2011-12-27 01:16:10

Secure browser-to-proxy communication

Categories: network, security

When connecting to a possibly hostile network I want to tunnel all traffic from my browser to some proxy I have set up on the Internet.

The obvious way to do this is with a proxy. The problem with that is that the traffic from the browser to the proxy is not encrypted. Even when you browse to secure SSL sites some traffic is being sent in the clear, such as the host name. That's not so bad, but I want to hide my HTTP traffic too.

2011-10-15 23:21:49

Optimizing TCP slow start

Categories: network, unix

The short version of the problem and solution I will describe is that while TCP gets up to speed fairly fast, and "fast enough" for many uses, it doesn't accelerate fast enough for short-lived connections such as web page requests. If I have a 10Mbps connection and the server has 10Mbps to spare, why doesn't a 17kB web page transfer at 10Mbps from first to last byte? (That is, when excluding the TCP handshake, the HTTP request and server-side page rendering.)

This is pretty Linux-focused, but I'll add pointers for other OSs if I see them.

2010-08-05 19:33:00

tlssh - a replacement for SSH

Categories: coding, network, security, unix

I've started writing a replacement for SSH.

Why? Because SSH has some drawbacks that sometimes annoy me. I also wanted an authentication scheme that's more similar to SSL/TLS than what SSH does.

With tlssh you don't specify username or password, you simply connect to the server using a client-side certificate to log in as the user specified in the certificate. No interaction until you reach the shell prompt on the server.

2010-06-11 17:06:22

The rules of multicast

Categories: cisco, multicast, network

The first rule of multicast is you don't talk about multicast

Most networks don't do multicast routing, which means most network guys don't have much experience with it. Sure they know that it exists, and it's probably used on their layer 2, but they don't do multicast routing. These "rules" list some things that you should know when configuring or troubleshooting multicast.

2010-06-09 23:51:50

It's duplex mismatch

Categories: network

It's duplex mismatch

Print it out and put it next to your monitor. It will help you troubleshoot network problems.

2010-01-09 22:57:43

Shaping and policing on Cisco

Categories: cisco, network, qos

This post is about policing and shaping on Cisco routers and switches. This is a very big topic, so don't expect this post to cover everything. What I'm attempting to do is cover some things that I found aren't explained very well by books or the Internets, while still being readable for someone who hasn't read all the other stuff.

2009-06-28 22:56:23

Spanning tree limits

Categories: cisco, network, spanning-tree

I'm compiling a list of spanning tree and VLAN limits on different switches. This is what I've come up with so far. I don't have an authoritative source for these, but in many cases this is hard to get from specs.

If you go over these limits, bad things will happen! (broadcast storms, VLANs disappearing, cats and dogs living together. That sort of thing)

2009-04-10 21:12:17

What should have been default on Cisco devices

Categories: cisco, network

Some things on Cisco switches and routers never should have been on by default. Other things should have been turned on or set differently. This is not how I want them to be configured in the end (I like CDP for example), just how I think they should have been configured from the factory.

2008-07-27 22:54:00

Erlang BGP daemon

Categories: bgp, bugs, cisco, coding, erlang, network

I'm writing a BGP daemon in Erlang. It can connect, parse update packets and announce routes.
