Blog Posts in May 2010
Phillip Remaker provided an excellent explanation of new IOS release numbering rules in a comment on the Did you notice 15.1T is released? post. Here’s a short summary:
- 15.0(1)M was an exception which consolidated the transition from 12.x rules to 15.x rules.
- Every new 15.x epoch will start with feature releases (15.1(1)T, 15.1(2)T ...) and end with a mature mainline 15.x(y)M release, which will get bug fixes and maintenance rebuilds.
- 15.x+1(1)T will appear approximately at the same time as 15.x(y)M and the whole cycle will repeat.
In another interesting timing coincidence, the documentation for IOS-XR release 3.9.1 appeared at approximately the same time (probably a little bit later) as I started to research the viability of CGv6 during the preparation for my NAT64/DNS64 presentation.
Looking at the release notes, the CGSE blade currently supports only CGN (large-scale NAT44), the interesting parts (NAT64 or DS-lite AFTR) are still in the pipeline.
A while ago I was criticizing the network-blindness of the storage industry that decided to run a 25-year-old protocol (SCSI) over the most resource-intensive transport protocol (TCP) instead of fixing their stuff or choosing a more lightweight transport mechanism.
My argument (although theoretically valid) became moot a few months ago: Intel and Microsoft have demonstrated an iSCSI solution that can saturate a 10GE link and perform more than 1 million I/O operations per second. Another clear victory for Moore’s Law.
In another great blog post, Scott Berkun lays out his thoughts on what managers of programming teams should be able to do. You should read the whole article, as most concepts apply equally well to networking teams: if you’re a team leader, you should have decent knowledge of technology and its limitations, if you’re higher up the management chain, it’s more important that you can trust your people, work with them to reach good decisions ... and figure out when they’re bullshitting you.
John shared a great idea in his comment to my “FTP: a trip down the memory lane” post: when using some FTP servers you can specify the range of passive ports, allowing you to tighten your router ACL (otherwise you’d have to allow inbound connections to all TCP ports above 1024).
If you’re using wu-ftpd, the port range is specified with the passive ports configuration directive in the ftpaccess configuration file. ProFTPD uses the PassivePorts configuration directive and recommends using the IANA-specified ephemeral port range. Pure-FTPd takes a more cryptic approach: the port range is specified in the -p command-line option.
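To make the ACL-tightening point concrete, here is a small Python check I added for this summary (it is not code from any of the FTP servers mentioned). It parses the 227 reply a server sends after PASV, computes the advertised data port (p1*256 + p2, as defined in RFC 959), and tests it against two router-style ACLs: the wide-open "everything above 1024" rule and one restricted to a configured passive range. The 49152-49999 range, the server address and the sample replies are constructed for the example.

```python
import re
from typing import List, Tuple

# RFC 959 passive-mode reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\(\s*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*\)")

# Inbound TCP port ranges (inclusive) permitted towards the FTP server.
# OPEN_ACL is the pre-passive-range approach: control port plus every port above 1024.
# TIGHT_ACL assumes the server was configured with a passive range of 49152-49999
# (constructed value; use whatever range you set in ftpaccess / PassivePorts / -p).
OPEN_ACL: List[Tuple[int, int]] = [(21, 21), (1024, 65535)]
TIGHT_ACL: List[Tuple[int, int]] = [(21, 21), (49152, 49999)]


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (ip, port) advertised in a 227 reply; port = p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= x <= 255 for x in fields):
        raise ValueError(f"byte out of range in PASV reply: {reply!r}")
    ip = ".".join(str(x) for x in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def acl_permits(acl: List[Tuple[int, int]], port: int) -> bool:
    """True if the port falls inside any permitted range of the ACL."""
    return any(lo <= port <= hi for lo, hi in acl)


def data_port_allowed(acl: List[Tuple[int, int]], reply: str) -> bool:
    """Would the data connection advertised in this PASV reply get through the ACL?"""
    _, port = parse_pasv(reply)
    return acl_permits(acl, port)


def exposed_ports(acl: List[Tuple[int, int]]) -> int:
    """Number of inbound TCP ports the ACL leaves reachable from the outside."""
    return sum(hi - lo + 1 for lo, hi in acl)


if __name__ == "__main__":
    # Constructed sample replies from a server at 192.0.2.10 (documentation prefix).
    in_range = "227 Entering Passive Mode (192,0,2,10,193,92)"   # port 49500
    out_of_range = "227 Entering Passive Mode (192,0,2,10,11,184)"  # port 3000
    for reply in (in_range, out_of_range):
        ip, port = parse_pasv(reply)
        print(f"{ip}:{port} open ACL: {acl_permits(OPEN_ACL, port)} "
              f"tight ACL: {acl_permits(TIGHT_ACL, port)}")
    print("ports exposed, open ACL:", exposed_ports(OPEN_ACL))
    print("ports exposed, tight ACL:", exposed_ports(TIGHT_ACL))
```

The second reply shows why the server-side range matters: a server that has not been told to stay inside the range will happily hand out a port the tightened ACL blocks, so the configuration directive and the ACL have to be changed together.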
A while ago I bitterly complained about the FTP protocol design. I have a decades-long grudge against FTP. If you’re old enough to remember configuring firewalls before stateful inspection or reflexive access lists became available, you probably know what I’m talking about; if not, here’s the story.
When enterprises started using the Internet 15+ years ago, most desktop FTP clients did not support passive mode (although it was part of the FTP standard). When configuring “firewalls” (one or two routers with long access lists), you had to allow all inbound TCP sessions to ports higher than 1024 just to support FTP data sessions. No problem ... unless you were using Sun workstations or NetBIOS over TCP (both of them use dynamic server ports above 1024), in which case those services were totally exposed to the Internet.
As you might imagine, I'm "somewhat" busy working on my IPv6 summit presentation. I wrote this rant a while ago but somehow never managed to publish it.
In a comment to my piracy rant Steve asked how I feel about Safari. In principle, I like anything that brings my books to the readers in a more usable form, and Safari is a perfect idea: virtual bookshelf, searchable books, and temporary access to books you don’t need permanently ... The implementation, however, belongs to the previous century; it’s too easy to write a bot that scrapes the text from HTML and eventually collects the whole book.
Last November I was delighted to read the announcement describing how a module in CRS-1 was going to support CGN, NAT444, NAT64 and DS-Lite. It looked like a major vendor had finally decided it’s time to solve the IPv4-to-IPv6 transition problem.
However, I was not able to find anything beyond a few fancy videos, a white paper and a brochure. Can anyone shed more light on CGv6? Have you seen it running outside of PowerPoint? When can an IPv6-embracing Service Provider expect to see it on an ASR 1000?
And before you ask ... no, CGv6 is not described in my webinars; I only talk about features (not futures) that I was able to get my hands on.
I was invited to present my thoughts on NAT64 and DNS64 in the upcoming 3rd Slovenian IPv6 Summit (well, they still haven’t managed to create a bilingual site, so here's the same page from the perspective of Google Translate). While preparing for the presentation, I’ve greatly enjoyed reading the Framework for IPv4/IPv6 Translation IETF draft. I would highly recommend it; it’s rare to find such a concise and instructive document and it’s a mandatory reading if you want to understand the role of NAT in the IPv4-to-IPv6 transition.
The role of NAT64 in enterprise networks is described in the Enterprise IPv6 Deployment workshop.
Arnold sent me an excellent question yesterday; he bought my Deploying Zone-Based Firewalls book, but found no sample configurations using IPSec VPN. I was able to find a few sample configurations on CCO, but none of them included the self zone. The truly interesting bit of the puzzle is the traffic being received or sent by the router (everything else is self-explanatory if you’ve read my book), so those configurations are not of great help.
Realizing that this is a bigger can of worms than I expected, I immediately fixed the slides in my Choose the Optimal VPN Service webinar, which now includes the security models for GRE, VTI and DMVPN-based VPN services.
A few days ago I received a cryptic e-mail with exactly this content: “I am having a issue "static routes not flushed when next hop is unreachable" please advice.” I suspected that the sender actually wanted to ask me what to do if a static route pointing to an IP next hop does not disappear when the next hop becomes unreachable and told him to adjust the ip route static adjust-time parameter while monitoring the CPU usage.
In another Ask the Expert topic, I’m answering the question on expected WiMAX deployment scenarios. Although I personally believe it’s a better technology than LTE (and obviously I cannot comment on the RAN part of either), I don’t expect existing mobile operators to pick it up, as they’ve thrown too much money into the GSM/HSCSD/GPRS/EDGE/UMTS/HSDPA/HSUPA never-ending story.
To submit your own question to the Ask the Expert project, use this link.
One would hope that the IPv6 myths are slowly fading away as more people get exposed to IPv6 ... but if you like them, don’t worry; they are constantly being recycled. The IPv6: Why Bother? article published by InformIT is a perfect example:
With IPv6, there are enough addresses now that every country or major network can be assigned a large range. It can then assign subranges within that to networks that it connects to, and so on. This hierarchical assignment (in theory, at least) simplifies routing decisions.
The "You can't secure the cloud" article published by Hoff on Rational Survivability discusses whether you can make the cloud solutions as secure as enterprise (walled garden) ones. Here's a great summary:
Yes, it’s true. It’s absolutely possible to engineer solutions across most cloud services today that meet or exceed the security provided within the walled gardens of your enterprise today.
The realities of that statement come crashing down, however, when people confuse possibility with the capability to execute whilst not disrupting the business and not requiring wholesale re-architecture of applications, security, privacy, operations, compliance, economics, organization, culture and governance.
The rest of the article is also well worth reading.