Collection of useful, relevant or just fun places on the Internets for 21st September 2013 and a bit of commentary about what I’ve found interesting about them:
Fragmentation Needed: Calculating distances in meatspace – Genius bit of Perl scripting from Chris Marget.
I’m working on an automated provisioning system for a very large VPN network. For each new VPN client, I need to select a headend site where VPN tunnels should land. The only data available is that which I can get from the sales and billing systems. This system offers me the zip code of the install site.
Using the zip code of the install site, and the known zip codes of my various head-end sites, I’m able to select the destination for the primary and secondary VPN tunnels.
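The head-end selection described above, as an added illustration rather than Chris Marget’s own Perl script: given a table of zip-code centroids (constructed sample values here, not a real zip database) and a hypothetical set of head-end sites, rank the head-ends by great-circle distance from the install site and pick the nearest two as primary and secondary. An unknown zip code fails loudly rather than landing a tunnel somewhere arbitrary.

```python
import math

# Constructed sample data: zip code -> (latitude, longitude) centroid.
# Illustrative values only, not a real zip code database.
ZIP_CENTROIDS = {
    "10001": (40.7506, -73.9972),   # New York, NY (approx.)
    "60601": (41.8858, -87.6229),   # Chicago, IL (approx.)
    "94105": (37.7898, -122.3942),  # San Francisco, CA (approx.)
    "75201": (32.7875, -96.7995),   # Dallas, TX (approx.)
    "02108": (42.3575, -71.0636),   # Boston, MA (approx.)
}

# Hypothetical head-end sites, keyed by a short name, with their zip codes.
HEADENDS = {"nyc": "10001", "chi": "60601", "sfo": "94105", "dfw": "75201"}

EARTH_RADIUS_KM = 6371.0


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = (math.sin(dlat / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def select_headends(client_zip, headends=HEADENDS, centroids=ZIP_CENTROIDS):
    """Return (primary, secondary) head-end names, nearest first.

    A zip code missing from the centroid table raises KeyError so that a bad
    value from the billing system is caught at provisioning time.
    """
    client = centroids[client_zip]          # KeyError for an unknown zip
    ranked = sorted(
        headends,
        key=lambda name: haversine_km(client, centroids[headends[name]]),
    )
    if len(ranked) < 2:
        raise ValueError("need at least two head-end sites for primary and secondary tunnels")
    return ranked[0], ranked[1]


if __name__ == "__main__":
    print(select_headends("02108"))  # Boston install site -> ('nyc', 'chi')
```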
A Few Thoughts on Cryptographic Engineering: On the NSA – This makes me want to hide under the bed and wear a tinfoil hat. Is there any moral line that these organisations would not cross?
Which means there’s a circumstantial case that the NSA and GCHQ are either directly accessing Certificate Authority keys or else actively stealing keys from US providers, possibly (or probably) without executives’ knowledge. This only requires a small number of people with physical or electronic access to servers, so it’s quite feasible. The one reason I would have ruled it out a few days ago is because it seems so obviously immoral if not illegal, and moreover a huge threat to the checks and balances that the NSA allegedly has to satisfy in order to access specific users’ data via programs such as PRISM.
The Life of Kenneth: Tear-Down of an HP ProCurve 2824 Ethernet Switch – A wonderfully detailed breakdown of the internals of a network switch. Lots of images and valuable discussion about the processors and data flow across the PCB and processors. A MUST READ for engineering types who don’t know what happens inside a switch:
There is nothing particularly exceptional about the processor, which is reasonable considering that once the switch is up and running the processor has relatively little to do. Low-end Ethernet switches (that any normal consumer would use) actually forego having a processor altogether and instead use the “unmanaged” feature of the switching fabric, where a fixed configuration is read off of an EEPROM. With enough effort and a will to void the warranty on your Ethernet switch, it is theoretically possible to modify the contents of this configuration EEPROM to make the switch fabric do something different than the default (i.e. VLAN tagging, etc). In reality this is usually pretty difficult, because the switch fabric manufacturers make it difficult to get your hands on a full datasheet, and doesn’t make much sense (since subsequently modifying any of these settings requires physically opening the switch and reflashing the EEPROM again).
MultiMarkdown 4.3.1 released – Updates to Multimarkdown for Mac. Mostly I use the QuickLook Generator because so much content is written in Markdown now.
MultiMarkdown 4.3.1 has been released, including update binary installers for Mac and Windows.
League Gothic | The League of Moveable Type – League Gothic is one of my favourite fonts for titles inside diagrams and reports. It’s also free and open.
League Gothic is a revival of an old classic, and one of our favorite typefaces, Alternate Gothic #1. It was originally designed by Morris Fuller Benton for the American Type Founders Company in 1903. The company went bankrupt in 1993, and since the original typeface was created before 1923, the typeface is in the public domain.
Howfunky.com: IPv6 Unique Local Address or ULA – what are they and why you shouldn’t use them – AAAAAARRRRRGGGGHHHHHH. Widespread and mandatory use of NAT has led many people to believe that NAT is a design absolute. Ed Horley tackles this.
So there you have it. In summary, ULA is appropriate for a lab, a proof of concept, a super secure network and maybe an out-of-band control network. Even then, I would still argue you could do all of those functions with global unicast addresses and simply put the correct routing and firewalls rules in place. ULA is designed to never be routed on the public IPv6 Internet and as a result you should not be assigning ULA to hosts in your network unless you have the correct use case. Otherwise, stick with global unicast IPv6 addresses. Do IPv6 right the first time so you don’t have to go back and do it again.
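A check for the situation the post warns about, added here as an example and not part of Ed Horley’s article: walk a host inventory (constructed sample lines below, not real data), classify each IPv6 address as ULA (fc00::/7), link-local or global unicast (2000::/3), and report hosts that carry ULA but no global unicast address, since those are the ones that cannot reach the public IPv6 Internet without some NAT66/NPTv6 kludge.

```python
import ipaddress

# Constructed inventory, one host per line: "hostname addr1,addr2,...".
INVENTORY = """\
web01 2001:db8:10::5,fe80::1
db01 fd12:3456:789a::10,fe80::2
lab01 fd00:abcd::1,2001:db8:20::7
oob01 fdff:1::1
"""

ULA = ipaddress.ip_network("fc00::/7")    # RFC 4193 Unique Local Addresses
GUA = ipaddress.ip_network("2000::/3")    # RFC 4291 global unicast range


def classify(addr):
    """Bucket one address as 'ula', 'link-local', 'global' or 'other'."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return "other"
    if ip.is_link_local:                  # fe80::/10
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip in GUA:
        return "global"
    return "other"


def ula_only_hosts(inventory):
    """Return hostnames that have a ULA address but no global unicast address.

    Hosts with both (e.g. a lab box that also has GUA) are not flagged; the
    finding is specifically 'ULA as the only routable address'.
    """
    findings = []
    for line in inventory.strip().splitlines():
        host, addrs = line.split()
        kinds = {classify(a) for a in addrs.split(",")}
        if "ula" in kinds and "global" not in kinds:
            findings.append(host)
    return findings


if __name__ == "__main__":
    print(ula_only_hosts(INVENTORY))  # ['db01', 'oob01']
```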
Sooner or later someone will pay for the complexity of the kludges you use « ipSpace.net by @ioshints – Ivan continues his trend of pointing out that the era of isolated abstractions is nearly over.
You probably already know the answer. There is a better option – use applications that use DNS and can survive external IP address change when they move from one DC to another. That might sound like an academic argument considering the current state of craplications in many enterprise environments, but do step back from the pressing networking problems and take a wider look from the business perspective.
Security Snake Oil for Sale – Network Computing – Michelle Chubirka at Network Computing points out that customers keep buying security products that are proven not to work.
The truly mystifying aspect of this dilemma is that the industry seems to keep getting away with selling us empty promises. Solutions that simply don’t work in solving the Gordian Security Knot facing enterprises every day. And we let them. If a networking vendor sold a device that should forward packets, but didn’t, it wouldn’t have very many customers.
In Defense Of VMware NSX And The Overlay Approach – Network Computing – Kurt Marko at Network Computing covers the case for overlay networking and includes comments from different industry figures. Good thoughts here.
At this point of SDN evolution, the modular approach of virtual network overlays on a programmable physical network fabric taken by NSX and vendors such as Embrane, Midokura and Nuage, offers the best balance of features, flexibility/adaptability and ease of deployment on existing hardware while allowing both physical and virtual networks to evolve on independent technology cycles. Traditional network equipment vendors intent on owning the entire cloud hardware/software stack will resist, but vertical integration hasn’t been a winning strategy since the mainframe era — a fact the age of SDN and virtual networks is unlikely to change.