
30 January 2017

Provider Backbone Bridging (PBB)

As you can see, I'm writing about provider architectures lately. Last week I wrote about Bridging and Provider Bridging, where you can read that traditional bridging is not enough for large networks today because service providers and cloud companies need more than 4096 VLANs. Provider Bridging is one option, because with two stacked VLAN tags we can address up to about 16 million networks. However, Provider Bridging does not scale well: every switch in the path, including core and spine switches, has to learn customer MAC addresses, which demands large and expensive CAM/TCAM tables. Provider Backbone Bridging (PBB) exists to solve this problem.

Provider Backbone Bridging is the IEEE 802.1ah standard, and the main difference with regard to Provider Bridging is that it hides customer MAC addresses from the backbone by encapsulation (MAC-in-MAC) instead of by stacking tags. This is a great advantage because backbone switches only need to learn the backbone MAC addresses of the edge bridges, so we don't need expensive core and spine switches with huge MAC tables; we need core and spine switches that speak PBB. The whole customer frame, with its inner (customer) MAC addresses, is carried behind an outer header made of the provider (backbone) MAC addresses, a backbone VLAN tag (B-TAG) and a service instance tag (I-TAG) whose 24-bit I-SID identifies the customer service, so the customer frame is invisible to the backbone.

Bridges, VLANs, Provider Bridges and Provider Backbone Bridges
The encapsulation technique is also called an overlay, and many technologies today use it to hide frames and interconnect layer 2 networks. For example, traditional VPN technologies such as OTV, VPLS or LISP are network overlays; host overlays like VXLAN, NVGRE or STT are built in the hypervisor or the server itself; and we can mix both into hybrid overlays. Either way, it is a good way to build simple and scalable networks without worrying about the underlying network, because overlay networks let us change, manage and deploy new technologies quickly, although sometimes the resulting architecture can seem more complex and harder to manage. From a security point of view, keep in mind that the backbone forwards the inner frame without inspecting it: tenant isolation depends entirely on the edge devices mapping tags or identifiers to the right service instance.

Overlay Networks

PBB is the data plane on which intelligent bridging for layer 2 multipathing is built. Traditional three-tier networks were designed for North-South traffic (web content, email, etc) and had limited performance; flat CLOS networks, together with PBB, are more manageable and scalable and are aligned with East-West traffic, which offers better performance and reliability for server-to-server communication, exactly what cloud computing and Hadoop architectures need.

North-South and East-West traffic

Multipathing is a great feature of CLOS networks, but although PBB uses encapsulation in the data plane to hide customer frames, plain PBB may still rely on Spanning Tree in the control plane for loop avoidance. That is a big problem: if we use Spanning Tree (STP) in the control plane we inherit all of its problems, that is, no layer 2 multipathing, scalability limits, slow convergence, North-South traffic patterns, etc. Consequently, we can deploy PBB-TE (IEEE 802.1Qay), PBB-EVPN over MPLS networks, or SPB (IEEE 802.1aq) to get better performance, reliability and real layer 2 multipathing.

Regards my friends, this is going too fast, keep studying my friend!

23 January 2017

Bridging and Provider Bridging

It's the beginning of the year and I'm writing about Service Provider technologies again. Last year I wrote about Metro Ethernet Services, how to configure E-Line VPWS and E-LAN VPLS, and MPLS-TE FRR Link Protection; this time I want to write about the problems Service Providers have in their networks, and companies in their datacenters, when the number of layer 2 networks is too big and there is no way to segment them any further.

Bridging is well known to all of us: it lets two devices communicate, but they have to be in the same subnet and the same broadcast domain, and the MAC addresses have to be known by the source, the destination and the switches in between to forward layer 2 frames. If we want to segment and segregate traffic over the same physical Ethernet network, we have to use the 802.1Q (VLAN) standard. However, 802.1Q has a scalability limit: the VLAN tag (4 bytes) carries a 12-bit VLAN ID, which can only address 4096 networks (4094 usable, since IDs 0 and 4095 are reserved).

VLAN Header

Virtual LANs (VLANs) are a good idea for segmentation and segregation in small networks, where we can also use the Spanning Tree Protocol (STP) for loop avoidance, which gives our networks reliability. However, if we are working on or designing a Cloud or Service Provider network, the business requirements can demand more than 4096 VLANs because of multi-tenant and multilayer architectures. This is where the 802.1ad (Provider Bridging) standard plays an important role in highly scalable networks like Service Providers or Public and Private Clouds: it solves the VLAN limitation.

Bridges, VLANs and Provider Bridges

The Provider Bridging standard is known as QinQ because it stacks two VLAN tags: an outer Service tag (S-TAG, TPID 0x88A8) that the provider edge pushes in front of the customer's own tag (C-TAG, TPID 0x8100). With 12 bits in each tag we could have up to about 16 million networks. In this way the Service Provider can give each customer one VLAN, or several, to offer services like voice, Internet or VPN. However, we are still talking about layer 2 networks: the source and destination MAC addresses are the customer's in Provider Bridging exactly as in traditional bridging, so the layer 2 switches of the Service Provider, or of the datacenter, have to learn every customer MAC address.

QinQ VLAN Tagged frame

The Provider Bridging standard is a good choice to get past the 4096 VLAN limit, but it requires every switch to learn every source and destination MAC address, which is a scalability challenge. Why? Because in a CLOS/Leaf and Spine architecture the leaf nodes, or Top of Rack (ToR) switches, push and pop the additional VLAN tag and do MAC learning, aging and flooding, and then send the frames to the spine nodes and into the backbone, where the core switches still "see" the original customer MAC header and have to store every source and destination MAC address. That is a problem because MAC address tables live in content-addressable memory, which is finite and expensive. It is also a shared resource: one customer flooding random source MACs can fill the table for everybody, which is why per-port MAC limits matter on a QinQ edge.
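The following is an added example, not code from either of these two posts, that builds the three frame formats discussed here (802.1Q customer frame, 802.1ad QinQ frame, and the 802.1ah MAC-in-MAC frame from the PBB post above) and then does source-MAC learning the way a core switch does it, looking only at the outer header. All MAC addresses, VLAN IDs and the I-SID are constructed values; the two backbone edge MACs stand in for a pair of provider edge bridges.

```python
"""802.1Q, 802.1ad (QinQ) and 802.1ah (PBB, MAC-in-MAC) frames, and what a
core bridge has to learn from each.  Added example, not code from the posts;
MAC addresses, VLAN IDs and the I-SID below are constructed values."""
import struct

TPID_CTAG = 0x8100   # 802.1Q customer tag
TPID_STAG = 0x88A8   # 802.1ad service tag, also used for the PBB backbone tag (B-TAG)
TPID_ITAG = 0x88E7   # 802.1ah service instance tag (I-TAG)
ETH_IPV4 = 0x0800


def mac(text):
    """'00:11:22:33:44:55' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def vlan_tag(tpid, vid, pcp=0):
    """4-byte tag: TPID + TCI (3-bit PCP, 1-bit DEI, 12-bit VID)."""
    if not 1 <= vid <= 4094:      # 0 and 4095 are reserved, hence 4094 usable IDs
        raise ValueError("VID out of range")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def customer_frame(c_da, c_sa, c_vid, payload):
    """Plain 802.1Q frame as the customer sends it."""
    return mac(c_da) + mac(c_sa) + vlan_tag(TPID_CTAG, c_vid) + struct.pack("!H", ETH_IPV4) + payload


def qinq_push(frame, s_vid):
    """802.1ad edge: insert an S-TAG after the customer DA/SA.  The customer
    MACs stay at the front of the frame, visible to every provider bridge."""
    return frame[:12] + vlan_tag(TPID_STAG, s_vid) + frame[12:]


def pbb_group_da(i_sid):
    """Default backbone DA for customer broadcast/unknown unicast: 01:1e:83 + I-SID."""
    return "01:1e:83:" + mac_str(i_sid.to_bytes(3, "big"))


def pbb_encap(frame, b_da, b_sa, b_vid, i_sid):
    """802.1ah edge (BEB): wrap the entire customer frame behind a backbone
    header: B-DA, B-SA, B-TAG, I-TAG (24-bit I-SID).  22 bytes of overhead."""
    if not 0 <= i_sid < 1 << 24:
        raise ValueError("I-SID is 24 bits")
    i_tag = struct.pack("!HI", TPID_ITAG, i_sid)   # PCP/DEI/UCA flag bits left 0
    return mac(b_da) + mac(b_sa) + vlan_tag(TPID_STAG, b_vid) + i_tag + frame


def pbb_decap(frame):
    """Egress BEB: strip the 22-byte backbone header to recover the customer frame."""
    return frame[22:]


def outer_view(frame):
    """What a bridge in the path sees without looking past the outer header:
    (DA, SA, list of VIDs in the tag stack, I-SID or None)."""
    da, sa = mac_str(frame[:6]), mac_str(frame[6:12])
    vids, off = [], 12
    while True:
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype in (TPID_CTAG, TPID_STAG):
            vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
            off += 4
        elif ethertype == TPID_ITAG:
            return da, sa, vids, struct.unpack_from("!I", frame, off + 2)[0] & 0xFFFFFF
        else:
            return da, sa, vids, None


def core_mac_table(frames):
    """Source-MAC learning exactly as a core switch does it: one entry per
    (outermost VID, outer source MAC).  Nothing behind an I-TAG is learned."""
    table = set()
    for f in frames:
        _, sa, vids, _ = outer_view(f)
        table.add((vids[0], sa))
    return table


def compare_core_load(n_hosts, c_vid=10, s_vid=100, b_vid=200, i_sid=0x0A0B0C):
    """n_hosts customer hosts behind two provider edges: how many MAC entries
    does a core switch hold with QinQ versus PBB?  Returns (qinq, pbb)."""
    edges = ["00:00:5e:00:00:01", "00:00:5e:00:00:02"]   # constructed BEB MACs
    qinq, pbb = [], []
    for i in range(n_hosts):
        c_sa = "02:00:00:%02x:%02x:%02x" % (i >> 16 & 0xFF, i >> 8 & 0xFF, i & 0xFF)
        cf = customer_frame("ff:ff:ff:ff:ff:ff", c_sa, c_vid, b"hello")
        qinq.append(qinq_push(cf, s_vid))
        pbb.append(pbb_encap(cf, pbb_group_da(i_sid), edges[i % 2], b_vid, i_sid))
    return len(core_mac_table(qinq)), len(core_mac_table(pbb))


if __name__ == "__main__":
    print("core MAC entries (QinQ, PBB) for 1000 hosts:", compare_core_load(1000))
```

With a thousand customer hosts the QinQ core ends up with a thousand entries, while the PBB core learns only the two backbone edge MACs, which is the whole point of the MAC-in-MAC design.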

CLOS/Leaf and Spine architecture

We'll see in the next posts how to solve the QinQ limitation with SPBM, TRILL or FabricPath, where customer MAC addresses are encapsulated in a different layer 2 or layer 3 header.

Regards my friends, drop me a line with the first thing you are thinking.

16 January 2017

PoC MultiPath TCP

I have written about Multipath TCP several times in this blog because I think it is a trend for the near future in networking architectures. Although MPTCP security is a concern, this new way to establish connections has a lot of advantages, and along with HTTP/2 it is going to change the way we think about networks today. Next, we'll see a Proof of Concept of Multipath TCP, how to configure it in some systems like F5 BIG-IP LTM or Linux, and how to test it.

Today there are more and more systems with MPTCP support. For instance, Multipath TCP is a benefit of layer 7 load balancing, and so F5 BIG-IP and Citrix NetScaler support this technology. Mobile manufacturers like Apple, Samsung and LG also support it. Of course, Linux and FreeBSD support MPTCP as well, and we can read How to install MPTCP on the project web page to test it. However, Microsoft Windows doesn't support this technology yet.

Once we have installed it, we'll see Multipath TCP in the TCP options of the header: every MPTCP option uses TCP option kind 30, and the subtype (MP_CAPABLE, MP_JOIN, DSS, etc) is carried in the high nibble of the byte after the length. Wireshark can dissect these options if we enable the MPTCP protocol under Edit -> Preferences -> Protocols -> MPTCP.

MPTCP in Wireshark
Next, we can watch the PoC. First we see an Ubuntu system connecting to the website that checks Multipath TCP: it's green, it's OK, my laptop supports this protocol. Then I download a 500 MB file while monitoring the network bandwidth, and we can see how both interfaces, the wired interface eth0 and the wireless interface wlan0, download the file at the same time. Therefore, I can have a faster and more reliable connection with this protocol. In addition, we can watch in the video how to configure MPTCP on an F5 BIG-IP system.

If we would like to accelerate our applications with MPTCP but we don't want to modify our HTTP servers, we need a full proxy between our web applications and our clients. A good choice is a load balancer like F5 BIG-IP or Citrix NetScaler. For instance, F5 TCP Express uses MPTCP along with SACK and Nagle's algorithm to speed up connections. Nevertheless, we have to take the network architecture into account: if we install an appliance such as a UTM firewall without MPTCP support between our clients and the full proxy, MPTCP may not work. A middlebox that strips or overwrites the unknown TCP option 30 makes both ends fall back to a single regular TCP subflow (MPTCP is designed to do this, so the connection still works but without the multipath benefit), while a middlebox that drops segments carrying unknown options breaks the connection altogether. It is worth checking, with a capture on both sides of each middlebox, that MP_CAPABLE survives the path.
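As an added example (not code from the post, and not from F5 or the MPTCP project), here is a small TCP option parser that finds the MPTCP options described above, reads the MP_CAPABLE fields from a SYN, and then simulates the middlebox case: an appliance that overwrites an option it does not understand with NOPs. The SYN is constructed inline with a made-up sender key and no IP header or checksum; the option kinds and the MP_CAPABLE layout follow RFC 6824.

```python
"""Finding Multipath TCP in TCP options, and what a middlebox that rewrites
unknown options does to it.  Added example, not from the post; the SYN below
is constructed (no checksum, no IP header) with a made-up sender key."""
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_WSCALE, TCPOPT_SACKOK = 0, 1, 2, 3, 4
TCPOPT_MPTCP = 30                      # RFC 6824: every MPTCP option uses kind 30
MPTCP_SUBTYPES = {0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR",
                  4: "REMOVE_ADDR", 5: "MP_PRIO", 6: "MP_FAIL", 7: "MP_FASTCLOSE"}


def tcp_options(segment):
    """Return [(kind, data)] for a TCP segment (header + options [+ payload])."""
    data_offset = (segment[12] >> 4) * 4
    opts, i, out = segment[20:data_offset], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = opts[i + 1]
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def mptcp_subtypes(segment):
    """Names of the MPTCP options present: the subtype is the high nibble of
    the first byte after kind/length."""
    return [MPTCP_SUBTYPES.get(data[0] >> 4, "UNKNOWN")
            for kind, data in tcp_options(segment) if kind == TCPOPT_MPTCP]


def mp_capable(segment):
    """(version, flags, sender_key) from an MP_CAPABLE option, or None.  On a
    SYN the option is 12 bytes: kind, len, subtype|version, flags, 8-byte key."""
    for kind, data in tcp_options(segment):
        if kind == TCPOPT_MPTCP and data[0] >> 4 == 0:
            return data[0] & 0x0F, data[1], data[2:10]
    return None


def build_syn(options, sport=40000, dport=80, seq=1):
    """Minimal TCP SYN carrying the given options; padded with NOPs to 32 bits."""
    options += bytes([TCPOPT_NOP]) * ((-len(options)) % 4)
    doff = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, doff << 4, 0x02, 65535, 0, 0)
    return header + options


def nop_out_option(segment, kind):
    """What a middlebox that 'sanitises' TCP does with an option it doesn't
    know: overwrite it with NOPs so the header stays valid.  Done to kind 30,
    the peers never see MP_CAPABLE and fall back to one regular TCP subflow."""
    data_offset = (segment[12] >> 4) * 4
    opts, i = bytearray(segment[20:data_offset]), 0
    while i < len(opts):
        if opts[i] == TCPOPT_EOL:
            break
        if opts[i] == TCPOPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        if opts[i] == kind:
            opts[i:i + length] = bytes([TCPOPT_NOP]) * length
        i += length
    return segment[:20] + bytes(opts) + segment[data_offset:]


# Constructed SYN: MSS 1460, window scale 7, SACK permitted, MP_CAPABLE v0 with
# flags A|H (checksum required, HMAC-SHA1) and a made-up 64-bit sender key.
SENDER_KEY = bytes.fromhex("0123456789abcdef")
MP_CAPABLE_SYN = bytes([TCPOPT_MPTCP, 12, 0x00, 0x81]) + SENDER_KEY
SYN = build_syn(bytes([TCPOPT_MSS, 4, 0x05, 0xB4, TCPOPT_WSCALE, 3, 7, TCPOPT_SACKOK, 2])
                + MP_CAPABLE_SYN)

if __name__ == "__main__":
    print("client SYN   :", mptcp_subtypes(SYN), mp_capable(SYN))
    print("after UTM box:", mptcp_subtypes(nop_out_option(SYN, TCPOPT_MPTCP)))
```

Running the parser on a capture taken on the server side of a suspect appliance and seeing MSS, window scale and SACK but no kind 30 option is exactly the symptom of the fallback described above: the connection works, but as plain TCP.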


This is a trend that big companies are implementing right now because the number of connections to their applications is very large and their services are demanding. Consequently, they need fast, reliable and robust connections.

Regards my friend, don't stay behind, think in the future!!!

9 January 2017

SecOps & Analytics Platform Architecture

Last weekend, for Three Kings' Day, I got an activity tracker watch for monitoring and tracking fitness-related metrics such as distance walked or run, calories burned, heart rate, quality of sleep, steps climbed and other personal metrics. What is amazing is the dashboard I have to monitor all of these things from my smartphone, and the ability to set alarms and thresholds, connect with social networks, share training plans, connect with other sensors, etc. It is a way to control, measure and monitor the health of our lives.

Activity Tracker Dashboard
This is the gift most CISOs want for managing the security of their organization. I mean, they need a dashboard to know the level of risk of their services, a dashboard to follow security operations, and a single dashboard to analyse security through graphics and tables.

Recently I read Goodbye SIEM, hello SOAPA (Security Operations And Analytics Platform Architecture) by Jon Oltsik, where he writes that a SIEM is not enough today because most CISOs have many different tools and a lot of information that they can't process in time to make decisions. As a result, they would like a single dashboard to manage and analyse the security of their organization.

What Jon Oltsik proposes is a system called SOAPA that integrates many tools: endpoint detection and response (EDR) tools, incident response platforms (IRPs), network security analytics, UBA/machine learning algorithms, vulnerability scanners and security asset managers, anti-malware sandboxes, threat intelligence, etc. To make this possible, SOAPA and the security tools should use industry standards such as Cyber Observable eXpression (CybOX), Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) to share security information with each other.

I don't know if SOAPA will be a product or a technology in the near future, but if I can ask, it would also be interesting to have an Information Security Management System that gets indicators from asset and vulnerability scanners to make the risk management process easier, because if we can interact directly with assets and tools we can know the threats to our services in near real time, and therefore risk analysis and risk identification would have better and more reliable metrics to calculate probabilities, impacts, costs, etc.

What's more, as we have interaction with incident response platforms (IRPs), we can mix this information with complaints and satisfaction surveys to know whether an attack or a failure has affected the service and, as a result, the satisfaction of our customers. This would be useful for the Business Impact Analysis and the Business Continuity process.

Last but not least, another requirement for SOAPA would be compliance reports for PCI DSS, HIPAA, ENS, ISO 27001, etc. These are always useful for auditors and for tracking activities.

I think having a single tool, service or dashboard to monitor the whole security platform is a difficult task until manufacturers agree on how to do it with open standards. In the meantime, I have an activity tracker that interacts with Gmail, WhatsApp, Android, iOS, Movistar or whatever telephone company, etc., over Bluetooth.

Regards my friends, drop me a line with the first thing you are thinking!!!

2 January 2017

I don't want more toys for this year

I want the Three Kings to bring me procedures, professional people and experiences. I'm not going to say that last year was full of toys like appliances or tools, but it was, once again, a year with a lack of procedures, methodologies, methods and security policies. Many organizations spend a lot of money on new tools and appliances but forget to manage these new toys; they may think it's plug & play and that once it's installed everything is OK. However, it is not so: most systems need to be managed by someone, and by professional people who know what they are doing and how to do it.

There are some things we have to take care of in this new year:
  • Security is increasingly important in industrial environments, because a mistake could kill people and not only lose money. In the beginning industrial systems were isolated from other networks like the Internet, but today companies are connecting industrial systems to the Internet to save money, because they can manage these systems remotely and easily from a single operations centre. I think IT engineers and security engineers should make a special effort to understand industrial concepts, and we should work together with industrial engineers to protect their environments, not only with toys but with procedures and methodologies as well.
  • Many things have Internet access today, or we can connect many things to something else. I mean, many things are interconnected somehow: socks, a toothbrush or a ball to our smartphone, or the air conditioner and the smart TV to the Internet. The IoT has a lot of advantages, but if we don't protect these things properly we can get a lot of disadvantages too. Starting with smart cities: there could be many sensors like parking sensors, light sensors or sensors for improving traffic, but if we design smart cities without security in mind we'll get insecure cities. It will be a mess, and along with privacy we'll have a lot of work to do.
  • Cyber-attacks are profitable: we have seen a lot of ransomware and spear-phishing campaigns in recent years, and they are increasing. Why? Because it's easy to deploy malware, easy to cheat someone and difficult to know who the attacker is. Therefore, security awareness is still a must in most companies, because the weakest link is the employees; they should know what social engineering is and what to do in these cases. Training employees in security matters should be an aim for most companies.
We'll see what the Three Kings bring me this year, but the world is crazy today: we had many unlikely events last year, like the election of Donald Trump or the Brexit vote, and we don't know yet whether information security is in the middle of this mess. As a result, get ready for the worst and hope for the best.

What do you want from the Three Kings? Please, take care of your privacy and your information.
