Wednesday, September 9, 2009

Wednesday, June 17, 2009

Router lab progress update

Ok, So I guess you have to be careful out there who you select to host your virtual server. FSCKVPS.com got hacked and lost all of their customer's VPS's. Now, I would have stayed with them had they come out and announced it but I go to check on something and I find my VPS is down, their website is gone and the only email I get is to let me know that they may have even had my Credit Card information stolen.

After spending some time researching it, I think I am going to go to Slicehost.com who was recently purchased by Rackspace. Slicehost is even based out of St. Louis so its got the (somewhat) local thing going for it.

Sunday, May 17, 2009

More progress on www.onlinerouterlab.com

I have been making a lot of progress on the new router lab venture. I decided that I needed a place to host my website that I could do more than just HTML and since I decided I didn't want the box at home (since the basement is loud enough with the lab itself) I got a virtual host through www.fsckvps.com for a very reasonable price and on top of it I get a static IP included which is very useful. I hope to get the backend systems up so that I can at least start offering a beta of the free service in the next month (although that progress may be slow as I'm going in for knee surgery).

Check out the new website at:

www.onlinerouterlab.com

Thursday, May 7, 2009

Ping your boss...

Sometimes we have too much fun in the office...

From: Carl Fugate
Subject: Ping Allen

Per Stacy’s request to ping Allen it appears that he is offline:

C:\>ping allen
Ping request could not find host allen. Please check the name and try again.

From: Coworker 1
Subject: RE: Ping Allen

No no it is case sensitive!

C:\Documents and Settings\rtutlel>ping Allen
Reply from 0.0.0.0: bytes=32 time=1003ms TTL=1250

From: Coworker 2
Subject: RE: Ping Allen

Looks right…response time is very slow. Time to live is a bit optimistic…

Tuesday, May 5, 2009

Overcoming Cisco VPN lack of support for 64 bit OS's

I took the plunge and installed Windows 7 RC today on my laptop that I am going to be using for work. The install went flawless and via Windows Update I had all of my drivers as well. The problem came when I realized that I had installed the 64 bit version and the lack of a client for non-SSL Cisco VPN. After reading several places I found that the best solution was NCP's Secure Entry Client. They recently released a BETA version that supports Windows 7.

I must say I was pretty impressed. I installed it and did a profile import and I was up and running. It's not free ($144) but if you need support for 64bit OS's it works great.

You can get the client here:

http://www.ncp-e.com/en.html

Tuesday, April 28, 2009

Sprint - We've got Snipers

Totally unrelated to my blog but since I used to work for Sprint and a lot of people who follow my blog do here is a great video...Brought to you by Nathan Fink's post on Facebook:



Monday, April 20, 2009

New hurdle for getting additional IPv4 addresses

Beginning May 18, 2009 ARIN will start requiring an officer of the company to attest to the utilization of the current IP space assigned to the company before processing a request for more space. This is due to the fact that ARIN estimates that the current pool of IPv4 addresses will be exhausted in the next two years.

More details can be found here:

https://www.arin.net/resources/agreements/officer_attest.html

Tuesday, April 7, 2009

Rakesh Hegde CCIE Plaque

I was disappointed when I saw the new CCIE plaques that Cisco was handing out as quite a few people were and a good friend of mine Rakesh Hegde recently passed his CCIE R&S exam. One of my coworkers Chris Damico is an amazing woodworker so I commissioned him to make a new plaque for Rakesh which my team presented to him today.



Rakesh recently returned home to India for vacation and when he came back he brought back some Sandlewood for Chris which he used on the plaque for his name and number. Congratulations Rakesh and great work Chris. More pictures from the lunch and presentation can be found here:

Pictures from the presentation

Friday, April 3, 2009

More Bogons please...

The old adage you can lead a horse to water but can't make him drink sounded true today when I got copied on an email after we had told one of our customers partners that using Bogon address space to IP their network was a bad idea:

Also you might want to hold off on the 10.x.x.x/24 as we are changing it over most likely this weekend to 100.x.x.x/16.
Yes, you should get out of RFC1918 entirely and on to Bogon address space because nothing possibly bad can happen from that. At least they are consistent...

My work from home office

Today I finished configuring an IPSEC tunnel to the office so that I could install a Cisco IP phone at the house. Now when I'm working from home people don't have to track me down on my mobile. One of the neatest things about IP Telephony is that I have have multiple phones in different locations that all have my extension so when I get a call it rings at my desk and at home.

Now as soon as I get some routing fixed at the office I will be able to use the data port on the phone and not have to use the VPN client to get in any longer. I love being an IP engineer.

Tuesday, March 31, 2009

Conficker Virus may cause more problems starting tomorrow

The Conficker Virus hits another important date tomorrow when it will start phoning home by connecting to randomly generated domains (approximately 50k of them) to get instructions on what to do next. Luckily within the last few days researchers have been able to come up with a fingerprint for detecting infected hosts which has been very difficult up until now.

The great people over at insecure.org have updated the popular NMAP tool (Version 4.85Beta5) with the ability to scan for infected hosts. I would certianly have this on hand for tomorrow if this becomes bigger than what has been predicted.

Friday, March 27, 2009

Route Servers and Looking Glasses

One of my favorite Internet troubleshooting website's is http://traceroute.org. It hosts a collection of links to BGP Looking Glasses and Route Servers all over the Internet. This is extremely useful when trying to track down why people in various parts of the Internet cannot reach your public IP space by being able to make sure that the routes that you are advertising are propagated properly and that someone else is not stepping on your routes.

For example, I was troubleshooting a problem where users in my network were not able to get out to the Internet. After checking our firewalls and routers I found that the traffic was indeed leaving the network out to the Internet but I wasn't getting any return traffic. I saw that I was advertising the return routes out to the Internet, but by logging into a Route Server I found that there was a more specific route that was being advertised by AT&T (who was not our carrier) than what I was advertising to the Internet. Because of this I was able to start advertising more specific ranges than what AT&T was sending to work around the problem until I tracked someone down at AT&T.

Once I got a hold of someone we found that someone was turning up a new AT&T customer who had a very similar address range as my IP space and had fat fingered the IP address when they put in the route. This in turn started advertising my space more specifically than mine which sent all of my return traffic to AT&T. Had I not been able to look at how the "Internet" was routing my IP space I would have never been able to find this problem.

Most of the providers even have the ability to ping and traceroute from various points around the world as well which is sometimes helpful as well.

Sunday, March 22, 2009

My Workstation


Thanks to a new monitor arm setup and a cheap video card from a friend of mine (Thanks Jeremy), I am able to use all three monitors on one PC. I have a Samsung 24" Widescreen as my primary monitor with two Samsung 19" Widescreen monitors on top. Using Winsplit Revolution I can have 8 terminal windows up with no problem (or a couple of basketball games with March Madness). With such a sweet setup, I'm not sure how I'm going to be able to go back into the office and use my single 24" monitor...

Saturday, March 21, 2009

Now it's "No business case for IPv6"

As a follow up from a previous entry on IPv6 adoption as well as on Bogon addresses, Slashdot featured an article from Network World titled "No business case for IPv6, survey finds" which outlines reasons why companies are not adopting IPv6. In the article, one responder mentioned that they would increase the amount of Network Address Translation (NAT) if they can't get allocations of IP space. While this certainly will cause some problems, it is going to be required one way or another (V4 to V6 or V6 to V4 NAT). It also mentions that experts estimate that IPv4 addresses will all be allocated by 2012 which doesn't give us a lot of time to make a move towards something. Personally I think that the IPv4 address exhaustion problem is just as big or bigger than the Y2K problem we just had less than a decade ago. Modifying software for dates while certainly not a minor task will look like childs play when you look at litterally having to redo all of the networkable applications and your network infrastructure to take advantage of IPv6. Not to mention that the number of IPv6 experts out there is miniscule compared to the people who support IPv4.

My guess is that within the next couple of years, people with a strong background with IPv6 are going to be the new "COBOL" programmers of Y2K making really good money to bring enterprise networks onto the new protocol.

Monday, March 16, 2009

Martian's and Bogon's (and no this isn't Sci-Fi)

After discovering Bogon's and Martian's in networks that I manage I decided that it was time to bring more light to these devious creatures.

Lets start with the more common Martians which are networks that should NEVER be routed on any network with few exceptions. As a matter of fact, Juniper has them defined in JunOS and you must modify the list if you need to route for any of them:
carlfugate> show route martians

inet.0:
0.0.0.0/0 exact -- allowed
0.0.0.0/8 orlonger -- disallowed
127.0.0.0/8 orlonger -- disallowed
128.0.0.0/16 orlonger -- disallowed
191.255.0.0/16 orlonger -- disallowed
192.0.0.0/24 orlonger -- disallowed
223.255.255.0/24 orlonger -- disallowed
240.0.0.0/4 orlonger -- disallowed

On one of my internet facing routers I have a protection ACL that blocks some of these which surprisingly some ISP's allow people to source packets from these subnets:
Extended IP access list 110
10 deny ip host 0.0.0.0 any (93 matches)
20 deny ip 127.0.0.0 0.255.255.255 any (53 matches)
30 deny ip 192.0.2.0 0.0.0.255 any

Some people forget that 127/8 is totally reserved for Loopback addressing and not just 127.0.0.1/32.
From RFC3330:
127.0.0.0/8 - This block is assigned for use as the Internet host
loopback address. A datagram sent by a higher level protocol to an
address anywhere within this block should loop back inside the host.
This is ordinarily implemented using only 127.0.0.1/32 for loopback,
but no addresses within this block should ever appear on any network
anywhere [RFC1700, page 5].

If you ping any address in the 127/8 range on a Windows or *nix box you will get a reply:
Reply from 127.0.0.1: bytes=32 time<1ms ttl="">
What is a Bogon?

From Wikipedia:
"Bogon" is an informal name for an IP packet on the public Internet that claims to be from an area of the IP address space reserved, but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR). The areas of unallocated address space are called "bogon space".
The term Bogon comes from Hacker jargon referring to the quantum of "bogosity" which is the property of being bogus. This makes sense when you realize that packets sourced from Bogon addresses which have not been assigned obviously cannot be routed on the Internet.

There are networks out there that instead of using RFC 1918 address space used Bogon's such as 100/8 for a variety of reason (such as seeing them being used in vendor presentations) to address their network. This is becoming more of an issue that IANA is starting to run out of IP addresses that are available for assignment (I recently added a counter to my blog that shows this) and have been assigning more and more blocks that were once considered Bogon's.

Why is this such a big deal? Lets say that you addressed your network in the 100/8 IP space but tomorrow that block is assigned for use and Google gets some of those IP's for some of its new applications. When a user in your network goes to access that application, your network will look at its routing table and may find that it has a more specific route than the 0/0 or default route and send the packets towards some internal host in your network instead of out to the Internet.

There are some dirty ways of routing around this but eventually it can lead to some serious problems. If you manage a network that is addressed out of any of this space I would make it a point to come up with a migration or mitigation plan for this very soon because over the next 2 years we will find that almost all of the previously Bogon space will be assigned and available for use.

You can find a list of all of the current Bogon's as well as some other really helpful tools (such as a BGP peering that you can use to block Bogon's) here:

http://www.cymru.com/Documents/bogon-list.html

Tuesday, February 10, 2009

We mourn the passing of Eric Simon

A dear friend and former colleague of mine from Sprint passed away in his sleep on January 23rd, 2009. Eric Simon was a wonderful person who I had the distinct honor of working closely with for several years while I was at Sprint. Eric was a very talented engineer but what set him apart was not just his knowledge of technology, but his kindness and understanding. Everyone I know enjoyed working with and around him.

To remind everyone of the contributions that he made during his long tenure at Sprint, a firewall set is being renamed in his honor.

Eric I know that I speak for everyone that has every worked with you in saying we will sincerely miss you.

Monday, January 12, 2009

Juniper Testing Status Update

I didn't pass the JNCIP-M lab exam on 1/5/09 as I ran out of time, however my good friend Joel Studtmann who went with me did pass the JNCIE-M exam to become JNCIE #394. Big congratulations to Joel on this huge accomplishment. Now hopefully with some encouragement from me Tim Eberhard and Jeremy Thompson will pass the JNCIP-M lab in March/April respectively.