These slide are from a presentation I gave at the Cisco NAG2010 conference about using LISP to build large VPN's over the internet instead of regular GRE or DMVPN based setups.
Moved to https://speakerdeck.com/ebiken/zebra-srv6-cli-on-linux-dataplane-enog-number-49
Introduction to SRv6, Linux SRv6 implementation and how to add SRv6 CLI to Zebra 2.0 Open Source Network Operation Stack.
Presented at ENOG (Echigo NOG) #49.
Segment routing is a technology that is gaining popularity as a way to simplify MPLS networks. It has the benefits of interfacing with software-defined networks and allows for source-based routing. It does this without keeping state in the core of the network and needless to use LDP and RSVP-TE.
Moved to https://speakerdeck.com/ebiken/zebra-srv6-cli-on-linux-dataplane-enog-number-49
Introduction to SRv6, Linux SRv6 implementation and how to add SRv6 CLI to Zebra 2.0 Open Source Network Operation Stack.
Presented at ENOG (Echigo NOG) #49.
Segment routing is a technology that is gaining popularity as a way to simplify MPLS networks. It has the benefits of interfacing with software-defined networks and allows for source-based routing. It does this without keeping state in the core of the network and needless to use LDP and RSVP-TE.
Tutorial: Using GoBGP as an IXP connecting routerShu Sugimoto
- Show you how GoBGP can be used as a software router in conjunction with quagga
- (Tutorial) Walk through the setup of IXP connecting router using GoBGP
This slide contains concept about MPLS_VPNs specially L3_VPN protocol, according to the latest version of Cisco books(SP and R&S) and i taught it at IRAN TIC company.
In the next slide, i prepare title about MPLS L3_VPN Services and VPLS (MPLS L2_VPN)
IPv6 Segment Routing is a major IPv6 extension that provides a modern version of source routing that is currently being developed within the Internet Engineering Task Force (IETF). We propose the first open-source implementation of IPv6 Segment Routing in the Linux kernel. We first describe it in details and explain how it can be used on both endhosts and routers. We then evaluate and compare its performance with plain IPv6 packet forwarding in a lab environment. Our measurements indicate that the performance penalty of inserting IPv6 Segment Routing Headers or encapsulat- ing packets is limited to less than 15%. On the other hand, the optional HMAC security feature of IPv6 Segment Routing is costly in a pure software implementation. Since our implementation has been included in the official Linux 4.10 kernel, we expect that it will be extended by other researchers for new use cases.
Presented at ANRW'17 https://irtf.org/anrw/2017/program.html on behalf of David Lebrun
In this webinar, we cover how Border Gateway Protocol works. Starting from key concepts, you'll learn about Autonomous Systems, the BGP protocol, AS Path, learning and advertising routes, RIBs and route selection. See the webinar recording at https://www.thousandeyes.com/webinars/how-bgp-works
Watch the replay: http://cs.co/90028sLgC
We’re going to make this as simple as Cisco’s new Software-Defined Access makes building and managing more secure enterprise networks:
Do you want to streamline device provisioning and host onboarding? Automate policy and segmentation? Get performance insights you didn’t think possible? Of course you do.
Register for the workshop today to get performance insights you didn’t think possible.
Resources:
Watch the New Era of Networking playlist: http://cs.co/90058sI1U
Tutorial: Using GoBGP as an IXP connecting routerShu Sugimoto
- Show you how GoBGP can be used as a software router in conjunction with quagga
- (Tutorial) Walk through the setup of IXP connecting router using GoBGP
This slide contains concept about MPLS_VPNs specially L3_VPN protocol, according to the latest version of Cisco books(SP and R&S) and i taught it at IRAN TIC company.
In the next slide, i prepare title about MPLS L3_VPN Services and VPLS (MPLS L2_VPN)
IPv6 Segment Routing is a major IPv6 extension that provides a modern version of source routing that is currently being developed within the Internet Engineering Task Force (IETF). We propose the first open-source implementation of IPv6 Segment Routing in the Linux kernel. We first describe it in details and explain how it can be used on both endhosts and routers. We then evaluate and compare its performance with plain IPv6 packet forwarding in a lab environment. Our measurements indicate that the performance penalty of inserting IPv6 Segment Routing Headers or encapsulat- ing packets is limited to less than 15%. On the other hand, the optional HMAC security feature of IPv6 Segment Routing is costly in a pure software implementation. Since our implementation has been included in the official Linux 4.10 kernel, we expect that it will be extended by other researchers for new use cases.
Presented at ANRW'17 https://irtf.org/anrw/2017/program.html on behalf of David Lebrun
In this webinar, we cover how Border Gateway Protocol works. Starting from key concepts, you'll learn about Autonomous Systems, the BGP protocol, AS Path, learning and advertising routes, RIBs and route selection. See the webinar recording at https://www.thousandeyes.com/webinars/how-bgp-works
Watch the replay: http://cs.co/90028sLgC
We’re going to make this as simple as Cisco’s new Software-Defined Access makes building and managing more secure enterprise networks:
Do you want to streamline device provisioning and host onboarding? Automate policy and segmentation? Get performance insights you didn’t think possible? Of course you do.
Register for the workshop today to get performance insights you didn’t think possible.
Resources:
Watch the New Era of Networking playlist: http://cs.co/90058sI1U
Implementing an IPv6 Enabled Environment for a Public Cloud TenantShixiong Shang
"Implementing an IPv6 Enabled Environment for a Public Cloud Tenant" case study I delivered in OpenStack Vancouver Summit (May, 2015) jointly with Anik and Sharmin from Cisco System.
Cisco Software Defined Access - новая архитектура для корпоративных кампусных...Cisco Russia
- Зачем нужна новая архитектура?
- Общие понятия и принципы SD-Access
- Как работает SD-Access?
- Выводы и с чего начать
Запись вебинара: http://ciscoclub.ru/cisco-software-defined-access-novaya-arhitektura-dlya-korporativnyh-kampusnyh-setey-cisco
Ed Warnicke's talk at Open Networking Summit.
All Open Source Networking project depend on having access to a Universal Dataplane that is:
Able to they deployment models: Bare Metal/Embedded/Cloud/Containers/NFVi/VNFs
High performance
Feature Rich
Open with Broad Community support/participation
FD.io provides all of this and more. Come learn more about FD.io and how you can begin using it.
Cilium - Fast IPv6 Container Networking with BPF and XDPThomas Graf
We present a new open source project which provides IPv6 networking for Linux Containers by generating programs for each individual container on the fly and then runs them as JITed BPF code in the kernel. By generating and compiling the code, the program is reduced to the minimally required feature set and then heavily optimised by the compiler as parameters become plain variables. The upcoming addition of the Express Data Plane (XDP) to the kernel will make this approach even more efficient as the programs will get invoked directly from the network driver.
Similar to LISP + GETVPN as alternative to DMVPN+OSPF+GETVPN (20)
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Monitoring Java Application Security with JDK Tools and JFR Events
LISP + GETVPN as alternative to DMVPN+OSPF+GETVPN
1. Applied LISP
LISP is good for you!
Job Snijders
job@instituut.net
Protégé of InTouch N.V., The Netherlands
2. Who am I?
Job Snijders
• One of the chosen few: I got native v6 at
home
• Love bleeding edge stuff
• Co-author LISP LCAF draft
3. What’s InTouch NV?
• 16 years old (73 in internet years)
• Managed Service provider
• Nice & decent network through West-Europe
• Sells technology independent products which
we call “services”
• Example: Large private networks for
multinationals in multi-tenant way
4. What is LISP?
• http://en.wikipedia.org/wiki/Locator/Identifie
r_Separation_Protocol
• Abstraction layer
• Location independent prefixes
• IPv4 over IPv4, IPv6 over IPv4, IPv4 over IPv6,
IPv6 over IPv6
5. Problem statement
Dear Santa,
I’d like a manageable way of building large
virtual private networks over the internet.
your friend,
Job
6. Our typical “Satellite” office
• 2 (cheap) internet connections from 2 ISP’s
• 1 (cheap) router
• 1 RFC1918 prefix behind it
• 5 to 10 people behind it that need access to
corporate IT: Active Directory, Exchange, etc
8. Current approach
Remember: We don’t own the last mile. We
have to deliver over the top.
• Build 2 GRE or DMVPN tunnels
• Use plain IPSEC or GETVPN
• OSPF for tunnel/link failover
13. Proxy Router (PxTR)
bridge between LISP world and VRF
• Public IP address (reachable for all xTR’s)
• Talk BGP with VRF intouch-office
• GRE Tunnel to MapServer for LISP+ALT
– Talk BGP with MapServer
• GRE Tunnel to Keyserver
– because PxTR and xTR functionality don’t mix (this
is an implementation limitation, not protocol)
14. PxTR Picture
interface LISP0
ip policy route-map nexthop
crypto map GETVPN_MAP
end
route-map nexthop permit 10
match ip address 10
set ip next-hop 172.16.0.1
15. PxTR Config
ip lisp path-mtu-discovery min 1280 max 1500
ip lisp alt-vrf lisp
ip lisp proxy-etr
ip lisp proxy-itr 212.2.2.2
interface FastEthernet0/1.300
encapsulation dot1Q 300
ip address 172.16.0.20 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
address-family ipv4 vrf lisp
no synchronization
redistribute connected
redistribute static
neighbor 10.0.1.1 remote-as 65100
neighbor 10.0.1.1 update-source Tunnel321
neighbor 10.0.1.1 activate
neighbor 10.0.1.1 next-hop-self
neighbor 10.0.1.1 soft-reconfiguration inbound
exit-address-family
16. Pxtr# show ip route vrf lisp
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.1.0/30 is directly connected, Tunnel321
L 10.0.1.2/32 is directly connected, Tunnel321
172.16.0.0/16 is variably subnetted, 9 subnets, 2 masks
B 172.16.31.1/32 [20/0] via 10.0.1.1, 6d09h
B 172.16.31.3/32 [20/0] via 10.0.1.1, 1d06h
B 172.16.31.4/32 [20/0] via 10.0.1.1, 6d09h
B 172.16.31.5/32 [20/0] via 10.0.1.1, 5d20h
B 172.16.31.6/32 [20/0] via 10.0.1.1, 1d05h
B 172.16.42.0/24 [20/0] via 10.0.1.1, 6d09h
B 172.16.43.0/24 [20/0] via 10.0.1.1, 6d09h
B 172.16.45.0/24 [20/0] via 10.0.1.1, 5d20h
B 172.16.46.0/24 [20/0] via 10.0.1.1, 1d04h
17. MapServer
• Similar to DNS Server
• Public reachable IP address
• Not a part of the GETVPN cloud
• xTR’s register themselves at the MapServer
• PxTR talks with MapServer to know who is
where (over that GRE tunnel)
22. KeyServer Config #1 (LISP)
lisp loc-reach-algorithm rloc-probing
ip lisp database-mapping 172.16.31.1/32 IPv4-
interface FastEthernet0/0.95 priority 0 weight
100
ip lisp itr map-resolver 212.2.2.2
ip lisp itr
ip lisp etr map-server 212.2.2.2 key k3ys3rv3r
ip lisp etr accept-map-request-mapping
ip lisp etr
23. KeyServer config #2 (GETVPN)
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 1000
!
crypto isakmp policy 50
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key blablastrong address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set GETVPN_TS esp-3des esp-sha-hmac
!
crypto ipsec profile GETVPN_PROFILE
set transform-set GETVPN_TS
!
crypto gdoi group GETVPN_GROUP
identity number 666
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa public-intouch-office-ks-key
rekey transport unicast
sa ipsec 1
profile GETVPN_PROFILE
match address ipv4 LAN
replay time window-size 36
address ipv4 172.16.31.1
interface Loopback0
ip address 172.16.31.1 255.255.255.255
!
interface Tunnel10
description to PxTR
ip address 10.0.2.1 255.255.255.252
tunnel source FastEthernet0/0.95
tunnel destination 212.26.197.2
!
interface LISP0
end
ip access-list extended LAN
deny udp any eq 848 any eq 848
deny udp any eq isakmp any eq isakmp
deny ip 172.16.31.0 0.0.0.255 172.16.31.0 0.0.0.255
permit ip any any
24. xTR
“the satellite office router”
• 1 or 2 uplinks to the internet (just transport)
• Push all packets from LAN to PxTR or other xTR’s
• All “vpn” packets go with encrypted payload over
the internets
• “internet access” is done via Firewall in the VRF
26. xTR config #1 (LISP)
lisp loc-reach-algorithm rloc-probing
ip lisp path-mtu-discovery min 1280 max 1500
ip lisp use-petr 212.2.2.2
ip lisp database-mapping 172.16.31.5/32 IPv4-interface ATM0/0/0.1 priority 0 weight 100
ip lisp database-mapping 172.16.45.0/24 IPv4-interface ATM0/0/0.1 priority 0 weight 100
ip lisp itr map-resolver 212.3.3.3
ip lisp itr
ip lisp etr map-server 212.3.3.3 key blablakeymap
ip lisp etr accept-map-request-mapping
ip lisp etr
27. xTR config #1 (GETVPN)
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 1000
crypto isakmp key blablastrong address
0.0.0.0 0.0.0.0 no-xauth
!
!
crypto gdoi group GETVPN_GROUP_GM
identity number 666
server address ipv4 172.16.31.1
client registration interface Loopback0
crypto map GETVPN_MAP 10 gdoi
set group GETVPN_GROUP_GM
interface Loopback0
ip address 172.16.31.5 255.255.255.255
!
interface LISP0
crypto map GETVPN_MAP
interface FastEthernet0/0
description LAN
ip address 172.16.45.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
28. A Sample traceroute:
from satellite office to server behind the VRF
job@DennyCrane:~$ traceroute 172.16.4.202
traceroute to 172.16.4.202 (172.16.4.202), 30 hops max, 60 byte packets
1 172.16.42.253 (172.16.42.253) 6.102 ms 7.229 ms 7.212 ms
2 172.16.0.20 (172.16.0.20) 18.650 ms 18.651 ms 18.622 ms
3 172.16.0.1 (172.16.0.1) 13.968 ms 13.993 ms 14.020 ms
4 172.16.4.202 (172.16.4.202) 13.931 ms 13.899 ms 13.897 ms
job@DennyCrane:~$
29. Things to worry about
• MTU (with 1500 internet you have 1390 payload)
• Security
– Mapserver registrations are unencrypted
– RFC1918 ip addresses are visible when wiretapping
– But GETVPN protects everything and ensures integrity
(So I think LISP is actually doing pretty fine)
30. Our status
At InTouch we have been running this for a while
now with a select group of “special”
customers (read: guinea pigs)
31. Near Future
We have got that much faith that we will deploy
this to real customers in the next 3 weeks