Transparent VLAN Tagging with libvirt and Open vSwitch

As of version 0.10.0 of libvirt, transparent VLAN tagging is fully supported with Open vSwitch (OVS). This feature allow to transparently forward tagged VM traffic to the ethernet network, providing functionality similar to a switch's VLAN trunk. Transparent VLAN tagging is particularly interesting if you want to directly and easily terminates VLANs on your virtual machines (say virtual routers or gateways), while keeping your host configuration as simple as possible, and so without messing up with tens or even hundreds of bridges.

Read More

NAT66 and IPv6 ULA on Juniper SRX

Sometimes, you do not have access to enough public address space to number all your subnets. This is especially recurrent in virtualized environments where network segmentation is a natural design choice. In such environments, you may have several VLANs and routing instances (call them routing domains, or contexts, depending of the vendor terminology you're familiar with), and for each, comes a unique set of subnets. Every network operator knows how painful IP address management is, and we all want to avoid renumbering our network, especially if the following account for hundreds, if not thousands of subnets. You certainly also figured out that Network Address Translation (NAT) could help in this manner, but do you know its benefits could be as well applied to the IPv6 world?

Read More

Juniper Firefly Perimeter on OpenStack

Juniper recently announced the General Availability of Firefly Perimeter (also known as JunosV Firefly), a virtual firewall based on the Juniper's SRX Services Gateway code. Firefly Perimeter runs as a virtual machine and delivers similar networking and security features as the branch SRXes, such as Routing, NAT and VPN. It allows you to secure business applications and services in private and public cloud environments. As of version 12.1X46, it support two hypervisors, namely VMware ESXi and Linux KVM. Each instances of the virtual appliance can support up to ten Gigabit Ethernet vNICs. As I already had an OpenStack lab up and running, I decided to give Firefly Perimeter a try.

Read More

NTP Amplification Attacks - Impacts and Mitigation

The recent increase in NTP amplification attack has shed the light on the utility of control-plane filtering. A few days ago, the US-CERT issued an advisory that warns the public about this emerging form of Distributed Denial of Service (DDoS) attack. As you know, the Network Time Protocol (NTP) is a very popular UDP based protocol, used by a large number of computers and devices, including routers and switches to keep their software clocks synchronized with remote references clocks. The protocol support a number of administrative requests that returns statistical information, such as a list of the last 600 associated clients, the statistical counters associated with the protocol's I/O module, and so on. Most of these commands are ideal for amplification attacks, because they returns a large number of information, and therefore their replies have sizes significantly higher than their initial requests.

Read More

Did you know? IS-IS Minimum MTU

I recently came across the fact that my favorite IGP, the Intermediate System To Intermediate System (IS-IS) Routing Protocol has strict requirements regarding the minimum MTU of a link. In fact, for your adjacency to come up, the IS-IS link's maximum transmission unit (MTU) must be at least of 1492 bytes.

Read More