FTP: a trip down memory lane

A while ago I bitterly complained about the FTP protocol design. I have a decades-long grudge against FTP. If you’re old enough to remember configuring firewalls before stateful inspection or reflexive access lists became available, you probably know what I’m talking about; if not, here’s the story.

When enterprises started using the Internet 15+ years ago, most desktop FTP clients did not support passive mode (although it was part of the FTP standard). When configuring “firewalls” (one or two routers with long access lists), you had to allow all inbound TCP sessions to ports higher than 1024 just to support FTP data sessions. No problem ... unless you were using Sun workstations or NetBIOS over TCP (both of them use dynamic server ports above 1024), in which case those services were totally exposed to the Internet.

E-book saga continues: HTML scraping

As you might imagine, I'm "somewhat" busy working on my IPv6 summit presentation. I wrote this rant a while ago but somehow never managed to publish it.

In a comment to my piracy rant Steve asked how I feel about Safari. In principle, I like anything that brings my books to the readers in a more usable form, and Safari is a perfect idea: virtual bookshelf, searchable books, and temporary access to books you don’t need permanently ... The implementation, however, belongs to the previous century; it’s too easy to write a bot that scrapes the text from HTML and eventually collects the whole book.

CGv6 – how real is it?

Last November I was delighted to read the announcement describing how a module in CRS-1 was going to support CGN, NAT444, NAT64 and DS-Lite. It looked like a major vendor had finally decided it’s time to solve the IPv4-to-IPv6 transition problem.

However, I was not able to find anything beyond a few fancy videos, a white paper and a brochure. Can anyone shed more light on CGv6? Have you seen it running outside of PowerPoint? When can an IPv6-embracing Service Provider expect to see it on an ASR 1000?

And before you ask ... no, CGv6 is not described in my webinars; I only talk about features (not futures) that I was able to get my hands on.

The role of NAT in transition to IPv6

I was invited to present my thoughts on NAT64 and DNS64 at the upcoming 3rd Slovenian IPv6 Summit (well, they still haven’t managed to create a bilingual site, so here's the same page from the perspective of Google Translate). While preparing for the presentation, I greatly enjoyed reading the Framework for IPv4/IPv6 Translation IETF draft. I would highly recommend it; it’s rare to find such a concise and instructive document, and it’s mandatory reading if you want to understand the role of NAT in the IPv4-to-IPv6 transition.

The role of NAT64 in enterprise networks is described in the Enterprise IPv6 Deployment workshop.

Tunneling VPNs and Zone-Based Firewalls

Arnold sent me an excellent question yesterday; he bought my Deploying Zone-Based Firewalls book, but found no sample configurations using IPSec VPN. I was able to find a few sample configurations on CCO, but none of them included the self zone. The truly interesting bit of the puzzle is the traffic being received or sent by the router (everything else is self-explanatory if you’ve read my book), so those configurations are not of great help.

Realizing that this is a bigger can of worms than I expected, I immediately fixed the slides in my Choose the Optimal VPN Service webinar, which now includes the security models for GRE, VTI and DMVPN-based VPN services.

Fast static route convergence

A few days ago I received a cryptic e-mail with exactly this content: “I am having a issue "static routes not flushed when next hop is unreachable" please advice.” I suspected that the sender actually wanted to ask me what to do if a static route pointing to an IP next hop does not disappear when the next hop becomes unreachable, and told him to adjust the ip route static adjust-time parameter while monitoring the CPU usage.

Where could we expect to see WiMAX?

In another Ask the Expert topic, I’m answering the question on expected WiMAX deployment scenarios. Although I personally believe it’s a better technology than LTE (and obviously I cannot comment on the RAN part of either), I don’t expect existing mobile operators to pick it up, as they’ve thrown too much money into the GSM/HSCSD/GPRS/EDGE/UMTS/HSDPA/HSUPA never-ending story.

To submit your own question to the Ask the Expert project, use this link.

IPv6 myths are alive and well

One would hope that the IPv6 myths are slowly fading away as more people get exposed to IPv6 ... but if you like them, don’t worry; they are constantly being recycled. The IPv6: Why Bother? article published by InformIT is a perfect example:

With IPv6, there are enough addresses now that every country or major network can be assigned a large range. It can then assign subranges within that to networks that it connects to, and so on. This hierarchical assignment (in theory, at least) simplifies routing decisions.
Possibility != Capability to Execute (as applied to cloud security)

The "You can't secure the cloud" article published by Hoff on Rational Survivability discusses whether you can make the cloud solutions as secure as enterprise (walled garden) ones. Here's a great summary:

Yes, it’s true. It’s absolutely possible to engineer solutions across most cloud services today that meet or exceed the security provided within the walled gardens of your enterprise today.

The realities of that statement come crashing down, however, when people confuse possibility with the capability to execute whilst not disrupting the business and not requiring wholesale re-architecture of applications, security, privacy, operations, compliance, economics, organization, culture and governance.

The rest of the article is also well worth reading.

And we thought BGP was insecure

Every now and then an incident reminds us how vulnerable BGP is. Very few of these incidents are intentional (the Pakistan vs. YouTube incident is a rare exception) and few of them are propagated far enough to matter on a global scale (bugs in BGP implementations are scarier). Most of these incidents could be prevented with either Secure BGP or Secure Origin BGP, but it looks like they will not be implemented any time soon.

The Big Picture and my webinars (with a VPLS example)

Ever since I figured out how to explain complex topics to bright engineers, I wanted to develop content (books, courses, documents) that explained (in this order):

  • The Big Picture and WIIFM (What will the student gain by understanding and deploying something based on what I’m describing).
  • How the technology we’re using actually works (remember: knowledge, not recipes) and finally
  • How to configure, monitor and troubleshoot the actual boxes used to build the solution.

I’m positive you agree this approach makes perfect sense, and every now and then I’ve managed to get it right (for example, in the MPLS VPN books). Unfortunately, you’re often facing an uphill battle, as people want to focus on hands-on topics and hate to learn why things work the way they do, preferring to memorize recipes like “Thou shalt not have more than 3 OSPF areas per router”.

Networking is like physics or math, not history

Every so often I stumble across a blog post (or receive an e-mail) complaining how hard it is to learn the material needed to pass a certification exam. That’s definitely true if you try the memorization approach to networking: trying to cram as many facts as possible into your grey matter. However, it’s impossible to make any reasonable progress that way; to move forward, you have to handle networking like you would math or physics: having a firm basic foundation, you slowly expand it, all the time trying to fit the new concepts into a coherent model (let’s call it “the big picture”).

ICMP extensions RFC

The recently published RFC 5837 describes additions to ICMP messages that would allow you to gather more information (including interface ifIndex, IP address and name). Two obvious applications are enhanced traceroute and path MTU discovery, where the new ICMP extensions could indicate which interface is the MTU bottleneck.

The RFC authors come from BT, Juniper and Cisco, so there’s a non-zero chance it will actually get implemented where it’s most needed.

Editing AS-path access lists

Jerry sent me an interesting question:

I was wondering if there's a way to modify an as-path access-list much like we do with regular access lists, simply by adding/ removing lines according to their sequence numbers.

I'm not aware of any such mechanism in Cisco IOS (but then maybe I’m missing something), but his question made me wonder: if you’re maintaining large AS-path access lists, do you edit them on the router (I guess not) or off-line (on an NMS platform) and download them when they need to be changed?
