Secure browser-to-proxy communication - again

2014-09-21, Categories: security, network

I've previously blogged about a secure connection between browser and proxy. Unfortunately that doesn't work on Android yet, since unless you use Google for Work (an enterprise offering) you can't set a Proxy Auto-Config (PAC) file.

This post shows you how to get that working for Android. It also skips the stunnel hop, since it adds no value and only hides your real address from Squid. Here I'm also using a username and password to authenticate to the proxy instead of client certificates, to make it easier to set up.

Another way to protect your SSH keys

2014-06-18, Categories: security, network, unix

Let's say you don't have a TPM chip, or you hate them, or for some other reason don't want to use one to protect your SSH keys. There's still hope! Here's a way to use a key without having access to it, meaning that if you get hacked the key can't be stolen.

Fixing high CPU use on Cisco 7600/6500

2013-10-27, Categories: cisco, network

Some time ago (this blog post has also been lying in draft for a while) someone came to me with a problem they had with a Cisco 7600. It felt sluggish, and "show proc cpu" showed that the fairly weak CPU was heavily loaded.

This is how I fixed it.

Next-hop resolution and point-to-point

2013-10-26, Categories: network

I had this blog post lying around as a draft for a long time. I didn't think it was "meaty" enough yet, but since I'm no longer a network consultant I don't think it'll become any meatier. So here it goes.

Here I will describe the process of L3-to-L2 mapping, or next-hop resolution, and how it works with point-to-point circuits like PPP, ATM and Frame Relay. It's the process of finding out what to actually do with a packet once the relevant routing table entry has been identified.

It's simpler than on a LAN segment, but since people nowadays generally learn Ethernet before they learn point-to-point I'm writing it anyway.
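The resolution step described above, as an added toy model in Python (not code from the post). The routing table, interfaces and ARP cache are constructed for illustration. A route that only names a next hop is resolved recursively until a route with an outgoing interface is found; on an Ethernet interface the last hop's IP must then be mapped to a MAC (ARP), while on a point-to-point circuit there is exactly one peer and nothing to look up.

```python
# Added example: next-hop resolution with recursive routes, Ethernet vs point-to-point.
# All tables below are constructed sample data, not taken from the post.
import ipaddress

INTERFACES = {
    "Gi0/0": {"type": "ethernet"},   # broadcast medium: needs an L3-to-L2 mapping
    "Se0/1": {"type": "ppp"},        # point-to-point circuit: exactly one far end
}

# (prefix, next hop or None if directly connected, outgoing interface or None)
ROUTES = [
    ("192.0.2.0/24", None, "Gi0/0"),
    ("10.0.12.0/30", None, "Se0/1"),
    ("198.51.100.0/24", "192.0.2.254", None),   # static route via a LAN neighbour
    ("203.0.113.0/24", "10.0.12.2", None),      # static route via the PPP peer
    ("0.0.0.0/0", "192.0.2.254", None),         # default route
]

ARP_CACHE = {"192.0.2.254": "00:11:22:33:44:55"}   # constructed entry


def lookup(dst):
    """Longest-prefix match; returns (network, next_hop, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, ifname in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifname)
    return best


def resolve(dst, max_depth=8):
    """Decide what to do with a packet to dst once its route has been found.

    Routes that name only a next hop are resolved recursively until a route
    with an outgoing interface is reached. The address to deliver to on that
    interface is the last next hop, or dst itself if directly connected.
    """
    hop = dst
    for _ in range(max_depth):
        route = lookup(hop)
        if route is None:
            return {"dst": dst, "iface": None, "action": "drop, no route to " + hop}
        _, next_hop, ifname = route
        if ifname is not None:
            return l2_action(dst, ifname, hop)
        hop = next_hop
    raise RuntimeError("next-hop recursion too deep (routing loop?)")


def l2_action(dst, ifname, hop):
    """Map the L3 hop to an L2 action according to the interface type."""
    if INTERFACES[ifname]["type"] == "ethernet":
        mac = ARP_CACHE.get(hop)
        if mac is None:
            return {"dst": dst, "iface": ifname, "action": "hold packet, ARP for " + hop}
        return {"dst": dst, "iface": ifname, "action": "frame to " + mac}
    # PPP/HDLC or a point-to-point ATM PVC / Frame Relay DLCI: the circuit has one
    # far end, so there is no L2 address to resolve; the next-hop IP is not even needed.
    return {"dst": dst, "iface": ifname, "action": "send on circuit"}


if __name__ == "__main__":
    for dst in ("198.51.100.9", "203.0.113.7", "192.0.2.50", "8.8.8.8"):
        print(dst, resolve(dst))
```

Note how 203.0.113.0/24 resolves through the PPP peer address purely to find the interface: once Se0/1 is chosen, the next-hop IP plays no further role, which is the whole point of the post.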

Plug computer for always-on VPN

2013-02-09, Categories: security, network, unix

Last time I was at a hacker conference I, for obvious reasons, didn't want to connect to the local network. It's not just a matter of setting up some simple firewall rules, since the people around you are people who have invented, and are inventing, new and unusual attacks. Examples of this would be rogue IPv6 Router Advertisements and Neighbor Discovery messages, and people who have actually generated their own signed root CAs. There's also the risk (or certainty) of having all your unencrypted traffic sniffed and altered.

For next time I've prepared a SheevaPlug computer I had lying around. I updated it to a modern Debian installation, added a USB network card, and set it up to provide always-on VPN. This could also be done using a Raspberry Pi, but I don't have one.

Interesting Arping bug report

2012-10-05, Categories: unix, coding, network, arping

A few months ago I was strolling in the Debian bug tracking system and found a curious bug filed against Arping, a program I maintain.

It said that unlike Arping 2.09, in Arping 2.11 the ARP cache was not updated after successful reply. I thought that was odd, since there's no code to touch the ARP cache, neither read nor write. Surely this behaviour hasn't changed?

Benchmarking TPM-backed SSL

2012-02-05, Categories: security, network, tpm, hsm

As you can plainly see from this graph, my TPM chip can do approximately 1.4 SSL handshakes per second. A handshake takes about 0.7 seconds of TPM time, so when two clients connect at the same time the average connect time is 1.4 seconds. This means it's probably not useful on the server side, but it should be good enough for some client-side applications.

TPM-backed SSL

2012-02-04, Categories: security, network, coding, tpm, hsm

This is a short howto on setting up TPM-backed SSL. This means that the secret key belonging to an SSL cert is protected by the TPM and cannot be copied off the machine or otherwise inspected.

So even if you get hacked, the attackers cannot impersonate you once you manage to kick them off or just shut down the server. The secret key is safe: it has never been outside the TPM and never will be.

This can be used for both client and server certs.

Secure browser-to-proxy communication

2011-12-27, Categories: security, network

When connecting to a possibly hostile network I want to tunnel all traffic from my browser to some proxy I have set up on the Internet.

The obvious way to do this is with an HTTP proxy. The problem with that is that the traffic between the browser and the proxy is not encrypted. Even when you browse to SSL sites some traffic is sent in the clear, such as the host name in the CONNECT request. That's not so bad, but I want to hide my plain HTTP traffic too.

Optimizing TCP slow start

2011-10-15, Categories: unix, network

The short version of the problem and solution I will describe is that while TCP gets up to speed fairly fast, and "fast enough" for many uses, it doesn't accelerate fast enough for short-lived connections such as web page requests. If I have a 10 Mbit/s connection and the server has 10 Mbit/s to spare, why doesn't a 17 kB web page transfer at 10 Mbit/s from first to last byte? (That is, when excluding the TCP handshake, the HTTP request and server-side page rendering.)

This is pretty Linux-focused, but I'll add pointers for other OSs if I see them.
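To put numbers on the complaint above, here is an added example (not from the post) that counts how many round trips loss-free slow start needs to push a small object, and the throughput that implies. It assumes an MSS of 1460 bytes, an initial window of 3 segments (what RFC 3390 gives for that MSS; RFC 6928 proposes 10), a 50 ms RTT and a 10 Mbit/s link; all of these are assumptions, not values from the post. Doubling cwnd every RTT is the best case; delayed ACKs make the real ramp slower.

```python
# Added example: round trips and effective throughput of a slow-start-limited transfer.
# Assumed parameters (not from the post): MSS 1460, initcwnd 3, RTT 50 ms, 10 Mbit/s link.
MSS = 1460
INIT_CWND = 3
RTT_MS = 50.0
LINK_BPS = 10_000_000


def rtts_to_transfer(size_bytes, init_cwnd=INIT_CWND, mss=MSS):
    """Return (round trips needed, cwnd in segments for each round trip).

    Each round trip the sender emits cwnd full segments; every ACK grows cwnd by
    one MSS, so the next round trip carries twice as many (no loss, no delayed ACKs).
    """
    cwnd = init_cwnd
    sent = 0
    rounds = []
    while sent < size_bytes:
        rounds.append(cwnd)
        sent += cwnd * mss
        cwnd *= 2
    return len(rounds), rounds


def effective_rate_bps(size_bytes, rtt_ms=RTT_MS, init_cwnd=INIT_CWND, mss=MSS):
    """Throughput the application sees: bits divided by (round trips * RTT).

    Handshake, request and server think time are excluded, as in the post.
    """
    n, _ = rtts_to_transfer(size_bytes, init_cwnd, mss)
    return size_bytes * 8 / (n * rtt_ms / 1000.0)


def line_rate_ms(size_bytes, link_bps=LINK_BPS):
    """Serialization time if the link were busy from first to last byte."""
    return size_bytes * 8 / link_bps * 1000.0


if __name__ == "__main__":
    page = 17 * 1024  # the 17 kB page from the post
    for icw in (3, 10):
        n, rounds = rtts_to_transfer(page, icw)
        print(f"initcwnd {icw:2d}: {n} RTTs {rounds}, "
              f"{effective_rate_bps(page, init_cwnd=icw) / 1e6:.2f} Mbit/s")
    print(f"at line rate the page would take {line_rate_ms(page):.1f} ms")
```

With these assumptions the 17 kB page needs three round trips (3 + 6 + 12 segments), 150 ms in total, for an effective 0.93 Mbit/s, against 13.9 ms if the link were busy the whole time. Raising the initial window to 10 segments cuts it to two round trips. On Linux the initial window is a per-route attribute set with `ip route change ... initcwnd N`.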

tlssh - a replacement for SSH

2010-08-05, Categories: security, unix, coding, network

I've started writing a replacement for SSH.

Why? Because SSH has some drawbacks that sometimes annoy me. I also wanted an authentication scheme that's more similar to SSL/TLS than what SSH does.

With tlssh you don't specify username or password, you simply connect to the server using a client-side certificate to log in as the user specified in the certificate. No interaction until you reach the shell prompt on the server.

The rules of multicast

2010-06-11, Categories: multicast, cisco, network

The first rule of multicast is you don't talk about multicast

Most networks don't do multicast routing, which means most network guys don't have much experience with it. Sure, they know that it exists, and it's probably used on their layer 2, but they don't do multicast routing. These "rules" list some things that you should know when configuring or troubleshooting multicast.

It's duplex mismatch

2010-06-09, Categories: network

It's duplex mismatch

Print it out and put it next to your monitor. It will help you troubleshoot network problems.

Shaping and policing on Cisco

2010-01-09, Categories: cisco, network, qos

This post is about policing and shaping on Cisco routers and switches. This is a very big topic, so don't expect this post to cover everything. What I'm attempting to do is cover some things that I found aren't explained very well by books or the Internet, while still being readable for someone who hasn't read all the other stuff.

Holy ip packet Batman!

2009-10-17, Categories: cisco, network, qos

Never forget.

Spanning tree limits

2009-06-28, Categories: cisco, spanning-tree, network

I'm compiling a list of spanning tree and VLAN limits on different switches. This is what I've come up with so far. I don't have an authoritative source for these, and in many cases this is hard to get from the specs.

If you go over these limits, bad things will happen! (broadcast storms, VLANs disappearing, cats and dogs living together. That sort of thing)

What should have been default on Cisco devices

2009-04-10, Categories: cisco, network

Some things on Cisco switches and routers never should have been on by default. Other things should have been turned on or set differently. This is not how I want them to be configured in the end (I like CDP for example), just how I think they should have been configured from the factory.

Erlang BGP daemon

2008-07-27, Categories: cisco, bgp, erlang, coding, network, bugs

I'm writing a BGP daemon in Erlang. It can connect, parse update packets and announce routes.
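The "parse update packets" part, as an added example in Python (not the Erlang daemon's code): an encoder and a parser for the BGP-4 UPDATE message (RFC 4271). It assumes 2-octet AS numbers (no 4-octet AS capability negotiated) and decodes only ORIGIN, AS_PATH and NEXT_HOP, keeping other attributes raw. Every length field is checked against what is actually present, since a peer can send a short message; the test message is constructed inline.

```python
# Added example: build and parse a BGP-4 UPDATE (RFC 4271), 2-octet ASNs assumed.
import ipaddress
import struct

BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19
BGP_UPDATE = 2
ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3     # path attribute type codes
AS_SEQUENCE = 2                         # AS_PATH segment type
FLAG_WELL_KNOWN = 0x40                  # transitive bit set, optional bit clear
FLAG_EXT_LEN = 0x10                     # attribute length field is two octets


def encode_prefix(prefix):
    """NLRI / withdrawn-route encoding: 1 byte prefix length + ceil(len/8) bytes."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def decode_prefixes(buf):
    prefixes, i = [], 0
    while i < len(buf):
        plen = buf[i]
        nbytes = (plen + 7) // 8
        raw = buf[i + 1:i + 1 + nbytes]
        if plen > 32 or len(raw) != nbytes:
            raise ValueError("truncated or invalid prefix")
        addr = ipaddress.IPv4Address(raw.ljust(4, b"\x00"))
        prefixes.append(str(ipaddress.IPv4Network((addr, plen), strict=False)))
        i += 1 + nbytes
    return prefixes


def build_update(withdrawn, as_path, next_hop, nlri, origin=0):
    """Announce nlri with ORIGIN/AS_PATH/NEXT_HOP and withdraw the given prefixes."""
    w = b"".join(encode_prefix(p) for p in withdrawn)
    seg = bytes([AS_SEQUENCE, len(as_path)]) + struct.pack("!%dH" % len(as_path), *as_path)
    attrs = (bytes([FLAG_WELL_KNOWN, ORIGIN, 1, origin])
             + bytes([FLAG_WELL_KNOWN, AS_PATH, len(seg)]) + seg
             + bytes([FLAG_WELL_KNOWN, NEXT_HOP, 4]) + ipaddress.IPv4Address(next_hop).packed)
    body = (struct.pack("!H", len(w)) + w + struct.pack("!H", len(attrs)) + attrs
            + b"".join(encode_prefix(p) for p in nlri))
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_UPDATE) + body


def parse_update(msg):
    """Parse one complete UPDATE; every length is checked before it is trusted."""
    if len(msg) < BGP_HEADER_LEN or msg[:16] != BGP_MARKER:
        raise ValueError("bad marker or short header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if length != len(msg) or mtype != BGP_UPDATE:
        raise ValueError("length mismatch or not an UPDATE")
    body = msg[BGP_HEADER_LEN:]
    if len(body) < 4:
        raise ValueError("UPDATE body too short")
    wlen = struct.unpack("!H", body[:2])[0]
    if 4 + wlen > len(body):
        raise ValueError("withdrawn routes length exceeds message")
    withdrawn = decode_prefixes(body[2:2 + wlen])
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    attrs_buf = body[4 + wlen:4 + wlen + alen]
    if len(attrs_buf) != alen:
        raise ValueError("path attribute length exceeds message")
    nlri = decode_prefixes(body[4 + wlen + alen:])
    return {"withdrawn": withdrawn, "attrs": parse_attrs(attrs_buf), "nlri": nlri}


def parse_attrs(buf):
    attrs, i = {}, 0
    while i < len(buf):
        hdr = 4 if buf[i] & FLAG_EXT_LEN else 3
        if i + hdr > len(buf):
            raise ValueError("truncated attribute header")
        flags, code = buf[i], buf[i + 1]
        vlen = struct.unpack("!H", buf[i + 2:i + 4])[0] if hdr == 4 else buf[i + 2]
        val = buf[i + hdr:i + hdr + vlen]
        if len(val) != vlen:
            raise ValueError("truncated attribute value")
        i += hdr + vlen
        if code == ORIGIN and vlen == 1:
            attrs["origin"] = val[0]
        elif code == AS_PATH:
            attrs["as_path"] = parse_as_path(val)
        elif code == NEXT_HOP and vlen == 4:
            attrs["next_hop"] = str(ipaddress.IPv4Address(val))
        else:
            attrs.setdefault("other", []).append((flags, code, val))
    return attrs


def parse_as_path(val):
    """List of (segment type, [ASN, ...]) with 2-octet ASNs."""
    path, j = [], 0
    while j < len(val):
        if j + 2 > len(val):
            raise ValueError("truncated AS_PATH segment")
        seg_type, count = val[j], val[j + 1]
        asns = val[j + 2:j + 2 + 2 * count]
        if len(asns) != 2 * count:
            raise ValueError("truncated AS_PATH segment")
        path.append((seg_type, list(struct.unpack("!%dH" % count, asns))))
        j += 2 + 2 * count
    return path
```

A round trip through `build_update` and `parse_update` with a withdrawn 10.0.0.0/8, an AS_SEQUENCE of 65001 65002, next hop 192.0.2.1 and two announced prefixes yields a 54-byte message; chopping a byte off it, or corrupting an attribute length, is rejected with ValueError rather than read past the buffer, which is the property a daemon that talks to arbitrary peers needs.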
