the Euromaidan and other protest sites to viewers around the world without interruption for weeks on end.

What explains these different Internet outcomes?

To understand why some countries’ Internet is more fragile than others, it may help to revisit the Internet structural diversity model first described in our blog from November 2012, “Could it Happen in Your Country?” Today we’ll take a look at how the world’s Internet markets have grown and diversified, and see what we can learn from the evolution of that model over the last year, looking specifically at these three conflict regions.

Review of the model

Our model is based on direct observation of each nation’s contribution to the global Internet routing table, and creating a census of various kinds of providers within each country. We classified each of the Internet’s autonomous systems as “domestic” or “international,” based on a simple test of single-country customer concentration.

We then identified each country’s set of frontier service providers: the set of domestic autonomous systems that purchase international transit services directly from foreign providers.

Because an Internet shutdown order must be applied across a range of frontier service providers, to first approximation, “more is better” when it comes to keeping the Internet connected within a country.

Over time, we predict that

• diversity will increase (that is, that more and more ISPs within each country will demand direct access to international transit providers) and that
• as a result, vulnerability to Internet shutdown will decrease worldwide.

We divide the countries of the world into four tiers:

If you have only 1 or 2 companies at your international frontier, Renesys classifies your country as being at severe risk of Internet disconnection.	Examples: Syria, Turkmenistan, Ethiopia, Uzbekistan, Myanmar, Yemen.
If you have fewer than 10 service providers at your international frontier, your country is probably exposed to some moderate to significant risk of Internet disconnection. Ten providers also seems to be the threshold below which one finds significant additional risks from infrastructure sharing — there may be a single cable, or a single physical-layer provider who actually owns most of the infrastructure on which the various providers offer their services.	Examples: Oman, Rwanda, Pakistan, Armenia.
If you have at least 10 internationally-connected service providers, but no more than 40, your risk of disconnection is fairly low. Given a determined effort, it’s plausible that the Internet could be shut down over a period of days or weeks, but it would be hard to implement and even harder to maintain that state of blackout.	Examples: Bahrain, India, Israel, Vietnam, Turkey, Mexico.
Finally, if you have more than 40 providers at your frontier, your country is likely to be extremely resistant to Internet disconnection. There are just too many paths into and out of the country, too many independent providers who would have to be coerced or damaged, to make a rapid countrywide shutdown plausible to execute. A government might significantly impair Internet connectivity by shutting down large providers, but there would still be a deep pool of persistent paths to the global Internet.	Examples: United States, Russia, Canada, France, Germany.

  

Sanity-checking the model

td { padding: 10px;}

As we reported midway through 2013, the set of observed nationwide Internet outages did appear to correspond to countries we deemed to be at higher risk. There were also surprises, which revealed additional modes of single-point failure: Bangladesh (at the time, entirely reliant on a single submarine cable landing), and Lebanon (where Ogero’s retention of control over the newly-landed IMEWE cable greatly reduced the country’s existing provider diversity).

Since then, we’ve seen additional evidence of the protective effect of national provider diversity. As we continue to tweet about nation-scale Internet outages, the “severe risk” and “moderate risk” countries continue to be overrepresented (for example, Cuba, Uzbekistan, Libya, Syria, Sierra Leone, and Central African Republic, just within the last few months).

   

Internet at Risk: Updates for 2014

First, some hopeful news.

• Eight countries grew their international frontier beyond 2 providers, graduating from “severe risk” to “significant risk:” Guyana, Ivory Coast, Guinea, Somalia, South Sudan, Libya, and (believe it or not) Vatican City. Libya and South Sudan, in particular, have done well to achieve this level of diversification in the wake of significant unrest (cf. tweets here and here). Somalia is similar to Afghanistan in some respects, gaining diversity because of its inherent decentralization; Somaliland gained better connectivity through Djibouti since 2012, independent of existing routes to Southern Somalia.
• Three countries escaped the “moderate risk of disconnection” category by growing beyond 9 providers: El Salvador, the Dominican Republic, and the Democratic Republic of the Congo (where Internet service has been relatively stable despite the spillover of violence from the Central African Republic).
• Five countries were able to pass the 40 provider mark, promoting themselves to the least-risky tier.
  • China nearly doubled its frontier set, adding internationally-connected autonomous systems in Beijing and Shanghai, as well as in Hong Kong/Shenzhen.
  • Colombia increased its frontier set by 50%, with strong growth in Bogota thanks to new transit and new foreign investment in the telecommunications industry.
  • South Africa also grew by 50%, thanks to increased availability of international services from Tata, Level3, Cogent, NTT, Telecom Italia Sparkle, and PCCW.
  • Finally, Greece and Croatia both enjoyed modest single-digit growth, reaching 43 frontier ASNs apiece.

Not all the movements were positive.

• Neighboring countries Azerbaijan and Iran both slipped back below 10 providers at the international frontier, putting them at more significant risk of disconnection. Ironically, in this case the appearance of an extremely attractive Internet connectivity option (the EPEG terrestrial cable) may have resulted in the concentration of Internet transit in the hands of the controlling provider, triggering a reduction in diversity similar to that experienced by Lebanon in 2012.
• Martinique, New Caledonia, and the British Virgin Islands slipped below 3 providers at the frontier. Small island nations consistently pose the greatest risk of being accidentally disconnected from the Internet, for obvious reasons that have little to do with politics.

Worldwide, the majority of countries (56% of the 234 we surveyed) were stable; that is, their frontier set changed by no more than a single provider up or down since November 2012. Of the remainder, advances outnumbered declines by more than 2:1, suggesting that the global Internet is, indeed, moving toward greater diversity.

Comparing Internet outcomes across conflict regions

In this light, we can compare the specific impacts of last week’s violence in Syria, Venezuela, and Ukraine on their national Internet stability.

• Syria remains mired in the “at severe risk of disconnection” category, with only 2 internationally-connected domestic providers: the Syrian Telecommunications Establishment (AS29386), and the revived Syrian Computer Society (AS24814). Despite the on-again, off-again backup connectivity to Turkish providers through Aleppo, the Syrian national internet continues to be exceptionally fragile, suffering periodic nationwide outages. By contrast, regional neighbors Jordan, Iraq, and Lebanon each have more than 10 providers at their international frontiers.
• Venezuela is in a much better position, with 23 internationally-connected domestic providers (in our “low risk of disconnection” tier). Venezuela could stand to have more international diversity, compared to neighbors Colombia (42) or Brazil (279). But the total number of pathways in and out of the country includes direct foreign connectivity for Venezuelan providers such as CANTV, Inter, Net Uno, Digitel, Dayco, IFX, and CENIT.
  

  While we have seen evidence of periodic Internet slowdowns, as well as the blocking of specific websites such as Twitter, and credible reports of regional access disruptions, we haven’t yet seen an Egyptian-style national blackout in Venezuela. The country’s financial problems may be contributing to their Internet difficulties. Incumbent CANTV has experienced loss of transit through international providers Telefonica and Verizon Business in recent months (see transit shift plot at right), which may explain some of the emerging constraints on available international bandwidth.

• Ukraine has a strong and diverse Internet frontier, with more than 200 domestic autonomous systems purchasing direct international transit (out of a total of more than 1,650 domestic ASNs). The roads and railways of Ukraine are densely threaded with tens of thousands of miles of fiberoptic cable, connecting their neighbors to the south and east (including Russia) with European Internet markets. The country has a well-developed set of at least eight regional Internet exchanges, as well as direct connections over diverse physical paths to the major Western European exchanges. At this level of maturity, our model predicts that the chances of a successful single-event Internet shutdown are extremely low. And indeed, throughout the many weeks of Euromaidan protests, Renesys saw little or no evidence of significant Internet impairment.

Summary

We acknowledge the limitations of such a simple model in predicting complex events such as Internet shutdowns. Many factors can contribute to making countries more fragile than they appear at the surface (for example, shared physical infrastructure under the control of a central authority, or the physical limitations of a few shared fiberoptic connections to distant countries).

It’s also clear that hidden central points of failure can also be introduced at entirely different “layers” of the networking stack, as demonstrated by China’s Great DNS Failure, which made large numbers of popular domains unreachable, while leaving the routing infrastructure intact.

If there is a general lesson to be learned, we suspect that the best way to protect the Internet from throttling, terrorism, and disconnection is simply to build more of it — more autonomous systems, more physically diverse routes, more cable systems, more Internet exchange points, more peering, more interconnection in more buildings in more cities, every year. It’s only when a region is starved for diverse access (rural communities in the United States) or starved for diverse international connectivity (incumbent-dominated economies in emerging markets) or designed for centralized monitoring and control (China’s Great Firewall) that the Internet remains fragile and subject to broad-scale interruption.

Facebook’s purchase of WhatsApp is a timely economic reminder that the primary sources of online consumer growth for the next 10 years will be found outside the English-speaking world. Enterprises are only now coming to terms with the challenges of maintaining connectivity to that global population, across an Internet whose paths can have highly variable (indeed, often mysterious) performance. One at a time, each of the countries of the world is finding its way toward a level of physical- and logical-level connectivity that will make Internet kill switches a dim memory from the Internet’s troubled youth.

The post Syria, Venezuela, Ukraine: Internet Under Fire appeared first on Renesys.

The final installment of DEW trilogy will happen in Jakarta, 15-16 March 2014!

After the first Design Expert Weekend in Riyadh focusing on IPv4/IPv6 Routing Design, the second DEW in Dubai for MPLS/Tunneling Design, the third and last DEW will be held in Jakarta, Indonesia, for Service Provider Design.

Please note: this is NOT a free event. I'm going to visit several universities in Indonesia to share my knowledge and experience during the same week. The profits we make from this DEW will be used to fund my trip. If you have to fly from outside Indonesia to attend this, we will provide all the food and accommodation during the weekend.

What:
Design Expert Weekend in Jakarta on 15-16 March will focus on Service Provider Design. Agenda will cover:

- Physical Network Design
- Layer 2 Design
- IGP/MPLS/BGP/Multicast as Transport
- MPLS Based Services L3VPN, L2VPN
- Internet Services
- IPTV Services
- High Availability Design
- SP QoS Design
- Security and Management
- CCDE exam tips and tricks
- CCDE sample questions and scenario to practice ability to analyze design requirements, develop network designs, implement network design, validate and optimize network design

The other two DEW are held in separate session:
DEW:Routing Design (IGP IPv4/IPv6, BGP, scaling, inter-AS, HA, and include PIM, ASM, SSM Multicast)
DEW:MPLS/Tunneling Design (MPLS L2VPN, L3VPN, inter-provider, Tunnel protection/MPLS TE, other tunnelling include IPv6 over IPv4/MPLS)

Why:
To help network engineers to gain real design skills. DEW can help with CCDE exam preparation, and beyond.
Our main goal is not to make you certified. But to give the real knowledge. The real skills. Then to be certified or not it's your decision not ours.

Who:
Any network engineers/architects who want to learn design skills can join the workshop, even we prefer you to have several years of experience working with network devices.
Himawan Nugroho will be the mentor for this DEW. He holds three CCIE#8171 in R&S, Security, SP track and CCDE#20130018. Himawan has total 14 years experience in network design, with the last 7 years working for Cisco Advanced Services as Solutions Architect. He has worked in many design projects for Cisco important customers in Asia, Europe, Middle East and Africa.

Where:
Training room in Jakarta, Indonesia.

When:
Saturday-Sunday, 15-16 March 2014 from 8 am to 5 pm.

How:
2-day workshop to discuss design aspect of Service Provider technology in detail. The class will be small (4-6 max) to ensure lots of interaction. Expect to see heavy discussion on design options for each technology covered. There will be discussion of CCDE exam tips and tricks, sample questions and scenario. Materials used for this workshop will be public material (non-NDA). Anyone who joins the workshop will be part of DEW community that will be formed as follow up after the workshop.

For anyone interested with DEW for CCDE exam preparation, it's strongly recommended to go through "CCDE Experience" slides and webex recording prior to attend the event.

There is fee to attend each DEW that will be used to cover the expenses such as meeting room, wireless Internet, lunch, coffee break, effort to build workshop material. And after all the expenses, the remaining will be used to fund my organization.

The reservation is first come, first serve.
And your seat will be guaranteed only after you have completed the payment.
There is special discount for Indonesians who are willing to join this DEW.

Please send email to info@jawdat.com to get more detail information.

When describing Hyper-V Network Virtualization packet forwarding I briefly mentioned that the hypervisor switches create (an equivalent of) a host route for every VM they need to know about, prompting some readers to question the scalability of such an approach. As it turns out, layer-3 switches did the same thing under the hood for years.

Read more ...

Let me start by laying out this disclaimer:  This is in no way intended to devalue or criticize any vendor or vendor neutral certified folks or programs. Since the mid-1990s I’ve done many certification programs. In fact, I’ve actually lost track and  I can’t even remember them all, so this is not a commentary by someone […]

Author information

. He can best be reached via email (although email RTT sometimes experiences latency) and occasionally posts stuff on twitter @buraglio

We all know what Cisco Live is, right?  Networkers?  The Cisco users’ conference?  If not, then educate yourself, friend.  It takes place every year in different parts of the world.  I try my best to go every year to the US event and am lucky to be able to go this year.  It costs a bagillion dollars and a week of my time; why am I so excited about going?  Easy answers in no particular order.

• World of Solutions :  This is the big expo where all the vendors set up their booths to show their wares.  Besides getting cool swag in exchange for a bunch of marketing, it’s a great place to find a real solution for the real problems you may have.  Just last year, I found solutions for a least 4 different problems I was having.  Thanks to stopping by a few booths and talking to the vendors, I was able to justify the cost to my boss.  Win for everyone.
• Breakout Sessions : These are the bread and butter of the event.  We all pick a bunch of classes to take and sit down for an hour or two to a lecture on a topic of our choosing.  The sessions range from introductory to super-advanced and fall across all markets.  Want to run LISP in your enterprise?  How about learning about the different VPN technologies?  Some IPv6 stuff?  There’s a session for pretty much anything you need.
• Meet the Engineer / Technical Clinics : These are two separate programs that do practically the same thing.  The Meet the Engineer (part of the Meet the Expert curriculum) is a program where you schedule face-to-face time with a Cisco subject matter expert.  Last year, I was able to schedule an hour with Magnus Mortensen to discuss managing configurations on dozens of firewalls centrally.  The Technical Clinics are very informal talks with subject matter experts in front of a whiteboard in an open area.  You get people wandering by listening and contributing to your problem…maybe even the solution.  It’s a great program that I’m planning on using more this year. 
• Personal Networking : I don’t need to explain why knowing people is important, do I?  A whole bunch of big whigs will be at Cisco Live, and it’s always a good thing to shake hands with them.  I wouldn’t expect John Chambers to give a rat’s ass that he met you, but I imagine someone like Tom Hollingsworth would.  By shaking Tom’s hand, you now know someone who almost literally knows everybody else in the world.  This is a good thing.
• Comradery : With little to no exception, the people you meet at Cisco Live are fantastic.  Everyone happy, and there’s no hate.  It’s like our own little hippy commune.  If you throw in familiarity from Twitter, you have the makings of some great friendships.  Let me stop before I start to sound like an After School Special.  Hell, even Chris is friendly in person.
• Travel : I don’t travel very much for work.  When I do travel for fun, it’s usually some place local and rural.  Going to Cisco Live gives me a chance and excuse to go to a big city and take it in a bit.  Mind you, my wife gets more of this benefit than I do since she has her days free.

Send any excuses for not blogging for months questions my way.

Selecting shapes and connectors one-by-one in Visio can be tedious, especially when working with large or repetitive drawings. If you've been drawing for a while, you've probably gotten the hang of selecting just the right subset of shapes using the rectangular select tool, and employing the control key to add or remove any outliers as desired. This can be time-consuming though, especially when you want to pick out just a few connectors from a jumble of criss-crossing lines.

Here's a trick to try next time you find yourself excessively control-clicking: Identify each logical group of shapes or connectors that you'll likely want to tweak, and bundle them up into to their own layer. You can then use Visio's "select by layer" option to grab them all at once later. Take the drawing below, for instance.

Continue reading · 5 comments

Don’t get me wrong, firewalls have come a long way over the years. They are great security enforcement points based on what they do know, but there is so much more that is possible.

 

Juniper is focused on building high IQ networks and that includes high IQ security. Instead of focusing just on point solution intelligence, we’ve built an extended security intelligence framework that connects to the firewall. This framework delivers highly actionable intelligence from multiple sources so the firewall can enforce unique intelligence-based policies.

This is one of a multi-part series on the Ethernet switching landscape I’m writing in preparation for a 2-hour presentation at Interop Las Vegas 2014 (hour 1 & hour 2). Part 1 of this written series appeared on NetworkComputing.com. Search for the rest of this series.

One often quoted statistic in Ethernet switch specifications is latency. Latency figures are usually cited in microseconds or nanoseconds. With ever decreasing latency numbers as new switch platforms emerge, what is a networker to make of latency? Is latency a key measurement to focus on when evaluating Ethernet switches? The answer to that question comes in two parts. First, there needs to be a good understanding of what latency is. Second, there needs to be a business use-case where latency matters. For many consumers, once you understand what Ethernet switch latency is, you might decide it’s not a big factor in your buying decision.

What is latency?

Generally speaking, latency measures the time it takes for a frame to enter and then exit a switch. In other words, latency is a measure of how long it takes for the switch to do its job – that of “switching” a frame in one port and out another. Latency is sometimes described as “port-to-port” latency. Think of it as the amount of time a frame spends inside the switch. That’s a rough description (and not completely accurate), so let’s look a little closer.

According to Gary Lee of Fulcrum Microsystems, latency can be measured in a number of different ways.

“There are several ways to measure latency through a switch: first-bit-in to last-bit-out (FILO), last-bit-in to first-bit-out (LIFO), first-bit-in to first-bit-out (FIFO) and last-bit-in to last-bit-out (LILO). In each case, latency is measured at the switch ingress and egress ports.”

I only raise this point about the different measuring techniques only because as you Google around looking for information on switch latency, you run into this data. Various ways to measure switch latency might seem a concern. How do you know that the vendors you are comparing are using the same method when citing their latency specifications? Reality is that practically all modern switch architectures are cut-through (at least when it comes to low-latency forwarding), meaning that the switch is forwarding the frame before the entirety of the frame has been received. For low-latency operation, cut-through switching is expected. The alternative to cut-through is store-and-forward. In this mode, a frame must be received in its entirety before being forwarded, which notably increased the time it takes for a frame to be switched, as well as making it variable. The point is this. Assuming cut-through forwarding, the only accurate way to measure latency is either LILO or FIFO.  To quote Gary again,

“These methods [FIFO/LILO] are effectively the same and are the only way to properly measure the latency through a cut-through switch.”

Implicitly, then, I believe it’s safe to assume that when looking at latency numbers for cut-through switching operation, numbers from different vendors are directly comparable. If you can find a latency measurement reported by a vendor, it should indicate a FIFO/LILO measurement of a switch in cut-through mode.

How important is latency?

Let’s take a look at latency measurements as reported by their vendors for a few Ethernet switches. Note that this is not an “apples-to-apples” comparison. These switches have different ASICs, may have different host-facing physical ports, and likely first came to market in different years. I have a point, though – bear with me.

• Cisco Nexus 5000 - 3.2 microseconds
• Cisco Nexus 5500UP - ~1.8 microseconds
• Arista 7050S – 0.8 – 1.2 microseconds
• Juniper QFX5100 – as low as 0.55 microseconds
• Mellanox SX1036 – 0.22 (40Gbe) / 0.27 microseconds (10GbE)

These switches all have widely varying latency characteristics, which are market differentiators for them. But I believe that latency is only a differentiator to certain market segments. Unless you are building a network where nanoseconds count – such as high frequency trading – then the port-to-port latency of one Ethernet switch over another just isn’t going to make any appreciable difference in the performance of the applications running across your network.

Another consideration is that the Ethernet PHY (the physical Ethernet medium you use, as in the transceiver) will also impact latency. For example, 10GBase-T (10GbE over twisted-pair copper) PHYs introduces noticeable higher latency than SFP+ based PHYs. Paul Kish in the Belden Right Signals blog opines,

“With simplified electronics, SFP+ also offers better latency—typically about 0.3 microseconds per link. 10GBASE-T latency is about 2.6 microseconds per link due to more complex encoding schemes within the equipment.”

But again, the question comes back to one of business needs and application. 10GBASE-T has a use-case in top-of-rack (ToR) or end-of-row (EoR), considering 10GBASE-T server LAN-on-motherboard modules (LOMs) are coming to market. Should the higher latency of 10GBASE-T introduced by the PHY put you off? Only if microseconds matter.

Conclusion

Latency, low latency, ultra low latency and the rest are relevant terms that indicate how long it takes a switch to move traffic through itself. However, beyond the physical medium and switch architecture, many other things could impact application latency. At the end of the day, it might be fun to argue about microseconds and nanoseconds in the context of your switchs, but what difference will it make if you have bottlenecks in other places? Consider these elements of your IT engine that are far more likely to negatively impact your application performance than Ethernet switching latency.

• Underperforming storage reads & writes.
• A CPU or memory bound host.
• A congested network path.
• A slowly responding DNS service.
• Traversal of a long-distance WAN link.
• An overloaded proxy.
• Traversal of a DPI device.

These sorts of problems can introduce significant fractions of a second (or even whole seconds!) of latency into an application transaction. For most shops, these sorts of issues are where the performance battles need to be fought. Buying the lowest latency switch you can find just isn’t going to appreciably help, unless you’re one of the very few with that sort of application requirement. And you already know who you are.