Reaction: DNS is Part of the Stack

12 October 2016

Over at ipspace.net, Ivan is discussing using DNS to program firewall rules— Could you use DNS names to translate human-readable rules into packet filters? The traditional answer was “no, because I don’t trust DNS”. This has been a pet peeve of mine for some years—particularly after my time at Verisign Labs, looking at the DNS…

Elephant Flows, Fabrics, and I2RS

3 October 2016

The last post in this series on I2RS argues that this interface is designed to augment, rather than replace, the normal, distributed routing protocol. What sort of use case could we construct that would use I2RS in this way? What about elephant flows in data center fabrics? An earlier post considers how to solve the…

Can I2RS Keep Up? (I2RS Performance)

20 September 2016

What about I2RS performance? The first post in this series provides a basic overview of I2RS; there I used a simple diagram to illustrate how I2RS interacts with the RIB— One question that comes to mind when looking at a data flow like this (or rather should come to mind!) is what kind of performance…

Enough with “firewalls”

14 September 2016

A mythical conversation on firewalls, and some observations “Let’s put the firewall here, so it can protect the servers in this part of the network.” “How would you define a firewall?” “You know, the appliance that, well, protects servers and other machines from outside threats…” “And how does it do this?” “By filtering the traffic…

On Definitions: Whatever is Forwarding Information?

5 September 2016

After last week’s post, a reader left a comment noting “I2RS doesn’t manipulate forwarding data.” If I2RS isn’t “manipulating forwarding data,” then what, precisely, is it doing? I thought it’s worth a post to try and help folks understand the definitions in this space—except, as you’ll soon discover, there are no definitions here. In fact, it’s…

An I2RS Overview

31 August 2016

What is the Interface to the Routing System (I2RS), and why do we need it? To get a good I2RS overview, consider the following illustration for a moment— What does the interface between, say, BGP and the routing table (RIB) actually look like? What sort of information is carried over this interface, and why? A…

DNS Cookies and DDoS Attacks

16 June 2016

DDoS attacks, particularly for ransom—essentially, “give me some bitcoin, or we’ll attack your server(s) and bring you down,” seem to be on the rise. While ransom attacks rarely actually materialize, the threat of DDoS overall is very large, and very large scale. Financial institutions, content providers, and others regularly consume tens of gigabits of attack…

DHCP Topology Customization Options

1 June 2016

The Dynamic Host Configuration Protocol (DHCP) is widely used, and yet poorly understood. There are, in fact, a large number of options in DHCP—but before we get to these, let’s do a quick review of basic off-segment operation. When the client, which has no IP address, sends out a request for configuration information, what happens?…

Reaction: More Encryption is Bad?

15 March 2016

This week I was peacefully reading the March 9th issue of ACM Queue when I received a bit of a surprise. It seems someone actually buys the “blame the victim” game, arguing that governments are going to break all encryption if we don’t give them what they want. These ideas are all based on the…

Defining SDN Down

16 October 2015

If a WAN product that uses software to control the flow of traffic is an SD-WAN, and a data center that uses software to build a virtual topology is an SD-DC, and a storage product that uses software to emulate traditional hardware storage products is SD storage, and a network where the control plane has…