Your DNS might stop in February. Are you DNS & IPAMs updated ?

The post Tech Notes: DNS Flag Day – February 1, 2019 appeared first on EtherealMind.

One of the attendees of the Building Next-Generation Data Center online course solved the build small data center fabric challenge with Virtual Chassis Fabric (VCF). I pointed out that I would prefer not to use VCF as it uses centralized control plane and is thus a single failure domain.

In case you’re interested in data center fabric architecture options, check out this section in the Data Center Fabric Architectures webinar.

Here are his arguments for using VCF:

The Networking Field Day Exclusive one-day event with Cisco’s Service Provider business unit definitely exceeded my expectations, and I believe showcased a different approach to technology and their customers than we might have seen from the Cisco Systems of four or five years ago.

Segment Routing

The topic-du-jour was definitely Segment Routing, and Cisco delivered great presentations on both SR-TE (Segment Routing – Tunnel Engineering) with SR Flexible Algorithm, and SRv6 (Segment Routing for IPv6). 

SR FlexAlgo

SR FlexAlgo effectively allows a network to calculate metric- and constraint-based primary and backup paths on demand and in a distributed fashion. For example, a policy might be that traffic to a given prefix should follow the lowest latency path using only MACSEC encrypted links, or perhaps the lowest cost path while staying within a particular geographical region. Cool stuff, and while it won’t fix every problem, conceptually I can see this as a relatively accessible way into Segment Routing, and one which could deliver tunnel engineering in a way that would be highly complex or impossible using RSVP-TE and a constraint-based IGP calculation.

SRv6

I had not looked at SRv6 before, and it’s a fascinatingly different beast to regular IPv4-based Segment Routing, finally putting the extensible IPv6 header to good use. SRv6 offers some very interesting use cases including using the internet (or any other third party network) as a segment, even though it is unaware that it’s a segment and doesn’t run Segment Routing. Additionally, SRv6 opened up an option to enable service chaining, and the demonstration of this in real time was pretty impressive.

EVPN

EVPN was also highlighted as a solution which can offer a fairly broad range of applications including, ultimately, replacing vPC, VSS, and HSRP/VRRP in the network. This is a protocol with much more to it than the standard context of VXLAN + BGP EVPN as a fabric, and one which deserves more attention.

Zero Touch Provisioning

I am a big fan of ZTP, and it’s good to see it in IOS XR as well. I’ve written about my positive experience with NXOS ZTP, and the IOS XR ZTP follows a very similar mechanism. Now, however, the on-box capabilities have been expanded to support multiple scripting languages as well as to take advantage of the root access given on the devices to permit container creation and other script/executable functions. A more recent addition is the idea of Golden ISO concept where software image downloaded to the device already has key elements like RPM installation and a base configuration already completed, minimizing the number of steps that have to be taken during the ZTP boot process.

Trusted Platforms

One of the questions that ZTP raises is who and what you can trust when booting a newly-installed device, and Cisco’s Dan Backman led us down Paranoia Lane from the network operating system all the way down to the CPU and BIOS in order to try and figure out whether we trusted the people who made each component, and the impact that penetration of a low-level component can have. This concept sounded familiar to me as I had previously written about Skyport Systems, a company whose aim was to provide a trusted compute platform. Guess who Cisco bought last year, and where Mr Backman was working at that time? The relevance to Cisco is the Hardware-Anchored Secure Boot architecture which attempts to protect Cisco hardware from low-level compromise.

gNMI/gRPC/OpenConfig

Just as I thought OpenConfig was going totally dark (perhaps the 3-year-out-of-date website is partly to blame for that opinion), Cisco presented all the fun stuff that can be done on the IOS XR platform using gRPC. I discussed OpenConfig on this site about three years ago, and had great hopes for it as a means of configuration, monitoring and telemetry. It seems that it is beginning to do exactly that, using gNMI (gRPC Network Management Interface) as a means to monitor and subscribe to telemetry streaming on IOS XR devices. I am super-excited to see this is getting traction, and looking forward to hearing about more in this area.

Fabrics, Fabrics, Fabrics

Everybody loves a good network fabric, and Cisco’s Phil Bedard looked at three kinds: metro fabric, core fabric and peering fabric, all guided by the concept of simplifying the network, making it scalable, secure and automatable. For a relatively simple topic, this presentation covered a lot of ground and will be worth another watch when the video is posted.

Thoughts

The theme I got through this event was of a consistent support for the ideas of making things easier, making them more accessible, and of support where possible for open standards. Cisco is even providing some support for IOS XR on whitebox (for a limited few customers, currently) which may lead to good things for a wider audience in the future. Automation, visibility, openness and operational simplicity came up time and time again throughout the presentations.

I had expected GoodNotes things from NFDx with Cisco’s Service Provider BU, but they really did deliver more than I had expected and I think on the whole the presenters did an outstanding job. I have a lot to think about, and I will be posting more in the coming weeks, and will provide links to the  videos when they have been posted.

This was really a very good one-day event and I’m delighted that I could be here to take part.

If you liked this post, please do click through to the source at Cisco SP Nails It at NFDx and give me a share/like. Thank you!

After giving a two-days training to a customer on multicast technology, I take the opportunity to have my lab and the configurations ready to share with you a suite of five different multicast configurations examples. And, how to make some tests and troubleshooting. These examples are based on the labs I used to practice the CCIE R&S practical exam. Content of the posts Any-source multicast (ASM) with static RP Any-source multicast (ASM) with auto-RP Any-source multicast (ASM) with anycast RP Any-source multicast (ASM) with bootstrap router (aka PIMv2) Source-specific multicast (SSM)…

The post Multicast lab 5: Source-Specific Multicast (SSM) appeared first on AboutNetworks.net.

After giving a two-days training to a customer on multicast technology, I take the opportunity to have my lab and the configurations ready to share with you a suite of five different multicast configurations examples. And, how to make some tests and troubleshooting. These examples are based on the labs I used to practice the CCIE R&S practical exam. Content of the posts Any-source multicast (ASM) with static RP Any-source multicast (ASM) with auto-RP Any-source multicast (ASM) with anycast RP Any-source multicast (ASM) with bootstrap router (aka PIMv2) Source-specific multicast (SSM)…

The post Multicast lab 4: Any-Source Multicast with Bootstrap Router (BSR) appeared first on AboutNetworks.net.

After giving a two-days training to a customer on multicast technology, I take the opportunity to have my lab and the configurations ready to share with you a suite of five different multicast configurations examples. And, how to make some tests and troubleshooting. These examples are based on the labs I used to practice the CCIE R&S practical exam. Content of the posts Any-source multicast (ASM) with static RP Any-source multicast (ASM) with auto-RP Any-source multicast (ASM) with anycast RP Any-source multicast (ASM) with bootstrap router (aka PIMv2) Source-specific multicast (SSM)…

The post Multicast lab 3: Any-Source Multicast with anycast RP appeared first on AboutNetworks.net.

After giving a two-days training to a customer on multicast technology, I take the opportunity to have my lab and the configurations ready to share with you a suite of five different multicast configurations examples. And, how to make some tests and troubleshooting. These examples are based on the labs I used to practice the CCIE R&S practical exam. Content of the posts Any-source multicast (ASM) with static RP Any-source multicast (ASM) with auto-RP Any-source multicast (ASM) with anycast RP Any-source multicast (ASM) with bootstrap router (aka PIMv2) Source-specific multicast (SSM)…

The post Multicast lab 2: Any-Source Multicast with auto RP appeared first on AboutNetworks.net.

After giving a two-days training to a customer on multicast technology, I take the opportunity to have my lab and the configurations ready to share with you a suite of five different multicast configurations examples. And, how to make some tests and troubleshooting. These examples are based on the labs I used to practice the CCIE R&S practical exam. Content of the posts Any-source multicast (ASM) with static RP Any-source multicast (ASM) with auto-RP Any-source multicast (ASM) with anycast RP Any-source multicast (ASM) with bootstrap router (aka PIMv2) Source-specific multicast (SSM)…

The post Multicast lab 1: Any-Source Multicast with static RP appeared first on AboutNetworks.net.

Every now and then someone tells me I should write more about the basic networking concepts like I did years ago when I started blogging. I’m probably too old (and too grumpy) for that, but fortunately I’m no longer on my own.

Over the years ipSpace.net slowly grew into a small community of networking experts, and we got to a point where you’ll see regular blog posts from other community members, starting with Using BGP as High-Availability protocol written by Nicola Modena, member of ExpertExpress team.

I read a curious story this weekend based on a supposed leak about the next iPhone, currently dubbed the iPhone 11¹. There’s a report that the next iPhone will have support for the forthcoming 802.11ax standard. The article refers to 802.11ax as Wi-Fi 6, which is a catch branding exercise that absolutely no one in the tech community is going to adhere to.

In case you aren’t familiar with 802.11ax, it’s essentially an upgrade of the existing wireless protocols to support better client performance and management across both 2.4GHz and 5GHz. Unlike 802.11ac, which was rebranded to be called Wi-Fi 5 or 802.11n, which curiously wasn’t rebranded as Wi-Fi 4, 802.11ax works in both bands. There’s a lot of great things on the drawing board for 11ax coming soon.

Why did I say soon? Because, as of this writing, 11ax isn’t a ratified standard. According to this FAQ from Aerohive, the standard isn’t set to be voted on for final ratification until Q3 of 2019. And if anyone wants to see the standard pushed along faster it would be Aerohive. They were one of, if not the, first company to bring a 802.11ax access point to the market. So they want to see a standard piece of equipment for sure.

Making pre-standard access points isn’t anything new to the market. Manufacturers have been trying to get ahead of the trends for a while now. I can distinctly remember being involved in IT when 802.11n was still in the pre-standard days. One of our employees brought in a Belkin Pre-N AP and client card and wanted us to get it working because, in his words, “It will cover my whole house with Wi-Fi!”

Sadly, we ended up having to ditch this device once the 802.11n standard was finalized. Why? Because Belkin had rushed it to the market and tried to capitalize on the fervor of people wanting fast connection speeds. The AP only worked with the PCMCIA client card sold by Belkin. Once you started to see ratified 802.11n devices they were incompatible with the Belkin AP and fell back to 802.11g speeds.

Belkin wasn’t the only manufacturer that was trying to get ahead of the curve. Cisco also pushed out the Aironet 1250, which had detachable lobes that could be pulled off and replaced. Why? Because they were shipping a draft 802.11n piece of hardware. They claimed that anyone purchasing the draft spec hardware could send in the lobes and get an upgrade to ratified hardware as soon as it was finalized. Except, as a rushed product the 1250 also consumed lots of power, ran hot, and generally had very low performance compared to the APs that came out after the ratification process was completed.

We’re seeing the same rush again with 802.11ax. Everyone wants to have something new when the next refresh cycle comes up. Instead of pushing people toward the stable performance of 802.11ac Wave 2 with proper design they are going out on a limb. Manufacturers are betting on the fact that their designs are going to be software-upgradable in the end. Which assumes there won’t be any major changes during the ratification process.

Cupertino Doesn’t Guess

One of the major criticism points of 802.11ax is that there is not any widespread adoption of clients out there to push us to need 802.11ax APs. The client vs. infrastructure argument is always a tough one. Do you make the client adapter and hope that someone will eventually come out with hardware to support it? Or do you choose to instead wait for the infrastructure to jump up in speed and then buy a client adapter to support it?

I’m usually one revision behind in most cases. My home hardware is running 802.11ac Wave 2 currently, but my devices were 11ac capable long before I installed any Meraki or Ubiquiti equipment. So my infrastructure was playing catchup with my clients. But not everyone runs the same gear that I do.

One of the areas where this is more apparent is not in the Wi-Fi realm but instead in the carrier space. We’re starting to hear that carriers like AT&T are deploying 5G in many cities even though there aren’t many 5G capable handsets. And, even when the first 5G handsets start hitting the market, the smart money says to avoid the first generation. Because the first generation is almost always hot, power hungry, and low performing. Sound familiar?

You want to know who doesn’t bet on non-standard technology? Apple. Time and again, Apple has chosen to take a very conservative approach to introducing new chipsets into their devices. And while their Wi-Fi chipsets often seen upgrades long before their cellular modems do, you can guarantee that they aren’t going to make a bet on non-standard technology that could potentially hamper adoption of their flagship mobile device.

A Logical Approach

Let’s look at it logically for a moment. Let’s assume that the standards bodies get off their laurels and kick into high gear to get 802.11ax ratified at the end of Q2. That’s just after Apple’s WWDC. Do you think Apple is going to wait until post-WWDC to decide what chipsets are going to be in the new iPhone? You bet your sweet bandwidth they aren’t!

The chipset decisions for the iPhone 11 are being made right now in Q1. They want to know they can get sufficient quantities of SoCs and modems by the time manufacturing has to ramp up to have them ready for stores in October. That means you can’t guess whether or not a standard is going to be approved in time for launch. Q3 2019 is during the iPhone announcement season. Apple is the most conservative manufacturer out there. They aren’t going to stake their connectivity on an unproven standard.

So, let’s just state it emphatically for the search engines: The iPhone 11 will not have 802.11ax, or Wi-Fi 6, support. And anyone trying to tell you differently is trying to sell you a load of marketing.

The Future of Connectivity

So, what about the iPhone XII or whatever we call it? That’s a more interesting discussion. And it hinges on something I heard in a recent episode of a new wireless podcast. The Contention Window was started by my friends Tauni Odia and Scott Lester. In Episode 1, they have their big 2019 predictions. Tauni predicted that 802.11ax won’t be ratified in 2019. I agree with her assessment. Despite the optimism of the working group these things tend to take longer than expected. Which means Q4 2019 or perhaps even Q1 2020.

If 802.11ax ratification slips into 2020 you’ll see Apple taking the same conservative approach to adoption. This is especially true if the majority of deployed infrastructure APs are still pre-standard. Apple would rather take an extra year to get things right and know they won’t have any bugs than to rush something to the market in the hopes of selling a few corner-case techies on something that doesn’t have much of an impact on speeds in the long run.

However, if the standards bodies prove us all wrong and push 11ax ratification through we should see it in the iPhone X+2. A mature technology with proper support should be seen as a winner. But you should see them move telegraphed far in advance with adoption of the 11ax radios in the MacBook Pro first. Once the bigger flagship computing devices get support it will trickle down. This is just an economic concern. The MacBook has more room in the case for a first-gen 11ax chip. Looser thermal tolerances and space considerations means more room to make mistakes.

In short: Don’t expect an 11ax (or Wi-Fi 6) chip before 2020. And if you’re betting the farm on the iPhone, you may be waiting a long time.

Tom’s Take

I like the predictions of professionals with knowledge over leaks with dubious marketing value. The Contention Window has lots of good information about why 802.11ax won’t be ratified any time soon. A report about a leaked report that may or may not be accurate holds a lot less value. Don’t listen to the hype. Listen to the people who know what they’re talking about, like Scott and Tauni for example. And don’t stress about having the newest, fastest wireless devices in your house. Odds are way better that you’re going to have to buy a new AP for Christmas this year than the hope of your next iPhone support 802.11ax. But the one thing we can all agree on: Wi-Fi 6 is a terrible branding decision!

Getting work done is hindered by logistics. Logistics is work about work. It’s the work you do so that you can get something else done.

For example, there’s a workflow I use to create a podcast. Most of that work is logistical: creating a collaborative script document from a template, inviting guests to a recording channel, scheduling the recording, coordinating sponsor content, updating the production calendar, editing the episode, writing a blog post about the episode, and promoting the episode on social media.

Relatively little of the workflow is what I consider the meat of podcast creation: researching the topic and guests, writing interview questions, and recording the actual show.

I draw the line between logistics and meat by considering what I can delegate vs. what I need to do uniquely myself. Most tasks can be divided along this line.

Solving The Logistics Problem With Delegation

One way to boost productivity is to delegate logistics. Delegation frees up your time to focus on the remaining tasks requiring your unique skills.

Delegation comes in at least three forms.

1. Humans.
2. Software.
3. Automation.

Some tasks can be delegated to other humans. In my case, I delegate many tasks in my business to consultants, contractors, employees, and my personal assistant. I still have to manage those relationships, and I have to compensate people for their time. Delegation doesn’t absolve me of task responsibility.

Delegating to other humans is challenging, creating process and interpersonal debt. You might welcome such a difficulty, but find that you aren’t in a position to delegate other humans. You still have delegation options.

In the digital age, delegating to software is self-explanatory–we all do this. As an aside, while I believe in delegating to software, I also believe in delegating software infrastructure. In my business, there is no advantage to be gained by hosting software myself. I delegate software hosting to a mix of SaaS and IaaS infrastructure providers.

Automation steps in where humans shouldn’t and software can’t. Tedious, repetitive tasks are best done by carefully programmed robots.

Software can’t predict all business workflows–businesses are unique, meaning software has limited task granularity out of the box. Software designers can’t create an overly specific product and still retain mass appeal. This is where automation steps in. Automation is the workflow layer on top of software that performs repetitive tasks quickly and predictably.

Delegating To Automation

In my own workflows, I’ve identified automation as the weak link. I’ve passed off as many tasks to other humans as appropriate. I continually review and revise my software tools. However, I don’t automate.

For instance, to prepare for a podcast recording, two of the steps are to create a Google document from a template, build a Slack channel, and invite the guests to both. Accomplishing this is a lot of predictable clicking and typing.

Google Drive has an API. Slack has an API. Why am I interfacing with Google Drive and Slack using the clicky-clicky GUI? Because it’s what I know. It’s easy. It’s time-consuming and error prone, but it gets the job done.

Automating these tasks seems too painful, because I don’t know how to write the code off the top of my head. I’ll have to read documentation, write some code, experiment, and fuss.

Will automating those document and channel creation tasks be worth it? The answer to that question comes in the form of time saved. How long does it take me to clicky-clicky and get these tasks done? Let’s say it’s twenty minutes. I don’t know exactly how long the actual clicking takes, and the reason is that there’s more time to account for than the click time.

There is also distraction time.

When I go into the standard Google Drive UI to create a document, I see a myriad of other folders and documents related to projects I’m working on. I’m reminded of other tasks I need to complete. The temptation to move orthogonally into another task is significant when my to-do list is long.

The same distraction exists when looking at Slack. Even though I squelch almost all notifications, opening the Slack interface to work on channel creation and invitations can take me far afield.

Because of distractions, twenty minutes becomes thirty or forty. Distractions eat the day away. Distractions cut into productivity. Therefore, automation isn’t simply about making clicks go faster. Automation is also about retaining focus by reducing distractions.

A script that gathers a bit of information from me can handle Google doc and Slack channel creation with a single command, instead of me performing a bunch of distractable clicking. Creating the script will be hard, but the result will be time saved and focus retained.

What about IFTTT or Zapier Instead Of Code?

What if I don’t want to read API documentation and write code? Might trigger-based tools like IFTTT or Zapier help? I believe the answer is “yes,” but there’s homework to do to know how much.

Historically, I’ve used both IFTTT and Zapier to automate straightforward tasks like posting to social media based on a RSS feed trigger. However, I’ve found both Zapier and IFTTT, powerful though they are, to be constrained. I can only execute the actions that they support, and the entirety of an platform’s API is unlikely to be exposed to an IFTTT recipe or Zapier zap.

Therefore, I’m leaning toward Python as a programming tool with comparatively infinite flexibility. With learning time invested in APIs, I can write Python scripts to do any action I need.

Writing my own code offers another interesting possibility: chatbots. That is, I can log a chatbot into Slack and issue automation commands to the chatbot from the Slack interface. This is desirable from a business workflow perspective, because it means actions are logged in an observable Slack channel, keeping the other humans I work with in the loop as to what automated work is being done.

I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. I love automation, but it seems that dreams of a smooth customer experience can be destroyed by the persistence of engineering silos in many organizations.

This post appeared on Orange Matter as “Silo-Busting and Dream-Dashing; More Fun With Automation“, but I’m also linking to the version posted on Thwack, mainly because that format allowed me to use more images and be slightly more irreverent. Actually, quite a lot more irreverent in this particular case…

I’d love it if you were to take a moment to visit and read, and maybe even comment!

If you liked this post, please do click through to the source at Orange Matter: Silo-Busting and Dream-Dashing and give me a share/like. Thank you!

You can drop packets using iptables on a Linux host with some level of randomness. iptables -A INPUT -m statistic --mode random --probability 0.8 -s example.com -p icmp -j DROP I also did not know that Linux has a traffic control tool for packet shaping ‘tc’: tc qdisc change dev eth0 root netem loss 5% […]

The post Tools: Dropping and Shaping Packets with iptables and tc on Linux appeared first on EtherealMind.

In spring 2019 Building Network Automation Solutions course we’ll have Kristian Larsson diving into continuous integration and his virtual networking lab product (you might want to listen to the Software Gone Wild episode we did with him to get a taste of what he’ll be talking about). Christoph Jaggi did a short interview with him starting with the obvious question:

What is CI testing and how does it differ from other testing methods?

CI is short for Continuous Integration and refers to a way of developing software where changes written by individual developers are frequently (or "continuously") integrated together into a master branch/trunk, thus continuous integration.

Question on Reddit Ok, this is a weird question and I’ll probably get some flak for this, but is there any real proof that an SFP (1000BASE) transceiver cannot be at the end of a QSFP+ breakout? Afaik QSA type adapters are just splitters but leave the other 3 out as evidenced by how they […]

The post QNA: Breakouts Cables Are Not Splitters appeared first on EtherealMind.

Define the term 'Greyfield'

The post Network Dictionary: Greyfield appeared first on EtherealMind.

Cisco announced it is buying Luxtera for $660M.  Luxtera make SFP modules for Ethernet switches including the critical laser components.  Interesting Things Just before the Christmas break when fewer people are watching. Background of US/China trade problems Cisco get control of part of the supply chain Silicon photonics is about using existing silicon manufacturing processes […]

The post Why Would Cisco Buy Luxtera ? appeared first on EtherealMind.

I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. This post examines how it’s easy to get so focused on automating the small stuff we have difficulty turning that into the more cohesive automation solution that we’d like to have.

This post appeared on Orange Matter as “Automation Paralysis: Why We Get Stuck Automating The Small Stuff“, but I’m also linking to the version posted on Thwack, mainly because that format allowed me to use more images and be slightly more irreverent. Irreverent? Moi? Of course.

I’d love it if you were to take a moment to visit and read, and maybe even comment!

If you liked this post, please do click through to the source at Orange Matter: Automation Paralysis and give me a share/like. Thank you!

One of my readers sent me a description of their automation system that manages firewall rulesets on Fortigate firewalls using NAPALM to manage device configurations.

In his own words:

We are now managing thousands of address objects, services and firewall policies using David Barroso’s FortiOS Napalm module. This works very well and with a few caveats (such as finding a way to enforce the ordering of firewall policies) we are able to manage all the configuration of our firewalls from a single Ansible playbook.

The did the right thing and implemented an abstracted data model using GitOps to manage it:

Lots of network monitoring platforms use GeoIP databases to track/monitor sources. These databases are, perhaps, 75% accurate (for some definition of accurate). This is your regular reminder to have a sense of caution about location based on public IP address. John S. and his mother Ann live in the house, which is in Pretoria, the […]

The post Geo IP Databases are Highly Inaccurate appeared first on EtherealMind.

You might have noticed that our Winter 2019 webinar schedule got crazily busy with seven live sessions in the first two months of the year (another first)… but that’s not all, there are two more live sessions that we haven’t announced yet as we always schedule a single live session of a particular webinar.

Wondering what’s coming during the rest of 2019? Starting with committed ideas:

I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. The post linked here looks at where we define our source of truth for device configurations; is it the device itself? Should it be? This is a key question when looking at automation, and one we should all be asking ourselves.

This post appeared on Orange Matter as “Where Is Your Config Source of Truth?“, but I’m also linking to the version posted on Thwack, mainly because that format allowed me to use more images and be slightly more irreverent, which is perhaps a bit more in character.

I’d love it if you were to take a moment to visit and read, and maybe even comment!

If you liked this post, please do click through to the source at Orange Matter: Where is Your Configuration Source of Truth? and give me a share/like. Thank you!

Here’s some feedback I got from a subscriber who got pulled into an SD-WAN project:

I realized (thanks to you) that it’s really important to understand the basics of how things work. It helped me for example at my work when my boss came with the idea “we’ll start selling SD-WAN and this is the customer wish list”. Looked like business-as-usual until I realized I’ve never seen so big a difference between reality, customer wishes and what was promised to customer by sales guys I never met. And the networking engineers are supposed to save the day afterwards…

How did your first SD-WAN deployment go? Please write a comment!

IoT security is a pretty hot topic in today’s world. That’s because the increasing number of smart devices is causing issues with security professionals everywhere. Consumer IoT devices are expected to top 20 billion by 2020. And each of these smart devices represents an attack surface. Or does it?

Hello, Dave

Adding intelligence to a device increases the number of ways that it can compromised. Take a simple thermostat, for example. The most basic themostat is about as dumb as you can get. It uses the expansion properties of metal to trigger switches inside of the housing. You set a dial or a switch and it takes care of the rest. Once you start adding things like programmability or cloud connection, you increase the number of ways that you can access the device. Maybe it’s a webpage or an app. Maybe you can access it via wireless or Bluetooth. No matter how you do it, it’s more available than the simple version of the thermostat.

What about industrial IoT devices? The same rule applies. In this case, we’re often adding remote access to Supervisory Control And Data Acquistion (SCADA) systems. There’s a big market from enterprise IT providers to create secured equipment that allows access to existing industrial equipment from centralized control dashboards. It makes these devices “smart” and allows you to make them easier to manage.

Industrial IoT has the same kind of issues that consumer devices do. We’re increasing the number of access avenues to these devices. But does that mean they’re a security risk? The question could be as simple as asking if the devices are any easier to hack than their dumb counterparts. If that is our only yardstick, then the answer is most assuredly yes they are a security risk. My fridge does not have the ability for me to access it over the internet. By installing an operating system and connecting it to the wireless network in my house I’m increasing the attack surface.

Another good example of this increasing attack surface is in home devices that aren’t consumer focused. Let’s take a look at the electrical grid. Our homes are slowly being upgraded with so-called “smart” electrical meters that allow us to have more control over power usage in our homes. It also allows the electric companies to monitor the devices more closely and read the electric meters remotely instead of needing to dispatch humans to read those meters. These smart meters often operate on Wi-Fi networks for ease-of-access. If all we do is add the meters to a wireless network, are we really creating security issues?

Bigfoot-Sized Footprints

No matter how intelligent the device, increasing access avenues to the device creates security access issues. A good example of this is the “hidden” diagnostic port on the original Apple Watch. Even though the port had no real use beyond internal diagnostics at Apple, it was a tempting target for people to try and get access to the system. Sometimes these hidden ports can dump hidden data or give low-level access to areas of the system that aren’t normally available. While the Apple Watch port didn’t have this kind of access, other devices can offer it.

Giving access to any device allows you to attack it in a way that can gain you access that can get you into data that you’re not supposed to have. Sure, a smart speaker is a very simple device. But what if someone found a way to remotely access the data and capture the data stream? Or the recording buffer? Most smart speakers are monitoring audio data listening for their trigger word to take commands. Normally this data stream is dumped. But what if someone found a way to reconstruct it? Do you think that could qualify as a hack? All it takes is an enterprising person to figure out how to get low-level access. And before you say it’s impossible, remember that we allow access to these devices in other ways. It’s only a matter of time before someone finds a hole.

As for industrial machines, these are even more tempting. By gaining access to the master control systems, you can cause some pretty credible havoc with their programming. You can shut down all manner of industrial devices. Stuxnet was a great example of writing a very specific piece of malware that was designed to cause problems for a specific kind of industrial equipment. Because of the nature of the program it was very difficult to figure out exactly what was causing the issues. All it took was access to the systems, which was reportedly caused by hiding the program on USB drives and seeding them in parking lots where they would be picked up and installed in the target facilities.

IoT devices, whether consumer or enterprise, represent potential threat vectors. You can’t simply assume that a simple device is safe because there isn’t much to hack. The Mirai bonnet exploited bad password hygiene in devices to allow them to be easily hacked. It wasn’t a complicated silicon-level hack or a coordinated nation state effort. It was the result of someone cracking a hard-coded password and exploiting that for their own needs. Smart devices can be made to make dumb decisions when used improperly.

Tom’s Take

IoT security is both simple and hard at the same time. Securing these devices is a priority for your organization. You may never have the compromised, but you have to treat them just like you would any other device that could potentially be hacked and turned against you. Zero-trust security models are a great way to account for this, but you need to make sure you’re not overlooking IoT when you build that model. Because the invisible devices helping us get our daily work done could quickly become the vector for hacking attacks that bring our day to a grinding halt.

Time is the enemy of everything in the field of IT. It doesn’t matter whether you are a designer or operator. Time is your sworn enemy.

In all the training and certifications I’ve ever done, all that is missing is a knighting ceremony in which a sword is laid on your shoulders and you’re sworn in to be an enemy of the phenomena.

Time

Time is a speculative investment, time is relative, highly subjective and makes us emotional. It offers us unsolvable yet predictable challenges. We only ever hear "we need more time". Managers demand it and engineers beg for it. Everything costs time and nothing will give us time back. Given that last statement, high return time investments are key.

In software, we’ve moved to agile, which lets us split software releases up in to super tiny chunks. Instead of a huge development cycle followed by huge deployment and troubleshooting window, we’ve moved to a tiny slice model, in which we do a tiny amount of design, a tiny amount of coding and a tiny amount of deployment and troubleshooting. This move allows us to target the highest priorities quicker and target more accurately, which results in appearing to be more reactive to business needs. Blobs of time for each phase are still consumed, but because we consume them in smaller doses, it doesn’t feel so bad does it? We might have saved a bit of time, but the real gain here is agility and the ability to react to changing needs. Not all requirements will ever be met and items rapidly are pushed on and pushed off a list.

A point I’m trying to make here is that good design and approach, whilst it takes time, can smooth out and reduce either big blog or tiny slice allocations of time. It’s an investment and returns positive results and cannot be swept to one-side in the name of Agile or DevOps.

Moving along to automation in the networking space and kaboom. Maturity is still low, design is immature to non-existent and the idea of allocating time to do experiments so we can gain experience is abrasive. Let 2019 be the year of sensible actions and an awakening to the fact that engineering takes design, experimentation and solid recording of outcomes and results. Once the methodologies are known and the design style and parlance is adopted, then we can ask for a reduction in task time. If you’re not prepared to invest to accumulate, then you’re asking for miracles and encouraging guess work.

Close

Engineering in any field is both scientific and an art. It takes creativity, calculations, analysis and retrospectives. Time is an element in all of these and investing it wisely can reduce the quantity of it spent elsewhere.

Good luck and good fortune for 2019!

The post NAE: Automation and Time appeared first on ipengineer.net.

One of the attendees of my Building Network Automation Solutions online course sent me this suggestion:

Stick to JUST Ansible - no GitHub, Vagrant, Docker or even Python - all of which come with their own significant learning curves.

While I understand how overwhelming the full-blown network automation landscape is to someone who never touched programming, you have to make a hard choice when you decide to start the learning process: do you want to master a single tool, or understand a whole new technology area and be able to select the best tool for the job on as-needed basis.

Reviewing a Threat report from Fortinet Networks suggests that 73% of internet traffic is now encrypted. Thats a substantial change in five years for a network protocol. More than I expected but good news that the status quo CAN be changed. I wonder what happened to telcos that were selling data extracted from capturing HTTP […]

The post Percentage of HTTPS (TLS) Encrypted Traffic on the Internet ? appeared first on EtherealMind.

You may be thinking “Wait, he hasn’t posted in ages.. how lazy is he?” but thankfully I haven’t been entirely slothful for the last seven months. Most recently I authored a series of six posts related to SDN and automation on the Solarwinds Orange Matter blog. I can’t republish that content here, but I will be sharing links to the posts in the coming days and I hope you’ll find them interesting and thought-provoking.

Cisco SP – Networking Field Day Exclusive!

More immediately, I’m preparing to start the new year with a quick trip to see Cisco’s Service Provider group at a Networking Field Day Exclusive event. I’ve seen the proposed agenda, and it looks like it’s going to be an intense day filled with the kind of topics that I know my readers will appreciate. As always, I’ll be posting about some of the topics covered (maybe even all of them…who knows?), but it’s even better if you can take part too.

The event takes place on Tuesday, January 15th, 2019. If you can, I recommend hopping on the live stream on Tech Field Day and then using the #TFDx hashtag on Twitter to join in the conversation and ask questions (the delegates keep an eye out for questions we can ask the presenters on your behalf ).

With a start like this, I think it’s going to be a good one. Stay tuned, and I hope you have a great 2019!

If you liked this post, please do click through to the source at New Year, New Post, NFDx! and give me a share/like. Thank you!

Another nail in the “telco cannot provide customised services” folder. Windstream sells its consumer business: “This transaction enables us to divest a non-core segment and focus exclusively on our two largest business units. In addition, it improves our credit profile and metrics in 2019 and beyond,” said Tony Thomas, president and CEO of Windstream. As […]

The post Windstream sells EarthLink consumer internet business appeared first on EtherealMind.

In January 2019, Packet Pushers Weekly Podcast will rebrand to Heavy Networking.

The post Announcing Heavy Networking <= Packet Pushers Weekly appeared first on EtherealMind.

I started January 2018 blogging with a major service provider failure. Why should 2019 be any different? Here’s what Century Link claimed was causing two-day outage (more comments here).

Supposedly it was a problem with the management network used by their optical gear, but it looks a lot like a layer-2 network spanning 15 data centers and no control-plane policing on the managed devices… proving yet again that large-scale layer-2 networks are a really bad idea.

Peering AS4812 without filters.

Related: https://bgpstream.com/event/171779

2018 is done! I wanted to share what I have done during the last year.   During 2018, probably the biggest decision for me was establishing a company in Turkey.   This photo was taken during a CCDE Bootcamp 10 days after I opened my office in Istanbul. Before I established an Office, I was …

Continue reading "2018 was a good and busy year ! Things I have done during the last year"

The post 2018 was a good and busy year ! Things I have done during the last year appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

BGP Implicit and Explicit Withdraw are important BGP messages. Understanding these two mechanisms not only help for understanding BGP convergence but also helps for BGP path diversity.    While I was explaining BGP Add-Path in my Instructor Led CCDE course, I used the term ‘BGP Implicit Withdraw’ Then someone asked what is ‘ BGP Explicit …

Continue reading "BGP Implicit and Explicit Withdraw"

The post BGP Implicit and Explicit Withdraw appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

This video was presented at the 35C3 conference in Germany last week. The presenter is highly credible on the topic. Hardware implants and supply chain attacks have been in the news recently, but how feasible are they and what can we do about them? In this talk we’ll examine the design of a proof of […]

The post Response: Modchips, Hardware Implants and Bloomberg falsehoods appeared first on EtherealMind.

AT&T has finally found a buyer for its colocation business. AT&T Inc announced today that it has completed the sale of its data center colocation operations and assets to Brookfield Infrastructure and its institutional partners (“Brookfield”). The company previously announced a strategic alliance with Brookfield that included the transfer of these operations and assets. Why […]

The post AT&T Sells Its Colocation Data Centres appeared first on EtherealMind.

2018 was a year full of excitement and fun. And for me, it was a year full of writing quite a bit. Not only did keep up my writing here for my audience but I also wrote quite a few posts for GestaltIT.com. You can find a list of all the stuff I wrote right here. I took a lot of briefings from up-and-coming companies as well as talking to some other great companies and writing a couple of series about SD-WAN.

It was also a big year for the Gestalt IT Rundown. My co-host with most Rich Stroffolino (@MrAnthropology) and I had a lot of fun looking at news from enterprise IT and some other fun chipset and cryptocurrency news. And I’ve probably burned my last few bridges with Larry Ellison and Mark Zuckerberg to boot. I look forward to recording these episodes every Wednesday and I hope that some of you will join us on the Gestalt IT Facebook page at 12:30 EST as well.

Content Coming Your Way

So, what does that leave in store for 2019? Well, since I hate predictions on an industry scale, that means taking a look at what I plan on doing for the next year. For the coming 365 days, that means creating a lot of content for sure. You already know that I’m going to be busy with a variety of fun things like Networking Field Day, Mobility Field Day, and Security Field Day. That’s in addition to all the things that I’m going to be doing with Tech Field Day Extra at Cisco Live Europe and Cisco Live US in San Diego.

I’m also going to keep writing both here and at Gestalt IT. You probably saw my post last week about how hard it is to hit your deadlines. Well, it’s going to be a lot of writing coming out in both places thanks to coverage of briefings that I’m taking about industry companies as well as a few think pieces about bigger trends going on in the industry.

I’m also going to experiment more with video. One of the inspirations that I’m looking at is none other than my good friend Ethan Banks (@ECBanks). He’s had some amazing videos series that he’s been cranking out on his daily walks. He’s been collecting some of them in the Brain Spasms playlist. It’s a really good listen and he’s tackling some fun topics so far. I think I’m going to try my hand at some solo video content in the future at Gestalt IT. This blog is going to stay written for the time being.

Creating Content Quickly

One of the other things that I’m playing around with is the idea of being able to create content much more quickly and on the spot versus sitting down for long form discussions. You may recall from a post in 2015 that I’ve embraced using Markdown. I’ve been writing pretty consistently in Markdown for the past three years and it’s become second nature to me. That’s a good thing for sure. But for 2019, I’m going to branch out a bit.

The biggest change is that I’m going to try to do the majority of my writing on an iPad instead of my laptop. This means that I can just grab a tablet and type out some words quickly. It also means that I can take notes on my iPad and then immediately translate them into thoughts and words. I’m going to do this using iA Writer as my content creation tool. It’s going to help me with my Markdown as well as helping me keep all the content I’m going to write organized. I’m going to force myself to use this new combination unless there’s no way I can pull it off, such as with my Cisco Live Twitter list. That whole process still relies quite a bit on code and not on Markdown.

As I mentioned in my deadline post, I’m also going to try to move my posting dates back from Friday to Wednesday or Thursday at the latest. That gives me some time to play around with ideas and still have a cushion before I’m late with a post. On the big days I may still have an extra post here or there to talk about some big news that’s breaking. I’m hoping this allows me to get some great content out there and keep the creative juices flowing.

Tom’s Take

2019 is going to be a full year. But it allows me to concentrate on the things that I love and am really good at doing: Writing and leading Tech Field Day. Maybe branching out into video is going to give me a new avenue as well, but for now that’s going to stay pretty secondary to the writing aspect of things. I really hope that having a more mobile writing studio also helps me get my thoughts down quickly and create some more compelling posts in the coming year. Here’s hoping it all works out and I’ve got some great things to look back on in 365 days!