BGP or OSPF? Does Topology Visibility Matter?

One of the comments added to my Using BGP in Data Centers blog post said:

With symmetric fabric… does it make sense for a node to know every bit of fabric info or is reachability information sufficient?

Let’s ignore for the moment that large non-redundant layer-3 fabrics where BGP-in-Data-Center movement started don’t need more than endpoint reachability information, and focus on a bigger issue: is knowledge of network topology (as provided by OSPF and not by BGP) beneficial?

Using BGP in Data Center Fabrics

While the large data centers increasingly use BGP as the routing protocol within their fabrics, the enterprise engineers tend to shy away from that idea because they think BGP is too complex/scary/hard-to-configure/obsolete/unknown/whatever.

It’s time to fix that.

How Did You Become a Networking Engineer?

A while ago I answered a few questions that Dan Novak from University of Maryland sent me, and as they might be relevant to someone out there decided to publish the answers.

Dan started with a soft one:

What circumstances led you to choosing network engineering for a career?

It was pure coincidence.

Who Said What in an SDN Quiz?

John Herbert published an awesome blog post based on the recent Networking Field Day SDN discussion. Try to figure out who said what ;)… it's not that hard.

Introduction to BGP-LS and PCEP

Julian Lucek did a fantastic job describing how NorthStar controller uses BGP-LS and PCEP, so I asked him whether he’d be willing to do a deep dive on these two topics. He gracefully agreed, and the results are already online.

Upcoming Event: Network Automation Workshop

I spent most of last year developing SDN-related content, resulting in pretty successful 2-day workshop and 20+ hours of online content. However, I fully agree with Matt Oswalt that network automation matters even more than lofty centralized ideas, so it was time to focus on that area.

As always, the easiest way to push yourself is to commit to a deadline, so I agreed to do a network automation workshop during the Troopers 16 event. Here’s what it will cover:

So What Exactly Is SDN?

Five years after the SDN hype exploded, it remains as meaningless as Cloud, and it seems that all we’re left with is a plethora of vendors engaged in SDN-washing their products.

Even when a group of highly intelligent engineers considering these topics on a daily basis gets together they don’t get very far apart from a great question: “what business problem is it supposed to solve?” (or maybe they got distracted by irrelevant hot-air opinions).

Is it still worth trying to find a useful definition of SDN? It seems it’s easier to list what SDN is not like I’ll be doing in the free Introduction to SDN webinar on February 10th. Let’s see:

Should Firewalls Track TCP Sequence Numbers?

It all started with a tweet by Stephane Clavel:

Trying to fit my response into the huge Twitter reply field I wrote “Tracking Seq# on FW should be mostly irrelevant with modern TCP stacks” and when Gal Sagie asked for more elaboration, I decided it’s time to write a blog post.

Inspecting East-West Traffic in vSphere Environments

Harry Taluja asked an interesting question in his comment to one of my virtualization blog posts:

If vShield API is no longer supported, how does a small install (6-8 ESXi hosts) take care of east/west IPS without investing in NSX?

Short answer: It depends, but it probably won’t be cheap ;) Now for the details…

Quick link: User-Space Network I/O on x86 Servers

Robert Graham published another great blog post explaining why you need user-space handling of network traffic for multigigabit performance on x86 servers. A must-read if you’re interested in performance of software-based packet forwarding.

Want more? Listen to Snabb Switch Deep Dive and PF_RING Deep Dive podcasts.

Need product details? I collected some performance data points in the NFV webinar.

Free Webinar: Introduction to SDN

Almost exactly two years ago I ran an Introduction to SDN webinar trying to explain what SDN might be. The landscape has changed significantly in the meantime (for example, software/hardware disaggregation is becoming a reality), but SDN remains as meaningless as Cloud and wrapped in many layers of marketing nonsense.

It was clearly time to do a second version of the webinar, and it’s still free thanks to my sponsor NIL Data Communications. All you have to do to attend it is to fill in the registration form.

Dell OS10 and Cumulus Linux

A few days ago Dell announced their next-generation network OS based on Debian Linux, and bloggers (like my good friend Tom Hollingsworth) started wondering what’s going to happen with Cumulus Linux.

Let’s get into prognostication mode…

On a totally unrelated note, I love the picture Dell marketing put on the OS10 page. Linux distro in a binder? Really? When was the last time they checked the calendar?

Docker Networking on Software Gone Wild

A year and a half ago, Docker networking couldn’t span multiple hosts and used NAT with port mapping to expose container-based services to the outside world.

Docker is the hottest Linux container solution these days. Want to know more about it? Matt Oswalt is running Introduction to Docker webinar in a few days.

In August 2014 a small startup decided to change all that. Docker bought them before they managed to get public, and the rest is history.

Disabling SLAAC in Data Center Subnets

Continuing the IPv6 address selection discussion we have a few days ago, Luka Manojlovič sent me a seemingly workable proposal:

I think we were discussing a borderline problem. In a server environment there won’t be any SLAAC, and we could turn off DHCPv6 client on servers with fixed IP addresses.

Sounds great, but as always, the reality tends to be a bit harsher.

Whatever Happened to “Do No Harm”?

A long time ago in a podcast far, far away one of the hosts saddled his pony unicorn and started explaining how stateful firewalls work:

Stateful firewall is a way to imply trust… because it’s possible to hijack somebody’s flows […] and if the application changes its port numbers… my source port changes when I’m communicating with my web server - even though I’m connected to port 80, my source port might change from X to Y. Once I let the first one through, I need to track those port changes […]

WAIT, WHAT? Was that guy really trying to say “someone can change a source port number of an established TCP session”?

IPv6 Microsegmentation in Data Center Environments

The proponents of microsegmentation solutions would love you to believe that it takes no more than somewhat-stateful packet filters sitting in front of the VMs to get rid of traditional subnets. As I explained in my IPv6 Microsegmentation talk (links below), you need more if you want to have machines from multiple security domains sitting in the same subnet – from RA guard to DHCPv6 and ND inspection.