The Men & Mice Blog

The RIPE-javik logs: Day 5

Posted by Carsten Strotmann on 5/26/19 11:06 AM

carsten@menandmice:~$ cat ~/ripe/ripejavik-day5.txt | blog-publish

As RIPE 78 came to a close, it was time to reflect and to forge plans for the future.

The last day of RIPE 78

In the final plenary session of RIPE 78, Theódór Gíslason from Icelandic security company Syndis talked about current threats on the Internet and that many users underestimate the security issues. He underpinned this statement with some examples of how attackers can find detailed information on a victim through public information like commits on GitHub or Facebook, and noted that data breaches are getting more numerous and bigger.

One could say that most of the information in the presentation wasn't new to the RIPE audience, and Theódór Gíslason was somewhat surprised when he asked the audience who is using Facebook and only a few hands went up. The RIPE audience is a special case.

Later on, it was Roland van Rijswijk-Deij’s turn again to take the stage. Today he was reporting on historical data on RPKI, the Resource Public Key Infrastructure securing the Internet’s routing system. The RIPE NCC has archived historical RPKI repositories and Roland used the "Routinator" tool to analyze how RPKI usage has changed over time. For example, he found that the average prefix size in RPKI is decreasing over time for both IPv4 and IPv6.

Richard Nelson from the Faucet Foundation presented on the open source OpenFlow controller with the name "Faucet". Faucet is targeted at enterprises that want to move router and switch management away from closed network equipment vendors into OpenFlow Hardware/Software. Richard reported on their real world implementation of the Faucet system at the Super-Computer Conference 2018 in Dallas, TX.

Before RIPE Chair Hans Petter Holen officially closed RIPE 78, there was a challenging online quiz titled "Are you up to the Level of RIPE 78?" which was organized by Fernando Garcia. RIPE meetings are often exhausting, quite challenging, but also lots of fun!

A final note

RIPE 78 was the second largest RIPE meeting ever, and for me personally it was one of the best RIPE meetings I've attended. It had great presentations, a good location (Hotel Nordica) and food and very nice weather in Reykjavik. I have been told this has been one of the warmest weeks in May for years. Must’ve been the hot topics at RIPE 78.

And then there was the "Group of Secrets" (aka Secret Working Group), but the report from that group is a secret and I'm not allowed to tell you anything about it. If you want to know what is going on in that Working Group, you will have to come in person to RIPE 79 in October in Rotterdam, NL. See you there!

A note from the editors: RIPE-javik may be over, but not done

Thus concludes our RIPE 78 coverage, but not our investigation of the issues raised or our follow-up on the conversations started.

In the coming weeks and months, we’ll be returning to these topics frequently. We’ll deep-dive into issues on the blog, and we’re also preparing a podcast series, starting with interviews (conducted by Carsten) with prominent speakers and attendees at RIPE.

We’ve learned a ton this past week. But we’re also interested to hear your feedback: what did you find the most interesting? What new development are you the most excited for? We’re listening!

Topics: DNS, Open Source, Security, network security

The RIPE-javik logs: Day 3

Posted by Carsten Strotmann on 5/23/19 7:11 AM

carsten@menandmice:~$ cat ~/ripe/ripejavik-day3.txt | blog-publish

Wednesday was a hands-on kind of day at RIPE 78. Attending the OpenSource Working Group yielded lots of interesting information, and we’ve interviewed some RIPE 78 participants for our upcoming podcasts. (Watch this space!)

Open Source Working Group

The Working Group started with two different solutions for a similar task, both very interesting.

The first presentation was about building network labs using open source tools. Wolfgang Tremmel from German Internet Exchange DE-CIX reported on his experiences with using Docker Linux containers to build a training lab for BGP training. He used a Docker container with FRRouting (an open source routing software rooted in Quagga) and exposed the terminal command line of each container to the net via ttyd.

In this configuration, the training participants only need a web browser to access the lab machines. The lab can run either locally in the training room or on some cloud service. Getting IPv6 to work with Docker can be challenging, and Wolfgang ran into problems there. I personally would recommend podman or systemd-nspawn as an IPv6 friendly alternative to Docker.

In the same presentation slot, Sander Steffann talked about his experiences with his router labs. While the focus in Wolfgang’s training is the routing protocol itself (and less the routing software used), Sander has a lab that allows the students to try out real commercial router software such as Cisco, Juniper, or MikroTik.

Sander is using the GNS3 project that is able to emulate or virtualize commercial router hardware to run the router firmware unmodified. While GNS3 itself is open source, the router firmware needed is not. Emulation is costly, especially for more modern router machines, so his lab needed very powerful machines. Sander combined GNS3 with a nice, web-based management system that would display instructions and information about the routing labs.


The second presentation was from Max Rottenkolber, who was talking about his open source project, a high-performance VPN solution for x86_64 machines. This Site-to-Site VPN software is called Vita and is built upon Snabb, a high-performance network stack running in userspace.

While it runs on top of Linux, it does not use the Linux network stack, instead accessing the network card hardware directly from userspace. In doing so, Snabb can be used to create applications that are highly optimized for network throughput. Vita (and Snabb) are mainly built with the Lua programming language, and the code is compiled to optimized x86_64 machine code using a Just-in-Time (JIT) compiler. Because Vita is bypassing the kernel, it can fully control the hardware and squeeze maximum performance out of the system.

The project is still in development, and the medium-term goal is to be able to encrypt 100 Gbps line-rate traffic (with 60-byte packets). Because VPN gateways running Vita are dedicated servers, and because all networking is done in userspace, almost no kernel syscalls are used and the system's performance is not affected by the mitigations for the Intel CPU problems such as Spectre, Meltdown, and others.

Lightning talks

In the lightning talks session, Sander Steffann was asking the RIPE community for help with the NAT64check website he operates. The service allows users to enter the URL of a particular website, and run tests over IPv4, IPv6, and NAT64 in order to check:

  • whether the website is actually reachable in each case,
  • whether identical web pages are returned,
  • and whether all the resources such as images, stylesheets, and scripts load correctly.

Sander is looking for people who are interested in joining the team that keeps this service running.


Next, Maria Jan Matejka from CZ.NIC presented an update on new developments around the BIRDv2 open source routing daemon. BIRD is a dynamic routing daemon running on Linux, BSD and other systems and implements many routing protocols like BGP, OSPF, Babel and more.

The new version has custom route attributes and a filter benchmark tool, and its filters will become faster in the future. There was also a "dirty hack" presented on how to auto-reload a route on an RPKI change.


The working-group closed with a discussion on industry hackathons, with presentations on both experiences from the IETF hackathons and the RIPE hackathons.

More coverage (And a podcast!)

RIPE 78 is now in full swing, with conference events and lots of off-site discussions, sight-seeing, and social happenings. We’ll continue our daily briefings throughout the week, but we’re also working on a more in-depth project: a podcast digging deeper into all things DNS, DHCP, and IPAM.

Make sure you follow Men & Mice’s social media channels and blog for the announcement!

Topics: Open Source, RIPE 78, VPN, workshop, routing

Immediate ROI with the Men & Mice Suite during transition to Open Source DHCP

Posted by Men & Mice on 4/23/14 11:30 AM

Texas Woman's University (TWU) is a major multi-campus U.S. public university, primarily for women. Its campuses in Denton, Dallas and Houston are joined by an e-learning campus offering innovative online degree programs in business, education and general studies.

Situation:

This University needed better control and increased flexibility for a variety of network administration tasks, with the immediate need being a smooth transition from Windows to Open Source DHCP.

Managing the Transition to Open Source DHCP “A Major Selling Point.”

“I am a proponent of open source technology,” said the College’s Lead Network Administrator, “and converting to Linux had been on my list of goals for a long while. I’d built a test Linux DHCP server, but I ran into some difficulties modeling the database migration.” So he did what any network administrator might do: he went looking for help online. “Basically I was trying to convert things cleanly and completely from Windows to Linux, and I was looking for a tool that would help me do that. I posted my needs on message boards and got a recommendation from another network administrator: ‘Try Men & Mice’.” Not only did it help him make a smooth transition to Linux, but he adds, “I was able to get much better control over my Windows DHCP server right away. We are now running all of the DNS servers through the Men & Mice management console, as well. I am very happy with it.”

While helping the University accomplish their transition to Open Source DHCP, Men & Mice also expedited their ROI by helping them get a handle on their IP address management, which was still being handled in an Excel spreadsheet. “Men & Mice Really Simplifies the IPAM Management Piece.”

In addition, the robust API that Men & Mice includes was used to mitigate DNS coding errors and security concerns by automating DNS procedures previously not possible in the home-grown application they were using. To accelerate the shortened ROI, the University also used the tool to help clean up stale PTR records in a minimal amount of time, which was “a huge benefit and time savings”.

The Results:

“A Significant Benefit for us.”

From a network administrator’s perspective, success can be measured in a number of ways, and for the University Office of Technology, one of the most meaningful measures is user satisfaction. “We are here to facilitate people’s education. Our students are here to better their lives, and we are here to support them. It’s an important mission, and when technology problems interfere with that, people will let you know quickly. Since we installed the Men & Mice Suite, I haven’t heard a thing.”

Read the full case study on how TWU, with the Men & Mice Suite, put their focus on facilitating people’s education instead of mundane network management and troubleshooting tasks.

Topics: Men & Mice Suite, Open Source, ROI

Why follow Men & Mice?

The Men & Mice blog publishes educational, informational, as well as product-related material for everyone and anyone interested in IP Address Management, DNS, DHCP, IPv6, DNSSEC and more.
