
Comment Re:You mean (Score 1) 128

If you're a Carrier network or large Enterprise, you have two options- Juniper or Cisco. Nobody else makes hardware that even comes close when you're talking routing and switching.

Cisco has the market in the enterprise, but the service provider space is a bit more competitive, simply because service providers generally don't like to single source major components to their core business. Many are now looking into white box configurations with SDN.

There's no good reason you should even have the device's management interface directly exposed to the public internet.

Many times the management interface of a routing device is not used, in lieu of a management IP address on a software loopback interface. This is so the device is reachable in the event of a link failure, because the management address is associated with an interface (software) that will never be withdrawn from the routing table. All the management IP needs to be reachable is at least one functioning routed interface.

If you want to be able to remotely manage your equipment, you setup a VPN

I'm not sure I would trust an SSL, or better yet a TLS encrypted tunnel over an SSH connection. The OpenBSD guys tend to be pretty paranoid about security; the OpenSSL community doesn't have the same reputation. Ultimately it comes down to the implementation that is more trusted; for example, I would trust an OpenBSD based OpenSSH server over a Cisco device for receiving SSH connections directly from the internet.

which will then give access to your internal, privately addressed (i.e. not publicly routable) management network, and access the equipment from the inside

I don't think of private addressing as a strong security measure. Having adequate access controls at administrative boundaries would be more effective and less complex. It's been repeated many times on this forum and others, NAT is not a security feature.

You should ***NEVER*** be able to directly open a connection, either via SSH or any other method, from the 'wild' internet... it's just flat out stupid even if there are no flaws in your equipment.

Multiple layers of security are definitely helpful. It diminishes the effectiveness if the same credentials are used to secure each layer.

Comment Pizza Delivery (Score 1) 216

Seems like there's quite a few people commenting that taxis require special regulation because they are spending more time on the road than a normal person driving for personal reasons. Insurance companies take mileage into account when quoting a rate. How does this differ from delivering food and other products in a personal vehicle?

Comment Re:Ugh, no ex-military, thank you (Score 1) 299

If somebody's fresh out of the military, then they're not even considered.

Not sure if you are aware of this, but veteran status is a protected class in the US. This type of discrimination is not easy to prove though, so I'd be careful what emails you send concerning a candidate's military background.

http://en.wikipedia.org/wiki/U...

Comment Re:Locator/Identifier Separation Protocol (LISP) (Score 1) 248

Thanks for replying to my post instead of keeping the non-brilliance of my ideas to yourself. My biggest concern when writing that post was that I was talking to myself. I'll attempt to address your concerns one by one.

No one router has a "full table" of all the routes. The routing protocols and the engineers work to make sure the tables are as close to lean as possible.

Just about all ISPs and backbone carriers carry full tables and many large organisations do as well for multihoming purposes. Global BGP tables are currently around 513,191 routes and this is what facilitated the issues mentioned in the article. One ISP made a mistake and started advertising more specific prefixes for blocks that were already summarized and this pushed the number of global routes beyond the limits of some older hardware. I would suggest reading about the Default Free Zone.

Your offered solution isn't necessary.

LISP is not something that I invented, it's something the IETF is working on to solve a perceived problem (RFC 6830). Some IETF contributors came to the conclusion the Internet routing system was not scaling well with the "explosive growth of new sites" and multihoming that many organisations now do. Problem Statement: From all indications, the growth of the Internet does not appear to be slowing down, but accelerating. It seems like a prudent choice to evaluate different ideas as possible solutions to the issue of Internet scalability.

Your bitcoinesque solution for IPv6 allocation would make things worse.

It seemed like a technical solution to avoid the politics of Internet governance. I admit it wasn't well thought out, however I am curious how it would make things worse by allowing a small block of IPv6 addresses to be allocated in a decentralized way and adding cryptographic integrity along the way.

Plus, networks transit other networks all the time, meaning one network can advertise a prefix they don't own, legitimately.

I should have been more specific; I was suggesting originating advertisements would be signed as opposed to transient advertisements.

Routers that speak BGP are on the ISP and backbone level,

Medium to large organisations also use BGP to advertise their address space to their ISP(s).

and are physically secured.

Originating BGP route advertisement signing is not intended to supplant physical security measures.

Your home router doesn't speak BGP, and if it did, your ISP's router would ignore it.

None of this would really be necessary for a home user as their ISP would be doing all of this on their behalf.

To announce rogue routes, one needs to hack into the ISP and backbone peering routers -- which happened recently, but is rare.

To announce rogue routes, one only needs an ISP that doesn't filter incoming BGP advertisements properly. It seems apparent that as the Internet grows there will be more and more BGP peerings, and as a consequence of that not all of them will be competent or aboveboard with their implementations.

The Resource Public Key Infrastructure (RPKI) is a step in the right direction, however it seems to be mainly for preventing misconfigurations from causing outages. Someone with malicious intent need only use AS path prepending to bypass this protection.
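The two checks discussed in this post, an ingress prefix filter at the ISP edge and RPKI Route Origin Validation (RFC 6811), can be modelled in a few lines. The block below is an added illustration and is not code from the Slashdot thread or from any RPKI validator; the ROAs, prefixes and AS numbers are constructed sample data (documentation ranges and private ASNs). It also shows the limitation the post points at: ROV looks only at the rightmost AS in the path, so a path whose origin AS has been forged still validates, which is why the origin check has to be combined with neighbour-specific prefix filters (and, longer term, path validation such as ASPA or BGPsec).

```python
"""Toy BGP ingress checks: max-prefix-length filter plus RFC 6811 ROV.
Added example; all ROAs, prefixes and AS numbers are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # covered prefix, e.g. "198.51.100.0/22"
    max_length: int   # longest prefix length the holder permits
    origin_asn: int   # AS authorised to originate it


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple    # leftmost = neighbour we learned it from, rightmost = origin


# Constructed ROA set, as a validating router would load it from its cache.
ROAS = (
    Roa("198.51.100.0/22", 24, 64500),
    Roa("2001:db8::/32", 48, 64500),
)


def accept_length(prefix: str, ipv4_max: int = 24, ipv6_max: int = 48) -> bool:
    """Cheap first-line filter: refuse prefixes longer than the customary
    limits. This is what would have stopped the accidental de-aggregation
    of already-summarised blocks described in the post."""
    net = ipaddress.ip_network(prefix, strict=False)
    limit = ipv4_max if net.version == 4 else ipv6_max
    return net.prefixlen <= limit


def rov_state(ann: Announcement, roas=ROAS) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'.
    Note that only the origin AS (last element of the path) is examined."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    origin = ann.as_path[-1]
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"          # no ROA covers this prefix at all
    for roa in covering:
        if roa.origin_asn == origin and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"               # covered, but wrong origin or too long


def ingress_decision(ann: Announcement, roas=ROAS) -> str:
    """Combine the two checks the way a cautious edge would: drop over-long
    prefixes first, then drop ROV-invalid routes; 'notfound' is still accepted
    because most of the table has no ROA yet."""
    if not accept_length(ann.prefix):
        return "reject:prefix-too-long"
    state = rov_state(ann, roas)
    if state == "invalid":
        return "reject:rov-invalid"
    return f"accept:{state}"


if __name__ == "__main__":
    samples = [
        Announcement("198.51.100.0/22", (64496, 64500)),         # legitimate
        Announcement("198.51.100.0/25", (64496, 64500)),         # de-aggregated
        Announcement("198.51.100.0/24", (64496, 64511)),         # wrong origin
        Announcement("203.0.113.0/24", (64496, 64511)),          # no ROA
        Announcement("198.51.100.0/24", (64496, 64511, 64500)),  # forged origin: ROV blind spot
    ]
    for ann in samples:
        print(ann.prefix, ann.as_path, "->", ingress_decision(ann))
```

The last sample is the case the post is worried about: the announcement is accepted as ROV-valid even though AS 64511 sits in the path, because ROV has no way to know whether AS 64500 ever actually announced that route. A per-neighbour prefix list (only accept from 64496 what 64496 is entitled to carry) is what closes that gap today.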

Comment Locator/Identifier Separation Protocol (LISP) (Score 1) 248

I noticed no one had mentioned LISP. I don't completely understand it, but I'll add my two cents anyway.

LISP is supposed to help with routing table exhaustion and keep the global routing tables lean. It does this with a distributed database to basically map out endpoints and create tunnels around the internet. This is so no one router on the internet needs to have a full table.

In the short term for backwards compatibility, endpoints will be identified with IPv4 or IPv6 addresses, but it seems to work with any unique ID, like a serial number or GPS coordinate.

Locator/Identifier Separation Protocol (LISP)

My additional two cents...
I realize I'm risking any credibility I might have by mentioning anything related to bitcoin, but I think it's an interesting idea worth stating. Although I don't have any interest in using bitcoins as a currency, I think the underlying technology is interesting and could be useful in other applications.

The idea is for organisations to "mine" for their IPv6 allocation. They can then use their "wallet" to sign their BGP advertisements so that their peers can be certain (for various values of certain) they own that prefix. This also has the effect of decentralizing the allocation of resources, and considering the vastness of the address space of IPv6, it would be a waste of time for anyone to attempt to mine all of it and hoard it.

Comment Re:Because Airport Wi-Fi sucks (Score 1) 135

At work we are considering aruba wireless. We were shown an installation that was handling 11k users at any point during the day. They said that installation sees 60k unique devices in a week. They would fit a room with 5 or 6 radios to handle 300 people at around 2 to 3 devices each. They do this by turning down the transmit power on each radio, because it's not about coverage but density.
