Build the Next-Generation Data Center
6 week online course starting in spring 2017

Followup: Choose the Optimal VPN Service

It took me even longer than usual to process the feedback from the Choose the Optimal VPN Service webinar; all the things happening in May (from having numerous presentations to climbing my hardest route ever) left me mentally and physically exhausted. The webinar was great success and although we’ve covered nine VPN technologies in just over two hours, we’ve managed not to get lost ... and the Q&A session at the end took almost 45 minutes, clearly a good indication that the students were engaged and wanted to understand all the intricate details. Here are two quotes from the participants:

Great session. Enjoyed the compare/contrast approach and feel that this approach gets to the critical issues most quickly.

Bob Dixon

It was good. I can’t wait for the recordings and the configuration examples. I’d like a single session about DMVPN, it has a lot of tricks.

Enrique Villa Crespo

Enrique’s wish is coming true; I’m already planning the “Advanced and Crazy DMVPN designs”.

If you’ve missed this session, register for the next one.

Upcoming webinars (2010-05-30)

Date US, Canada,
Europe, Africa,
Middle East
Asia, Pacific
June 16th Building IPv6 Service Provider Core
10:00 (Paris), 12:00 (Moscow), 18:00 (Sydney)
Market Trends in Service Provider Networks
09:00 (New York), 15:00 (Paris), 14:00 (London)
June 30th Choose the optimal VPN service
10:00 (Paris), 12:00 (Moscow), 18:00 (Sydney)
August 30th Next-generation IP Services
07:00 (San Francisco), 10:00 (New York), 16:00 (Paris)

Conditional OSPF default route origination based on classless IP prefixes

Almost two years ago I wrote the OSPF default mysteries IP Corner article in which I’ve described (among numerous other details) the caveats of conditional OSPF default route origination; it requires an IP access list that can only match classful networks.

Later someone sent me a message stating that you can match classless IP prefixes with an ip prefix-list ... and it took me well over a year to find the time (and mental energy) to lab the scenario and document the results.

Update: IOS Release Numbering

Phillip Remaker provided an excellent explanation of new IOS release numbering rules in a comment on the Did you notice 15.1T is released? post. Here’s a short summary:

  • 15.0(1)M was an exception which consolidated the transition from 12.x rules to 15.x rules.
  • Every new 15.x epoch will start with feature releases (15.1(1)T, 15.1(2)T ...) and end with a mature mainline 15.x(y)M release, which will get bug fixes and maintenance rebuilds.
  • 15.x+1(1)T will appear approximately at the same time as 15.x(y)M and the whole cycle will repeat.

NAT64 and DNS64 in 30 minutes

During last week’s 3rd Slovenian IPv6 summit (program description in English-resembling form) I had a short presentation on IPv6-related NAT topics. The initial idea was to cover only the technical details of NAT64/DNS64, but as nobody jumped at the opportunity to explain the differences between various NAT-based solutions to the audience, I decided to switch back to my default “big picture” perspective and describe the need for NAT, various NAT-like solutions and as many details about NAT64/DNS64 as my 30-minute slot permitted. Luckily, one of the other presenters was AWOL, so my slot got extended.

For more information on IPv6 in Service Provider and Enterprise networks, check out my webinars and workshops: Market Trends in Service Provider Networks, Building IPv6 Service Provider Core and Enterprise IPv6 deployment.

You can view the NAT64 and DNS64 in 30 minutes presentation on Slideshare or (if you find a real-time spoken-language translator from Slovenian to English) watch my presentation (it starts @ 0:02:00).

The first step on the path to CGv6

In another interesting timing coincidence, the documentation for IOS-XR release 3.9.1 appeared at approximately the same time (probably a little bit later) as I started to research the viability of CGv6 during the preparation for my NAT64/DNS64 presentation.

A kind guest has provided links to configuration guide and command reference in a comment to my blog post. Thank you!

Looking at the release notes, the CGSE blade currently supports only CGN (large-scale NAT44), the interesting parts (NAT64 or DS-lite AFTR) are still in the pipeline.

iSCSI: Moore’s Law won

A while ago I was criticizing the network-blindness of the storage industry that decided to run 25-year old protocol (SCSI) over the most resource-intensive transport protocol (TCP) instead of fixing their stuff or choosing a more lightweight transport mechanism. My argument (although theoretically valid) became moot a few months ago: Intel and Microsoft have demonstrated an iSCSI solution that can saturate a 10GE link and perform more than 1 million I/O operations per second. Another clear victory for the Moore’s Law.

You’ll find introduction to SCSI, Fiber Channel, iSCSI and server virtualization in the Next Generation IP Services webinar.

Should the managers know how to ...?

In another great blog post, Scott Berkun lays out his thoughts on what managers of programming teams should be able to do. You should read the whole article, as most concepts apply equally well to networking teams: if you’re a team leader, you should have decent knowledge of technology and its limitations, if you’re higher up the management chain, it’s more important that you can trust your people, work with them to reach good decisions ... and figure out when they’re bullshitting you.

“Comcast signs first IPv6 corporate customer” ... so what?

Network World has recently published another “breaking news” article: Comcast has connected its first corporate customer to its dual-stack IPv4/IPv6 service. Let me try to put the news in perspective:

  • We (NIL Data Communications) were able to find two ISPs with production-grade dual-stack IPv4/IPv6 service in Slovenia (a country with 2 million people, which puts us somewhere between Manhattan and Queens).
  • We’ve got PI address space from RIPE a year ago.
  • We’ve been multihomed (via BGP) to both service providers for months.

So, what is Network World trying to tell us?

For more information on IPv6 in Service Provider and Enterprise networks, check out my webinars and workshops: Market Trends in Service Provider Networks, Building IPv6 Service Provider Core and Enterprise IPv6 deployment.

Disclaimer: I am not trying to bash Comcast in any way. I know they’ve been among the first to realize IPv6 potential and have invested heavily in IPv6 infrastructure and technologies (DS-Lite efforts were started by Comcast).

How widespread is IPv6 on mobile phones?

We had great fun listening to Christian Gotare from Ericsson during the 3rd Slovenian IPv6 Summit (program description as translated by Google Translate). He made numerous very strong statements about the (in)abilities of application programmers (watch his presentation ... it starts at approximately 0:42:00) and concluded his presentation with a live demo: he accessed Facebook through IPv6 from a Nokia phone running Symbian.

We all found the idea of an Ericsson guy doing demo with a Nokia phone hilarious and I thought he wanted to demonstrate that even Nokia could get it done ... until one of the Slovenian mobile operators described the problems they’re facing when trying to deploy IPv6 in their mobile network.

Seven reasons to attend the Next-Generation IP Services webinar

When I’ve asked you to help me fix the webinar marketing based on the results of the Market Trends in Service Provider Networks event, a few readers pointed out that I’m advertising a high-level topic to a wrong audience. However, I firmly believe (and the attendees agreed with me) that a successful engineer has to understand the bigger picture (the environment she’s working in and the forces that shape it), not just from the broader technology perspective (addressed by the Market Trends in Service Provider Networks webinar) but also from the “vertical” (integration) perspective.

I’ve designed the Next Generation IP Services to help you get there and here are a few reasons why you might want to attend:

Update: Make FTP server slightly more secure

John shared a great idea in his comment to my “FTP: a trip down the memory lane” post: when using some FTP servers you can specify the range of passive ports, allowing you to tighten your router ACL (otherwise you’d have to allow inbound connections to all TCP ports above 1024).

If you’re using wu-ftpd, the port range is specified with the passive ports configuration directive in the ftpaccess configuration file. ProFTPD uses PassivePorts configuration directive and recommends using IANA-specified ephemeral port range. Pure-FTPd takes a more cryptic approach: the port range is specified in the –p command-line option.

Upcoming webinars (2010-05-16)

Date US, Canada,
Europe, Africa,
Middle East
Asia, Pacific
June 2nd Next-generation IP Services
07:00 (San Francisco), 10:00 (New York), 16:00 (Paris)
June 16th Building IPv6 Service Provider Core
10:00 (Paris), 12:00 (Moscow), 18:00 (Sydney)
Market Trends in Service Provider Networks
09:00 (New York), 15:00 (Paris), 14:00 (London)
June 30th Choose the optimal VPN service
10:00 (Paris), 12:00 (Moscow), 18:00 (Sydney)

FTP: a trip down the memory lane

A while ago I’ve bitterly complained about the FTP protocol design. I have decades-long grudge with FTP. If you’re old enough to remember configuring firewalls before stateful inspection or reflexive access lists became available, you probably know what I’m talking about; if not, here’s the story.

When enterprises started using the Internet 15+ years ago, most desktop FTP clients did not support passive mode (although it was part of the FTP standard). When configuring “firewalls” (one or two routers with long access lists), you had to allow all inbound TCP session to ports higher than 1024 just to support FTP data sessions. No problem ... unless you were using Sun workstations or NetBIOS over TCP (both of them use dynamic server ports above 1024), in which case those services were totally exposed to the Internet.

E-book saga continues: HTML scraping

As you might imagine, I'm "somewhat" busy working on my IPv6 summit presentation. I wrote this rant a while ago but somehow never managed to publish it.

In a comment to my piracy rant Steve asked how I feel about Safari. In principle, I like anything that brings my books to the readers in a more usable form, and Safari is a perfect idea: virtual bookshelf, searchable books, and temporary access to books you don’t need permanently ... The implementation, however, belongs to the previous century; it’s too easy to write a bot that scrapes the text from HTML and eventually collects the whole book.

CGv6 – how real is it?

Last November I was delighted to read the announcement describing how a module in CRS-1 was going to support CGN, NAT444, NAT64 and DS-Lite. It looked like a major vendor has finally decided it’s time to solve the IPv4-to-IPv6 transition problem.

However, I was not able to find anything beyond a few fancy videos, a white paper and a brochure. Can anyone shed more light on CGv6? Have you seen it running outside of PowerPoint? When can an IPv6-embracing Service Provider expect to see it on an ASR 1000?

And before you ask ... no, CGv6 is not described in my webinars; I only talk about features (not futures) that I was able to get my hands on.

The role of NAT in transition to IPv6

I was invited to present my thoughts on NAT64 and DNS64 in the upcoming 3rd Slovenian IPv6 Summit (well, they still haven’t managed to create a bilingual site, so here's the same page from the perspective of Google Translate). While preparing for the presentation, I’ve greatly enjoyed reading the Framework for IPv4/IPv6 Translation IETF draft. I would highly recommend it; it’s rare to find such a concise and instructive document and it’s a mandatory reading if you want to understand the role of NAT in the IPv4-to-IPv6 transition.

The role of NAT64 in enterprise networks is described in the Enterprise IPv6 Deployment workshop.

Tunneling VPNs and Zone-Based Firewalls

Arnold sent me an excellent question yesterday; he bought my Deploying Zone-Based Firewalls book, but found no sample configurations using IPSec VPN. I was able to find a few sample configurations on CCO, but none of them included the self zone. The truly interesting bit of the puzzle is the traffic being received or sent by the router (everything else is self-explanatory if you’ve read my book), so those configurations are not of great help.

Realizing that this is a bigger can of worms than I’ve expected, I immediately fixed the slides in my Choose the Optimal VPN Service webinar, which now includes the security models for GRE, VTI and DMVPN-based VPN services (you can still register for the May 12th event).

These last-second changes were included in the downloadable PDF materials that the registered attendees can already get from our Webex site.

Upcoming webinars (2010-05-09)

Date US, Canada,
Europe, Africa,
Middle East
Asia, Pacific
May 12th Choose the optimal VPN service
07:00 (San Francisco), 10:00 (New York), 16:00 (Paris)
June 16th Building IPv6 Service Provider Core
10:00 (Paris), 12:00 (Moscow), 18:00 (Sydney)
Market Trends in Service Provider Networks
09:00 (New York), 15:00 (Paris), 14:00 (London)

Fast static route convergence

A few days ago I’ve received a cryptic e-mail with exactly this content: “I am having a issue "static routes not flushed when next hop is unreachable" please advice.” I suspected that the sender actually wanted to ask me what to do if a static route pointing to an IP next-hop does not disappear when the next hop becomes unreachable and told him to adjust the ip route static adjust-time parameter while monitoring the CPU usage.

MPLS/VPN services and the barrier to change

Whenever you decide to use MPLS/VPN services from a Service Provider, you’re effectively ripping out your network core (including the core routers) and replacing it with the layer-3 SP backbone (the equipment vendors or service providers sometimes fail to mention this fact).

The network core outsourcing usually makes sense from the financial perspective, but also creates a significant lock-in and high switching costs that you should consider in combination with the CapEx/OpEx cost analysis when selecting your VPN service. We’ll discuss the benefits and drawbacks of MPLS/VPN and numerous other VPN technologies in the Choose the Optimum VPN Service webinar (register here).

Where could we expect to see Wimax?

In another Ask the Expert topic, I’m answering the question on expected Wimax deployment scenarios. Although I personally believe it’s a better technology than LTE (and obviously I cannot comment on the RAN part of either), I don’t expect existing mobile operators to pick it up, as they’ve thrown too much money into the GSM/HSCSD/GPRS/EDGE/UMTS/HSDPA/HSUPA neverending story.

To submit your own question to the Ask the Expert project, use this link.

IPv6 myths are alive and well

One would hope that the IPv6 myths are slowly fading away as more people get exposed to IPv6 ... but if you like them, don’t worry; they are constantly being recycled. The IPv6: Why Bother? article published by InformIT is a perfect example:

With IPv6, there are enough addresses now that every country or major network can be assigned a large range. It can then assign subranges within that to networks that it connects to, and so on. This hierarchical assignment (in theory, at least) simplifies routing decisions.

Choose the Optimal VPN Service: new description

I’ve just published new and vastly expanded description of the upcoming Choose the Optimal VPN Service webinar: the consulting engineers are one of the primary Target audiences (more about that in an upcoming post), the webinar deliverables are described in greater details and there’s a whole new Contents section.

To attend this webinar (the next one is only a week away), register here.

Possibility != Capability to Execute (as applied to cloud security)

The "You can't secure the cloud" article published by Hoff on Rational Survivability discusses whether you can make the cloud solutions as secure as enterprise (walled garden) ones. Here's a great summary:

Yes, it’s true. It’s absolutely possible to engineer solutions across most cloud services today that meet or exceed the security provided within the walled gardens of your enterprise today.

The realities of that statement come crashing down, however, when people confuse possibility with the capability to execute whilst not disrupting the business and not requiring wholesale re-architecture of applications, security, privacy, operations, compliance, economics, organization, culture and governance.

The rest of the article is also well worth reading.