October 23, 2020

Packet Pushers

Does Whitebox Screw Enterprises? – Video

Whitebox can be a risk in an enterprise network. But how much? Tom Hollingsworth was a guest on the Heavy Networking podcast to talk whitebox, disaggregation, and more. You can hear the full episode, Heavy Networking 542: Is Whitebox Too Risky For The Enterprise?, right here: https://packetpushers.net/podcast/heavy-networking-542-is-whitebox-too-risky-for-the-enterprise/ You can subscribe to the Packet Pushers’ […]

The post Does Whitebox Screw Enterprises? – Video appeared first on Packet Pushers.

by The Video Delivery at October 23, 2020 06:30 PM

The Networking Nerd

Do You Do What You’ve Always Done?

When I was an intern at IBM twenty something years ago, my job was deploying new laptops to people. The job was easy enough. Transfer their few hundred megabytes of data to the new machine and ensure their email was all set up correctly. There was a checklist that needed to be followed in order to ensure that it was done correctly.

When I arrived for my internship, one of my friends was there finishing his. He was supposed to train me in how to do the job before he went back to school. He helped me through the first day of deploying laptops following the procedure. The next day he handed me a different sheet with some of the same information but in a different order. He said, “I realized we had too many reboots in the process and this way cuts about twenty minutes off the deployment time.” I’m all about saving time so I jumped at the chance.

Everything went smashingly for the next month or so. My friend was back at school and I used his modified procedure to be as productive as possible. One day, my mentor wanted to shadow my deployment day to see how I was doing things. I invited him along and we did the first one. I pulled out my deployment docs and made sure to follow the procedure so I got a good grade. When we were done, my mentor pulled me aside and said, “I noticed you went pretty fast and did some things out of order. Why?” I mentioned that my friend and I had modified the deployment procedure a bit to make it easier and faster. That’s when my mentor hit me with a phrase that I’ve spent a lot of my career deconstructing:

“But this is the way we’ve always done it.”

You Do What You’ve Always Done

Process isn’t a bad thing. It makes jobs easy to break down into steps to assess timelines as well as being able to make a job repeatable. There’s nothing worse than a process that only lives inside the head of one person. If you can’t replicate your job you can’t ever stop doing it. Sure, it may be hard to write things down sometimes but you have to have a way to capture that data.

However, all process needs to make sense. If the process for starting my computer involves pushing the buttons in a certain order, there should be a reason for it. If the process for starting my computer also includes extra steps, such as getting a cup of coffee or banging on the monitor twice, there needs to be a reason for those too. Maybe the employee really likes coffee? Or maybe the startup process for the computer takes long enough that you can get a cup of coffee by the time the login is complete, and if you try to do it earlier you’re going to run into slowness or indexing issues.

Documenting the steps is important. You also have to document the reasons behind the steps. Why must we tackle the project in this specific order? If you are doing Task A and then Task B why can’t you do the second task first? If you have no good justification then you should be able to do them in any order. But if Task B requires something from Task A to be able to be completed you need to document that. Otherwise people are going to do them out of order and miss steps.

Going back to our IBM deployment guide, why did there need to be so many reboots in the original document? Well, some of them were necessary. We needed to change the machine name before we joined it to the domain. We needed to log in with the username locally to create the profile before we logged in with the domain account so everything was created properly (this was NT4 domain days). Now, the instructions had us rebooting after every change, which added 3-4 minutes to every step along the way. My friend and I knew we could cut that down and do multiple changes for each reboot as long as they didn’t depend on the others being done first. But the original process was the “way it had always been done” and we had to prove it was better this way.

You’ll Always Get What You’ve Always Got

It’s not enough to challenge the process for no reason. Maybe your way is better. Or faster. Or just easier. But you have to prove it. You have to be willing to examine the process and ensure that what you’re doing is objectively better. It’s like taking a shortcut to work. It may feel faster for you. However if it takes 2 minutes longer on your drive is it really worth it? Or are you doing it because you don’t like driving or walking the other way?

Back to IBM and the laptop deployments. In order to get the revised process approved, I had to prove it was faster and provided the same output. I had to go into the lab and deploy using the old method and capture all the settings and data. Then erase the machine and deploy using the new settings and repeat the data capture process again to make sure the results were the same. Once I could prove that the new process resulted in the same output, we could move on to the second step.

Step Two involved timing the deployment. Now, in order to make sure I wasn’t juicing the numbers in either direction, we had our oldest, slowest laptop deployer use the new instructions. He would regularly take over an hour to set up a new machine with the old directions. We handed him the new page and told him to use this instead. Same steps, just in a different order. He went through them all cold twice and managed to average around 45 minutes for his deployment. He even remarked that our process was better.


Tom’s Take

Once we had it proven that it was faster and easier to do the things the new way we updated the deployment procedures before the next group of interns arrived. I had left my mark on things and proven that “this is what we’ve always done” isn’t always the best justification for things. But you do have to justify why your way is better. Facts beat opinion every day of the week. And if you aren’t willing to do the work to prove why you can make things better, you’ll always be where you are right now.

by networkingnerd at October 23, 2020 04:58 PM

ipSpace.net Blog (Ivan Pepelnjak)

Podcast: State of Multi-Cloud Networking

In mid-September Ethan Banks invited me to chat about multi-cloud networking in the Day Two Cloud podcast. It was just a few weeks after Corey Quinn published a fantastic Multi-Cloud is the Worst Practice rant, which perfectly matched my observations, so I came well prepared ;)

October 23, 2020 06:46 AM

Potaroo blog

Going Postal

Over the past few months I've had the opportunity at various network operator meetings to talk about BGP routing security. As usual, these presentations include an opportunity for questions from the audience. Here are a small collection of such questions and my efforts at trying to provide an answer.

October 23, 2020 04:50 AM

October 22, 2020

Packet Pushers

Dell Technologies’ SmartFabric Services: Using vCenter To Dynamically Build A Network Fabric

SmartFabric Services from Dell Technologies is designed for VMware-based software-defined infrastructures through tight integration with vCenter. With fabric interconnects powered by SmartFabric Services, you can quickly and easily provision scale-out fabrics for compute, storage, and Hyperconverged Infrastructure solutions, and connect them back into the data center.

The post Dell Technologies’ SmartFabric Services: Using vCenter To Dynamically Build A Network Fabric appeared first on Packet Pushers.

by Sponsored Blog Posts at October 22, 2020 05:53 PM

Packet Pushers

In 2 Years, Will Anyone Care About Multi-Cloud Networking? – Video

As more workloads get placed in the cloud, many IT vendors are offering solutions to build connections among different public cloud providers. In this excerpt from the Day Two Cloud podcast, guest Ivan Pepelnjak discusses whether connectivity will be a significant problem in the near future. You can listen to the full episode, Day Two […]

The post In 2 Years, Will Anyone Care About Multi-Cloud Networking? – Video appeared first on Packet Pushers.

by The Video Delivery at October 22, 2020 10:00 AM

ipSpace.net Blog (Ivan Pepelnjak)

Weird: Wrong Subnet Mask Causing Unicast Flooding

When I still cared about CCIE certification, I was always tripped up by the weird scenario with (A) mismatched ARP and MAC timeouts and (B) default gateway outside of the forwarding path. When done just right you could get persistent unicast flooding, and I’ve met someone who reported average unicast flooding reaching ~1 Gbps in his data center fabric.

One would hope that we wouldn’t experience similar problems in modern leaf-and-spine fabrics, but one of my readers managed to reproduce the problem within a single subnet in FabricPath with anycast gateway on spine switches when someone misconfigured a subnet mask in one of the servers.

October 22, 2020 07:36 AM

October 21, 2020

My Etherealmind

Whiteboards Don’t Remote Work

It’s a mistake to think whiteboards are the only tool you have.

by Greg Ferro at October 21, 2020 09:22 AM

Packet Pushers

Do You Need Multi-Cloud Networking? – Video

If you’ve got workloads or resources in separate public clouds and you want to connect them, do you need special multi-cloud networking solutions to make it happen? Guest Ivan Pepelnjak has strong opinions on this subject, some of which he shares in this excerpt of the Day Two Cloud podcast. You can hear the full […]

The post Do You Need Multi-Cloud Networking? – Video appeared first on Packet Pushers.

by The Video Delivery at October 21, 2020 08:00 AM

ipSpace.net Blog (Ivan Pepelnjak)

Validate Ansible YAML Data with JSON Schema

When I published the Optimize Network Data Models series a long while ago, someone made an interesting comment along the lines of “You should use JSON Schema to validate the data model.”

It took me ages to gather the willpower to tame that particular beast, but I finally got there. In the next installment of the Data Models saga I described how you can use JSON Schema to validate Ansible inventory data and your own YAML- or JSON-based data structures.

To learn more about data validation, error handling, unit- and system testing, and CI/CD pipelines in network automation, join our automation course.

October 21, 2020 06:25 AM

October 20, 2020

Packet Pushers

Do AWS Transit Gateway Or Azure Virtual WAN Matter? – Video

Ivan Pepelnjak drills into some of the networking complexity in public cloud networking services. This is an excerpt of a longer podcast, Day Two Cloud 070: The State Of Multi-Cloud Networking, which you can listen to by clicking this link: https://packetpushers.net/podcast/day-two-cloud-070-the-state-of-multi-cloud-networking/ You can subscribe to the Packet Pushers’ YouTube channel for more videos as […]

The post Do AWS Transit Gateway Or Azure Virtual WAN Matter? – Video appeared first on Packet Pushers.

by The Video Delivery at October 20, 2020 11:01 PM

Why Physical Infrastructure Never Goes Away

If you can do everything in the cloud, why bother keeping equipment on premises? James Quigley tackles this question with Ethan Banks and Ned Bellavance in this excerpt of the podcast Day Two Cloud 069: The Life Of A Site Reliability Engineer (SRE). You can listen to the full episode right here: https://packetpushers.net/podcast/day-two-cloud-069-the-life-of-a-site-reliability-engineer-sre/ You […]

The post Why Physical Infrastructure Never Goes Away appeared first on Packet Pushers.

by The Video Delivery at October 20, 2020 11:00 PM

Making The Case For Enterprise Whitebox – Video

Is a whitebox solution, in which you get switch hardware separate from a network OS, a good choice for the enterprise? Do the benefits outweigh the risks? Tom Hollingsworth weighs in on this question in this excerpt from the podcast Heavy Networking 542: Is Whitebox Too Risky For The Enterprise? You can listen to the […]

The post Making The Case For Enterprise Whitebox – Video appeared first on Packet Pushers.

by The Video Delivery at October 20, 2020 10:59 PM

Are Site Reliability Engineers Software Developers? – Video

SREs, or Site Reliability Engineers, have to work with software and create and maintain tools. Does that make them software developers? SRE James Quigley offers his take on this question in a podcast conversation with Ethan Banks and Ned Bellavance in Day Two Cloud 069: The Life Of A Site Reliability Engineer (SRE). You can […]

The post Are Site Reliability Engineers Software Developers? – Video appeared first on Packet Pushers.

by The Video Delivery at October 20, 2020 08:58 PM

Potaroo blog

Going Postal

The Internet was not the first communications system constructed as a compound service, where the end-to-end service was built using the services provided by many individual service providers. International telephony was constructed in a similar manner, and predating the telephone was the international postal service. In this article I’d like to look at the Universal Postal Union's track record of trying to construct a fair and efficient way to allow each service provider to be compensated for their part in the construction of the delivered end-to-end service. As with the Internet, it all comes down to the choice of the framework for settlement and peering between providers.

October 20, 2020 09:00 AM

ipSpace.net Blog (Ivan Pepelnjak)

Worth Exploring: bgpstuff.net

Darren O’Connor put together a BGP looking glass with a web GUI. Nothing fancy so far… but he also offers a REST API interface (because REST API sounds so much better than HTTP).

The REST API calls return text results, so you can use them straight in a Bash script. For example, here’s a simple script to print a bunch of details about your current IP address:

October 20, 2020 06:31 AM

October 19, 2020

ipSpace.net Blog (Ivan Pepelnjak)

New on ipSpace.net: Virtualizing Network Devices Q&A

A few weeks ago we published an interesting discussion on network operating system details based on an excellent set of questions by James Miles.

Unfortunately we got so far into the weeds at that time that we answered only half of James' questions. In the second Q&A session Dinesh Dutt and I addressed the rest of them, including:

  • How hard is it to virtualize network devices?
  • What is the expected performance degradation?
  • Does it make sense to use containers to do that?
  • What are the operational implications of running virtual network devices?
  • What will be the impact on hardware vendors and networking engineers?

And of course we couldn’t avoid the famous last question: “Should network engineers program network devices?”

You’ll need a Standard or Expert ipSpace.net subscription to watch the videos.

October 19, 2020 06:04 AM

October 18, 2020

ipSpace.net Blog (Ivan Pepelnjak)

Worth Reading: Does your hammer own you?

My friend Marjan Bradeško wrote a great article describing how we tend to forget common sense and rely too much on technology. I would strongly recommend you read it and start thinking about the choices you make when building a network with magic software-intent-defined-intelligent technology from your preferred vendor.

October 18, 2020 07:57 AM

October 17, 2020

ipSpace.net Blog (Ivan Pepelnjak)

Zero-Touch Provisioning with Nornir

In early 2018 I described how Hans Verkerk implemented zero-touch provisioning with Ansible. Recently he rewrote his scripts as a Python-only solution using Nornir. Enjoy!

October 17, 2020 06:08 AM

October 16, 2020

Packet Pushers

If You Had To Choose One Programming Language… – Video

If all of your programming languages and tools were going to be taken away except one, which would you keep? Ethan Banks and Ned Bellavance pose this question to SRE James Quigley in a recent episode of the Day Two Cloud podcast. You can listen to the full episode right here: Day Two Cloud 069: […]

The post If You Had To Choose One Programming Language… – Video appeared first on Packet Pushers.

by The Video Delivery at October 16, 2020 09:53 PM

Do Switches Even Matter Anymore? – Video

Tom Hollingsworth was a guest on the Heavy Networking podcast to talk whitebox, disaggregation, and more. You can listen to the full episode here: Heavy Networking 542: Is Whitebox Too Risky For The Enterprise? Heavy Networking is part of the Packet Pushers network of technical podcasts, including Day Two Cloud, IPv6 Buzz, Full Stack Journey, […]

The post Do Switches Even Matter Anymore? – Video appeared first on Packet Pushers.

by The Video Delivery at October 16, 2020 09:52 PM

The Networking Nerd

Imposters Among Us

Have you been playing Among Us? If you haven’t, your kids definitely have. I found out about it a few weeks ago because my children suddenly became Batman-level detectives and knew how to ask the kinds of interview questions that would make the FBI proud. In short, the game is all about finding the imposters in your midst based on their behavior and voting them out of the group to win. Sometimes you get it right. Other times you get it wrong and vote out someone who was doing legitimate tasks. It’s all a matter of perception.

Now, let’s look at another situation where we see this kind of behavior in a different light. You probably guessed where this is going already. We’re going to talk about Imposter Syndrome in our non-gaming lives and how it affects us. We may even make reference to pop culture along the way.

Where You Need To Be

I was thinking about this because something I said a few years ago at Security Field Day 1 popped back up in my feed. I was giving a speech at the beginning of the first day to the delegates and I wanted them to know that I understood that they may feel like they didn’t deserve to be there. I wanted to reassure them that they were where they needed to be. So I said something along the lines of the following:

You are here in this position because you earned it and deserve to be here. It would be an insult to those above and around you to think otherwise. If you have doubt in yourself, trust in those around you that they know who is best for your role.

Thanks to Kori Younger for recalling that specific part of the speech. Imposter Syndrome is hard to overcome because we really do feel like everyone else around us knows what they’re doing and we’re the odd ones out. We feel like we don’t know how to proceed or what to do. And that feeling can be crippling at times.

The idea that we don’t know what we’re doing is really called “learning”. It’s something that we do all the time. We apply lessons and intuition to find new solutions to problems, even ones we don’t feel qualified to do. We feel more comfortable doing this in areas where we have more knowledge or feel more confident, but rest assured we apply it all over the place, especially when confronted with situations we don’t completely understand or feel comfortable working on.

Earlier this year I took a Wilderness First Aid course for an upcoming Scout high adventure trip. Now, I must admit that I’m a terrible doctor or medical professional. I don’t like the sight of blood and I tend to focus on things without having a big picture. WFA is all about what happens when you find yourself in the back country far away from a hospital and what to do to handle situations. After a while, the solutions all kind of started sounding the same. You need to assess, stabilize, and almost always evacuate when critical. Now, that whole process sounds fairly simple when boiled down. But considering the crazy amount of things they want us to know about, like Acute Altitude Sickness, Hypoglycemia, and even things like concussions that cause cerebrospinal fluid leakage, you can see how easy it is to quickly be overwhelmed. However, the training up to that point helps you understand what to do: assess, stabilize, and evacuate if needed.

Applying A Process

Training and baselines help us overcome imposter syndrome in real life. We do similar things in IT or in other lines of work. When we encounter something we don’t understand or we feel overwhelmed by, we repeat the same process.

  • Assess – What is going on? Does this look like something I’ve seen before? The more it looks like a previous experience the more knowledge I can apply. Trust what you know. Being wrong because you applied an incorrect lesson is better than being wrong because you did nothing. Your experience will always serve you well. Trust those instincts.
  • Stabilize – This is where we spend a lot of our time. How can I fix this problem? Or stop it from getting worse? How can I get back to a point where things work well enough to be able to reassess or make a different decision? Stabilization is the work that goes on in a process. A problem that is 100% stable is fixed. A problem that is 25% stable is better than it was, with room for improvement. We need to apply lessons and things from our experience here too. Seen OSPF fall over before? Let’s try some things to get the routing table stabilized. Seen someone slice open their finger with a pocket knife before? We know how to fix this so it won’t reopen.
  • Evacuate – This one is a little more tricky. Sometimes we can’t fix something. Or we don’t know what’s wrong. So what do we do? Sit there wringing our hands? Scream at the sky? No, we get help. In WFA, evacuation is all about getting better help, whether it’s a first responder at base camp or a doctor in a hospital. In a professional setting, evacuation is more about finding the right help to get past an issue. Asking a mentor or senior person about the issue. Calling the support line. Asking someone on Twitter if they’ve ever seen this before. These are all great examples of evacuation from a situation. There’s no harm in asking for help. But there is harm in not asking for help when you need it.

Remember that everyone else around you is doing the same things you’re doing above when you find yourself in a situation you don’t completely understand. Some look more expert because they have better knowledge to relate to the problem. It doesn’t mean they’re smarter than you or better than you. It means they’re more adept at this problem for this time. Some people are more suited for things than others.

To quote Einstein, “Everyone is a genius. But if you judge a fish by its ability to climb a tree, it will spend its whole life believing it’s stupid.” If we only judge people harshly by their ability to adapt to unknown situations with a minimum of information and then spend hours in post-mortem meetings laying out why they didn’t do everything right, we’re going to make them feel like imposters. Instead, let’s cut them some slack and remind ourselves that we probably couldn’t do as well as they did in the same situation. And if we could have done better than they did, this is a time to step up to the plate and mentor them to make them better. Apply your knowledge to theirs and they will succeed next time. Hoard your knowledge and you will forever believe that they are the imposter.


Tom’s Take

Among Us is all about finding imposters in our midst based on their behavior and what tasks they’re doing. Real life is all about proving we aren’t imposters by doing things and showing our worth. As much fun as the game might be trying to figure out who the imposter is, our reality should be spent more on encouraging people to feel better and mentor them through the process of believing in themselves and applying their knowledge to a problem to have a successful outcome. We should be focusing on making everyone better and more confident. There’s nothing suspect about that.

by networkingnerd at October 16, 2020 03:20 PM

ipSpace.net Blog (Ivan Pepelnjak)

Video: Simplify Device Configurations with Cumulus Linux

The designers of Cumulus Linux CLI were always focused on simplifying network device configurations. One of the first features along these lines was BGP across unnumbered interfaces, then they introduced simplified EVPN configurations, and recently auto-MLAG and auto-BGP.

You can watch a short description of these features by Dinesh Dutt and Pete Lumbis in the Simplify Network Configuration with Cumulus Linux and Smart Datacenter Defaults videos (part of the Cumulus Linux section of the Data Center Fabrics webinar).

You need a free ipSpace.net subscription to watch the video.

October 16, 2020 06:49 AM

October 15, 2020

Packet Pushers

Say Yes To AIOps For Wi-Fi, Switching, And WAN

This guest blog post is by Trent Fierro, Senior Solutions Marketing Manager for AIOps at Aruba, a Hewlett Packard Enterprise company. We thank Aruba for being a sponsor. Over the last few months, I’ve spent a lot of time speaking with IT networking teams on how their roles have shifted due to COVID-19. There’s almost […]

The post Say Yes To AIOps For Wi-Fi, Switching, And WAN appeared first on Packet Pushers.

by Sponsored Blog Posts at October 15, 2020 09:58 PM

My Etherealmind

A Simple Map of 5G Functions. And Why You Don’t Care About 5G.

A common mistake about 5G is to think that it is a single monolithic thing. In fact a 5G network is a diverse cluster of systems that interoperate to deliver 5G service. I want to share a simplified model of a 5G network and its use cases. I simplify 5G Use Cases to three categories: Human, Non-Human and False. Human/Smartphones […]

by Greg Ferro at October 15, 2020 12:23 PM

ipSpace.net Blog (Ivan Pepelnjak)

Automation Win: Recreating Cisco ACI Tenants in Public Cloud

This blog post was initially sent to the subscribers of our SDN and Network Automation mailing list. Subscribe here.

Most automation projects are gradual improvements of existing manual processes, but every now and then the stars align and you get a perfect storm, like what Adrian Giacommetti encountered during one of his automation projects.

The customer had well-defined security policies implemented in Cisco ACI environment with tenants, endpoint groups, and contracts. They wanted to recreate those tenants in a public cloud, but it took way too long as the only migration tool they had was an engineer chasing GUI screens on both platforms.

October 15, 2020 06:22 AM

SNOsoft Research Team

Inside the 2020 Ping of Death Vulnerability

What is the 2020 Ping of Death?

Ping of Death vulnerabilities are nothing new. These vulnerabilities arise from issues in memory allocation in the TCP/IP stack. If memory is improperly allocated and managed, a buffer overflow vulnerability can be created that leaves the application vulnerable to exploitation.

The original Ping of Death was discovered in 1997 and was the result of an implementation error in how operating systems handled IPv4 ICMP packets. ICMP ECHO_REQUEST packets (aka ping) are intended to be 64 bytes, but this length was not enforced. Any ping packet with a length greater than 65536 bytes (the expected maximum value of the length field) would cause a system to crash.

In August 2011, Microsoft fixed another Denial of Service in its TCP/IP stack that occurred when processing a sequence of specially crafted Internet Control Message Protocol (ICMP) messages.

In August 2013, a third ping of death vulnerability was announced and patched in the Windows operating system. This time it was specific to the IPv6 protocol.

Yesterday (October 2020), Microsoft revealed its second IPv6 Ping of Death vulnerability as part of its October Patch Tuesday release. Exploitation of this vulnerability could allow an attacker to perform a Denial of Service attack against an application and potentially achieve remote code execution.

2020 Ping of Death Technical Details

The Ping of Death vulnerability arises from an issue in how Microsoft’s tcpip.sys implements the Recursive DNS Server (RDNSS) option in IPv6 router advertisement packets. This option is intended to provide a list of available recursive DNS servers.

The issue that creates the Ping of Death vulnerability is that tcpip.sys does not properly handle the possibility that the router advertisement packet contains more data than it should. Microsoft’s implementation trusts the length field in the packet and sizes the buffer it allocates on the stack accordingly.

An unsafe copy of data into this allocated buffer creates the potential for a buffer overflow attack. This enables the attacker to overwrite other variables on the stack, including control flow information such as the program’s return address.
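The defensive counterpart to the parsing flaw described above is to validate the RDNSS option against the constraints RFC 8106 places on it before trusting its length field: the length is in units of 8 octets, must be at least 3, and grows by 2 per address, so it is always odd. The following validator is an added example written for this page, not code from Microsoft or from the original post; the sample option bytes are constructed here, and the 2001:db8::53 server address is an assumption.

```python
import ipaddress
import struct

# Neighbor Discovery option type for Recursive DNS Server (RFC 8106).
ND_OPT_RDNSS = 25


class MalformedOption(ValueError):
    """Raised when an ND option violates RFC 4861 / RFC 8106 constraints."""


def parse_rdnss(opt_len: int, body: bytes) -> dict:
    """Decode one RDNSS option body (everything after the Type and Length bytes)."""
    # RFC 8106: minimum length 3 for one address, +2 per extra address,
    # so any even length (or a length below 3) cannot be a valid option.
    if opt_len < 3 or opt_len % 2 == 0:
        raise MalformedOption(
            f"RDNSS length {opt_len} violates RFC 8106 (must be odd and >= 3)")
    # Body layout: Reserved (2 bytes), Lifetime (4 bytes), then 16-byte addresses.
    lifetime = struct.unpack("!I", body[2:6])[0]
    n_addrs = (opt_len - 1) // 2
    servers = [str(ipaddress.IPv6Address(body[6 + 16 * i: 22 + 16 * i]))
               for i in range(n_addrs)]
    return {"lifetime": lifetime, "servers": servers}


def parse_nd_options(payload: bytes) -> list:
    """Walk the option list that follows the 16-byte ICMPv6 RA header.

    Every option is checked against the bytes actually present before any of
    it is read, so a length field can never drive a read past the packet end.
    """
    options = []
    off = 0
    while off < len(payload):
        if len(payload) - off < 2:
            raise MalformedOption("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise MalformedOption("option length 0 is forbidden by RFC 4861")
        total = opt_len * 8
        if off + total > len(payload):
            raise MalformedOption(
                f"option type {opt_type} claims {total} bytes, "
                f"only {len(payload) - off} remain")
        body = payload[off + 2: off + total]
        if opt_type == ND_OPT_RDNSS:
            options.append(("RDNSS", parse_rdnss(opt_len, body)))
        else:
            options.append((opt_type, body))
        off += total
    return options


def check_ra_options(payload: bytes):
    """Return (True, parsed options) or (False, reason) for an RA option list."""
    try:
        return True, parse_nd_options(payload)
    except MalformedOption as exc:
        return False, str(exc)


# Constructed samples (not captured traffic). Each is the option list of an RA.
_SERVER = ipaddress.IPv6Address("2001:db8::53").packed  # assumed address
_LIFETIME = (300).to_bytes(4, "big")

# Well-formed: type 25, length 3 (24 bytes), one server.
SAMPLE_GOOD = bytes([ND_OPT_RDNSS, 3, 0, 0]) + _LIFETIME + _SERVER

# Even length 4 (32 bytes): one full address plus 8 bytes of padding. This is
# the shape RFC 8106 rules out, and the kind of inconsistency a parser that
# trusts the length field blindly will mis-handle.
SAMPLE_EVEN_LENGTH = bytes([ND_OPT_RDNSS, 4, 0, 0]) + _LIFETIME + _SERVER + bytes(8)

# Length 5 claims 40 bytes but only 24 are present.
SAMPLE_TRUNCATED = bytes([ND_OPT_RDNSS, 5, 0, 0]) + _LIFETIME + _SERVER


if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD),
                         ("even-length", SAMPLE_EVEN_LENGTH),
                         ("truncated", SAMPLE_TRUNCATED)]:
        print(name, check_ra_options(sample))
```

The same checks can be dropped into an IDS preprocessor or a packet-capture triage script to flag RAs carrying non-conforming RDNSS options on a segment.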

How the Vulnerability Can Be Exploited

In theory, the buffer overflow vulnerability can be exploited to achieve a couple of different goals:

  1. Denial of Service: Exploitation of the buffer overflow vulnerability enables “stack smashing” that can crash the application.
  2. Remote Code Execution: Using return-oriented programming, a buffer overflow exploit could cause a function to return to and execute attacker-provided shellcode.

In practice, a Denial of Service attack is the most likely use for this exploit. In order to perform a successful Denial of Service attack, all an attacker needs to do is attempt to write outside of the memory accessible to it (triggering a segmentation fault) or to overwrite a critical value within the program stack.

One of these key values is the stack canary, which is also one of the reasons why exploitation of this vulnerability is unlikely to allow RCE. A stack canary is a random value placed on the stack that is designed to detect attempts to overwrite the function return address via a buffer overflow attack. Before attempting to return from a function (by going to the location indicated by the return address), a protected program checks to see if the value of the stack canary is correct. If so, execution continues. If not, the program is terminated.

The existence of a stack canary makes it more difficult to exploit the vulnerability for RCE, and the use of Address Space Layout Randomization (ASLR), which makes functions useful to attackers harder to locate in memory, compounds that difficulty. However, it is possible to bypass both of these protections in certain cases, so an exploit may be developed that enables the 2020 version of the Ping of Death to be used for RCE. If this is the case, the repercussions could be severe, as tcpip.sys is a kernel-level module within the Windows operating system.

Ping of Death in the Wild

A patch for this vulnerability was included in the October 2020 Patch Tuesday release of updates. At the time, the vulnerability had not been publicly disclosed, meaning that (in theory) nobody had prior knowledge of it from which to develop an exploit.

Based on the Microsoft description of the vulnerability, a Proof of Concept for using it in a DoS attack has already been created. Additionally, the vulnerability has been given an Exploitability Index rating of 1, meaning that exploitation is considered very likely but has not yet been observed in the wild.

This means that we can expect to see DoS attacks using this vulnerability shortly, and the potential exists that an attacker will successfully create an RCE exploit using it as well. If this is the case, the wormability of the exploit makes it likely to be used to spread ransomware and similar malware (like WannaCry and EternalBlue).

Protecting Against the 2020 Ping of Death

The vulnerability in tcpip.sys was patched in an update included in the October 2020 Patch Tuesday release. Installing this update will fix the vulnerability and protect a system from exploitation.

Beyond installing the update, it is a good idea to minimize your attack surface by disabling unnecessary functionality. If you currently do not use the functionality, then disabling IPv6 in general or RDNSS in particular can eliminate the potential exploitability of this and any other vulnerabilities within the Microsoft implementation of this functionality. Instructions for doing so are included in Microsoft’s description of the vulnerability.


The post Inside the 2020 Ping of Death Vulnerability appeared first on Netragard.

by Adriel Desautels at October 15, 2020 12:43 AM

October 14, 2020

My Etherealmind

The 5G Problems

The Apple iPhone 12 has 5G but it’s not for customers. It’s because the mobile co’s wanted it. And they indirectly paid Apple for it. While it’s true that 5G increases bandwidth and reduces latency, it’s more important that it reduces infrastructure costs. Alert: This twitter thread is a trial of the “blog post as […]

by Greg Ferro at October 14, 2020 09:50 AM

ipSpace.net Blog (Ivan Pepelnjak)

Must Read: Redistributing Full BGP Feed into OSPF

The idea of redistributing the full Internet routing table (840.000 routes at this moment) into OSPF sounds as ridiculous as it is, but when fat fingers strike it should be relatively easy to recover, right? Just disable redistribution (assuming you can still log into the offending device) and move on.

Wrong. As Dmytro Shypovalov explained in an extensive blog post, you might have to restart all routers in your OSPF domain to recover.

And that, my friends, is why OSPF is a single failure domain, and why you should never run OSPF between your data center fabric and servers or VM appliances.

October 14, 2020 07:42 AM

October 13, 2020

ipSpace.net Blog (Ivan Pepelnjak)

Validating Data in GitOps-Based Automation

Anyone using text files as a poor man’s database eventually stumbles upon the challenge left as a comment in Automating Cisco ACI Environments blog post:

The biggest challenge we face is variable preparation and peer review process before committing variables to Git. I’d be particularly interested in how you overcome this challenge?

We spent hours describing potential solutions in Validation, Error Handling and Unit Tests part of Building Network Automation Solutions online course, but if you never built a network automation solution using Ansible YAML files as source-of-truth the above sentence might sound a lot like Latin, so let’s make it today’s task to define the problem.

October 13, 2020 06:31 AM

October 12, 2020

ipSpace.net Blog (Ivan Pepelnjak)

New: AWS Networking Update

In last week’s update session we covered the new features AWS introduced since the creation of AWS Networking webinar in 2019:

  • AWS Local Zones, Wavelengths, and Outposts
  • VPC Sharing
  • Bring Your Own Addresses
  • IP Multicast support
  • Managed Prefix Lists in security groups and route tables
  • VPC Traffic Mirroring
  • Web Application Firewall
  • AWS Shield
  • VPC Ingress Routing
  • Inter-region VPC peering with Transit Gateways

The videos are already online; you need Standard or Expert ipSpace.net subscription to watch them.

October 12, 2020 06:21 AM

October 11, 2020

ipSpace.net Blog (Ivan Pepelnjak)

Worth Reading: Don't Become A Developer, But Use Their Tools

I was telling you there’s no need to become a programmer over six years ago, but of course nobody ever listens to grumpy old engineers… which didn’t stop Ethan Banks from writing another excellent piece of advice on the same theme: Don’t Become A Developer, But Use Their Tools.

October 11, 2020 07:43 AM

October 10, 2020

ipSpace.net Blog (Ivan Pepelnjak)

Worth Reading: IP Fragmentation Considered Fragile

We all knew it for a long time, now it’s finally official: IP fragmentation is broken, or as the ever-so-diplomatic IETF likes to call it, IP Fragmentation is Considered Fragile.

October 10, 2020 07:07 AM

October 09, 2020

The Networking Nerd

When Will You Need Wi-Fi 6E at Home?

The pandemic has really done a number on most of our office environments. For some, we went from being in a corporate enterprise with desks and coffee makers to being at home with a slightly different desk and perhaps a slightly better coffee maker. However, one thing that didn’t improve was our home network.

For the most part, the home network has been operating on a scale radically different from that of the average corporate environment. Taking away the discrepancies in Internet speed for a moment, you would have a hard time arguing that most home wireless gear is as good or better than the equivalent enterprise solution. Most of us end up buying our equipment from the local big box store and are likely shopping as much on price as we are on features. As long as it supports our phones, gaming consoles, and the streaming box we picked up, we’re happy. We don’t need QoS or rogue detection.

However, we now live in a world where the enterprise is our home. We live at work as much as we work where we live. Extended hours mean we typically work past 5:00 pm or start earlier than 8:00 or 9:00. It means that we’re usually sending emails into the night or picking up that project to crack a hard problem when we can’t sleep. Why is that important? Well, one of the arguments for having separate enterprise and home networks for years was the usage cycle.

To your typical manager type in an organization, work is work and home is home and ne’er the twain shall meet, unless they need you to work late. Need someone to jump on a Zoom call during dinner to solve an issue? Want someone to upload a video before bed? Those are reasonable requests. Mind if my home wireless network also supports the kids watching Netflix or playing Call of Duty? That’s a step too far!

The problem with enterprise networking gear is that it is focused on supporting the enterprise role. And having that gear available to serve a consumer role, even when our consumer office is also our enterprise office, makes management types break out in hives.

Technology Marches In Place

Okay, so we know that no one wants to shell out money for good gear. I don’t want to pay for it out of my pocket. The company doesn’t want to pay for something that might accidentally be used to do something fun. So where does that leave the people that make enterprise wireless access points?

I’ll admit I’m a horrible reference to my friends when they ask me what kind of stuff to buy. I tend to get way too deep into things like coverage patterns and device types when I start asking what they want their network to look like. The answer they’re usually looking for is easy, cheap, and simple. I get way too involved in figuring out their needs as if they were an enterprise customer. So I know that most people don’t need band steering or MIMO support in the house. But I still ask the questions as if it were a warehouse or campus building.

Which is why I’m really starting to question how the planned rollout of technologies like Wi-Fi 6E is going to happen in the current environment. I’ll buy that Wi-Fi 6, also known as 802.11ax, is going to happen as soon as it’s supported by a mainstream consumer device or three. But elevating to the 6 GHz range is an entirely different solution looking for a problem. Right now, the costs of 6 GHz radios combined with the operating environment are going to slow adoption of Wi-Fi 6E drastically.

Home Is Where the Wi-Fi Connects

How hostile is the wireless environment in your house? Aside from the odd microwave, probably not too bad. Some of the smart utility services may be operating on a separate network for things like smart electric meters or whole-home DVR setups. Odds are much better that you’re probably in a nice clean radio island. You don’t have to worry about neighboring businesses monopolizing the air space. You don’t have to contend with an old scanner that has to operate on 802.11g speeds in an entirely separate network to prevent everything from slowing down drastically.

If your home is running just fine on a combination of 2.4 GHz for older devices or IoT setups and 5 GHz for modern devices like phones and laptops, what is the advantage of upgrading to 6 GHz? Let’s toss out the hardware argument right now. If you’re running on 802.11ac (Wi-Fi 5) Wave 2 hardware, you’re not upgrading any time soon. Your APs are new enough to not need a refresh. If you’re on something older, like Wi-Fi 5 Wave 1 or even 802.11n (Wi-Fi 4), you are going to look at upgrading soon to get some new features or better speeds now that everyone in your house is online and gobbling up bandwidth. Let’s say that you’ve even persuaded the boss to shell out some cash to help with your upgrade. Which AP will you pick?

Will you pick the current technology that has all the features you need in Wi-Fi 6? Or will you pay more for an AP with a feature set that you can’t even use yet? It’s a silly question that will probably answer itself. You pay for what you can use and you don’t try and break the boss’s bank. That means the likelihood of Wi-Fi 6E adoption is going to go down quickly if the new remote office has no need of the technology.

Does it mean that Wi-Fi 6E is dead in the water? Not really. What it does mean is that Wi-Fi 6E needs to find a compelling use case to drive adoption. This is a lesson that needs to be learned from other protocols like IPv6. If you can’t convince people to move to the new thing, they’re going to stay on the old thing as long as they can because it’s cheaper and more familiar. So you need to create a new device that is 6 GHz only. Or make 6 GHz super fast for things like media transfers. Or maybe even require it for certain content types. That’s how you’re going to drive adoption everywhere. And if you don’t you’re likely going to be relegated to the same junk pile as WiMAX and ATM LANE.


Tom’s Take

Wi-Fi 6E is the great solution for a problem that is around the corner. It has lots of available bandwidth and spectrum and is relatively free from interference. It’s also free from the need to adopt it right away. As we’re trying to drive people toward Wi-Fi 6 11ax infrastructure, we’re not going to be able to make them jump to both at once without a killer app or corner case requirement. Wi-Fi 6E is always going to be more expensive because of hardware and R&D costs. And given the chance, people will always vote with their wallet provided their basic needs are met.

by networkingnerd at October 09, 2020 08:51 PM

ipSpace.net Blog (Ivan Pepelnjak)

Faucet Deep Dive on Software Gone Wild

This podcast introduction was written by Nick Buraglio, the host of today’s podcast.

In the original days of this podcast, there were heavy, deep discussions about this new protocol called “OpenFlow”. Like many of our most creative innovations in the IT field, OpenFlow came from an academic research project that aimed to change the way that we as operators managed, configured, and even thought about networking fundamentals.

For the most part, this project did what it intended, but once the marketing machine realized the flexibility of the technology and its potential to completely change the way we think about vendors, networks, provisioning, and management of networking, they were off to the races.

We all know what happened next.

October 09, 2020 06:32 AM

October 08, 2020

ipSpace.net Blog (Ivan Pepelnjak)

Network Automation Products for Brownfield Deployments

Got this question from one of my long-time readers:

I am looking for commercial SDN solutions that can be deployed on top of brownfield networks built with traditional technologies (VPC/MLAG, STP, HSRP) on lower-cost networking gear, where a single API call could create a network-wide VLAN, or apply that VLAN to a set of ports. Gluware is one product aimed at this market. Are there others?

The two other solutions that come to mind are Apstra AOS and Cisco NSO. However, you probably won’t find a simple solution that would do what you want to do without heavy customization as every network tends to be a unique snowflake. 

October 08, 2020 06:44 AM

October 07, 2020

ipSpace.net Blog (Ivan Pepelnjak)

Fixing Firewall Ruleset Problem For Good

Before we start: if you’re new to my blog (or stumbled upon this blog post by accident) you might want to read the Considerations for Host-Based Firewalls for a brief overview of the challenge, and my explanation why flow-tracking tools cannot be used to auto-generate firewall policies.

As expected, the “you cannot do it” post on LinkedIn generated numerous comments, ranging from good ideas to borderline ridiculous attempts to fix a problem that has been proven to be unfixable (see also: perpetual motion).

October 07, 2020 06:05 AM

October 06, 2020

SNOsoft Research Team

Inside Zerologon

What is the Zerologon Vulnerability?

Zerologon is a vulnerability in the Windows netlogon protocol (on Windows Server version 2008 and later) discovered by Tom Tervoort of Secura during a security review of the protocol (which had not previously undergone such a review).  Due to cryptographic and implementation errors in the protocol, an attacker can falsely authenticate and elevate their privileges to Domain Admin.  This has a number of potential impacts including:

  • Full Network Control: With Domain Administrator access, the attacker has full control over the network.
  • Credential Compromise: Netlogon enables an attacker to extract user account credentials for offline password cracking.
  • Credential Stuffing: Passwords compromised via netlogon are likely to be used on other accounts, enabling an attacker to access bank accounts, social media, etc.
  • Initial Access: With the access provided by netlogon, an attacker could steal sensitive data, deploy ransomware, etc.
  • Denial of Service Attack: Zerologon enables an attacker to change a password in Active Directory but not in the registry or LSASS.  This means that services on a rebooted machine may no longer function.

Technical Details of Zerologon

Zerologon exploits a vulnerability in the netlogon authentication process, which is performed as follows:

  1. Server and client each generate and exchange a random 8-byte challenge
  2. The shared session key is generated as the first sixteen bytes of SHA256(MD4(domain password),challenges)
  3. The client proves possession of the session key by encrypting the challenge it generated with the new session key and sending the result to the server.

The zerologon vulnerability arises due to the fact that Windows netlogon uses an insecure variant of the cipher feedback (CFB) block cipher mode of operation with AES.

Normally, CFB mode is designed to encrypt 16-byte chunks of the plaintext (as shown above).  This enables the encryption or decryption of data longer than the standard 16-byte AES block size.  It starts by taking a random initialization vector, encrypting it, and XORing it with the plaintext of a block to create the ciphertext for that block.  This ciphertext is used as the input to encryption for the next block, and so on.

Figure: CFB8 encryption in netlogon (via Secura)

The vulnerable version of CFB mode used in Windows netlogon (called CFB8) performs encryption one byte at a time.  To do so, it takes the following steps:

  1. The initialization vector (yellow) is encrypted using AES
  2. The first byte of the result (pink) is XORed with the first byte of plaintext (blue)
  3. The resulting byte of ciphertext is appended to the end of the IV
  4. The first byte of the IV is dropped
    1. The result is the same length as the original IV (yellow and pink above)
  5. Steps 1-4 are repeated until the entire plaintext is encrypted

While the use of a non-standard encryption algorithm is bad enough, the netlogon protocol made another critical error.  The initialization vector is hard-coded to zero, not random like it should be.

This creates a vulnerability if the first byte of encryption produces a ciphertext byte of zero (which occurs with 1/256 probability).  If this is the case, then the result of encryption will always be all zeros.  This is because the input to the encryption algorithm will always be the same (since the IV is all zeros and the value appended to the end during each round of encryption is a zero).

This makes it possible for an attacker to authenticate via netlogon with no knowledge of the domain password.  By trying to authenticate repeatedly to the system with an all-zero challenge, the attacker can trigger the 1/256 chance that the shared secret (that they don’t know) encrypts the first byte of the challenge to a zero.  They can then trivially generate the encrypted challenge (step 3 in the netlogon authentication process) since it is all zeros.
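To make the CFB8 property concrete, here is an added Go example (not Secura’s or Netragard’s code) that implements the byte-at-a-time mode from the five steps above with Go’s standard-library AES, counts how often a random key makes an all-zero challenge encrypt to all-zero ciphertext under the hard-coded zero IV, and shows that a non-zero IV removes the degenerate case. All keys and IVs are constructed for illustration; nothing here talks to a domain controller.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"errors"
	"fmt"
)

// cfb8 is the byte-at-a-time CFB8 mode from the steps above, in either direction:
// encrypt the shift register (initially the IV), XOR its first output byte with one
// input byte, shift the ciphertext byte into the end of the register, drop the
// register's first byte, and repeat. Decryption shifts in the ciphertext byte read.
func cfb8(key, iv, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("cfb8: IV must be exactly one AES block")
	}
	register := append([]byte(nil), iv...)
	keystream := make([]byte, aes.BlockSize)
	out := make([]byte, len(in))
	for i, b := range in {
		block.Encrypt(keystream, register) // step 1: encrypt the register
		out[i] = keystream[0] ^ b          // step 2: first keystream byte XOR input byte
		c := out[i]                        // the ciphertext byte just produced ...
		if decrypt {
			c = b // ... or, when decrypting, the ciphertext byte just consumed
		}
		register = append(register[1:], c) // steps 3-4: append it, drop the first byte
	}
	return out, nil
}

var zeroIV = make([]byte, aes.BlockSize) // the IV netlogon hard-codes
var zeroChallenge = make([]byte, 8)      // an all-zero 8-byte client challenge

// isDegenerateKey reports whether this key, under the all-zero IV, encrypts the
// all-zero challenge to all-zero ciphertext. That happens exactly when
// AES(key, 0^16) starts with a zero byte: the register is then refilled with
// zeros and never changes, so every keystream byte is that same zero.
func isDegenerateKey(key []byte) (bool, error) {
	ct, err := cfb8(key, zeroIV, zeroChallenge, false)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ct, zeroChallenge), nil
}

// sampleDegenerateKeys draws n random AES-128 keys (constructed here, not real
// netlogon session keys), counts how many are degenerate and returns the first
// one found (nil if none). The count should land near n/256.
func sampleDegenerateKeys(n int) (int, []byte, error) {
	count := 0
	var example []byte
	for i := 0; i < n; i++ {
		key := make([]byte, 16)
		if _, err := rand.Read(key); err != nil {
			return 0, nil, err
		}
		deg, err := isDegenerateKey(key)
		if err != nil {
			return 0, nil, err
		}
		if !deg {
			continue
		}
		count++
		if example == nil {
			example = key
		}
	}
	return count, example, nil
}

func main() {
	count, key, err := sampleDegenerateKeys(25600)
	if err != nil || key == nil {
		fmt.Println("sampling failed:", err)
		return
	}
	fmt.Printf("degenerate keys: %d of 25600 (about 1 in 256 expected)\n", count)
	zeroCT, _ := cfb8(key, zeroIV, zeroChallenge, false) // all zeros: the secret hides nothing
	iv := []byte("constructed-iv16")                     // any non-zero IV breaks the pattern
	otherCT, _ := cfb8(key, iv, zeroChallenge, false)
	fmt.Printf("zero IV:     %x\nnon-zero IV: %x\n", zeroCT, otherCT)
}
```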

How Zerologon Can Be Exploited

The Zerologon vulnerability, by itself, only enables an attacker to successfully authenticate to the domain controller and encrypt all-zero plaintexts.  However, this is enough to successfully call the NetrServerPasswordSet2 function, which is designed to change the server password.  This function takes the following parameters:

  • Original client challenge plus the current time in POSIX notation
  • Random data
  • New password
  • New password length

Of these the original client challenge, the random data, and the new password are easily set to all zeros.  In theory, the server should verify the current time and disallow a zero-length password.  However, this is not the case, making it possible to set the domain controller’s password to empty.

While changing this password does not enable the attacker to log into the machine, it does enable them to access the Domain Replication Service Protocol.  This enables them to extract the password hashes of domain administrator accounts, enabling them to generate Kerberos golden tickets.  Additionally, these hashes could be used in a pass-the-hash attack to log into the Domain Controller as Domain Administrator and reset the password manually.  This provides the attacker with full access and control over the network.

However, this is not even the only way to exploit the Netlogon vulnerability.  A writeup by Dirk-jan Mollema describes another method that takes advantage of the NTLM protocol to gain Domain Administrator access without changing a password (which can crash services).  However, this version of the exploit requires two vulnerable domain controllers, an available domain user account, and a print spooler service running on a DC and accessible from the network (default domain controller configuration).

Zerologon Exploitation in the Wild

The patch for Zerologon was released in August 2020, and the details of the vulnerability weren’t publicly announced until September 2020.  In theory, this provided organizations with ample opportunity to apply the patch and eliminate the vulnerability.

In practice, many organizations have not applied the patch, leaving them vulnerable to exploitation.  Microsoft publicly announced that they have detected active exploitation of the vulnerability, and the Department of Homeland Security (DHS) issued a directive on September 18th requiring federal agencies to patch the issue by September 21st (i.e. the following Monday).

This is due to the fact that the vulnerability was expected to be actively exploited by cybercriminals.  This belief is backed up by a report by Tenable that multiple different exploit executables were uploaded to VirusTotal.

Protecting Against Zerologon

The Zerologon vulnerability is patched in the August 2020 set of Windows updates, and is blocked by some endpoint security solutions.  Microsoft recommends taking the following steps to fix the issue:

  1. Update Domain Controllers with the patch released in August 2020.
  2. Monitor patched Domain Controller logs for event IDs 5829, 5828, and 5829.  These events indicate a client that is using a vulnerable netlogon secure channel connection and require either a Windows or manufacturer update.
  3. Enable Domain Controller Enforcement Mode for additional visibility and protection.

After patching known domain controllers and other known affected systems, it might be wise to undergo a penetration test to discover other potentially vulnerable devices.  The vulnerability affects most versions of Windows Server, which can be deployed in a number of different environments and contexts.


The post Inside Zerologon appeared first on Netragard.

by Adriel Desautels at October 06, 2020 02:22 PM

ipSpace.net Blog (Ivan Pepelnjak)

EVPN Control Plane in Infrastructure Cloud Networking

One of my readers sent me this question (probably after stumbling upon a remark I made in the AWS Networking webinar):

You had mentioned that AWS is probably not using EVPN for their overlay control-plane because it doesn’t work for their scale. Can you elaborate please? I’m going through an EVPN PoC and curious to learn more.

It’s safe to assume AWS uses some sort of overlay virtual networking (like every other sane large-scale cloud provider). We don’t know any details; AWS never felt the need to use conferences as recruitment drives, and what little they told us at re:Invent described the system mostly from the customer perspective.

October 06, 2020 06:36 AM