2013-10-27

Fixing high CPU use on Cisco 7600/6500

Categories: cisco, network

Recently some time ago (this blog post has also been lying in draft for a while) someone came to me with a problem they had with a Cisco 7600. It felt sluggish and "show proc cpu" showed that the weak CPU was very loaded.

This is how I fixed it.

Read the rest of this entry »
2013-10-26

Next-hop resolution and point-to-point

Categories: network

I had this blog post lying around as a draft for a long time. I didn't think it was was "meaty" enough yet, but since I'm no longer a network consultant I don't think it'll become any meatier. So here it goes.

Here I will describe the process of L3-to-L2 mapping, or next-hop resolution and how it works with point-to-point circuits like PPP, ATM and Frame relay. It's the process of finding out what to actually do with a packet once the relevant routing table entry has been identified.

It's deceptively simpler than on a LAN segment, but since people generally learn Ethernet before they learn point-to-point nowadays I'm writing it anyway.

Read the rest of this entry »
2013-02-09

Plug computer for always-on VPN

Categories: network, security, unix

Last time I was at a hacker conference I for obvious reasons didn't want to connect to the local network. It's not just a matter of setting up some simple firewall rules, since the people around you are people who have and are inventing new and unusual attacks. Examples of this would be rogue IPv6 RA and NDs, and people who have actually generated their own signed root CAs. There's also the risk (or certainty) of having all your unencrypted traffic sniffed and altered.

For next time I've prepared a SheevaPlug computer I had laying around. I updated it to a modern Debian installation, added a USB network card, and set it up to provide always-on VPN. This could also be done using a raspberry pi, but I don't have one.

Read the rest of this entry »
2012-10-05

Interesting Arping bug report

Categories: coding, network, unix

A few months ago I was strolling in the Debian bug tracking system and found a curious bug filed against Arping, a program I maintain.

It said that unlike Arping 2.09, in Arping 2.11 the ARP cache was not updated after successful reply. I thought that was odd, since there's no code to touch the ARP cache, neither read nor write. Surely this behaviour hasn't changed?

Read the rest of this entry »
2012-02-05

Benchmarking TPM-backed SSL

Categories: hsm, network, security, tpm


As you can plainly see from this graph, my TPM chip can do approximately 1.4 SSL handshakes per second. A handshake takes about 0.7 seconds of TPM time, so when two clients are connecting the average connect time is 1.4 seconds. This means probably not useful on server side, but should be good for some client side applications.

Read the rest of this entry »
2012-02-04

TPM-backed SSL

Categories: coding, hsm, network, security, tpm

This is a short howto on setting up TPM-backed SSL. This means that the secret key belonging to an SSL cert is protected by the TPM and cannot be copied off of the machine or otherwise inspected.

Meaning even if you get hacked the attackers cannot impersonate you, if you manage to kick them off or just shut down the server. The secret key is safe. It has never been outside the TPM and never will be.

This can be used for both client and server certs.

Read the rest of this entry »
2011-12-27

Secure browser-to-proxy communication

Categories: network, security

When connecting to a possibly hostile network I want to tunnel all traffic from my browser to some proxy I have set up on the Internet.

The obvious way to do this is with a proxy. The problem with that is that the traffic from the browser to the proxy is not encrypted. Even when you browse to secure SSL sites some traffic is being sent in the clear, such as the host name. That's not so bad, but I want to hide my HTTP traffic too.

Read the rest of this entry »
2011-10-15

Optimizing TCP slow start

Categories: network, unix

The short version of the problem and solution I will describe is that while TCP gets up to speed fairly fast, and "fast enough" for many uses, it doesn't accelerate fast enough for short-lived connections such as web page requests. If I have 10Mbps connection and the server has 10Mbps to spare, why doesn't a 17kB web page transfer at 10Mbps from first to last byte? (that is, when excluding TCP handshake, HTTP request and server side page rendering)

This is pretty Linux-focused, but I'll add pointers for other OSs if I see them.

Read the rest of this entry »
2010-08-05

tlssh - a replacement for SSH

Categories: coding, network, security, unix

I've started writing a replacement for SSH.

Why? Because SSH has some drawbacks that sometimes annoy me. I also wanted an authentication scheme that's more similar to SSL/TLS than what SSH does.

With tlssh you don't specify username or password, you simply connect to the server using a client-side certificate to log in as the user specified in the certificate. No interaction until you reach the shell prompt on the server.

Read the rest of this entry »
2010-06-11

The rules of multicast

Categories: cisco, multicast, network

The first rule of multicast is you don't talk about multicast

Most networks don't do multicast routing, which means most network guys don't have much experience with it. Sure they know that it exists, and it's probably used on their layer 2, but they don't do multicast routing. These "rules" list some things that you should know when configuring or troubleshooting multicast.

Read the rest of this entry »