Celebrating 6 Years

Last month I celebrated 6 years of writing my blog.

This project reached yesterday his most visited day in history with more than 1500 visitors and more than 31K all together in November. Nice to finally see someone actually reading my rumblings.

It was and still is hard work of editing old posts making them better and finding new interesting stuff to write about.

Blog is about computer network technologies, you know, the stuff that makes thing get to you and appear on your device’s screens so you can stare at it all the time 🙂

Some other interesting trivia:

  • I have 221 posts published currently.
  • I have also more than 300 drafts that may get published. Some things get old before I get to write them so I just skip those.
  • It takes me approximately 10 to 16 hours to write a post, not counting research and draft creation before starting the final edit.
  • I still use paper and coloured pencils to draw all the schemes used on the blog, same as when making first drafts of my future network designs.
  • My blog is using few banners to be able to pay for itself, so it is earning more or less the money I need to run it.
  • From a technical side, it is a small but optimised Linux VPS build by myself from scratch using some commercially available (and paid) solutions to run fast, load pages flash fast and never go down.

Thanks to all the readers and supporters 😉
howdoesinternetwork.com/welcome

IPv6 Generated with EUI-64 Has a Strange Bit Inside

UPDATE on 22 Mar 2018:
Although the article is correctly explaining the IPv6 address generated in the example at the bottom, it seems that the process of generating the IPv6 address with EUI-64 has been changed from what is described in RFC2373 to something like RFC4291 and then to something like RFC7217. Thanks to @FernandoGont for pointing to this issue. A new article is here which describes newly suggested technique on how SLAAC implementation should work in new network device/NIC implementations.

What is universal/local bit in IPv6 EUI-64 address?

One of my readers contacted me with an interesting question in comments of “IPv6 – SLAAC EUI-64 Address Format” article. The question was:

“How come that the ipv6 address after the prefix is 21C:C4FF:FECF:4ED0 if the mac address is 00-1C-C4-CF-4E-D0?”

Of course, we all know from the previous article that EUI-64 process is taking the interface MAC address (if that is an Ethernet interface) and it creates 64 bits Interface ID with it by shimming additional FFFE (16bits in hex) in between the MAC address bits.

The reader was confused with an additional change that I did not cover in that article which is called universal/local bit of the IPv6 address Interface ID part.

Let’s go.

IPv6 address is 128 bit. First ‘n’ bits (first 64 bits of EUI-64 created IPv6 address) are called “subnet prefix” and the other half of bits are called “Interface ID”.

If we use EUI-64 process to generate a unique IPv6 address of the interface, then we are generating Interface ID from MAC address (or some other kind of L2 address if this is not about Ethernet).

|                     n bits                     |   128-n bits   |
+------------------------------------------------+----------------+
|                  subnet prefix                 |  interface ID  |
+------------------------------------------------+----------------+

On RFC 2373 page 18 chapter: “APPENDIX A : Creating EUI-64 based Interface Identifiers”, you can find that 7th bit on Interface ID part of an IPv6 address (the last 64 bits) is called “universal/local bit”.

If this bit is set to “0” it indicates local scope IPv6 address and if it is “1” then the generated IPv6 address has global scope (it is globally unique).

| Continue Reading.. |

MACSec – Media Access Control Security

Media Access Control Security or MACSec is the Layer 2 hop to hop network traffic protection.

Just like IPsec protects network layer, and SSL protects application data, MACSec protects traffic at data link layer (Layer 2).

MACSec is standardized IEEE 802.1AE hop-by-hop encryption that enables confidentiality and integrity of data at layer 2.

It encrypts entire Ethernet packet except Source and Destination MAC addresses on any device-to-device, switch-to-switch, router-to-switch, host-to-switch directly connected wired L2 connection.

MacSec

If we compare MACSec with, for example, IPsec, MACsec provides same security but on layer 2 for each hop separately. On each hop, packets are received and decrypted enabling other features like QoS and load balancing to function. Same data is again encrypted before being sent out to next device on the way towards the destination. MACsec works on host-to-switch connection and on switch-to-switch connection enabling line-rate up to 10 GigabitEthernet fast encryption.

It uses, especially for that occasion developed and optimised Galois/Counter Mode Advanced Encryption Standard 128 (GCM-AES-128) which makes line-rate encryption/decryption possible.

There is some difference in MACSec on the connection between host and switch, and MACSec on the connection from switch to switch

MACsec uses MACsec Key Agreement (MKA) which is standardized protocol to provide the required session keys and manages the required encryption keys on a MACSec connection between hosts (PC, server, etc.) and switch.

| Continue Reading.. |

Reflexive Access List

Some of my readers commented on my old article about reflexive access-list with issues in the configuration. I tried it in the lab again to be sure I didn’t make any mistake in the configuration example and here I’m sharing the lab and the config used.

About Reflexive Access Lists

Extended ACLs are a special kind of extended access-lists that have limited stateful behaviour technique implemented for TCP sessions. It is better to say that reflexive access-list is simulating stateful behaviour because it, by use of ‘established’ command, is allowing TCP packets that have the ‘ACK’ bit set but not the initial ‘SYN-only’ packet. In this way, we are effectively permitting only the packets that are part of an established session.

In my prior article, I showed how this works by enabling PING from PC1 in VLAN 10 to PC2 in VLAN 20 but not the other way.

I created the lab topology in GNS3:

| Continue Reading.. |

Books that I like

I was planning for some time now to make a list of books I read recently, here’s the list

It should be something like a book reading suggestion list in order to maybe help you pick the right materials in your networking technology learning journey.

On the top are the books I used most while studying for my certs but also some of them are the books that I usually carry with me on my Kindle or PDF wherever I go. It is always a good idea to have those books on you so you can have a look at some details when you need them.

| Continue Reading.. |