
IPv6 Source Address Validation Improvement

We learned how to deal with ARP and IP spoofing in IPv4 networks. Every decent switch has DHCP snooping, ARP protection and IP source guard (or whatever the features are called) ... but validating source IPv6 addresses in security-conscious environments or public multi-access networks remains a major headache.

It would be pretty easy to solve the problem with a central controller, but IETF decided to go another way and developed yet another framework: Source Address Validation Improvements (SAVI). For more information, watch the following video from the IPv6 Security webinar in which Eric Vyncke describes the intricacies of SAVI in great detail.

Where is my VLAN provisioning application?

Yesterday I wrote that it’s pretty easy to develop a VLAN provisioning application (integrating it with vCenter or System Center earns you bonus points, but even that’s not too hard), so based on the frequent “I hate using CLI to provision VLANs” rants you might wonder where all the startups developing those applications are. Simple answer: there’s no reasonably-sized market. How would I know that? We’ve been there.

Trying to debug an overlay network SDN application

(Image; source: DevOps Reactions)

What did you do to get rid of manual VLAN provisioning?

I love listening to the Packet Pushers (the best networking podcast there is) on my way to work, and I know what to expect in every SDN-focused episode: an “I’m sick and tired of using CLI to manually provision VLANs” rant. Sure, we’re all in the same boat, but did you ever do something to get rid of that problem?

The Spectrum of Firewall Statefulness

One of the first slides I created for the Virtual Firewalls webinar explained various categories of traffic filters, from stateless (and fast) packet filters to application-level firewalls.

As always, real life is not black-and-white; I found a whole spectrum of products in the wild.

Control-plane policing in OpenFlow networks

The Controller-Based Packet Forwarding in OpenFlow Networks post generated the obvious question: “does that mean we need some kind of Control-Plane Protection (CoPP) in OpenFlow controller?” Of course it does, but things aren’t as simple as that.

ProgrammableFlow Configuration Interfaces

Like every recently designed fabric configuration/management platform, NEC ProgrammableFlow controller supports numerous configuration interfaces, including CLI, GUI, web-based configuration, REST API and OpenStack plugin. For more details, watch this part of the ProgrammableFlow Technical Deep Dive webinar.

Does dedicated iSCSI infrastructure make sense?

Chris Marget recently asked a really interesting question:

I've encountered an environment where the iSCSI networks are built just like FC networks: Multipathing software in use on servers and storage, switches dedicated to "SAN A" and "SAN B" VLANs, and full isolation of paths (redundant paths) between server and storage. I understand creating a dedicated iSCSI VLAN, but why would you need two? Isn’t the whole thing running on top of TCP? Am I missing something?

Well, it actually makes sense in some mission-critical environments.

Update 2015-12-06: Ethernet checksums are not a workaround for the lack of iSCSI-level checksums. If your iSCSI solution doesn't support application-level checksums, your data might be at risk.

3 & 5 Years Ago (February 2013)

Several all-time favorites were written in February 2008: BGP AS-path prepending, BGP communities and AS-path based filters.

In February 2010 I wrote about Dynamips (read the comments – for whatever reason they seem to be out-of-sequence, but you’ll eventually figure them out), unnumbered VLAN interfaces and IPv6 myths.

Virtual Firewalls Webinar – Longer Than Expected

When I started developing the virtual firewalls webinar, it looked like a simple project: define what a virtual firewall is and explain the architectural options (see the diagram).

Then I got a crazy idea: it would be nice to add a few sample products ... and the webinar material started to swell.

Happy Eyeballs – Happiness Defined by Your Perspective

It seems that most people not having a vested interest in status quo agree the socket API is broken. After all, why should every single application ever written have to deal with the idiosyncrasies of two address families?

Not surprisingly, the browser vendors got sick and tired of waiting for a fixed API or a standardized session layer (nothing happened in the last two decades) and decided to implement happy eyeballs – a simple mechanism that creates two TCP sessions (one over IPv4, another one over IPv6) and uses whichever one works better.

3 & 5 Years Ago (January 2013)

In January 2008 I wrote about OSPF route selection rules, internal BGP sessions and BGP prefix origination.

Not surprisingly, MIBs in Wireshark was the most popular post of January 2010. I also wrote about OSPF flooding filters and broken NAT-PT.

Inter-Process OSPF Route Selection Rules

Nicolas Michel left an interesting comment (quoting Cisco’s documentation) on my OSPF Route Selection Rules blog post:

… The OSPF route selection rule is that intra-area routes are preferred over inter-area routes, which are preferred over external routes. However, this rule should apply to routes learned via the same process …

Let’s see what’s going on behind the scenes.

Start Reading V6OPS Documents

You might not have to deploy IPv6 in your network tomorrow (if you’re an ISP I sincerely hope you do), but that’s no excuse for not getting prepared for the eventual inevitable deployment (Tom Hollingsworth has way more to say on this topic).

Don’t believe in the “inevitable” part? Maybe you should spend some time with people who were running SNA and IPX networks two decades ago and living in blissful IP denial.

Controller-Based Packet Forwarding in OpenFlow Networks

One of the attendees of the ProgrammableFlow webinar sent me an interesting observation:

Though there is a separate control plane and a separate data plane, it appears that there is crossover from one to the other. Consider the scenario when flow tables are not programmed and so the packets will be punted by the ingress switch to PFC. The PFC will then forward these packets to the egress switch so that the initial packets are not dropped. So in some sense we are seeing packets traversing the boundaries of the typical data plane and control plane, and vice versa.

He’s absolutely right, and if the above description reminds you of fast and process switching you’re spot on. There really is nothing new under the sun.

The Best of MENOG 12

There were numerous great presentations at last week’s MENOG 12 meeting. The best technical ones (from my perspective): BGP Traffic Engineering by Andy Davidson, problems WIMAX operators face in IPv6 world by Reza Mahmoudi and Regional Threat Profile by Dave Monnier (Team Cymru).

NEC ProgrammableFlow Scalability Features

Once you get rid of spanning tree and associated kludges (not too hard in OpenFlow-based networks), BUM flooding becomes your biggest enemy. NEC’s engineers implemented some interesting features in the ProgrammableFlow switches and controllers: rate-limiting of unknown unicast frames, flooding control, and ARP snooping (if only they’d go for ARP proxy).

Keep your applications running on IPv6 transition

A heated debate on one of the IPv6 mailing lists (more about that later) contained a gem I simply have to share with you: The importance of IPv6 application testing from APRICOT 2013. Enjoy!

3 & 5 Years Ago (December 2012)

The most popular posts from December 2007: Display open TCP and UDP ports on Cisco IOS, explanation of RIB failure and why password recovery might fail. It seems this blog has changed quite a bit in the last five years.

December 2009 had some interesting ones: role of certifications in the hiring process and a switching-is-a-stupid-marketing-term rant (it seems like nothing has changed in the last three years). Then there was a storage networking is still emulating a flat cable rant and hilarious ten steps of small LAN design.

Predicting the IPv6 BGP table size

One of my readers sent me an interesting question:

Are you aware of any studies looking at the effectiveness of IPv6 address allocation policies? I'm specifically interested in the effects of allocation policy on RIB/FIB sizes.

Well, we haven’t solved a single BGP-inflating problem with IPv6, so expect the IPv6 BGP table to be similar to the IPv4 BGP table once IPv6 is widely deployed.

All You Ever Wanted to Know About IPv6-over-IPv4 Tunnels

Sander Steffann, Iljitsch van Beijnum and Rick van Rein recently published an amazing IETF draft comparing IPv6-over-IPv4 tunneling mechanisms. If you’re even remotely interested in this topic, the draft is an absolute must-read (and if you want to know about other transitional mechanisms, check out this webinar).

Quality of Service in ProgrammableFlow Networks

OpenFlow is not exactly known for its quality-of-service features (hint: there are none), but as I described in the ProgrammableFlow Technical Deep Dive webinar, NEC implemented numerous OpenFlow extensions in their edge switches and the ProgrammableFlow controller to give you a robust set of QoS features.